
[SOLVED] Unable to send TLS emails via Exchange, but can receive

Status
Not open for further replies.

AciidSn3ak3r (Technical User), Feb 7, 2017
We have been requested to send, at the very least, Opportunistic TLS emails to one of our partners, so I'm currently trying to get this to work with CheckTLS; however, I'm having some trouble doing so.

We have a Server 2008 R2 box which hosts Exchange 2010. We have third-party certs installed and can use Autodiscover etc.

Originally when running tests against our server, we were scoring an F.
Turns out we only had SSL2 enabled. So I've now enabled TLS 1.0, 1.1 & 1.3. I've disabled all SSL versions.

Enabling these and rebooting the server has changed our test to an A score.
However, enabling these on the server hasn't made a blind bit of difference to sending via TLS, and I'm stuck as to where to look next.

Our firewall hasn't been touched, so could there be something there which would need amending? We use a Fortinet FortiGate 100D.
We perform SSL inspection on inbound and outbound mail. I've attempted turning these off, as well as the anti-virus policy (on the firewall), yet still no luck with getting CheckTLS to send the mail as encrypted.

If I perform the test on CheckTLS with my email (inbound) it can see that TLS is enabled on the server and I assume everything looks ok. It says so.

Looking at the incoming logs shows that messages from external sources are being TLS encrypted, so inbound looks to be OK.
Outbound, however, the logs state nothing regarding TLS at all.
Sending email to my Gmail account shows the little unlocked padlock icon too.

The Send Connector FQDN is set to use the MX record listed with our ISP.
The Receive Connector FQDN uses an address that isn't the MX record. This is another alternate name which is listed in the SAN's within our certificate.
However when telnetting on port 25 with the address listed as our MX record, we can see STARTTLS as an available command.

A lot of different combinations of firewall policies have been tested on our FortiGate, but none has made any difference. Certificate inspection has been turned off, but again, no difference.

TLS is definitely enabled on the Send Connector too.

Any help is appreciated; I'm tearing my hair out and I don't have much left :(
 
So I think I've found the culprit of the issue. ForceHELO was enabled on my Default Send Connector. Now that it has been set to False, it has allowed all my outbound mail to attempt a TLS session. I'll keep an eye on this because I assume ForceHELO was enabled for a reason. No one knows why, though.
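The following Exchange Management Shell script is an added example and is not code from the thread above or from anyone posting in it. It reproduces the checks the thread walks through (the port-25 STARTTLS probe, the Send Connector settings, the certificate bound to SMTP, and the outbound protocol log), and it shows why ForceHELO broke outbound TLS: STARTTLS is an ESMTP extension that a receiving server lists only in its reply to EHLO, so a connector that is forced to send HELO never sees the offer and delivers in clear text no matter how TLS is configured. The connector name 'Default Send Connector', the MX host 'mail.example.com', the Hub Transport server name 'EXCH01' and the probe's client name 'probe.example.com' are assumptions; substitute your own.

```powershell
# Added example, not from the original thread. Run in the Exchange 2010 Management Shell (PowerShell 2.0 compatible).
# Assumed names: 'Default Send Connector', 'mail.example.com' (MX host), 'EXCH01' (Hub Transport server).

# --- 1. The telnet check from the thread, scripted: does the host offer STARTTLS after EHLO? After HELO? ---
function Test-StartTlsOffered {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 25,
        [ValidateSet('EHLO','HELO')][string]$Greeting = 'EHLO',
        [string]$ClientName = 'probe.example.com'   # assumed; use a name that resolves back to you
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $tcp.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true
        # An SMTP reply continues while the 4th character is '-' ("250-STARTTLS"); the last line has a space ("250 OK").
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
            ,$lines
        }
        $null = & $readReply                       # discard the 220 banner
        $writer.WriteLine("$Greeting $ClientName")
        $reply = & $readReply
        $writer.WriteLine('QUIT')
        # Only an EHLO reply can carry the extension list; with HELO this is always $false.
        return [bool]($reply -match '^250[- ]STARTTLS\s*$')
    }
    finally { $tcp.Close() }
}
# Test-StartTlsOffered -Server 'mail.example.com' -Greeting EHLO   # healthy MX: True
# Test-StartTlsOffered -Server 'mail.example.com' -Greeting HELO   # what a ForceHELO connector sees: False

# --- 2. Audit every Send Connector for the settings that stop opportunistic TLS ---
function Get-SendConnectorTlsAudit {
    foreach ($c in Get-SendConnector) {
        $problems = @()
        if ($c.ForceHELO)      { $problems += 'ForceHELO=True (HELO instead of EHLO, so STARTTLS is never offered)' }
        if ($c.IgnoreSTARTTLS) { $problems += 'IgnoreSTARTTLS=True (an offered STARTTLS is deliberately ignored)' }
        if ($c.ProtocolLoggingLevel -ne 'Verbose') { $problems += 'ProtocolLoggingLevel not Verbose (no STARTTLS evidence in send logs)' }
        New-Object PSObject -Property @{
            Connector  = $c.Identity
            Fqdn       = $c.Fqdn
            RequireTLS = $c.RequireTLS
            Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
        }
    }
}
Get-SendConnectorTlsAudit | Format-Table Connector, Fqdn, RequireTLS, Problems -AutoSize

# --- 3. The fix from the thread, plus verbose logging so the next test leaves evidence ---
$connectorName = 'Default Send Connector'   # assumed name
$applyFix = $false                          # set to $true to change the connector
if ($applyFix) {
    Set-SendConnector -Identity $connectorName -ForceHELO $false -IgnoreSTARTTLS $false -ProtocolLoggingLevel Verbose
}

# --- 4. The connector FQDN must be covered by a certificate that is enabled for the SMTP service ---
$fqdn = (Get-SendConnector -Identity $connectorName).Fqdn.ToString()
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, NotAfter,
        @{ n = 'CoversFqdn'; e = { ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn } }  # exact match only; a wildcard entry needs its own check

# --- 5. After sending a test message, look for the TLS negotiation in the send protocol log ---
$server  = 'EXCH01'   # assumed Hub Transport server name
$logPath = (Get-TransportServer -Identity $server).SendProtocolLogPath.PathName
Get-ChildItem -Path $logPath -Filter 'SEND*.log' |
    Select-String -Pattern 'STARTTLS' |
    Select-Object -Last 20 -ExpandProperty Line
```

Run step 1 against your own MX with both greetings before changing anything: if EHLO returns True and HELO returns False, the server side is fine and the fault is in the client-side connector, which is what step 2 surfaces. Step 5 is the outbound counterpart of the "inbound logs show TLS" observation in the thread: with verbose protocol logging, a successful outbound session shows the STARTTLS command in the send log, and its absence after the fix means the remote side is not offering it.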
 