member 1677784
Guest
We have been requested to send, at the very least, Opportunistic TLS emails to one of our partners, so I'm currently trying to get this to work with CheckTLS, however I'm having some trouble doing so.
We have a Server 2008 R2 box which hosts Exchange 2010. We have third party certs installed and can use autodiscover etc
Originally when running tests against our server, we were scoring an F.
Turns out we only had SSL2 enabled. So I've now enabled TLS 1.0, 1.1 & 1.3. I've disabled all SSLs.
Enabling these and rebooting the server has changed our test to an A score.
However enabling these on the server hasn't made a blind bit of difference with sending via TLS and I'm stuck as to where to look next.
Our firewall hasn't been touched so could there be something there which would need amending? We use a Fortinet Fortigate 100D.
We perform SSL inspection on inbound and outbound mail. I've attempted turning these off, and the anti-virus policy (on the firewall), yet still no luck with getting CheckTLS to send the mail as encrypted.
If I perform the test on CheckTLS with my email (inbound) it can see that TLS is enabled on the server and I assume everything looks ok. It says so.
Looking at incoming logs states that messages from external sources are being TLS encrypted, so inbound it looks to be ok.
Outbound however, the logs state nothing regarding TLS at all.
Sending email to my Gmail account shows the little unlocked padlock icon too.
The Send Connector FQDN is set to use the MX record listed with our ISP.
The Receive Connector FQDN uses an address that isn't the MX record. This is another alternate name which is listed in the SANs within our certificate.
However when telnetting on port 25 with the address listed as our MX record, we can see STARTTLS as an available command.
A lot of different combinations of firewall policies have been tested on our Fortigate but it hasn't made any difference. Certificate inspection has been turned off but again no difference.
TLS is definitely enabled on the Send Connector too.
Any help is appreciated, I'm tearing my hair out and I don't have much left.
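The telnet check in the post (seeing STARTTLS on port 25) is only half of what CheckTLS does: the other half is actually negotiating the upgrade and validating the certificate the way a strict sending MTA would, and an outbound TLS problem can sit in either half. The script below is an added example for reproducing that check yourself; it is not CheckTLS's, Fortinet's or Exchange's own code. It parses a raw EHLO reply for the STARTTLS keyword (so the parsing can be exercised offline against the constructed, Exchange-style replies embedded in it) and, when given a real host name on the command line, connects, upgrades the session and reports the negotiated TLS version. The host names in it are constructed placeholders.

```python
"""Outbound STARTTLS probe: EHLO, check for STARTTLS, upgrade, verify the certificate.

Added example; the EHLO replies and host names below are constructed, not captured.
"""
import smtplib
import ssl
import sys

# Constructed EHLO reply in the shape Exchange 2010 sends when a certificate is
# bound to the receive connector (first line is the server name, not an extension).
EHLO_WITH_STARTTLS = (
    b"250-mail.example.invalid Hello [198.51.100.7]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-PIPELINING\r\n"
    b"250-DSN\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-STARTTLS\r\n"
    b"250-X-ANONYMOUSTLS\r\n"
    b"250-AUTH NTLM\r\n"
    b"250-8BITMIME\r\n"
    b"250-BINARYMIME\r\n"
    b"250 CHUNKING\r\n"
)

# Same reply with the STARTTLS line absent, which is what a sender sees when the
# receiving side has no usable certificate or an inspecting firewall/proxy
# removes the keyword from the EHLO reply.
EHLO_WITHOUT_STARTTLS = EHLO_WITH_STARTTLS.replace(b"250-STARTTLS\r\n", b"")


def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Return the ESMTP extension keywords advertised in a raw EHLO reply.

    Per RFC 5321 the reply is a run of "250-KEYWORD params" lines ending with a
    "250 KEYWORD" line (space instead of hyphen). Line one names the server.
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue
        fields = line[4:].split()
        if fields:
            extensions.add(fields[0].upper())
    return extensions


def advertises_starttls(ehlo_reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)


def probe(host: str, port: int = 25, helo_name: str = "probe.example.invalid",
          timeout: float = 15.0) -> dict:
    """Connect to host:port, EHLO, upgrade with STARTTLS and verify the certificate.

    Returns a dict describing what a certificate-checking sender would see.
    """
    result = {"host": host, "starttls_advertised": False,
              "tls_version": None, "cert_verified": False, "error": None}
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout)
        smtp.ehlo()
        result["starttls_advertised"] = smtp.has_extn("starttls")
        if not result["starttls_advertised"]:
            return result
        smtp.starttls(context=ctx)          # handshake + certificate verification
        result["tls_version"] = smtp.sock.version()
        result["cert_verified"] = True
        smtp.ehlo()                         # RFC 3207: re-EHLO after the upgrade
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate failed verification: " + exc.verify_message
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = type(exc).__name__ + ": " + str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    return result


def diagnose(result: dict) -> str:
    """Turn a probe result into the next thing to check."""
    if not result["starttls_advertised"] and result["error"]:
        return "failed before STARTTLS could be offered: " + result["error"]
    if not result["starttls_advertised"]:
        return ("STARTTLS not offered: either no certificate is bound to SMTP on the "
                "receiving side, or a device inspecting SMTP in the path is stripping it")
    if not result["cert_verified"]:
        return "STARTTLS offered but the upgrade failed: " + (result["error"] or "unknown")
    return "opportunistic TLS works, negotiated " + result["tls_version"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # placeholder
    print(diagnose(probe(target)))
```

Run it twice: once from the Exchange server against the partner's MX, and once from a host outside your network against your own MX. If the two runs disagree on whether STARTTLS is offered, the difference is introduced by something between them, which is where the Fortigate's SMTP and SSL inspection policies belong on the list of things to check.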