[SOLVED] Unable to send TLS emails via Exchange, but can receive

(OP)
We have been requested to send at very least, Opportunistic TLS emails to one of our partners, so I'm currently trying to get this to work with CheckTLS, however I'm having some trouble doing so.

We have a Server 2008 R2 box which hosts Exchange 2010. We have third party certs installed and can use autodiscover etc

Originally when running tests against our server, we were scoring an F.
Turns out we only had SSL2 enabled. So I've now enabled TLS1.0, 1.1 & 1.3. I've disabled all SSLs.

Enabling these and rebooting the server has changed our test to an A score.
However enabling these on the server hasn't made a blind bit of difference with sending via TLS and I'm stuck as to where to look next.

Our firewall hasn't been touched so could there be something there which would need amending? We use a Fortinet Fortigate 100D.
We perform SSL inspection on inbound and outbound mail. I've attempted turning off these, the Anti-virus policy (on the firewall), yet still no luck with getting CheckTLS to send the mail as encrypted.

If I perform the test on CheckTLS with my email (inbound) it can see that TLS is enabled on the server and I assume everything looks ok. It says so.

Looking at incoming logs states that messages from external sources are being TLS encrypted, so inbound it looks to be ok.
Outbound however, the logs state nothing regarding TLS at all.
Sending email to my Gmail account shows the little unlocked padlock icon too.

The Send Connector FQDN is set to use the MX record listed with our ISP.
The Receive Connector FQDN uses an address that isn't the MX record. This is another alternate name which is listed in the SANs within our certificate.
However when telnetting on port 25 with the address listed as our MX record, we can see STARTTLS as an available command.

A lot of different combinations of firewall policies have been tested on our Fortigate but hasn't made any difference. Certificate inspection has been turned off but again no difference.

TLS is definitely enabled on the Send Connector too.

Any help is appreciated, I'm tearing my hair out and I don't have much left :(

RE: [SOLVED] Unable to send TLS emails via Exchange, but can receive

(OP)
So I think I've found the culprit of the issue. ForceHELO was enabled on my Default Send Connector. Now that has been set to False, it has allowed all my outbound mail to attempt a TLS session. Now I'll keep an eye on this because I assume ForceHELO was enabled for a reason. No one knows why though.
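The ForceHELO finding comes down to how SMTP advertises STARTTLS: it is an ESMTP extension listed only in the reply to EHLO, so a sender that greets with plain HELO never sees it and stays in cleartext. The following script is an added example (not from the thread or from Exchange) that parses EHLO replies, shows why a HELO greeting can never yield STARTTLS, and includes a live probe using Python's smtplib; the host names and reply lines in it are constructed.

```python
"""Why a HELO-only sender never negotiates STARTTLS (added example)."""
import smtplib


def parse_ehlo_reply(reply_lines):
    """Return {EXTENSION: parameters} from the lines of an EHLO reply.

    The first line is the server greeting, not an extension. Later lines are
    '250-KEYWORD params' (more lines follow) or '250 KEYWORD params' (last).
    """
    extensions = {}
    for line in reply_lines[1:]:
        if not line.startswith("250"):
            break
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_offered(greeting, reply_lines):
    """True only when an EHLO reply lists STARTTLS.

    A HELO reply is a bare '250 hostname' (RFC 5321) and carries no
    extensions, so with HELO the answer is always False.
    """
    if greeting.upper() != "EHLO":
        return False
    return "STARTTLS" in parse_ehlo_reply(reply_lines)


def probe_starttls(host, port=25, use_ehlo=True, timeout=10):
    """Connect to a real server, greet with EHLO or HELO, report whether
    STARTTLS was offered and upgrade the session if it was (network needed)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        if use_ehlo:
            smtp.ehlo()
        else:
            smtp.helo()  # smtplib records no extensions after HELO
        offered = smtp.has_extn("starttls")
        if offered:
            smtp.starttls()
        return offered


# Constructed sample replies with a hypothetical host name, for offline use.
EHLO_REPLY = ["250-mail.example.test Hello [203.0.113.5]", "250-SIZE 10485760",
              "250-PIPELINING", "250-STARTTLS", "250-8BITMIME", "250 CHUNKING"]
HELO_REPLY = ["250 mail.example.test Hello [203.0.113.5]"]

if __name__ == "__main__":
    print("EHLO offers STARTTLS:", starttls_offered("EHLO", EHLO_REPLY))
    print("HELO offers STARTTLS:", starttls_offered("HELO", HELO_REPLY))
```

Running `probe_starttls(host, use_ehlo=False)` against your own server reproduces the ForceHELO symptom: the same server that returns True for EHLO returns False for HELO.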
