Exchange 2010 SMTP over SSL connection


  • I have a Exchange 2010 with SSL enable. We would like to enable SSL over SMTP, but when we change the connection from Auto to TLS it works, but not SSL. It will prompt

    Your server does not support the connection encryption type you specified. Try changing the encryption method.

    The reason of using SSL over SMTP is because of the Sophos smart host require that, if not when using outlook at outside premises they are unable to send mail.

    Friday, October 05, 2012 1:29 AM

All replies

  • Can you describe a little bit more about your Infra ?

    ExchangeGeek (MCITP,Enterprise Messaging Administrator)

    ***Don't forget to mark helpful or answer***

    **Note:(My posts are provided “AS IS” without warranty of any kind)

    Friday, October 05, 2012 1:53 AM
  • we had mix user of exchange and pop3, when user sending email it would pass thru a smart host. previously it was working fine until the firmware of the smart host is updated. According to the provided, should we sending email using pop3, we are require to use SSL. Email will be contain inside smart host if we do not do that and manually purge is require so that email is sent. We already revert back to the firmware for the time being.
    Friday, October 05, 2012 2:16 AM
  • Okay. so you want to use POP over SSL ?

    ExchangeGeek (MCITP,Enterprise Messaging Administrator)

    ***Don't forget to mark helpful or answer***

    **Note:(My posts are provided “AS IS” without warranty of any kind)

    Friday, October 05, 2012 2:18 AM
  • SMTP over SSL
    Friday, October 05, 2012 2:21 AM

    ExchangeGeek (MCITP,Enterprise Messaging Administrator)

    ***Don't forget to mark helpful or answer***

    **Note:(My posts are provided “AS IS” without warranty of any kind)

    Friday, October 05, 2012 2:31 AM
  • hi, this had been done. outlook able to connect via TLS and Auto but not SSL.
    Friday, October 05, 2012 2:42 AM

    Have you tried this ??

    Check the authentication in Receiver connector.

    ExchangeGeek (MCITP,Enterprise Messaging Administrator)

    ***Don't forget to mark helpful or answer***

    **Note:(My posts are provided “AS IS” without warranty of any kind)

    Friday, October 05, 2012 2:50 AM
  • if you see that, the SMTP is not on SSL, according to the link... It is set to TLS, which i'm currently using right now.
    Friday, October 05, 2012 3:47 AM
  • hi,

    Smtp over ssl is TLS. Please see the sembee's answer in below link.

    If you want to pop to use ssl to communicate to your server.

    You should install a certificate and assgin it to your pop service. Have you done that?

    pleae run the cmd:get-exchangecertificate | fl

    hope can help you



    TechNet Community Support

    Monday, October 08, 2012 7:03 AM
  • hi... all the service being assigned.... it had been done previously....
    Monday, October 08, 2012 7:33 AM
  • Hi,

    did you try the steps to enable SSL on POP from this document?

    Configure POP3 to Use TLS or SSL

    Wednesday, October 10, 2012 7:15 AM
  • hi... yes... it had been enabled....
    Wednesday, October 10, 2012 8:19 AM
  • Hi,

    can you check the cerficate is correct from the configuration of POP3 Over SSL, it should be a third-party or public certicate. By default, it's configurated to use the self-sign certificate.

    Thursday, October 11, 2012 6:39 AM
  • hi,

    i had checked for many times. It is correctly configured, i'm able to use TLS but not SSL. we are using self sign certificate which comes from our AD Cert Authority.

    Thursday, October 11, 2012 9:44 AM
  • Hi,

    If everything is correct on server side, please go to check if the certificate had been installed on the client machine. And, did the issue occur on all clients when trying to use POP3 mode to connect mail server? can you provide a screenshot of the returned error information you received?

    Friday, October 12, 2012 1:35 AM
  • hi... all client being installed with this certificate. It occur to all client outside of the LAN, meaning client trying to send mail from out of office perimeter.

    Friday, October 12, 2012 1:40 AM
  • Hi,

    what about if the client select auto encryted mode now?

    as you menioned, there is a smart host in your exchange server and it required to use SSL encryted mode, did I understand correct?

    however, from the returned information, it seems like clients outside can't send message from SMTP accout, it should be not related to the smart host.

    Friday, October 12, 2012 6:04 AM
  • we had tested, if client select auto, it would be the same...

    yes, there's a sophos smart host which required SSL...

    it is 100% related to smart host, as when email is send from client outside, those mail will be quarantine inside the smart host appliance until we manually purge/send out via the appliance console.

    Tuesday, October 16, 2012 1:50 AM
  • hi,

    in light of this, I suspend the mail flow is different between inside and outside. when users sending message inside, it's possible it does not use the smart host. you can check message header to verify it.

    If so, your exchange server should be ok, the cause is smart host.

    Tuesday, October 16, 2012 5:58 AM
  • hi,

    the mail IS configured to send thru smart host only. be it inside or outside of organization. Is just that from inside, it is local LAN, thus smart host trusted it. if out of the LAN, it will require SSL to detect or something...

    Tuesday, October 16, 2012 6:27 AM
  • Hi,

    this is strange because clients will connect your exchange server firstly whatever inside or outside and then exchange will transfer the message to the smart host server. Smart host server can't know where the message from which client, it just know if the message is delivered from the exchange server or not.

    again, I'd like to confirm with you, the mail flow should be same whatever inside and outside. Since as you menioned, when sending message from outside, the message will be in queue in smart host server, it indicts exchange transfer the server successfully, there should be no issue on exchange server side.

    Tuesday, October 16, 2012 9:10 AM
  • hi... yes... as i mentioned earlier... if client use Auto or TLS encrytion, there's no error pop out... but mail will be quarantine inside the smart host appliance. If we use SSL (which is required for mail to go thru smart host without being quarantine) the error as above will pop out and thus user unable to send any mail to exchange from outlook....
    Tuesday, October 16, 2012 9:14 AM
  • Hi,

    exchange 2010 only support TLS encryption on SMTP layer, so it failed to connect to exchange server from outlook side when you select SSL.
    so far, from your description, the smart host server need SSL encryption so that it can deliver message successfully. therefore, we have to configure send connector in exchange server side. But as far as I know, there only 4 authentication mode on send connectors in exchange 2010:
    None   Select this option if the smart host is configured to accept anonymous connections.
    Basic Authentication   Select this option if the smart host requires Basic authentication. Basic authentication requires that you provide a user name and password. We strongly recommend that you use an encrypted connection if you're using Basic authentication, because the user name and password are sent in clear text. Select the Basic Authentication over TLS check box to enable encryption on the connection. Also, if you specify more than one smart host for this Send connector, all of the specified smart hosts must accept the same user name and password.
    Exchange Server Authentication   Select this option to authenticate to a smart host by using an Exchange authentication mechanism, such as TLS direct trust or TLS\Kerberos.
    Externally Secured (for example, with IPsec)   Select this option if the connection to the smart host is secured by external means, such as being physically secured over a private network or secured using Internet Protocol security (IPsec). When you select this option, you make an assertion of external security that can't be programmatically verified by Exchange.

    there is not an option for SSL only an option Basic Authentication over TLS. you can try this option to do a test, but I'm not sure if it works.

    on the other hand, as I mentioned, smarthost can not know a message is delivered from outside or inside, it can only know the message is from an exchange server. I'm confused why the clients inside have no issue, I still think there should be a different way to send message inside. did you test to send message from inside and outside to the same address? Is the outlook client configured as pop3 account inside as well or configure using MAPI connection?

    at last, in my experience, message are queue in the smart host server, there should be no issue in exchange server side.

    Wednesday, October 17, 2012 1:47 AM

    Hello ,


    Did the information help you? Let us know if you need further assistance from us.

    Monday, October 22, 2012 3:15 AM
  • hi,

    we already open a case with Microsoft Support. and in the midst of troubleshooting. Thanks

    Monday, October 22, 2012 4:40 AM
  • Hi,

     I do appreciate if you can provide the solution here after the issue was resolved.

    Tuesday, October 23, 2012 2:29 AM
  • Hi,

    I have the same problem.

    Please let us know when you have the solution.

    Best regards,

    Wednesday, February 27, 2013 2:12 PM