TLS based emails NOT sending nor receiving

    Question

  • Hello everyone.

    I have been trying to establish a secure SMTP line for various clients, and recently went through the steps listed at the following URL: http://msexchangeteam.com/archive/2006/10/04/429090.aspx

    I've gone through everything, implemented the certificate, etc.  The only step I altered was where it asks you to specify a bridgehead server.  I opted to allow the default option instead to allow DNS to do the routing.

    I then specified the domains I wanted, let's say in this case bob.com in the address space.

    I know on the firewall that my securemail.domain.com is allowing traffic to pass in and out on port 25.  I know in DNS that it has the correct internal ip address to translate to, and on the outside (which I can verify with a ping) that the correct external ip address is established as well.

    I set up relay on the secure SMTP to allow for the server itself and necessary domain entries for the rest of the domain.  If I were to take those out I'd just get immediate NDRs saying I can't relay, so at least that seems to be set up ok.

    Upon trying to send ANY emails to bob.com's domain, it just sits forever in a lookup queue and retries until it fails.

    What I am not sure about is the errors I am receiving. 

    Here is a look at what logging is saying: as an example:

    10.101.100.31 - mail.domain.com [10/Jan/2011:16:35:03 -0500] "MAIL -? FROM:<me@domain.com> SMTP" 250 47
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:35:03 -0500] "RCPT -? TO:<test@bob.com> SMTP" 250 40
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:35:03 -0500] "xexch50 -? 2136 2 SMTP" 504 32
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:35:03 -0500] "BDAT -? <33DF1A59E633F64A996DABD8BE5701080C27E5B4mailserver.domain.local> SMTP" 250 103
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:35:03 -0500] "QUIT -?mail.domain.com SMTP" 240 71
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "EHLO -? mail.domain.com SMTP" 250 301
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "x-exps -? GSSAPI SMTP" 0 22
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "x-link2state -? LAST CHUNK={0000006a} MULTI (5) ({00000051} DIGEST_QUERY 84629faa467d354da9acf4686f319f59 6639f6040080ccfa9c084dc5218aa155  )   SMTP" 200 68
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "MAIL -? FROM:<me@domain.com> SMTP" 250 52
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "RCPT -? TO:<test@bob.com> SMTP" 250 40
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "xexch50 -? 2120 2 SMTP" 504 32
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "BDAT -? <33DF1A59E633F64A996DABD8BE5701080C27E63E@mailserver.domain.local> SMTP" 250 103
    10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "QUIT -?mail.domain.com SMTP" 240 71

    I guess I do not understand why this is happening.

    It looks like A) the email is trying to talk to the regular email SMTP connector which otherwise works.  The SMTP Secure connector for TLS is currently set to use the Secure SMTP Protocol I set up.  Again this was all per the above link.

    My concern here is that I did something wrong, and if someone could identify that from the info given, I'd much appreciate it; or it may have to do with our Barracuda spam/AV appliance, although it doesn't seem like it, as I've tried (at least I think I was able to) adding the securemail.domain.com entry to the domains, its IP address, etc.  Otherwise, if it's not monitoring that securemail.domain.com entry it shouldn't be having a problem from what I can tell.

    At the time of testing, TLS was enabled on the recipient's end, so I'm not sure what else to do.

    Any assistance here would be greatly appreciated!!
    Really scratching my head!

    Monday, January 10, 2011 10:37 PM
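One way to confirm from the protocol log above whether a session to bob.com ever negotiated TLS: the log lines show EHLO, MAIL, RCPT and BDAT but no STARTTLS verb, which is consistent with mail leaving through the plain connector. The script below is an added example, not code from the original post or from Microsoft; it parses lines in the same layout as the log shown, groups them into sessions, and flags any session that delivered to a required-TLS domain without a STARTTLS command. The log lines embedded here are constructed sample data, and the `securemail.domain.com` session with STARTTLS is an assumed "good" case for contrast.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same layout as the question's protocol log.
# The second session (securemail.domain.com, with STARTTLS) is an assumed good case.
SAMPLE_LOG = """\
10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "EHLO -? mail.domain.com SMTP" 250 301
10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "MAIL -? FROM:<me@domain.com> SMTP" 250 52
10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "RCPT -? TO:<test@bob.com> SMTP" 250 40
10.101.100.31 - mail.domain.com [10/Jan/2011:16:58:51 -0500] "QUIT -?mail.domain.com SMTP" 240 71
10.101.100.32 - securemail.domain.com [10/Jan/2011:17:02:10 -0500] "EHLO -? securemail.domain.com SMTP" 250 301
10.101.100.32 - securemail.domain.com [10/Jan/2011:17:02:10 -0500] "STARTTLS -? SMTP" 220 30
10.101.100.32 - securemail.domain.com [10/Jan/2011:17:02:10 -0500] "MAIL -? FROM:<me@domain.com> SMTP" 250 52
10.101.100.32 - securemail.domain.com [10/Jan/2011:17:02:10 -0500] "RCPT -? TO:<test@bob.com> SMTP" 250 40
10.101.100.32 - securemail.domain.com [10/Jan/2011:17:02:10 -0500] "QUIT -?securemail.domain.com SMTP" 240 71
"""

# client-ip - server-host [timestamp] "VERB -? args SMTP" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>\S+) -\?\s*(?P<args>.*?)\s*SMTP" (?P<status>\d+) (?P<bytes>\d+)$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def sessions(log_text):
    """Group entries into sessions keyed by (client ip, server host, timestamp)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            groups[(entry["ip"], entry["host"], entry["ts"])].append(entry)
    return groups

def audit_tls(log_text, required_domains):
    """List sessions that sent RCPT to a required-TLS domain, noting whether STARTTLS was issued."""
    required = {d.lower() for d in required_domains}
    findings = []
    for key, entries in sessions(log_text).items():
        verbs = {e["verb"].upper() for e in entries}
        rcpt_domains = set()
        for e in entries:
            if e["verb"].upper() == "RCPT":
                m = re.search(r'@([\w.-]+)>', e["args"])
                if m:
                    rcpt_domains.add(m.group(1).lower())
        hit = rcpt_domains & required
        if hit:
            findings.append({"session": key, "domains": sorted(hit), "tls": "STARTTLS" in verbs})
    return findings
```

Run `audit_tls(open("smtp.log").read(), ["bob.com"])` against a real protocol log to see which connector each bob.com delivery went through; a `tls: False` finding is the symptom the question describes.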

All replies

  • First thoughts that come to mind are:

    Which version of Exchange are you using? [From the link I am guessing you have Exchange 2003?]
    What mail system are the destination domains using?  Exchange 20xx? GroupWise? Lotus Notes?  Hosted services?
    Did they set up TLS on their side?  Is their certificate a public or self-signed/private certificate?
    What kind of certificate are you using to do the TLS connection with?  The self-signed one or a public one from Verisign, GoDaddy, DigiCert or some other SSL vendor?
    What is the cost on the TLS connector?  What is the cost on all other connectors?

    For the Barracuda device, where does it sit in terms of mail flow?  Does it scan the inbound emails only or does it scan the outbound ones as well?  This could determine some TLS issues as well.  I can tell you that I had a client that changed their mail flow to use just the Barracuda for receiving and sending external emails.  Once set up, they added TLS.   What model of Barracuda do you have?


    JAUCG
    • Proposed as answer by JAUCGMVP Saturday, February 04, 2012 4:27 AM
    Thursday, January 12, 2012 12:01 AM
  • Any updates on this?
    JAUCG
    Friday, January 13, 2012 8:27 PM
  • Anything new?
    JAUCG
    Wednesday, January 18, 2012 9:31 PM
  • Any new updates?
    JAUCG
    Monday, January 23, 2012 2:36 PM