Opportunistic TLS does not work

    Question

  • Hello community,

     

    Our Exchange 2013 server cannot handle opportunistic TLS and I really don't know why... everything I've found so far seems to be fine. Please help... thank you very much!

     

     

    Exchange Version: 15.0 Build 1210.3

     

    Our Firewall is configured as the Mailgateway.

     

    Get-SendConnector * | Ft Identity,IgnoreSTARTTLS

    gives one SendConnector back listed with FALSE.

     

    Get-ExchangeCertificate | ft subject,services

    Gives back two certificates for SMTP. One internal and our public wildcard-certificate – is it a problem that two certificates are enabled for SMTP?

     

    The TLSCertificateName attribute was empty on Sendconnectors. I’ve changed this to the thumbprint of our public certificate - but no change.

     

    C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend:

    ...
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,10,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-STARTTLS,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,11,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-X-ANONYMOUSTLS,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,12,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-AUTH NTLM,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,13,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-X-EXPS GSSAPI NTLM,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,14,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-8BITMIME,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,15,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-BINARYMIME,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,16,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-CHUNKING,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,17,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-XEXCH50,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,18,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-XRDST,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,19,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250 XSHADOWREQUEST,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,20,*InternalExchIP*:26966,*InternalExchIP*:2525,>,X-ANONYMOUSTLS,
    2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,21,*InternalExchIP*:26966,*InternalExchIP*:2525,<,220 2.0.0 SMTP server ready,
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,22,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,Remote certificate
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,23,*InternalExchIP*:26966,*InternalExchIP*:2525,*,"CN=*.company.xx, O=company AG, OU=IT, L=nirvana, S=neverland, C=xx",Certificate subject
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,24,*InternalExchIP*:26966,*InternalExchIP*:2525,*,"CN=XXX CA - SHA256 - G2, O=CertAuth nv-sa, C=BE",Certificate issuer name
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,25,*InternalExchIP*:26966,*InternalExchIP*:2525,*,179765A42F6A43A80097A459,Certificate serial number
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,26,*InternalExchIP*:26966,*InternalExchIP*:2525,*,2DBA3C3C149C146A6DXXXXXXXX92187A0954,Certificate thumbprint
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,27,*InternalExchIP*:26966,*InternalExchIP*:2525,*,*.company.xx;autodiscover.company.xx;mail.company.xx;owa.company.xx;company.xx,Certificate alternate names
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,28,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,29,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,Received certificate
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,30,*InternalExchIP*:26966,*InternalExchIP*:2525,*,2DBA3C3C149C146A6DXXXXXXXX92187A0954,Certificate thumbprint
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,31,*InternalExchIP*:26966,*InternalExchIP*:2525,>,EHLO *internalExchDNS*,
    2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,32,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-*internalExchDNS* Hello [*InternalExchIP*],....

    The output of "Get-AuthConfig | Format-List" gives me a "CurrentCertificateThumbprint" I can't identify, so I guess it does not exist anymore.

    I was not able to change it to the current internal certificate, as it says: "has a private key that is not exportable". Not sure if this is a problem.

    Maybe I did more that I can't remember right now... but I think this is everything worth mentioning so far.

     

    Wednesday, December 21, 2016 3:08 PM
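An added example, not code from the original post or from Microsoft: a small Python parser for Exchange SMTP send protocol log records of the layout quoted above (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context) that reports per session whether the next hop advertised STARTTLS, whether the connector asked for it, and whether TLS actually came up. The first session's records are copied from the question (with the masked names kept as masked); the second session, its endpoints and the gateway banner are constructed to show the other outcome, a smart host that never offers STARTTLS. Note that the log quoted in the question is the FrontEnd proxy hop to port 2525 on the same server, not the hop to the firewall; the "E-Mails to Internet" connector shown later has ProtocolLoggingLevel set to None, so that hop produces no records at all until `Set-SendConnector -Identity "E-Mails to Internet" -ProtocolLoggingLevel Verbose` is run, after which the Hub transport service writes them under TransportRoles\Logs\Hub\ProtocolLog\SmtpSend.

```python
"""
Added example (not from the original post): parse Exchange SMTP send protocol
log records and answer, per session: did the next hop advertise STARTTLS,
did we request it, and did a TLS negotiation succeed?

Event column: "<" received, ">" sent, "*" information, "+" connect, "-" disconnect.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample. Session ...B0 copies records quoted in the question
# (masked names kept as they were); session ...B1 is made up: a smart-host hop
# to a gateway that never offers STARTTLS, the situation the thread ends with.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,10,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-STARTTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,11,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250-X-ANONYMOUSTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,19,*InternalExchIP*:26966,*InternalExchIP*:2525,<,250 XSHADOWREQUEST,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,20,*InternalExchIP*:26966,*InternalExchIP*:2525,>,X-ANONYMOUSTLS,
2016-12-21T00:00:08.487Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,21,*InternalExchIP*:26966,*InternalExchIP*:2525,<,220 2.0.0 SMTP server ready,
2016-12-21T00:00:08.518Z,Inbound Proxy Internal Send Connector,08D4143AB830A2B0,28,*InternalExchIP*:26966,*InternalExchIP*:2525,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
2016-12-21T00:00:09.100Z,E-Mails to Internet,08D4143AB830A2B1,0,*InternalExchIP*:49201,*IPofFirewall*:25,+,,
2016-12-21T00:00:09.101Z,E-Mails to Internet,08D4143AB830A2B1,1,*InternalExchIP*:49201,*IPofFirewall*:25,<,220 gateway ESMTP,
2016-12-21T00:00:09.101Z,E-Mails to Internet,08D4143AB830A2B1,2,*InternalExchIP*:49201,*IPofFirewall*:25,>,EHLO mail.company.xx,
2016-12-21T00:00:09.102Z,E-Mails to Internet,08D4143AB830A2B1,3,*InternalExchIP*:49201,*IPofFirewall*:25,<,250-gateway Hello,
2016-12-21T00:00:09.102Z,E-Mails to Internet,08D4143AB830A2B1,4,*InternalExchIP*:49201,*IPofFirewall*:25,<,250-8BITMIME,
2016-12-21T00:00:09.102Z,E-Mails to Internet,08D4143AB830A2B1,5,*InternalExchIP*:49201,*IPofFirewall*:25,<,250 SIZE 52428800,
2016-12-21T00:00:09.103Z,E-Mails to Internet,08D4143AB830A2B1,6,*InternalExchIP*:49201,*IPofFirewall*:25,>,MAIL FROM:<user@company.xx>,
"""


@dataclass
class SessionTls:
    connector: str
    remote: str
    starttls_advertised: bool = False   # remote sent 250-STARTTLS or 250-X-ANONYMOUSTLS
    tls_requested: bool = False         # we sent STARTTLS or X-ANONYMOUSTLS
    tls_negotiated: bool = False        # a "... negotiation succeeded ..." record was logged
    negotiation: str = ""               # protocol / cipher text from that record

    def verdict(self) -> str:
        if self.tls_negotiated:
            return "tls"
        if self.starttls_advertised:
            return "advertised-but-not-negotiated"   # look at certs / connector on our side
        return "plaintext"                           # next hop offered no STARTTLS at all


def parse_smtp_send_log(text: str) -> dict:
    """Return {session-id: SessionTls} for every session found in the log text."""
    sessions = {}
    for row in csv.reader(StringIO(text)):
        if not row or row[0].startswith("#") or len(row) < 8:
            continue                      # header, comment or truncated line
        _, connector, session, _, _, remote, event, data, *rest = row
        context = rest[0] if rest else ""
        s = sessions.setdefault(session, SessionTls(connector, remote))
        # "250-STARTTLS" / "250 STARTTLS": the keyword starts after the 4-char reply code
        ext = data[4:].strip().upper() if data.startswith("250") else ""
        if event == "<" and ext in ("STARTTLS", "X-ANONYMOUSTLS"):
            s.starttls_advertised = True
        elif event == ">" and data.strip().upper() in ("STARTTLS", "X-ANONYMOUSTLS"):
            s.tls_requested = True
        elif event == "*" and "negotiation succeeded" in context:
            s.tls_negotiated = True
            s.negotiation = context
    return sessions


def report(text: str) -> list:
    """One summary line per session, for eyeballing or pasting into a ticket."""
    return [f"{sid} {s.connector!r} -> {s.remote}: {s.verdict()}"
            for sid, s in parse_smtp_send_log(text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it over a real file with `report(open(path, encoding="utf-8").read())`; a session whose verdict is "plaintext" on the Internet connector means the smart host never offered STARTTLS, and no connector or certificate setting on the Exchange side can change that.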

Answers

  • If you are relaying messages through a mail proxy on your firewall, then the Exchange settings for opportunistic TLS only apply on its connections to the firewall and not out to the Internet.

    Verify the TLS configuration on your firewall. It may not be configured with the correct hostname or certificate to allow for TLS.


    Byron Wright (http://byronwright.blogspot.ca)

    • Marked as answer by BenSe2013 Thursday, December 22, 2016 4:36 PM
    Wednesday, December 21, 2016 9:12 PM
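The check this answer calls for, as an added example that is not part of the original answer: connect to the smart host on port 25, send EHLO, and see whether STARTTLS is among the extensions it advertises, which is the only thing opportunistic TLS on the send connector depends on at that hop. Python's smtplib is the client; two tiny in-process fake gateways (the gateway name, extension lists and ports are constructed) stand in for a TLS-capable and a TLS-less mail proxy so the script runs offline. decide() mirrors the connector's RequireTLS switch: with it off, a hop without STARTTLS silently goes plaintext; with it on, delivery fails rather than downgrades.

```python
"""
Added example (not from the original answer): probe whether a smart host offers
STARTTLS, the one thing Exchange opportunistic TLS depends on at that hop.
Two in-process fake gateways (constructed) let the script run offline; point
probe_starttls() at the real smart host to check the firewall's mail proxy.
"""
import smtplib
import socketserver
import threading


class FakeGatewayHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: banner, EHLO with the server's extension list, QUIT."""

    def handle(self):
        self.wfile.write(b"220 gateway.example ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith(("EHLO", "HELO")):
                lines = ["gateway.example Hello"] + list(self.server.extensions)
                # "250-" on every line except the last, which uses "250 "
                reply = "".join(
                    f"250{'-' if i < len(lines) - 1 else ' '}{text}\r\n"
                    for i, text in enumerate(lines)
                )
                self.wfile.write(reply.encode("ascii"))
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class FakeGateway(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, extensions):
        super().__init__(("127.0.0.1", 0), FakeGatewayHandler)  # port 0: any free port
        self.extensions = extensions


def probe_starttls(host, port=25, timeout=10.0):
    """Connect, EHLO, QUIT. Returns which extensions the hop offers; sends no mail."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {
            "starttls": smtp.has_extn("starttls"),
            "extensions": sorted(smtp.esmtp_features),
        }


def decide(probe, require_tls):
    """What a send connector does at this hop: RequireTLS off = opportunistic."""
    if probe["starttls"]:
        return "starttls"
    return "fail" if require_tls else "plaintext"


def run_demo():
    """Probe a TLS-capable and a TLS-less fake gateway; returns {name: probe result}."""
    gateways = {
        "tls-capable": ["STARTTLS", "8BITMIME", "SIZE 52428800"],
        "no-tls": ["8BITMIME", "SIZE 52428800"],
    }
    results = {}
    for name, exts in gateways.items():
        server = FakeGateway(exts)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            host, port = server.server_address
            results[name] = probe_starttls(host, port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: STARTTLS={result['starttls']} "
              f"opportunistic={decide(result, False)} required={decide(result, True)}")
```

Against the real gateway, `probe_starttls("<IPofFirewall>")` run from the Exchange server (so any source-IP rules on the proxy match) tells you in one round trip whether the hop can ever be encrypted; if STARTTLS is missing there, the only ways forward are a gateway that supports it or bypassing the proxy for outbound mail.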

All replies

  • Only one Exchange server, so all necessary roles are on this machine.
    Wednesday, December 21, 2016 3:11 PM
  • Hi,

    Please post the result of the following command for troubleshooting. Also, is this a dedicated Send Connector for a specific domain?

    Get-SendConnector | FL

    If you want to configure TLSCertificateName attribute for Sendconnector, try this method:

    # Look up the certificate by thumbprint and build the "<I>issuer<S>subject" value that TlsCertificateName expects
    $TLSCert = Get-ExchangeCertificate -Thumbprint <Thumbprint>

    $TLSCertName = "<I>$($TLSCert.Issuer)<S>$($TLSCert.Subject)"

    # Set-SendConnector needs the connector's identity (its name)
    Set-SendConnector -Identity "<SendConnectorName>" -TlsCertificateName $TLSCertName

    The rest is the configuration mentioned above.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 22, 2016 10:05 AM
    Moderator
  • Thanks for the replies! I'll check my firewall settings and will update it later...

    Here is the output:

    AddressSpaces                : {SMTP:*;1}
    AuthenticationCredential     :
    CloudServicesMailEnabled     : False
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : False
    DomainSecureEnabled          : False
    Enabled                      : True
    ErrorPolicies                : Default
    ForceHELO                    : False
    Fqdn                         :
    FrontendProxyEnabled         : False
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : *Exchange-Server-Name*
    Identity                     : E-Mails to Internet
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    MaxMessageSize               : Unlimited
    Name                         : E-Mails to Internet
    Port                         : 25
    ProtocolLoggingLevel         : None
    RequireOorg                  : False
    RequireTLS                   : False
    SmartHostAuthMechanism       : None
    SmartHosts                   : {*IPofFirewall->MTA-Gateway*}
    SmartHostsString             : [*IPofFirewall->MTA-Gateway*]
    SmtpMaxMessagesPerConnection : 20
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {*Exchange-Server-Name*}
    TlsAuthLevel                 :
    TlsCertificateName           : *public cert...*
    TlsDomain                    :
    UseExternalDNSServersEnabled : False

    Yeah, I've used this method to configure the connectors. This is the only sendconnector.

    Best regards

    Thursday, December 22, 2016 3:50 PM
  • OK, I've just talked with our firewall support. There is no support for TLS (and none planned) on the mail gateway, as they have their own solution with spam detection....

    So I can configure what I want on Exchange... it does not matter. >:(

    Thank you guys.

    Thursday, December 22, 2016 4:35 PM