STARTTLS not advertised on relay receive connector

    Question

  • Hi All,

    On Exchange 2013 I have STARTTLS advertised on our default receive connector and that is working fine, but any other receive connectors I set up never show STARTTLS advertised when a client connects, which is shown through protocol logs and using Telnet to the server from an IP that is scoped to the receive connector with the issue. This frontend receive connector is operating on port 25.

    Upon viewing the Get-ReceiveConnector output the AuthMechanism is set to Tls. I have also tried setting various security options on the connector but none seem to activate 250-STARTTLS, even when I set RequireTLS to true.

    Does anyone know what is happening here? Is there something I'm overlooking?

    I need to send emails from our web server to external addresses via this receive connector and also need to ensure TLS is encrypting these emails.


    • Edited by DennisMarinos Monday, June 20, 2016 4:09 AM added more information
    Monday, June 20, 2016 3:41 AM

Answers

  • Do you have a valid certificate installed on the Exchange server and is it enabled for SMTP?  Is there anything in the event log, particularly MSExchangeTransport?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by DennisMarinos Tuesday, June 21, 2016 6:42 AM
    Tuesday, June 21, 2016 12:48 AM
    Moderator
  • Thanks for your help. Our default connector was working fine on TLS and the cert had been assigned. In the application log there was an MSExchangeTransport error stating that there was no certificate, and when I checked the FQDN on the configured relay receive connector it was the wrong FQDN and didn't match the cert, so it was unable to offer STARTTLS.
    Tuesday, June 21, 2016 6:43 AM

All replies

  • You would have to configure the receive connector that's selected when the web server connects.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, June 20, 2016 6:50 PM
    Moderator
  • Hi Ed,

    Yes, I am configuring the receive connector scoped to the IP of the web server, and also when I telnet to the server from an IP that is scoped to that connector there is no 250-STARTTLS advertised.

    Monday, June 20, 2016 11:22 PM
  • Post the results of this command:

    Get-ReceiveConnector -Identity "Connector Name" | FL


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, June 20, 2016 11:34 PM
    Moderator
  • Thanks for the reply,

    Here is the output:

    RunspaceId                              : 70f4197e-15d8-46c4-adb6-300afb46461c
    AuthMechanism                           : Tls
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : XXXXX.XXXXXXX.local
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 5
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers, Custom
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {10.1.21.101, 117.55.235.21, 175.107.155.82}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : IRIS
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : WebServer Connector

    Monday, June 20, 2016 11:54 PM
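The output above shows the symptom the thread ends on: Fqdn is an internal .local name and TlsCertificateName is empty, so the connector has no certificate it can present and drops STARTTLS from its EHLO response. The script below is an added example, not code from the thread: it lists the certificates enabled for SMTP, checks whether the connector's Fqdn is covered by one of them, corrects the Fqdn if not, and then probes port 25 the way the poster did with Telnet but carries on through the TLS handshake so a name mismatch shows up as an error. The connector name and server name are taken from the output; mail.example.com and probe.example.net are assumed placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumed values: mail.example.com is a name present on the SMTP certificate,
# probe.example.net is the name the probe sends in EHLO.
$server        = 'IRIS'
$connectorName = 'WebServer Connector'
$mailFqdn      = 'mail.example.com'

# 1. Which valid certificates on this server are enabled for SMTP, and which names do they cover?
$smtpCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'SMTP' -and $_.Status -eq 'Valid' }
$smtpCerts | Format-Table Thumbprint, Subject, CertificateDomains, NotAfter -AutoSize

# 2. The connector's Fqdn must be one of those names; otherwise Exchange has no
#    certificate to present on this connector and STARTTLS is not advertised.
$rc = Get-ReceiveConnector -Identity "$server\$connectorName"
$covered = $smtpCerts | Where-Object { $_.CertificateDomains -contains $rc.Fqdn }
if (-not $covered) {
    Write-Warning "Fqdn '$($rc.Fqdn)' on '$connectorName' is on no SMTP-enabled certificate; setting it to $mailFqdn"
    Set-ReceiveConnector -Identity "$server\$connectorName" -Fqdn $mailFqdn
}

# 3. Probe the connector: send EHLO, look for 250-STARTTLS, then actually start
#    TLS and validate the certificate as a real client would.
function Test-StartTls {
    param([string]$SmtpHost, [int]$Port = 25, [string]$HeloName = 'probe.example.net')
    $tcp    = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    $null = $reader.ReadLine()                          # 220 banner
    $writer.WriteLine("EHLO $HeloName")
    $ehlo = @()
    do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match '^250-')
    $advertised = [bool]($ehlo -match '^250[- ]STARTTLS')
    if (-not $advertised) {
        $tcp.Close()
        return [pscustomobject]@{ StartTls = $false; Detail = ($ehlo -join '; ') }
    }

    $writer.WriteLine('STARTTLS')
    $resp = $reader.ReadLine()                          # expect "220 2.0.0 SMTP server ready"
    if ($resp -notmatch '^220') {
        $tcp.Close()
        return [pscustomobject]@{ StartTls = $false; Detail = $resp }
    }

    # AuthenticateAsClient checks chain and hostname; a self-signed cert or a
    # name that does not match $SmtpHost throws here, which is what you want to see.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    $ssl.AuthenticateAsClient($SmtpHost)
    $result = [pscustomobject]@{
        StartTls = $true
        Detail   = $ssl.RemoteCertificate.Subject
        Protocol = $ssl.SslProtocol
    }
    $ssl.Dispose(); $tcp.Close()
    return $result
}

Test-StartTls -SmtpHost $mailFqdn
```

Run the probe from a host whose address falls inside the connector's RemoteIPRanges, otherwise you will be talking to the Default Frontend connector and testing the wrong thing. If the EHLO response still lacks 250-STARTTLS after the Fqdn change, check the MSExchangeTransport events in the Application log for the certificate error the poster found, and confirm the certificate is actually enabled for the SMTP service with Enable-ExchangeCertificate -Services SMTP.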
  • You're welcome.  Happy to have helped.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, June 21, 2016 8:22 PM
    Moderator