TLS

  • Question

  • Hello,

    When I run a test from MX Toolbox against my mail server I get a message that TLS is not enabled. I have tried to follow the article here:

    https://terenceluk.blogspot.com/2013/09/enabling-tls-for-exchange-server-2010.html

    to enable TLS but I still get the same result. Under receive connectors I have two connectors: 1. Client and 2. default. I have enabled TLS under both. Please confirm that I need to have both enabled.

    This is Exchange 2010. Can you tell me what to check or how to enable it? Do we actually need it enabled?


    Thank you. Karel Grulich, MCSE, SBS


    Monday, July 15, 2019 11:44 PM

All replies

  • Hi,

    Is it convenient for you to post the screenshot of the test result message here? Don't forget to cover your personal information.

    Please check the certificate in your organization for double confirm. You can use the following command to make sure the cert you are using is assigned to POP,IMAP,IIS,SMTP service:

    Get-ExchangeCertificate | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,Services

    You can check this for more information about these Exchange service: Assign certificates to Exchange Server services

    Here is an official document about configuring mutual TLS, you can check the procedures and make sure everything is configured correctly: Using Domain Security: Configuring Mutual TLS

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Tuesday, July 16, 2019 6:28 AM
    Moderator
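The one-liner above lists the certificates; the script below, an added example that is not from this thread or from Microsoft, goes one step further and checks the two things that usually make a "TLS not enabled / not trusted" result on an Exchange 2010 server: a certificate bound to SMTP that has expired, or one whose names do not cover the public MX host name or the receive connectors' FQDN (Exchange picks the STARTTLS certificate by matching the connector's Fqdn). `$MxHostName` is an assumed value; run it in the Exchange Management Shell.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 server. Lists every certificate bound to the SMTP service
# and flags expiry and name-coverage problems. $MxHostName is an assumption:
# set it to the host name your public MX record points to.
$MxHostName = 'mail.example.com'

function Test-CertificateCoversName {
    param([string]$HostName, [string[]]$CertDomains)
    # Exact match, or a wildcard entry (*.example.com) treated as a simple -like pattern
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.') -and ($HostName -like $d)) { return $true }
    }
    return $false
}

# Receive connectors announce this FQDN in the banner; the STARTTLS cert must cover it
$connectorFqdns = @(Get-ReceiveConnector -Server $env:COMPUTERNAME |
    ForEach-Object { "$($_.Fqdn)" } | Where-Object { $_ } | Sort-Object -Unique)

$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'SMTP' })
if ($smtpCerts.Count -eq 0) {
    Write-Warning 'No certificate is assigned to the SMTP service (Enable-ExchangeCertificate -Services SMTP).'
}

$report = foreach ($cert in $smtpCerts) {
    $domains  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $missing  = @($connectorFqdns | Where-Object { -not (Test-CertificateCoversName $_ $domains) })
    [PSCustomObject]@{
        Thumbprint        = $cert.Thumbprint
        Subject           = $cert.Subject
        SelfSigned        = $cert.IsSelfSigned
        DaysToExpiry      = $daysLeft
        CoversMxHost      = Test-CertificateCoversName -HostName $MxHostName -CertDomains $domains
        UncoveredConnFqdn = ($missing -join ', ')
    }
}

$report | Format-Table -AutoSize
foreach ($r in $report) {
    if ($r.DaysToExpiry -lt 0)    { Write-Warning "$($r.Thumbprint) has expired; remote servers will reject or distrust STARTTLS." }
    if (-not $r.CoversMxHost)     { Write-Warning "$($r.Thumbprint) does not cover $MxHostName; external tools will report a name mismatch." }
    if ($r.UncoveredConnFqdn)     { Write-Warning "$($r.Thumbprint) does not cover connector FQDN(s): $($r.UncoveredConnFqdn)" }
}
```

A self-signed certificate (the Exchange default) still lets STARTTLS complete, so `SelfSigned = True` by itself does not explain a "TLS not enabled" result, but it does explain a "certificate not trusted" one.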
  • Hello and thank you for your help. Yes I checked the certificate and it is assigned to all services. However, when I run the MX tool I still get that TLS is not supported. As you can see from images I have the default and client receive connectors configured for TLS.

    Thank you. Karel Grulich, MCSE, SBS

    Tuesday, July 16, 2019 11:37 PM
  • Hi,

    Did you configure the send connectors as well?

    What's the result of the telnet? Did you get 250-STARTTLS from the output?

    On Exchange server, protocol logging records the SMTP conversations that occur between messaging servers as part of message delivery. As is mentioned in the article provided above, you can review the send and receive protocol logs to determine whether TLS negotiation has been successful.

    When the server is the SMTP receiving system, the following strings exist in the log depending on the version of TLS used:

    • TLS protocol SP_PROT_TLS1_0_SERVER
    • TLS protocol SP_PROT_TLS1_1_SERVER
    • TLS protocol SP_PROT_TLS1_2_SERVER

    When the server is the SMTP sending system, the following strings exist in the log depending on the version of TLS used:

    • TLS protocol SP_PROT-TLS1_0_CLIENT
    • TLS protocol SP_PROT-TLS1_1_CLIENT
    • TLS protocol SP_PROT-TLS1_2_CLIENT

    For reference: Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

    Set-ReceiveConnector "<ConnectorIdentity>" -ProtocolLoggingLevel Verbose
    Set-SendConnector "<ConnectorIdentity>" -ProtocolLoggingLevel Verbose

    Regards,

    Lydia Zhou



    Thursday, July 18, 2019 10:11 AM
    Moderator
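To turn the advice above into something repeatable, here is an added example (not from the thread or from Microsoft) that enables verbose protocol logging on every connector, then reads the receive and send protocol logs and counts TLS negotiations per protocol version using the `TLS protocol SP_PROT_...` strings the reply quotes. It assumes it runs in the Exchange Management Shell on the Hub Transport server and that the log folders are the ones recorded on the transport server object; `$Days` is an assumed look-back window.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 Hub Transport server. $Days is an assumed look-back window.
$Server = $env:COMPUTERNAME
$Days   = 1

# Step 1: the same cmdlets the reply quotes, applied to every connector on this server
Get-ReceiveConnector -Server $Server | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
Get-SendConnector | Set-SendConnector -ProtocolLoggingLevel Verbose

# Step 2: find the log folders from the transport server configuration
$ts      = Get-TransportServer -Identity $Server
$logDirs = @("$($ts.ReceiveProtocolLogPath)", "$($ts.SendProtocolLogPath)")

function Read-ProtocolLog {
    param([string]$Path)
    # Protocol logs are CSV with '#' comment lines; the '#Fields:' line carries the header
    $lines  = Get-Content -Path $Path
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    if (-not $header) { return }
    $lines | Where-Object { $_ -notlike '#*' } | ConvertFrom-Csv -Header ($header -split ',')
}

$cutoff = (Get-Date).AddDays(-$Days)
$rows = foreach ($dir in $logDirs) {
    Get-ChildItem -Path $dir -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object { Read-ProtocolLog -Path $_.FullName }
}

# A negotiation line names the Schannel protocol: *_SERVER = we received, *_CLIENT = we sent.
# Both the underscore and hyphen spellings of SP_PROT are accepted.
$tls = foreach ($r in $rows) {
    $text = "$($r.data) $($r.context)"
    if ($text -match 'TLS protocol (SP_PROT[_-]TLS1_\d_(SERVER|CLIENT))') {
        [PSCustomObject]@{
            Version = $Matches[1]
            Remote  = ($r.'remote-endpoint' -split ':')[0]
            Session = $r.'session-id'
        }
    }
}

'TLS negotiations per protocol version:'
$tls | Group-Object Version | Select-Object Name, Count | Format-Table -AutoSize

'Remote hosts that negotiated only TLS 1.0 (candidates to contact before disabling it):'
$tls | Where-Object { $_.Version -match 'TLS1_0' } |
    Select-Object -ExpandProperty Remote -Unique
```

If the counts are all zero while the logs contain SMTP sessions, no TLS negotiation is happening at all, which is what the MX Toolbox result is reporting; if `_SERVER` entries appear for inbound sessions, the server is negotiating TLS and the tool's result needs to be explained some other way (firewall, wrong host, untrusted certificate).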
  • The send connector is configured properly. What commands do you want me to run with telnet? I read that it is impossible to test TLS with Telnet. What do you need or what do you need me to run to test? Also could the firewall be blocking the TLS communication? If yes what port do I need to open?

    Thank you. Karel Grulich, MCSE, SBS

    Monday, July 22, 2019 4:06 PM
  • Hi,

    The telnet command is mentioned in the blog you provided. Use "telnet localhost 25" and "ehlo", and "250 STARTTLS" in the output means the endpoint accepts TLS connection requests.

    If you enabled TLS on Exchange for inbound messages, the server will refuse to accept emails from any SMTP server that doesn't enable TLS. You can check the message header of inbound messages to make sure, if you have enabled TLS.

    Did you get any details about the test procedures and what the tool tests? Since it's a third-party tool, you can also contact its support about the test result.

    Regards,

    Lydia Zhou



    Thursday, July 25, 2019 2:55 AM
    Moderator
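Telnet can only show whether `250-STARTTLS` is advertised; it cannot complete the handshake. The added example below (not from the thread or from Microsoft) does the same EHLO check from PowerShell and then actually negotiates TLS with `SslStream`, reporting the protocol version, cipher and the certificate the server presented, including any validation errors. Run it from a machine outside the firewall to see what an external tool sees. `$SmtpHost` and `$EhloName` are assumed values.

```powershell
# Added example, not code from the thread. Probes an SMTP server for STARTTLS and
# completes the TLS handshake. $SmtpHost and $EhloName are assumptions.
$SmtpHost = 'mail.example.com'
$EhloName = 'probe.example.net'

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # Multi-line replies use "250-" on continuation lines and "250 " on the last line
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpStartTls {
    param([string]$HostName, [int]$Port = 25, [string]$Ehlo = 'probe.example.net')
    $result = [ordered]@{
        Host = $HostName; StartTlsAdvertised = $false; TlsNegotiated = $false
        Protocol = $null; Cipher = $null; CertSubject = $null; CertExpires = $null
        CertErrors = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        [void](Read-SmtpReply $reader)                       # 220 banner
        $writer.WriteLine("EHLO $Ehlo")
        $ehlo = Read-SmtpReply $reader
        $result.StartTlsAdvertised = [bool]($ehlo -match '^250[- ]STARTTLS')
        if (-not $result.StartTlsAdvertised) { $writer.WriteLine('QUIT'); return [PSCustomObject]$result }

        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[0] -notmatch '^220') { $result.Error = "STARTTLS refused: $($reply[0])"; return [PSCustomObject]$result }

        # Record validation errors instead of aborting, so a self-signed cert is still reported
        $script:certErrors = 'None'
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $policyErrors)
            $script:certErrors = $policyErrors.ToString()
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($HostName)                 # the part telnet cannot do

        $result.TlsNegotiated = $true
        $result.Protocol      = $ssl.SslProtocol.ToString()
        $result.Cipher        = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject   = $cert.Subject
        $result.CertExpires   = $cert.NotAfter
        $result.CertErrors    = $script:certErrors

        # Say goodbye inside the TLS session
        $tlsWriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
        $tlsWriter.NewLine = "`r`n"; $tlsWriter.AutoFlush = $true
        $tlsWriter.WriteLine('QUIT')
    }
    catch { $result.Error = $_.Exception.Message }
    finally { $client.Close() }
    return [PSCustomObject]$result
}

Test-SmtpStartTls -HostName $SmtpHost -Ehlo $EhloName | Format-List
```

Three outcomes map to three different fixes: `StartTlsAdvertised = False` means the receive connector is not offering TLS; `TlsNegotiated = False` with an error after STARTTLS points at the Schannel protocol settings on the server (the registry check discussed later in this thread); `TlsNegotiated = True` with `CertErrors` other than `None` means TLS works but the certificate is self-signed, expired or issued for a different name.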
  • I ran the telnet test and it looks like TLS is enabled. Do I need to open any ports other than 25 on the firewall for TLS to go through?

    Thank you. Karel Grulich, MCSE, SBS

    Thursday, July 25, 2019 8:39 PM
  • Hi,

    You can check this document about Network ports for clients and mail flow in Exchange. However, whether TLS is enabled or not may not relate to the firewall port. If the specific port is not opened, the message will be blocked instead of alerting that TLS is not enabled.

    Please check the Registry Editor to make sure TLS is enabled. Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols and check the Enabled entry under TLS 1.0 (or TLS 1.1 or TLS 1.2)\Server. You can check this for more details about TLS entries and DWORD values in the registry: TLS 1.0

    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. For reference: How to back up and restore the registry in Windows

    If you want to enable TLS 1.2, there are requirements that need attention. You can get useful information from this blog: Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

    Regards,

    Lydia Zhou



    Monday, July 29, 2019 9:54 AM
    Moderator
  • This is the only entry I see.


    Thank you. Karel Grulich, MCSE, SBS

    Thursday, August 1, 2019 2:57 PM
  • Hi,

    You can create an Enabled entry in the Server subkey as described in the provided document. After you have created the entry, change the DWORD value to 1.

    Regards,

    Lydia Zhou



    Friday, August 2, 2019 10:07 AM
    Moderator
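The registry check in the earlier reply and the "create the Enabled entry" step in this one can be done from PowerShell instead of Registry Editor. The added example below (not from the thread or from Microsoft) first reports, for each TLS version and for both the Server and Client sides, whether the registry sets `Enabled` and `DisabledByDefault` or leaves the OS default in place, and then provides a function that exports the Protocols key to a `.reg` backup (the precaution the reply asks for) before creating the subkey and the DWORD values. `$BackupPath` is an assumed location; run as Administrator.

```powershell
# Added example, not code from the thread. Run as Administrator on the Exchange
# server. $BackupPath is an assumption; any writable folder will do.
$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$BackupPath   = "C:\Temp\schannel-protocols-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"

function Get-SchannelProtocolState {
    # One row per protocol/side. A missing key or value means Schannel uses the OS default.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $path    = Join-Path $ProtocolsKey "$proto\$side"
            $enabled = $null; $dbd = $null
            if (Test-Path $path) {
                $props   = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            [PSCustomObject]@{
                Protocol          = $proto
                Side              = $side
                KeyExists         = (Test-Path $path)
                Enabled           = $(if ($null -eq $enabled) { '(not set: OS default)' } else { $enabled })
                DisabledByDefault = $(if ($null -eq $dbd)     { '(not set: OS default)' } else { $dbd })
            }
        }
    }
}

function Enable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )
    # Back up the whole Protocols key before touching it
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup to $BackupPath failed; not changing anything." }

    # Create the subkey if needed, then Enabled=1 and DisabledByDefault=0 as DWORDs
    $path = Join-Path $ProtocolsKey "$Protocol\$Side"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Enabled           -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Set $Protocol\$Side Enabled=1, DisabledByDefault=0 (backup: $BackupPath). Restart the server for Schannel to apply it."
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Enable-SchannelProtocol -Protocol 'TLS 1.0' -Side Server   # the entry this reply describes
```

The same function with `-Protocol 'TLS 1.2'` (run once for `Server` and once for `Client`) creates the TLS 1.2 entries, but only do that after working through the prerequisites in the "Exchange Server TLS guidance, part 1" article mentioned above, since Exchange 2010 needs updates before it can use TLS 1.2.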
  • Is creating the registry entry the only way to do this? Why wasn't the entry created during the Exchange install?

    Thank you. Karel Grulich, MCSE, SBS

    Tuesday, August 6, 2019 3:10 PM
  • Hi,

    Yes, please try to create the entry and check if the issue is solved. For Exchange 2013, Exchange 2016 and newer versions, the TLS 1.0/1.1/1.2 entries are created by default.

    Additionally, Exchange Server 2010 will reach end of support on January 14, 2020. We suggest migrating to Office 365 or Exchange 2016 for better services.

    Regards,

    Lydia Zhou



    Thursday, August 8, 2019 9:16 AM
    Moderator
  • Is creating the registry entry the only way to do this? Why wasn't the entry created during the Exchange install?

    Thank you. Karel Grulich, MCSE, SBS

    Yes - this is an OS level configuration that is used by IIS, Exchange etc. 

    Not enabled by default on older OS as the security standards have changed and evolved.  Older OS are in extended support and are not serviced the same as current products.  That's why you need to make sure this is done by setting the keys either manually or via a tool. 


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 8, 2019 6:11 PM