Mutual TLS w/Partner Domain through FOPE


  • A little background. My company (DomainA) has a sister corporation (DomainB) on an entirely separate network. We both have 3rd party SSL certs from the same provider. We need to exchange e-mail securely.

    The following Setup Exists:

    • DomainA has a send connector of type "partner domain" for DomainB with Mutual TLS enabled and the FQDN matches the information in the SSL cert.
    • DomainB has a send connector of type "partner domain" for DomainA with Mutual TLS enabled and the FQDN matches the information in the SSL cert.

    Until yesterday all seemed to be working, however now the Systems Engineer at DomainB is stating that queues to DomainA are backing up and providing a Certificate Validation Error.

    • DomainA has FOPE for all inbound mail and only accepts mail from the FOPE servers.
    • DomainA connects directly to DomainB's mailserver so TLS encrypted e-mail communication works fine.
    • DomainB's logs now reveal that the certificate it receives during the TLS exchange is the one for the FOPE -- so it is delaying delivery of the e-mails. When he routes all traffic destined for DomainA back through his default send connector, everything works fine for DomainB -> DomainA routed e-mail.

    My question is: how do I get this resolved? It was working perfectly fine until yesterday morning. Should I give it a couple of days to make sure it's not an FOPE glitch or is there some trick to making Mutual TLS work between two domains, one of which has FOPE in place?

    Thanks in advance

    Friday, February 17, 2012 1:52 PM

All replies

  • I am confused... you state that DomainA only accepts mail from FOPE, but that Domain A connects directly to Domain B's mail servers? Is encrypted e-mail flowing from Domain A to Domain B, but not the other way around?

    What are the send connector settings at Domain B for Domain A? Since they are receiving the FOPE certificate during the TLS handshake, it seems they are routing to your MX record, and not a smart host. Is that the desired configuration?

    Friday, February 17, 2012 3:18 PM
  • My apologies for any confusion.

    DomainA can send mail through its TLS encrypted Send Connector configured with DomainB as "partner" type. It does not work the other way around. DomainB cannot use their send connector to send to DomainA because FOPE is returning their SSL certificate information to DomainB, thusly delaying the delivery and backing up the Queue on DomainB's Exchange server.

    You are correct. A smarthost is not the desired connection as DomainA will not be a smarthost for DomainB. All inbound mail needs to pass through DomainA's FOPE account.

    • Edited by blc_rysmith Friday, February 17, 2012 4:43 PM
    Friday, February 17, 2012 4:41 PM
  • Here is the XML Verbose Error Message on DomainB's Exchange Server...

    <System>
      <Provider Name="MSExchangeTransport" />
      <EventID Qualifiers="49156">11016</EventID>
      <TimeCreated SystemTime="2012-02-16T22:32:23.000Z" />
      <Security />
    </System>
    <EventData>
      <Data>Domain A</Data>
      <Data>,, OU=Forefront Online Protection for Exchange, O=Microsoft Corporation, L=Redmond, S=Washington, C=US</Data>
    </EventData>

    Friday, February 17, 2012 4:58 PM
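The 11016 event above shows the symptom: the name in the certificate presented during STARTTLS is not the FQDN configured on the partner send connector. The following script is an added diagnostic (not from the thread or from Microsoft) that performs a STARTTLS probe and reports whether the presented certificate names the expected partner FQDN; the hostnames and the two sample certificate dicts are constructed placeholders, one shaped like the FOPE subject in the event and one like a partner's own certificate.

```python
import smtplib
import ssl

# Constructed sample certs (not from the thread): one shaped like the FOPE
# subject seen in DomainB's 11016 event, one like a partner's own cert.
FOPE_LIKE_CERT = {
    "subject": (
        (("organizationalUnitName", "Forefront Online Protection for Exchange"),),
        (("organizationName", "Microsoft Corporation"),),
        (("localityName", "Redmond"),), (("stateOrProvinceName", "Washington"),),
        (("countryName", "US"),),
    ),
    "subjectAltName": (("DNS", "mail.fope-hostname.example"),),  # placeholder
}
PARTNER_CERT = {
    "subject": ((("commonName", "mail.domaina.example"),),),  # placeholder
    "subjectAltName": (("DNS", "mail.domaina.example"), ("DNS", "*.domaina.example")),
}


def cert_names(cert):
    """DNS SANs plus the subject CN from an ssl.getpeercert() dict."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, fqdn):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = fqdn.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == fqdn


def cert_matches_partner(cert, partner_fqdn):
    """True if the presented cert names the FQDN set on the partner connector."""
    return any(name_matches(n, partner_fqdn) for n in cert_names(cert))


def probe_starttls(host, partner_fqdn, port=25, timeout=15):
    """STARTTLS to host and report whether its cert names partner_fqdn."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report the name mismatch instead of raising on it
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)  # chain is still validated against the CA store
        cert = smtp.sock.getpeercert()
    return cert_matches_partner(cert, partner_fqdn), cert_names(cert)


if __name__ == "__main__":
    ok, names = probe_starttls("mail.domaina.example", "mail.domaina.example")
    print("matches partner FQDN:", ok, "presented names:", names)
```

Run it from the sending side against the partner's MX: if the presented names belong to the filtering service rather than the partner host, the mutual TLS connector will keep failing validation no matter how the partner's own certificate is configured.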
  • Have you verified your FOPE Connector setup per the FOPE user guide?
    Friday, February 17, 2012 5:01 PM
  • According to that part of the guide the only thing I forgot was the subnet in the IP address of their mail server. I will try that and see what happens.

    I do not configure an outbound connector because I do not forward my outbound traffic from DomainA through FOPE. Only used for inbound filtering.

    Friday, February 17, 2012 5:55 PM
  • According to that part of the guide the only thing I forgot was the subnet in the IP address of their mail server. I will try that and see what happens.

    Apparently this did not work. Oh well. I've disabled it. I'm going to be looking at possibly using a Site-to-Site VPN for that domain and route mail over it. *sigh*. Not what I wanted to do since the functionality is built in.
    Tuesday, February 21, 2012 2:21 PM