Dave Messman
asked on
SBS/Exchange 2003 not receiving some emails - senders getting delivery delays about TLS
I have an SBS 2003 box that has been in production for about 4 years. I've made some changes recently (which I'll explain), but in the last week, I've gotten complaints from some external senders (some seem to be on non-Exchange platforms) that they are getting delivery delays (which will eventually fail) when sending to us.
I have two of those delivery delays that say:
451 Remote TLS ERROR - Connection closed by peer (state:SSLv2/v3
read server hello A) (host:mail.domain.org.) - psmtp
<scott@domain.org>... Deferred: 451 Remote TLS ERROR - Connection
closed by peer (state:SSLv2/v3 read server hello A)
(host:mail.domain.org.) - psmtp
and
The following addresses had permanent fatal errors ----- <april@domain.org>
(reason: 403 4.7.0 TLS handshake failed.)
----------------
For most of the past 4 years, the server was using the ISA firewall built into SBS 2003 Premium in a dual NIC solution. In preparation for a migration to SBS 2008, I put in a Syswan router. I opened up all the normal ports and pointed them to the internal IP of the SBS 2003 box - 25, 443, 4125, 1723, 587, 80. I made this change about a week and a half ago - and it very well may coincide with these issues. Though I don't know what port would be missing that TLS would be using to connect. Shouldn't it just use port 25?
Also - about 2 months ago, I changed the primary domain name in use. The server's public address is mail.domain2.org. But 2 months ago, we changed the domain on our emails to domain.org. So I created an MX record for domain.org that points to mail.domain.org (not mail.domain2.org). As far as I can tell, it works fine. 98% of all emails seem to go through just fine. But it's these messages that seem to want to use TLS that are the problem.
I have an SSL certificate that I installed on my server for mail.domain2.org. That SSL certificate for mail.domain2.org is set up on the SMTP virtual servers, though I do not have TLS required on my SMTP virtual servers.
Do I create a new SMTP virtual server that requires TLS? If so, please provide the exact steps; I'm a bit of a noob on that. And if so, how do I create a new one that operates on port 25, since the default SMTP connector already uses port 25?
I appreciate any and all help.
Thanks
ASKER CERTIFIED SOLUTION
Exchange 2003 did not support opportunistic TLS, which is why you are required to have a certificate and a separate SMTP VS.
You will need to use the TLS port, not the SMTP port.
Philip
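The two bounces quoted in the question describe different failures: the psmtp one records OpenSSL's "read server hello A" state, which means the sending side had sent its ClientHello and the receiving server closed the connection before answering, while the second is a generic handshake failure. A probe run from outside the network separates the cases a practitioner would want to tell apart: STARTTLS not advertised at all, a handshake the server aborts, and a completed handshake whose certificate names do not cover the MX host name (the asker's certificate is for mail.domain2.org while the MX record points at mail.domain.org). The following is an added example written for this page, not code from the thread; mail.domain.org and mail.domain2.org are the asker's placeholder names, and the EHLO reply and certificate dictionary are constructed in the shape Python's smtplib and ssl modules return them, so the parsing and name-matching parts run offline.

```python
"""Probe an MX host for STARTTLS on port 25 and report what it presents.

Added diagnostic for the thread above; host names, port and sample data are
assumptions, not values taken from the original post.
"""
import smtplib
import ssl

# Constructed EHLO reply in the shape smtplib.SMTP.ehlo() returns it
# (response codes stripped, lines joined with "\n"). Not captured from the
# server in the question.
SAMPLE_EHLO = b"mail.domain.org Hello [192.0.2.10]\nSIZE 10485760\nSTARTTLS\n8BITMIME\nOK"

# Constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns,
# modelling a certificate issued only for mail.domain2.org (the asker's setup).
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.domain2.org"),)),
    "subjectAltName": (("DNS", "mail.domain2.org"),),
}


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if the EHLO capability list contains the STARTTLS keyword."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    return any(line.strip().upper() == "STARTTLS" for line in lines)


def cert_names(cert: dict) -> list:
    """Subject CN plus every dNSName SAN from a getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def name_matches(hostname: str, cert: dict) -> bool:
    """Exact match, or a single wildcard in the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 15.0) -> dict:
    """Connect, EHLO, try STARTTLS, and record which step failed.

    Network call; run it from outside the network the server sits on. Chain
    verification stays on so an untrusted certificate is reported as an error;
    hostname checking is off because the name mismatch is reported separately.
    """
    result = {"advertises_starttls": False, "handshake_ok": False,
              "cert_names": [], "name_matches_mx": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            result["advertises_starttls"] = advertises_starttls(reply)
            if not result["advertises_starttls"]:
                return result
            smtp.starttls(context=ctx)
            result["handshake_ok"] = True
            cert = smtp.sock.getpeercert()
            result["cert_names"] = cert_names(cert)
            result["name_matches_mx"] = name_matches(mx_host, cert)
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        # A peer that closes the socket right after ClientHello (the
        # "read server hello A" state quoted in the bounce) ends up here
        # with handshake_ok still False and the exception text in "error".
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.org"
    print(json.dumps(probe_starttls(host), indent=2))
```

Run it as `python probe.py mail.domain.org` from a host outside the office network; if the answer's suggestion of a separate virtual server on its own port is followed, pass that port as the second argument to `probe_starttls`. `advertises_starttls` False with no error means the virtual server is not offering STARTTLS; an error with `handshake_ok` False reproduces what the psmtp sender saw; `handshake_ok` True with `name_matches_mx` False is the certificate-for-the-wrong-name case, which strict senders treat as a failed handshake even though the TLS session itself came up.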