mvalpreda
asked on
Exchange 2010 - can send TLS email, but don't seem to receive
I am able to run tests at checktls.com and everything shows 100% successful.
If I send an email to an @gmail.com address, I see "(version=TLSv1 cipher=RC4-SHA bits=128/128);" in the headers. If I reply from gmail.com back to my Exchange server, I don't see any of that.
What could I be missing so I can get TLS between email servers working?
ASKER
It goes out fine and I can see on an email to gmail.com that it is encrypted. So I would assume the certificate exchange must be correct.
When I try to send to my Exchange server, I don't seem to get TLS email.
You need to telnet in to Exchange from an external host and issue an ehlo command. See if STARTTLS is on the list:
220 host.example.co.uk Microsoft ESMTP MAIL Service ready at Wed, 28 Aug 2013 17:29:17 +0100
ehlo
250-host.example.co.uk Hello [192.168.3.1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
If it isn't on the list then it either isn't enabled on the Receive Connector or something is blocking it.
Important that you do the test from off the network.
Simon.
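The check described above, automated as an added example (my code, not from the thread or from Exchange): connect, send EHLO, parse the 250- extension list, and flag verbs an inspecting firewall has rewritten to XXXX so that a missing STARTTLS can be told apart from a connector that simply does not offer it. The EHLO name and any host you pass in are placeholders.

```python
import re
import socket

MASKED_VERB = re.compile(r"^X{4,}[A-Z0-9]?$")   # XXXXXXXA / XXXXXXXB in the thread


def parse_ehlo(reply: str) -> dict:
    """Parse a raw multi-line EHLO reply, as seen in telnet, into
    {'keywords': [...], 'starttls': bool, 'masked': [...]}."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    keywords, masked = [], []
    for line in lines[1:]:              # lines[0] is "250-<fqdn> Hello [ip]"
        body = line[4:].strip()         # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword = body.split()[0].upper()
        keywords.append(keyword)
        if MASKED_VERB.match(keyword):
            masked.append(keyword)
    return {"keywords": keywords, "starttls": "STARTTLS" in keywords, "masked": masked}


def diagnose(reply: str) -> str:
    """One-line verdict in the terms the thread uses."""
    info = parse_ehlo(reply)
    if info["starttls"]:
        return "STARTTLS advertised"
    if info["masked"]:
        return "STARTTLS missing and verbs masked (%s): SMTP inspection on the path" % ", ".join(info["masked"])
    return "STARTTLS missing: check TLS on the Receive Connector"


def read_reply(rfile) -> str:
    """Read one SMTP reply: 'NNN-' lines continue it, 'NNN ' ends it."""
    lines = []
    while True:
        line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def fetch_ehlo(host: str, port: int = 25,
               name: str = "tlscheck.example.invalid") -> str:  # placeholder EHLO name
    """Return the raw EHLO reply from a live server. Run it from outside the
    network so the firewall path is exercised; the thread's server answered
    the first EHLO with 500, so the command is retried once."""
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)                                   # 220 banner
        reply = ""
        for _ in range(2):
            sock.sendall(f"EHLO {name}\r\n".encode("ascii"))
            reply = read_reply(rfile)
            if reply.startswith("250"):
                break
        sock.sendall(b"QUIT\r\n")
    return reply
```

Call `diagnose(fetch_ehlo("mail.example.invalid"))` from an external host; the parser alone also works on a transcript pasted from telnet.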
ASKER
When I do it from checktls.com I get this:
Connected to server
220 Microsoft ESMTP MAIL Service ready at Wed, 28 Aug 2013 09:40:43 -0700
EHLO checktls.com
250-Hello [69.61.187.232]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
When I do it from another Exchange server I get this:
EHLO test.domain.com
500 5.3.3 Unrecognized command
EHLO test.domain.com
250- test.domain.com Hello [x.x.x.x]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-XXXXXXXA
250-AUTH
250-8BITMIME
250-BINARYMIME
250 XXXXXXXB
Funny I have to type it in twice. I think there is some sort of inspection on the firewall. Shame I don't manage it. It's a Cisco UC540.
Ah ha.
That will be it.
See the XXXX - those are the verbs being blocked out by the Cisco device. That is why you don't get TLS, because the remote side doesn't know you support it.
Ciscos are notorious for this - they have a mailguard or FIXUP SMTP (depending on the OS version) which blocks it.
It is so bad that Microsoft had to write a KB article to explain what was happening:
http://support.microsoft.com/kb/320027
If you need to support TLS you need to get whoever manages the device to turn the feature off.
Simon.
ASKER
I don't see anything with SMTP inspection though. grrrr
ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW http
ip inspect name SDM_LOW tcp router-traffic
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip inspect SDM_LOW in
ip inspect SDM_LOW in
ip inspect SDM_LOW in
ip inspect SDM_LOW in
ip inspect dmzinspect out
ip inspect SDM_LOW in
ip inspect dmzinspect out
ip inspect SDM_LOW in
Something is doing it though, because the commands are being hidden.
It could be grouped in with something else.
Simon.
ASKER
Still not working and I have the commands ok. This is from outside the network.
ehlo tlstest.tls.com
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
All I did on the receive connector was add TLS and Mutual Auth TLS. Is there maybe something else I need to do in order to accept TLS email?
I am testing this by sending an email to gmail and I see TLS in the headers. When I reply back, no TLS in the headers.
This is what the headers from GMail to our server look like:
Received: from mail-qc0-f175.google.com (209.85.216.175) by
mailserver (192.168.0.12) with Microsoft SMTP Server (TLS) id
14.3.123.3; Wed, 28 Aug 2013 15:01:44 -0700
Received: by mail-qc0-f175.google.com with SMTP id m4so3842743qcy.6 for
<email@domain.com>; Wed, 28 Aug 2013 15:01:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:reply-to:in-reply-to:references:date:message-id:subject:from:to:content-type;
ASKER
I am seeing this in the receive logs
250-AUTH,
250-8BITMIME,
250-BINARYMIME,
250 CHUNKING,
STARTTLS,
220 2.0.0 SMTP server ready,
Sending certificate
CERTIFICATE STUFF
EHLO ng22-vm2.bullet.mail.bf1.yahoo.com,
,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
ASKER
I am really missing something here. I am able to send from several other Exchange 2010 servers to gmail and get TLS.
Received: from other.domain.com by mx.google.com with ESMTPS id co1si21857550pbc.228.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Reply and no TLS.
Received: by mail-qc0-f180.google.com with SMTP id l13so3332095qcy.39
for <user@domain>; Wed, 28 Aug 2013 17:15:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:reply-to:in-reply-to:references:date:message-id:subject:from:to:content-type;
This is the same on 4 different Exchange 2010 servers I manage. They all have legit certs and the EHLO responses are the same. All say they have TLS. If I try to send between them, no TLS.
Is there a document that shows how to set up TLS from start to end? How to set the receive connector, certificate, etc?
I have a feeling I am missing something very simple.
There is nothing to set up - Exchange 2010 by default does opportunistic TLS. Therefore if both sides support TLS then it is available.
You don't have to enable mutual TLS on the Default Receive Connector, just Transport Layer Security. After making the change, restart the Exchange Transport Service.
Simon.
ASKER
Internet send connector is set up like this:
FQDN: same as GoDaddy cert
Address space: *
Network: Use DNS and Enable Domain Security (Mutual Auth TLS)
Internet receive connector is set up like this:
General Tab
Name: Internet
Protocol logging level: None
FQDN: same as the GoDaddy cert
Max size: 20480
Network Tab
Port 25 on IPv4 and IPv6
All IPs
Authentication Tab
TLS
Mutual Auth TLS
Permission Tab
Anonymous users
I should change Authentication to TLS only on both send and receive and restart "Microsoft Exchange Transport" ?
ASKER
I turned off the mutual auth on both send and receive and restarted the service.
Emails to GMail
Received: from mail.domain.com (reverse DNS)
by mx.google.com with ESMTPS id mp5si25669164pbc.3.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Thu, 29 Aug 2013 11:09:04 -0700 (PDT)
Emails from GMail
Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
(192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
2013 11:07:44 -0700
Received: by mail-qc0-f174.google.com with SMTP id e10so429877qcy.5 for
<administrator@cdomain.com>; Thu, 29 Aug 2013 11:09:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:reply-to:date:message-id:subject:from:to:content-type;
I see that sha256 in there....but I don't think that is TLS correct?
Everything I read says this is automatic and should just work once the cert is applied to the SMTP service....are there logs somewhere that will say why it is not doing TLS?
If I send Exchange to Exchange I don't see anything TLS related.
Both of those headers show TLS was being used.
Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
(192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
2013 11:07:44 -0700
Received: from mail.domain.com (reverse DNS)
by mx.google.com with ESMTPS id mp5si25669164pbc.3.1969.12.31.16.00.00
(version=TLSv1 cipher=RC4-SHA bits=128/128);
The SHA256 is DKIM which is a signing antispam feature, similar to SPF records.
Simon.
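To make that reading of the headers mechanical, here is an added example (my code, not from the thread): it unfolds a header block, classifies each Received: hop as TLS or plain from the two forms seen above (Exchange's "Microsoft SMTP Server (TLS)" and Google's "ESMTPS ... (version=... cipher=...)"), and reports DKIM's a=rsa-sha256 separately so signing is not mistaken for transport encryption. The sample header is constructed from the thread's anonymised lines.

```python
import re


def unfold(header_text: str) -> list:
    """Join RFC 5322 folded lines (a continuation starts with whitespace)."""
    fields = []
    for line in header_text.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line.strip():
            fields.append(line.rstrip())
    return fields


def classify_hop(received: str) -> dict:
    """Return {'tls': bool, 'evidence': str} for the value of one Received: field."""
    m = re.search(r"version=(\S+)\s+cipher=(\S+)\s+bits=([\d/]+)", received)
    if m:                                   # Google's form: ESMTPS plus cipher details
        return {"tls": True, "evidence": "%s %s bits=%s" % m.groups()}
    if "Microsoft SMTP Server (TLS)" in received:   # Exchange 2010's form
        return {"tls": True, "evidence": "Microsoft SMTP Server (TLS)"}
    if re.search(r"\bwith\s+ESMTPS\b", received):
        return {"tls": True, "evidence": "ESMTPS (cipher not recorded)"}
    m = re.search(r"\bwith\s+(.+?)\s+id\b", received)   # "SMTP", "Microsoft SMTP Server", ...
    return {"tls": False, "evidence": m.group(1) if m else "no transport clause"}


def audit(header_text: str) -> dict:
    """Classify each Received: hop (top of the header is the last hop) and
    report the DKIM algorithm separately: a=rsa-sha256 is signing, not TLS."""
    hops, dkim = [], None
    for field in unfold(header_text):
        name, _, value = field.partition(":")
        if name.lower() == "received":
            hops.append(classify_hop(value))
        elif name.lower() == "dkim-signature":
            m = re.search(r"\ba=([\w-]+)", value)
            dkim = m.group(1) if m else "present"
    return {"hops": hops, "dkim": dkim,
            "all_tls": bool(hops) and all(h["tls"] for h in hops)}


# Constructed sample, assembled from the thread's anonymised header lines:
# a TLS hop from Google into Exchange, then Google's internal plain hop.
SAMPLE = """Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
 (192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
 2013 11:07:44 -0700
Received: by mail-qc0-f174.google.com with SMTP id e10so429877qcy.5 for
 <administrator@domain.com>; Thu, 29 Aug 2013 11:09:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20120113;
"""
```

`audit(SAMPLE)` reports the Exchange hop as TLS, Google's internal hop as plain SMTP, and dkim as rsa-sha256; a hop written "with Microsoft SMTP Server id ..." without "(TLS)" comes back as plain.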
ASKER
I sent an email from a non-TLS enabled host (old Exchange 2003 install with no certs) and it said TLS in the headers. I saw that TLS in there and thought it was TLS.....but it seems that everything I get has TLS in the headers. I even checked the protocol logs and it never said STARTTLS in there. In fact the email from the Exchange 2003 server was behind an old PIX that still had fixup enabled on SMTP.....so it was masking all but the most basic verbs.
I saw this on a site showing what email coming into Exchange looks like with TLS
Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
-0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
TLSv1/SSLv3,128bits,AES128-SHA) id 06456c96000057da for <jdoe@microsoft.com>;
Mon, 16 Mar 2009 18:05:16 -0500
I never see any of the TLS/SSL/AES info in my headers on emails into any of my Exchange servers.
Thanks for confirming.....I figured that SHA256 was like SPF.
Are you sure that the 2003 server sent direct to your Exchange 2010 server?
Just checking the headers of some senders where I know there is no TLS support, there is no TLS in the header at all.
Checking another header from a server that I know does TLS shows the headers as you have posted, with the (TLS) included.
Simon.
ASKER
What is odd is I see emails from the same Exchange 2010 server with TLS and some without. A user on Outlook 2003 sends me emails, no TLS in the headers. I send from OWA and there is TLS. Does that make sense?
I cannot answer questions about Outlook 2003 behaviour. I haven't used that version for five years and never recommend to clients to allow it to be used with Exchange 2010.
Simon.
ASKER
I'm not disagreeing! Sometimes they spend their money foolishly. :)
So is the long and short of this, if it says TLS in the headers at the top like I have sent over....that is TLS email and it was secure from server to server?
ASKER CERTIFIED SOLUTION
Primary reasons for failure are issues with the SSL certificate or something interfering with the traffic - a router doing SMTP scanning, for example.
Simon.