mvalpreda (United States of America) asked:

Exchange 2010 - can send TLS email, but don't seem to receive

I am able to run tests at checktls.com and everything shows 100% successful.

If I send an email to an @gmail.com address, I see "(version=TLSv1 cipher=RC4-SHA bits=128/128);" in the headers. If I reply from gmail.com back to my Exchange server, I don't see any of that.

What could I be missing so I can get TLS between email servers working?
Simon Butler (Sembee), United Kingdom, replied:

Exchange does opportunist TLS, so it works if the certificate negotiation is successful.
Primary reasons for failure are issues with the SSL certificate or something interfering with the traffic - router doing SMTP scanning for example.

Simon.
mvalpreda (asker) replied:

It goes out fine and I can see on an email to gmail.com that it is encrypted. So I would assume the certificate exchange must be correct.

When I try to send to my Exchange server, I don't seem to get TLS email.
You need to telnet in to Exchange from an external host and issue an ehlo command. See if STARTTLS is on the list:

220 host.example.co.uk Microsoft ESMTP MAIL Service ready at Wed, 28 Aug 2013 17:29:17 +0100
ehlo
250-host.example.co.uk Hello [192.168.3.1]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW

If it isn't on the list then it either isn't enabled on the Receive Connector or something is blocking it.

Important that you do the test from off the network.

Simon.
When I do it from checktls.com I get this:

Connected to server
220 Microsoft ESMTP MAIL Service ready at Wed, 28 Aug 2013 09:40:43 -0700
EHLO checktls.com
250-Hello [69.61.187.232]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING

When I do it from another Exchange server I get this:

EHLO  test.domain.com
500 5.3.3 Unrecognized command
EHLO  test.domain.com
250- test.domain.com Hello [x.x.x.x]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-XXXXXXXA
250-AUTH
250-8BITMIME
250-BINARYMIME
250 XXXXXXXB

Funny I have to type it in twice. I think there is some sort of inspection on the firewall. Shame I don't manage it. It's a Cisco UC540.
Ah ha.
That will be it.
See the XXXX - those are the verbs being blocked out by the Cisco device. That is why you don't get TLS, because the remote side doesn't know you support it.

Ciscos are notorious for this - they have a mailguard or FIXUP SMTP (depending on the OS version) which blocks it.

It is so bad that Microsoft had to write a KB article to explain what was happening:
http://support.microsoft.com/kb/320027

If you need to support TLS you need to get whoever manages the device to turn the feature off.

Simon.
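The check Simon describes (EHLO from outside the network, look for STARTTLS in the keyword list) and the symptom he diagnoses (verbs overwritten with XXXX by a Cisco SMTP fixup/mailguard device) can both be automated. The script below is an added example for this thread; it is not code from either poster, from Microsoft or from Cisco. The two sample EHLO replies are constructed from the ones quoted above, and the probe hostname tlsprobe.example.invalid and the verdict strings are my own naming. The live probe verifies the server certificate deliberately, so a broken chain or name mismatch (Simon's other primary cause) is reported rather than hidden.

```python
"""Check an SMTP endpoint's EHLO reply for STARTTLS and for firewall-masked verbs.

Added example for this thread, not code from the posters or from Microsoft/Cisco.
Assumptions: the probe hostname tlsprobe.example.invalid and the verdict strings
are my own; the two sample EHLO replies are constructed from the ones quoted above.
"""
import re
import smtplib
import ssl
import sys

# Constructed sample: reply seen through a Cisco SMTP fixup/mailguard device,
# where verbs it does not know are overwritten with X characters.
MASKED_EHLO = """250-test.domain.com Hello [x.x.x.x]
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-XXXXXXXA
250-AUTH
250-8BITMIME
250-BINARYMIME
250 XXXXXXXB"""

# Constructed sample: the same kind of server reached without inspection.
CLEAN_EHLO = """250-host.example.co.uk Hello [192.168.3.1]
250-SIZE
250-STARTTLS
250-AUTH NTLM
250 CHUNKING"""

MASKED_VERB = re.compile(r"^X{4,}[A-Z0-9]*$")


def parse_ehlo(text):
    """Split a raw multi-line 250 reply into (greeting, [keywords])."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    greeting = lines[0][4:] if lines else ""
    keywords = []
    for ln in lines[1:]:
        if not ln.startswith("250"):
            continue
        body = ln[4:].strip()            # drop the "250-" / "250 " prefix
        if body:
            keywords.append(body.split()[0].upper())
    return greeting, keywords


def assess(keywords):
    """What the keyword list says about STARTTLS."""
    if "STARTTLS" in keywords:
        return "starttls-advertised"
    if any(MASKED_VERB.match(k) for k in keywords):
        # Verbs replaced by XXXX: an SMTP-inspecting device sits in the path
        return "masked-by-inspection"
    return "starttls-not-advertised"


def probe(host, port=25, timeout=10):
    """Live check; run it from outside the network, as the thread advises.
    EHLO, classify the reply, then try STARTTLS with certificate verification
    so a bad chain or name mismatch shows up as tls_error. Sends no mail."""
    result = {"host": host}
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, msg = s.ehlo("tlsprobe.example.invalid")   # hypothetical probe name
        if code != 250:
            result["verdict"] = f"ehlo-rejected-{code}"
            return result
        # smtplib already strips the 250- prefixes; the first line is the greeting
        reply = msg.decode(errors="replace").splitlines()
        keywords = [ln.split()[0].upper() for ln in reply[1:] if ln.strip()]
        result["keywords"] = keywords
        result["verdict"] = assess(keywords)
        if result["verdict"] != "starttls-advertised":
            return result
        try:
            s.starttls(context=ctx)
        except ssl.SSLError as exc:
            result["tls_error"] = str(exc)   # expired cert, wrong name, untrusted chain
            return result
        name, version, bits = s.sock.cipher()
        result.update(tls_version=version, cipher=name, bits=bits)
        # RC4-SHA, the suite seen in the thread's headers, is prohibited by RFC 7465
        result["weak_cipher"] = "RC4" in name
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for sample in (MASKED_EHLO, CLEAN_EHLO):
            print(assess(parse_ehlo(sample)[1]))
```

Run it with the public MX name as the only argument from a host outside the firewall; a verdict of masked-by-inspection means the keyword list is being rewritten in transit, which is exactly the KB 320027 symptom, and no Receive Connector setting will fix that until the inspection feature is turned off.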
I don't see anything with SMTP inspection though. grrrr

ip inspect WAAS flush-timeout 10
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW http
ip inspect name SDM_LOW tcp router-traffic
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
 ip inspect SDM_LOW in
 ip inspect SDM_LOW in
 ip inspect SDM_LOW in
 ip inspect SDM_LOW in
 ip inspect dmzinspect out
 ip inspect SDM_LOW in
 ip inspect dmzinspect out
 ip inspect SDM_LOW in
Something is doing it though, because the commands are being hidden.
It could be grouped in with something else.

Simon.
Still not working and I have the commands ok. This is from outside the network.

ehlo tlstest.tls.com
250-SIZE 20971520
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING

All I did on the receive connector was add TLS and Mutual Auth TLS. Is there maybe something else I need to do in order to accept TLS email?

I am testing this by sending an email to gmail and I see TLS in the headers. When I reply back, no TLS in the headers.

This is what the headers from GMail to our server look like:
Received: from mail-qc0-f175.google.com (209.85.216.175) by
 mailserver (192.168.0.12) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Wed, 28 Aug 2013 15:01:44 -0700
Received: by mail-qc0-f175.google.com with SMTP id m4so3842743qcy.6        for
 <email@domain.com>; Wed, 28 Aug 2013 15:01:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:reply-to:in-reply-to:references:date:message-id
         :subject:from:to:content-type;
        bh=4M3ySUYuELdm3cWainIuXIj3jN82gIkotek7B6Axg+Q=;
        b=Q9a2vmwgJ8m2wHPV5qVztPaixa9mkj8ZG16kf0FiHu4InZlSQFFXO3ZU8AS3jIIBgW
         o2M04MC8eGRfIxKCoBeCzsORCliTLUE9T5hlC0ZodZqVB/U1PFiAq/hjvbT0+bdN7Dld
         vWDZRr7gBExn054gyNhvRIDVNXwHyqQsLbXNnbti7alS0ebOow3wYDCOi4NvkDZey78E
         WRfVEo3aeAcQLPTNHRRhUBt0uRrH//TXcdwLJawiHCH0dT3Z/RF8mZsLbELo5Bko4I4X
         GtTgQNb1NHqceHCmA3S0yU1G9hgJTQHDNdWjdprZb2hkXjuAMWSDk2T8EcN6P9aZRdPm
         LybQ==
I am seeing this in the receive logs

250-AUTH,
250-8BITMIME,
250-BINARYMIME,
250 CHUNKING,
STARTTLS,
220 2.0.0 SMTP server ready,
Sending certificate
CERTIFICATE STUFF
EHLO ng22-vm2.bullet.mail.bf1.yahoo.com,
,TlsDomainCapabilities='None'; Status='NoRemoteCertificate'
I am really missing something here. I am able to send from several other Exchange 2010 servers to gmail and get TLS.

Received: from other.domain.com by mx.google.com with ESMTPS id co1si21857550pbc.228.1969.12.31.16.00.00
        (version=TLSv1 cipher=RC4-SHA bits=128/128);

Reply and no TLS.

Received: by mail-qc0-f180.google.com with SMTP id l13so3332095qcy.39
        for <user@domain>; Wed, 28 Aug 2013 17:15:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:reply-to:in-reply-to:references:date:message-id
         :subject:from:to:content-type;
        bh=JXwsM9j37OVa2iJ0QMn8QfCHFhHXBw2tLCo1k+I1pas=;
        b=LJGaGQaSILynmCslQhsEoU8gxfAwcFLSXCiKUBvSzKZ5833o253ZjFQKs1DrpiVBO0
         OA/N0v8wEUt0Ay60Dflb5t+osawOCtk7ryEpK/3yZ6720KZjCO6gvydX0/zEITxvnB83
         gx6SKJtW4pBBBsm/KxpUJV7X/7NbQEjzDpzd6K7JUaKxhbf4FQbUulynzeT8FEJ4xRUs
         3byeoY460tStiiPggmajFfLISxPqe2iV/x7XdlnqEB9Lqg+dNg0S1tDyRsUxRyTrZRys
         4ij7M4c5sM61qn96gOsisqV97IsM2Svu4Jftk205MgcSWNRFaEK9ouci96trcrZZqKtH
         V0nQ==

This is the same on 4 different Exchange 2010 servers I manage. They all have legit certs and the EHLO responses are the same. All say they have TLS. If I try to send between them, no TLS.

Is there a document that shows how to set up TLS from start to end? How to set the receive connector, certificate, etc?

I have a feeling I am missing something very simple.
There is nothing to set up - Exchange 2010 by default does opportunist TLS. Therefore if both sides support TLS then it is available.
You don't have to enable mutual TLS on the Default Receive Connector, just Transport Layer Security. After making the change, restart the Exchange Transport Service.

Simon.
Internet send connector is set up like this:
FQDN: same as GoDaddy cert
Address space: *
Network: Use DNS and Enable Domain Security (Mutual Auth TLS)

Internet receive connector is set up like this:
General Tab
Name: Internet
Protocol logging level: None
FQDN: same as the GoDaddy cert
Max size: 20480

Network Tab
Port 25 on IPv4 and IPv6
All IPs

Authentication Tab
TLS
Mutual Auth TLS

Permission Tab
Anonymous users

I should change Authentication to TLS only on both send and receive and restart "Microsoft Exchange Transport"?
I turned off the mutual auth on both send and receive and restarted the service.
Emails to GMail
Received: from mail.domain.com (reverse DNS)
        by mx.google.com with ESMTPS id mp5si25669164pbc.3.1969.12.31.16.00.00
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Thu, 29 Aug 2013 11:09:04 -0700 (PDT)

Emails from GMail
Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
 (192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
 2013 11:07:44 -0700
Received: by mail-qc0-f174.google.com with SMTP id e10so429877qcy.5        for
 <administrator@cdomain.com>; Thu, 29 Aug 2013 11:09:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:reply-to:date:message-id:subject:from:to:content-type;

I see that sha256 in there... but I don't think that is TLS, correct?

Everything I read says this is automatic and should just work once the cert is applied to the SMTP service... are there logs somewhere that will say why it is not doing TLS?

If I send Exchange to Exchange I don't see anything TLS related.
Both of those headers show TLS was being used.

Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
 (192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
 2013 11:07:44 -0700


Received: from mail.domain.com (reverse DNS)
        by mx.google.com with ESMTPS id mp5si25669164pbc.3.1969.12.31.16.00.00
        (version=TLSv1 cipher=RC4-SHA bits=128/128);

The SHA256 is DKIM which is a signing antispam feature, similar to SPF records.

Simon.
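The distinction Simon draws here (the "(TLS)" tag in an Exchange Received line and the "with ESMTPS ... (version=TLSv1 cipher=RC4-SHA ...)" clause in a Gmail one both record transport encryption, while a=rsa-sha256 in DKIM-Signature is content signing and says nothing about the transport) is easy to get wrong when reading headers by eye. The script below is an added example for this thread, not code from either poster; it walks the Received chain of a message, reports which hops carry TLS evidence and which cipher they name, and separately reports what the DKIM signature covers. The two sample messages are constructed from the header shapes quoted in this thread, with placeholder addresses and signature values.

```python
"""Which Received hops used TLS, and why DKIM's sha256 is not TLS.

Added example for this thread, not code from the posters. The sample messages are
constructed from the header shapes quoted above; addresses and signature values
are placeholders.
"""
import re
from email import message_from_string

# Constructed: a reply from Gmail into Exchange 2010 (one TLS hop, one internal hop).
SAMPLE_INBOUND = """Received: from mail-qc0-f174.google.com (209.85.216.174) by mail.domain.com
 (192.168.0.21) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 29 Aug
 2013 11:07:44 -0700
Received: by mail-qc0-f174.google.com with SMTP id e10so429877qcy.5 for
 <administrator@domain.com>; Thu, 29 Aug 2013 11:09:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
Subject: reply from Gmail

(body)
"""

# Constructed: a message from Exchange delivered to Gmail over STARTTLS.
SAMPLE_OUTBOUND = """Received: from mail.domain.com (203.0.113.10)
 by mx.google.com with ESMTPS id mp5si25669164pbc.3.1969.12.31.16.00.00
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Thu, 29 Aug 2013 11:09:04 -0700 (PDT)
Subject: mail to Gmail

(body)
"""

EXCHANGE_TLS = re.compile(r"with Microsoft SMTP Server \(TLS\)")   # Exchange's marker
ESMTPS = re.compile(r"\bwith ESMTPS\b")                             # RFC 3848 "ESMTPS"
CIPHER_INFO = re.compile(
    r"version=(?P<version>[\w.]+)\s+cipher=(?P<cipher>[\w-]+)\s+bits=(?P<bits>\d+)")
WEAK_CIPHER = re.compile(r"RC4|NULL|EXPORT")   # RC4 is prohibited by RFC 7465


def received_hops(raw_message):
    """One dict per Received header, top (most recent) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        hop = {"text": text, "tls": False, "evidence": None,
               "version": None, "cipher": None, "weak_cipher": False}
        if EXCHANGE_TLS.search(text):
            hop["tls"], hop["evidence"] = True, "Exchange '(TLS)' tag"
        elif ESMTPS.search(text):
            hop["tls"], hop["evidence"] = True, "ESMTPS"
        m = CIPHER_INFO.search(text)
        if m:
            hop["version"], hop["cipher"] = m["version"], m["cipher"]
            hop["weak_cipher"] = bool(WEAK_CIPHER.search(m["cipher"]))
        hops.append(hop)
    return hops


def dkim_info(raw_message):
    """Tags from DKIM-Signature: a= is the signing algorithm (e.g. rsa-sha256),
    d= the signing domain. This authenticates message content; it records
    nothing about whether the SMTP session was encrypted."""
    sig = message_from_string(raw_message).get("DKIM-Signature")
    if not sig:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return {"algorithm": tags.get("a"), "domain": tags.get("d"),
            "selector": tags.get("s")}


def summary(raw_message):
    hops = received_hops(raw_message)
    return {"hops": len(hops),
            "tls_hops": sum(1 for h in hops if h["tls"]),
            "weak_ciphers": [h["cipher"] for h in hops if h["weak_cipher"]],
            "dkim": dkim_info(raw_message)}


if __name__ == "__main__":
    for name, sample in (("inbound", SAMPLE_INBOUND), ("outbound", SAMPLE_OUTBOUND)):
        print(name, summary(sample))
        for hop in received_hops(sample):
            print("  ", "TLS" if hop["tls"] else "plain", hop["evidence"], hop["cipher"])
```

Feed it a raw message saved from the mailbox (Outlook's message source, or an .eml file) and read the per-hop lines: only the hop that enters your own server tells you whether the server-to-server leg was encrypted, and a hop whose cipher is flagged weak is one worth reconfiguring even though it did use TLS.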
I sent an email from a non-TLS enabled host (old Exchange 2003 install with no certs) and it said TLS in the headers. I saw that TLS in there and thought it was TLS... but it seems that everything I get has TLS in the headers. I even checked the protocol logs and it never said STARTTLS in there. In fact the email from the Exchange 2003 server was behind an old PIX that still had fixup enabled on SMTP... so it was masking all but the most basic verbs.

I saw this on a site showing what email coming into Exchange looks like with TLS

Received: from mailgateway01 (1.2.3.4) by mailserver01.domain.com (1.2.3.5)
with Microsoft SMTP Server (TLS) id 8.1.263.0; Mon, 16 Mar 2009 18:05:18
-0400
Received: from mail.global.frontbridge.com ([65.55.88.22]) by mail.somedomain.com
([1.2.3.4]) with ESMTP (TREND IMSS SMTP Service 7.0; TLS:
TLSv1/SSLv3,128bits,AES128-SHA) id 06456c96000057da for <jdoe@microsoft.com>;
Mon, 16 Mar 2009 18:05:16 -0500

I never see any of the TLS/SSL/AES info in my headers on emails into any of my Exchange servers.

Thanks for confirming... I figured that SHA256 was like SPF.
Are you sure that the 2003 server sent direct to your Exchange 2010 server?
Just checking the headers of some senders where I know there is no TLS support, there is no TLS in the header at all.

Checking another header from a server that I know does TLS shows the headers as you have posted, with the (TLS) included.

Simon.
What is odd is I see emails from the same Exchange 2010 server with TLS and some without. A user on Outlook 2003 sends me emails, no TLS in the headers. I send from OWA and there is TLS. Does that make sense?
I cannot answer questions about Outlook 2003 behaviour. I haven't used that version for five years and never recommend to clients to allow it to be used with Exchange 2010.

Simon.
I'm not disagreeing! Sometimes they spend their money foolishly. :)

So is the long and short of this, if it says TLS in the headers at the top like I have sent over... that is TLS email and it was secure from server to server?
ASKER CERTIFIED SOLUTION: Simon Butler (Sembee)