E-mail error when receiving mail from customer

Hi,

We have a customer who is having problems getting an email through to us.  We have an Exchange 2003 Server which is running on a Server 2003 box; both are fully service packed.   We run GFI MailEssentials for our spam filtering, in which I have whitelisted the customer's domain name and sending mail servers' IP addresses.   We are only having problems with this one new customer, who keeps having mail bounced back to them with a 4.4.2 error as per below, which is the error message they have sent to us via an alternative email address.

"Message delivery completed to the 212.35.253.xxx host with encryption setting of TLS based opportunistic TLS for recipient "me@mycompany.com".  The 212.35.253.xxx destination host returned delivery information of 442 lost connection with "my.emailserver" 212.35.253.xxx while sending mail from anddelivery status delayed."

Their mail is being relayed via Websense-Email-Security-Gateway.

They believe the fault lies with our server but I can't get to the bottom of what is causing this problem.... help please!

Cheers

Andy
asatchwellAsked:
KimputerCommented:
Did you set up TLS on your Exchange 2003 server? This is not on by default, so you should know if you configured it or not.
If you did not, you can either:

a. Ask the other side not to send email through their TLS enabled connector
b. Configure your server to accept their TLS connection.
0
asatchwellAuthor Commented:
Yes, we have TLS set up, but we do not have a routing group connector set up for this domain as they are a new customer. I guess once I have set this up they will be able to send us mail.
0
Simon Butler (Sembee)ConsultantCommented:
Routing Group Connectors have nothing to do with external email delivery. They are for routing groups, which is Exchange internal only.

On Exchange 2003 TLS is either ON or OFF, it doesn't do opportunist TLS. If you want that you need to upgrade to something more modern. Although this should be done by your Websense gateway, and that is where I would be pointing the finger. Either that or something is scanning SMTP traffic which shouldn't be - firewall for example.

Simon.
0
asatchwellAuthor Commented:
Routing groups can be used to deliver mail to external domains using specified IP addresses, so they can be used for external mail delivery.

We are not using Websense; it is the company trying to deliver mail to us that uses Websense, and our firewall is not scanning SMTP traffic.  We only have this problem with one company, on a mail server setup that has been in place for some time.

TLS is set up on my server and always has been; it has been checked on the http://www.checktls.com website.  The only slight problem I can see is that there is a certificate mismatch: the Cert Hostname DOES NOT VERIFY (starck.sirius-xxxxxxl.xxx != Sirius-xxxxx.xxx)
So email is encrypted but the host is not verified.
0
Simon Butler (Sembee)ConsultantCommented:
You are wrong.
Routing Group Connectors have nothing to do with external email delivery.
SMTP Connectors which can be restricted to specific routing groups or global.

If you are using TLS, then you must have two SMTP virtual servers because Exchange 2003 doesn't do opportunist TLS. You must also be using either an alternative port or alternative host name for TLS, for the same reasons.

If you think otherwise then you are being very very lucky with email delivery, and all your email is coming from sites that support TLS.

SMTP Communication is always best effort, their server is expecting something that your server is not capable of. Exchange 2003 cannot do opportunist TLS. Ask them if they can configure their server to always send email over TLS and give them the alternative port/host name.

The certificate mismatch may be the cause of the problem - it depends on how strict the sending server is on the certificate name matching. That differs.

Simon.
0

asatchwellAuthor Commented:
OK, that being the case, how do I set up my 2003 Exchange server to accept email from a server that insists on TLS for mail between our companies?

We can send them mail no problem; I just need to be able to receive mail from them.

Thanks

Andy
0
Simon Butler (Sembee)ConsultantCommented:
I have already answered that.
You need an additional SMTP virtual server, with a separate host name or port, and the other side needs to know which it is.
If you upgraded to something more modern then it can all be done on the same host name with the additional steps.

Simon.
0
asatchwellAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for asatchwell's comment #a39524150

for the following reason:

blah
0
Simon Butler (Sembee)ConsultantCommented:
Why do you want this question closed? "Blah" isn't an acceptable reason.
0
asatchwellAuthor Commented:
I want to close this question because no expert has come up with a solution to my question, company X still can't get email through to us and I'm no closer to a solution and frankly I'm not sure why I pay my subs.
0
asatchwellAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for asatchwell's comment #a39535715

for the following reason:

Poor with no reference to the question
0
Simon Butler (Sembee)ConsultantCommented:
I disagree.

You have posted an error about the remote site trying to opportunist TLS. Exchange 2003 doesn't support opportunist TLS, so you have to use another method if you want to use TLS, which I have also outlined to you.

Simon.
0