TLS email to partner failing

Hi, I have an SBS2008 single server with Exchange 2007 and am trying to send secure TLS email to a partner domain.
Both domains have certificates from GoDaddy. After sending a message it sits in the queue until it fails.
Looking in the send connector logs I can see that after the certificates get exchanged and the message is being sent I get the error below.


492,sending message
2013-09-28T00:00:39.225Z,TLS Domains,08D089F435CE61B1,42,192.168.1.10:50650,222.222.22.222:25,>,MAIL FROM:<steve@mydomain.org.uk> SIZE=3781,
2013-09-28T00:00:39.225Z,TLS Domains,08D089F435CE61B1,43,192.168.1.10:50650,222.222.22.222:25,>,"RCPT TO:<john@otherdomain.com> NOTIFY=SUCCESS,FAILURE,DELAY",
2013-09-28T00:00:44.263Z,TLS Domains,08D089F435CE61B1,44,192.168.1.10:50650,222.222.22.222:25,<,451 4.7.3 The admin has temporarily disallowed this secure domain,
2013-09-28T00:00:49.271Z,TLS Domains,08D089F435CE61B1,45,192.168.1.10:50650,222.222.22.222:25,<,503 5.5.2 Need mail command,

I must have made a configuration error in the connectors, but cannot see where.

Thanks
Stev0W (IT Contractor) asked:

Chris commented:
First things to check are:
- make sure the certificate is bound to the SMTP service
- check the send connectors and make sure they are configured with the name covered in the cert
- check that TLS does work; you can use something like this site to test it: http://www.checktls.com/

You can start off with opportunistic TLS to see if it goes before enforcing.
0

Stev0W (IT Contractor, author) commented:
Hi irweazelwallis, Thanks for the reply.

mail.mydomain.org.uk is a subject alternative name on the UCC certificate.


Here is the result of checktls.com

Trying TLS on mail.mydomain.org.uk[222.222.222.222] (10):

seconds

test stage and result

[000.117]  Connected to server  
[000.231] <-- 220 remote.mydomain.org.uk Microsoft ESMTP MAIL Service ready at Sun, 29 Sep 2013 21:02:55 +0100  
[000.237]  We are allowed to connect  
[000.238] --> EHLO checktls.com  
[000.354] <-- 250-remote.mydomain.org.uk Hello [69.61.187.232]
250-SIZE 41943040
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING  
[000.355]  We can use this server  
[000.868]  TLS is an option on this server  
[000.869] --> STARTTLS  
[000.977] <-- 220 2.0.0 SMTP server ready  
[000.977]  STARTTLS command works on this server  
[001.563]  Cipher in use: AES128-SHA  
[001.563]  Connection converted to SSL  
[001.601]  Certificate 1 of 3 in chain:
subject= /O=remote.mydomain.org.uk/OU=Domain Control Validated/CN=remote.mydomain.org.uk
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification
 
All looks good, but when I create the send connector with the partner's domain, add them to the TLSSendDomainSecureList and enable it, I get the result in the first post.
I am going to delete the send and receive connectors I have set up for TLS and try to configure them again later today. Will let you know how it goes. Any tips would be welcome.
0
Chris commented:
When you re-create it, post up the settings on the connector's security and authentication tab.
0
Stev0W (IT Contractor, author) commented:
Hi irweazelwallis,
Here are the tabs on the receive connector.

[attachment: Receive-connector-Authentication]
[attachment: Permissions-Groups]
I am about to restart the transport service, but will wait for your comments first.
0
Jozef Woo (System Engineer) commented:
Was this the real solution for this problem?
0
Stev0W (IT Contractor, author) commented:
It turned out that after the partner (a bank) had said they had enforced TLS and were adamant they had, a Microsoft engineer confirmed they hadn't. I switched back to opportunistic and the mail started flowing again.
1
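As an added example (not code from the thread or from Microsoft), the Exchange Management Shell commands below work through Chris's checklist (certificate bound to SMTP and covering the connector name, Domain Security state of the connector) and end with the fallback to opportunistic TLS that Stev0W reported as the fix. The connector name "TLS Domains" is taken from the send connector log and otherdomain.com is the placeholder partner domain from the first post.

```powershell
# Added example for an SBS 2008 / Exchange 2007 server; placeholders below.
$connectorName = 'TLS Domains'      # name seen in the protocol log
$partnerDomain = 'otherdomain.com'  # placeholder partner domain from the post

$connector = Get-SendConnector -Identity $connectorName
# An empty Fqdn on the connector means Exchange presents the server's own FQDN.
$fqdn = [string]$connector.Fqdn
if (-not $fqdn) { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }

# 1. A certificate enabled for the SMTP service must list the name the
#    connector presents; the log shows certificates being exchanged, so
#    prove that the right one is in play rather than assuming it.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' }
$covering  = $smtpCerts | Where-Object {
    ($_.CertificateDomains | ForEach-Object { [string]$_ }) -contains $fqdn
}
if ($covering) {
    $covering | Format-List Thumbprint, Subject, CertificateDomains, NotAfter
} else {
    Write-Warning "No SMTP-enabled certificate lists '$fqdn'; enforced TLS will fail."
}

# 2. Enforced (mutual) TLS needs both the connector flag and the transport-wide
#    send list; opportunistic TLS needs neither. Report the current state.
$connector | Format-List Name, Fqdn, DomainSecureEnabled, AddressSpaces, SmartHosts
$sendList = Get-TransportConfig |
    Select-Object -ExpandProperty TLSSendDomainSecureList |
    ForEach-Object { [string]$_ }
$enforced = $connector.DomainSecureEnabled -and ($sendList -contains $partnerDomain)
"Domain Security enforced towards ${partnerDomain}: $enforced"

# 3. Fallback from the thread: the partner answered MAIL FROM with
#    '451 4.7.3 The admin has temporarily disallowed this secure domain', and it
#    turned out they were not enforcing TLS. Until the partner confirms their
#    side, return this connector to opportunistic TLS (STARTTLS is still used
#    whenever the remote server offers it, as the checktls output shows).
Set-SendConnector -Identity $connectorName -DomainSecureEnabled $false
Set-TransportConfig -TLSSendDomainSecureList @{ Remove = $partnerDomain }
```

Run steps 1 and 2 first; apply step 3 only after confirming the partner is not running Domain Security on their side, since it downgrades the connector from enforced to opportunistic encryption.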