Incoming TLS problems

Red_Nine asked:
I've got a bit of an odd problem with TLS email.

It works from some senders, but not others.

From one of the senders that's not working, I get EHLO, STARTTLS, STARTTLS, MAIL, RCPT then QUIT. No DATA. It just quits out.

The only NDR I've had sent to me showed a 4.4.2 error from Postfix. "Lost connection while sending MAIL FROM".  

Other servers use TLS with no issues, and a check of the received mail's headers shows that the session was over a secure channel, so TLS is presumably working correctly there. Outbound TLS seems unaffected (We have two SMTP connectors on each server - one with specified domains that supports TLS and one without for the rest.)

My workaround has been to disable TLS every few hours for a short while to let retried mails in without TLS - this is definitely NOT a preferred solution! :)

The thing that's odd - it's affecting two SMTP servers (both Exchange 2003) in different offices. I could accept one server having a bad day or two, but two at the same time?

And it was working normally until recently! :s

The certificates have been renewed (they weren't too far away from expiry anyway) and CheckTLS.com and MXToolbox.com don't flag any problems when TLS is enabled. They didn't show any problems beforehand, either. There have been no significant changes to either SMTP server. Certainly nothing that would affect SMTP and TLS.

Diagnostics Logging for Exchange Transport is on maximum, but gives me nothing about these problems.

Has anyone seen a similar problem to this? Is it possible it's an ISP issue? The one thing both servers have in common is they're both on the same ISP.

Any help or insight would be welcome.
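The verb sequence in the question (EHLO, STARTTLS, STARTTLS, MAIL, RCPT, QUIT with no DATA) is the kind of pattern that is easy to miss in a busy protocol log but easy to count once the log is grouped by session and client. The script below is an added example, not code from this thread or from Exchange: it parses a constructed, simplified per-verb log (timestamp, session id, client IP, direction, verb; this is an assumed layout, not the real Exchange 2003 SMTP log format) and reports sessions that negotiated STARTTLS, reached RCPT and then quit without DATA, noting when STARTTLS was issued twice in one session. Session ids, IPs and hostnames in the sample are made up.

```python
"""Flag SMTP sessions that negotiate STARTTLS and then abandon the
transaction before DATA. Added example; the log layout is assumed and
the sample below is constructed, not a real Exchange 2003 log."""
import re
from collections import defaultdict

# Constructed sample: "<timestamp> <session> <client-ip> <dir> <verb> [args]"
SAMPLE_LOG = """\
2013-05-01T10:00:01 s1 203.0.113.10 < EHLO mail.example.org
2013-05-01T10:00:01 s1 203.0.113.10 < STARTTLS
2013-05-01T10:00:02 s1 203.0.113.10 < STARTTLS
2013-05-01T10:00:02 s1 203.0.113.10 < MAIL FROM:<a@example.org>
2013-05-01T10:00:02 s1 203.0.113.10 < RCPT TO:<b@example.com>
2013-05-01T10:00:03 s1 203.0.113.10 < QUIT
2013-05-01T10:05:00 s2 198.51.100.7 < EHLO relay.example.net
2013-05-01T10:05:00 s2 198.51.100.7 < STARTTLS
2013-05-01T10:05:01 s2 198.51.100.7 < MAIL FROM:<c@example.net>
2013-05-01T10:05:01 s2 198.51.100.7 < RCPT TO:<b@example.com>
2013-05-01T10:05:01 s2 198.51.100.7 < DATA
2013-05-01T10:05:02 s2 198.51.100.7 < QUIT
2013-05-01T10:09:00 s3 192.0.2.44 < EHLO plain.example.com
2013-05-01T10:09:00 s3 192.0.2.44 < MAIL FROM:<d@example.com>
2013-05-01T10:09:01 s3 192.0.2.44 < RCPT TO:<b@example.com>
2013-05-01T10:09:01 s3 192.0.2.44 < QUIT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) [<>] (\S+)")


def parse_sessions(log_text):
    """Group verbs by session id, preserving order.
    Returns {session_id: {"client": ip, "verbs": [verb, ...]}}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        _ts, sid, ip, verb = m.groups()
        s = sessions.setdefault(sid, {"client": ip, "verbs": []})
        s["verbs"].append(verb.upper())
    return sessions


def classify(verbs):
    """Label one session by how far the transaction got and whether TLS was used."""
    tls = "STARTTLS" in verbs
    got_rcpt = "RCPT" in verbs
    got_data = "DATA" in verbs
    if got_rcpt and not got_data:
        return "tls-abandoned-after-rcpt" if tls else "plain-abandoned-after-rcpt"
    if got_data:
        return "tls-delivered" if tls else "plain-delivered"
    return "incomplete"


def suspicious_sessions(log_text):
    """Sessions matching the pattern in the question: STARTTLS, RCPT, then no DATA.
    RFC 3207 says a client must not issue STARTTLS while TLS is already active,
    so a repeated STARTTLS is flagged too; it may just be how the log records
    the handshake, so treat it as a hint rather than proof of a broken client."""
    out = []
    for sid, s in parse_sessions(log_text).items():
        if classify(s["verbs"]) == "tls-abandoned-after-rcpt":
            out.append({
                "session": sid,
                "client": s["client"],
                "double_starttls": s["verbs"].count("STARTTLS") > 1,
                "verbs": s["verbs"],
            })
    return out


def per_client_summary(log_text):
    """Outcome counts per client IP, so one sender failing repeatedly stands out."""
    summary = defaultdict(lambda: defaultdict(int))
    for s in parse_sessions(log_text).values():
        summary[s["client"]][classify(s["verbs"])] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


if __name__ == "__main__":
    for hit in suspicious_sessions(SAMPLE_LOG):
        print(hit)
    for ip, counts in per_client_summary(SAMPLE_LOG).items():
        print(ip, counts)
```

Run it against a real protocol log once the regular expression is adjusted to that log's field order; the per-client summary is what you would hand to the sending side's ISP, since it shows their host reaching RCPT over TLS and then dropping while other senders complete DATA on the same server.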

Most Valuable Expert 2014
TLS on Exchange 2003 was never very good, the problems you are seeing are not unusual.
Therefore an upgrade of Exchange would be your best option - it is a lot more reliable in the later versions of Exchange.

I have also seen problems with TLS caused by AV software, anti-spam and firewalls. It also doesn't help that each MTA developer has a different interpretation of the RFCs so SMTP is different on every server. The world has moved on and Exchange 2003 is based on technology that is over 12 years old, anything more modern will struggle to communicate.

Not the answer you are looking for, I know, but sometimes an upgrade is the only thing you can do. Exchange 2003 is EOL and well past its sell by date.



Not really what I wanted to hear, but thanks for your input.

The problem occurs with AV and the various layers of anti-spam turned off (in some cases with the SMTP sinks removed, too). :s

On the firewall, the first thing I suspected was ESMTP inspection, but the Cisco bods assure me this is not the case. If it was on, why would only some TLS mail be stopped and not all of it?

For "never very good" Exchange 2003 has done just fine for the 6+ years I've been using TLS on it. :)  I planned on retiring both boxes this year anyway, but unless the ISP come back with an admission of buggering up a router or two and a promise to fix them, it looks like it's sleeves up and Edge Server install time a bit earlier.

"It also doesn't help that each MTA developer has a different interpretation of the RFCs"

Standards; there's either too bloody many of them, or if there's only one, no two organisations actually follow it the same way.

The certificates that you renewed - are they rooting in the same anchor (root CA) as before, with the same thumbprint?
Only logging on the sender side could help you further diagnose the issue.
It might be a case that your new certs are signed by a different root CA that is not trusted by some senders.


The certs are from the same CA, with the same Root and Chain certs. I've checked the current chain and root certs against what I have installed and they're the same. The certificate console doesn't report any problems. The external test for TLS confidence at doesn't return any problems.

"renewed" is probably the wrong term - "revoked and started again from scratch with new requests" is more accurate.

I might try a whole new cert from another CA. Any recommendations?

"Only logging on the sender side could help you further diagnose the issue."

I've requested help from our ISP in case it's a transport thing (the problem seems to be regional with France and Germany affected most) and also from the ISP of the main offender. But as I'm not a customer of theirs, they're not really being helpful; if I call them, they just go down the first-line cheat sheet for client issues. An email has requested an escalation to the backroom boys and some log excerpts, but I'm not holding my breath. (And I did provide them with an alternate email address!! :) )

The thing that makes me weep - the emails from Experts Exchange telling me of replies...

...are TLS encrypted. "over TLS secured channel with Microsoft SMTPSVC". :s


Mail from the affected senders started coming in correctly after deploying an Edge Transport Server.

However, one of the affected senders has confirmed a known issue at their end, so it's not all Exchange 2003's fault.
