Solved

SMTP 587 TLS Encryption not working on Exchange 2013 CAS

Posted on 2014-03-10
11
1,782 Views
Last Modified: 2014-08-03
Hello,

I have internet-facing CAS servers with Mailbox servers on the backend.  My users need to connect to Exchange externally via POP SSL or IMAP SSL for inbound and SMTP 587 TLS for outbound email.

Everything is working except when I enable TLS or SSL I get an error.  If I use none for Encryption and use port 25 or 587 everything works fine.

SSL certificate is in place, a proof of which is POP SSL and IMAP SSL working fine.

Do I need to bind the SSL cert to the receive connector or something?? If so, how?

Any advice?
Question by:fais79
11 Comments
 
LVL 6

Expert Comment

by:insidetech
ID: 39919745
What kind of error do you get?
Is it possible that your firewall or ISP or something else is blocking ports 443 etc.
0
 

Author Comment

by:fais79
ID: 39919753
443?  I don't think this is relevant here, is it? Anyway, OWA is working, which means the ISP is not blocking it.

Error:
The server does not support the connection encryption type you have specified...
0
 
LVL 6

Expert Comment

by:insidetech
ID: 39919765
Given your description the port is not relevant to your problem.
But just for the heck of it when you https to your OWA what port is used for this secure communication?
0
 

Author Comment

by:fais79
ID: 39919791
443
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39920129
If you run get-exchangecertificate, you should have a certificate bound to the "S" service - S for SMTP. You don't bind specific certificates to specific connectors.

If you telnet to the SMTP port and issue a ehlo, do you see StartTLS as one of the verbs?

Simon.
0
 

Author Comment

by:fais79
ID: 39921483
Hi Simon,

When I do telnet I do not see StartTLS; however, the certificate is assigned correctly, as you can see below.

I'm lost...


Identity                                 Bindings                   Enabled
--------                                 --------                   -------
CASSERVER1\Client Frontend CASSERVER1    {[::]:587, 0.0.0.0:587}    True

Get-ExchangeCertificate -Server CASSERVER1

Thumbprint                                Services   Subject
----------                                --------   -------
F1F96AC1668FF0728A2C18D672C5AE0CD5CB882A  ...WS..    CN=*.domain.cm, O=FCT, L=London, S=London, C=UK, SERIALNUMB
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39922139
If you aren't seeing StartTLS then that is why you aren't getting the connection.
Was that a test on the server itself? It can sometimes mean interference, or something blocking the SMTP traffic.

Simon.
0
 

Author Comment

by:fais79
ID: 39923526
Yes, I did that test locally on the server itself.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39923625
Do you have just the one SSL certificate on the server, or multiple?
Exchange will create a certificate when it is installed, which becomes the default SMTP certificate. That should be left in place. If you have removed it, then run new-exchangecertificate (no switches) and accept the prompt to set it as the default SMTP certificate. Then restart Exchange Transport service and test again.

Simon.
0
 

Author Comment

by:fais79
ID: 39923856
Hi Simon,

The default certificate is still there and assigned to SMTP.

Any other advice?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39924430
Is TLS enabled on the Receive Connector? There is a problem with the connector configuration somewhere, which is why you aren't seeing StartTLS on the verbs.

Simon.
0
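The checks Simon asks for in this thread (a certificate enabled for the SMTP service, STARTTLS in the EHLO verbs, and TLS enabled on the Receive Connector) can be run together from the Exchange Management Shell. The script below is an added example, not code from the thread or from Exchange; the server and connector names are placeholders taken from the question, and probe.example.test is a made-up EHLO name.

```powershell
# Added diagnostic for the STARTTLS-missing symptom on an Exchange 2013 CAS.
# Run inside the Exchange Management Shell, saved as a .ps1 file.
# Assumptions: server/connector names are placeholders from the thread;
# 'probe.example.test' is a constructed EHLO argument.
param(
    [string]$Server    = 'CASSERVER1',
    [string]$Connector = 'CASSERVER1\Client Frontend CASSERVER1',
    [int]$Port         = 587
)

# Read one SMTP reply; a reply may span several "250-" continuation lines
# and ends with a line whose 4th character is a space ("250 ").
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }           # connection closed early
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

# Connect in the clear, send EHLO and QUIT, and report whether STARTTLS
# is among the advertised verbs (this is the telnet test, automated).
function Test-StartTlsAdvertised {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply -Reader $reader  # 220 greeting
        $writer.WriteLine('EHLO probe.example.test')
        $ehlo = Read-SmtpReply -Reader $reader
        $writer.WriteLine('QUIT')

        return [pscustomobject]@{
            Banner   = ($banner -join ' ')
            Verbs    = $ehlo
            StartTls = [bool]($ehlo -match '^250[- ]STARTTLS')
        }
    }
    finally { $client.Close() }
}

# 1. Connector: STARTTLS is only offered when AuthMechanism contains Tls.
$rc = Get-ReceiveConnector -Identity $Connector
$tlsOnConnector = $rc.AuthMechanism.ToString() -match '\bTls\b'
"Connector      : $($rc.Identity)"
"Bindings       : $($rc.Bindings -join ', ')"
"AuthMechanism  : $($rc.AuthMechanism)  (TLS offered: $tlsOnConnector)"

# 2. Certificate: at least one valid certificate must have the SMTP service.
$smtpCerts = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'SMTP' -and $_.Status -eq 'Valid' }
"SMTP certs     : $(($smtpCerts | ForEach-Object { $_.Thumbprint }) -join ', ')"

# 3. Wire check: what the connector actually advertises on the port.
$probe = Test-StartTlsAdvertised -HostName $Server -Port $Port
"Banner         : $($probe.Banner)"
"EHLO verbs     : $($probe.Verbs -join ' | ')"
"STARTTLS shown : $($probe.StartTls)"

if (-not $tlsOnConnector) {
    'Fix: add Tls to the connector AuthMechanism and restart the front-end transport, e.g.'
    "  Set-ReceiveConnector -Identity '$Connector' -AuthMechanism Tls,Integrated,BasicAuth,BasicAuthRequireTLS"
    '  Restart-Service MSExchangeFrontEndTransport'
}
```

Run it on the CAS first, as the thread suggests, so that a missing STARTTLS verb can be attributed to the connector or certificate rather than to a device in the path; if the connector reports TLS and a valid SMTP certificate but the wire check still shows no STARTTLS, repeat the probe from an external host to separate server configuration from network interference.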
