[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2251
  • Last Modified:

SMTP 587 TLS Encryption not working on Exchange 2013 CAS

Hello,

I have internet facing CAS servers with Mailbox servers on the backend.  My users require connecting to the Exchange from externally via POP SSL or IMAP SSL for inbound and SMTP 587 TLS for Outbound emails.

Everything is working except when I enable TLS or SSL I get an error.  If I use none for Encryption and use port 25 or 587 everything works fine.

SSL certificate is in place, a proof of which is POP SSL and IMAP SSL working fine.

Do I need to bind the SSL cert to the receive connector or something?? If so, how?

Any advise?
0
fais79
Asked:
fais79
  • 5
  • 4
  • 2
1 Solution
 
insidetechCommented:
What kind of error do you get?
Is it possible that your firewall or ISP or something else is blocking ports 443 etc.
0
 
fais79Author Commented:
443?  I don't think this is relevant here is it? Any way OWA is working which means ISP is not blocking it.

Error:
The server does not support the connection encryption type you have specified...
0
 
insidetechCommented:
Given your description the port is not relevant to your problem.
But just for the heck of it when you https to your OWA what port is used for this secure communication?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
fais79Author Commented:
443
0
 
Simon Butler (Sembee)ConsultantCommented:
If you run get-exchangecertificate, you should have a certificate bound to the "S" service - S for SMTP. You don't bind specific certificates to specific connectors.

If you telnet to the SMTP port and issue a ehlo, do you see StartTLS as one of the verbs?

Simon.
0
 
fais79Author Commented:
Hi Simon,

When I do telnet I do not see Start TLS, however the certificate is assigned correctly as you can see below..  

I'm lost..


Identity                                                              Bindings                               Enabled
--------                                                                 --------                                  -------
CASSERVER1\Client Frontend    CASSERVER1      {[::]:587, 0.0.0.0:587}               True


Get-Exchangecertificate -server CASSERVER1


F1F96AC1668FF0728A2C18D672C5AE0CD5CB882A  ...WS..    CN=*.domain.cm, O=FCT, L=London, S=London, C=UK, SERIALNUMB
0
 
Simon Butler (Sembee)ConsultantCommented:
If you aren't seeing StartTLS then that is why you aren't getting the connection.
Was that a test on the server itself, as it can sometimes mean interference, or something blocking the SMTP traffic.

Simon.
0
 
fais79Author Commented:
Yes, I did that test locally on the server itself..
0
 
Simon Butler (Sembee)ConsultantCommented:
Do you have just the one SSL certificate on the server, or multiple?
Exchange will create a certificate when it is installed, which becomes the default SMTP certificate. That should be left in place. If you have removed it, then run new-exchangecertificate (no switches) and accept the prompt to set it as the default SMTP certificate. Then restart Exchange Transport service and test again.

Simon.
0
 
fais79Author Commented:
Hi Simon,

The default certificate is still there and assigned to SMTP.

Any other advise??
0
 
Simon Butler (Sembee)ConsultantCommented:
Is TLS enabled on the Receive Connector? There is a problem with the connector configuration somewhere, which is why you aren't seeing StartTLS on the verbs.

Simon.
0

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

  • 5
  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now