fais79
asked on
SMTP 587 TLS Encryption not working on Exchange 2013 CAS
Hello,
I have internet facing CAS servers with Mailbox servers on the backend. My users require connecting to the Exchange from externally via POP SSL or IMAP SSL for inbound and SMTP 587 TLS for Outbound emails.
Everything is working except when I enable TLS or SSL I get an error. If I use none for Encryption and use port 25 or 587 everything works fine.
SSL certificate is in place, a proof of which is POP SSL and IMAP SSL working fine.
Do I need to bind the SSL cert to the receive connector or something? If so, how?
Any advice?
ASKER
443? I don't think this is relevant here, is it? Anyway, OWA is working, which means the ISP is not blocking it.
Error:
The server does not support the connection encryption type you have specified...
Given your description the port is not relevant to your problem.
But just for the heck of it when you https to your OWA what port is used for this secure communication?
ASKER
443
If you run get-exchangecertificate, you should have a certificate bound to the "S" service - S for SMTP. You don't bind specific certificates to specific connectors.
If you telnet to the SMTP port and issue a ehlo, do you see StartTLS as one of the verbs?
Simon.
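The check Simon describes (connect to the submission port, send EHLO, look for STARTTLS among the advertised verbs) can be scripted so the result is recorded rather than eyeballed in a telnet session. The script below is an added example written for this thread, not code from the original posts or from Exchange. It parses telnet-style EHLO output (the two sample responses are constructed; the hostname CASSERVER1.domain.cm is taken from the asker's output, the client IP is a documentation address) and, when given a real host, performs the same EHLO/STARTTLS exchange and reports which certificate subject the server actually presented, which is the quickest way to tell whether the self-signed default certificate or the public one is bound to SMTP.

```python
import smtplib
import ssl
import sys

# Constructed sample of what telnet shows on port 587 when TLS is offered.
SAMPLE_EHLO_WITH_TLS = """220 CASSERVER1.domain.cm Microsoft ESMTP MAIL Service ready
250-CASSERVER1.domain.cm Hello [203.0.113.5]
250-SIZE 37748736
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN
250 OK
"""

# Constructed sample of the asker's situation: no STARTTLS verb at all.
SAMPLE_EHLO_WITHOUT_TLS = """220 CASSERVER1.domain.cm Microsoft ESMTP MAIL Service ready
250-CASSERVER1.domain.cm Hello [203.0.113.5]
250-SIZE 37748736
250-PIPELINING
250-AUTH LOGIN
250 OK
"""


def parse_ehlo_response(text):
    """Turn a raw SMTP session transcript into {EXTENSION: arguments}.

    Only '250-' / '250 ' continuation lines are capabilities; the 220 banner
    and the first 250 line (the server's own hostname) are skipped.
    """
    caps = {}
    seen_hostname_line = False
    for line in text.splitlines():
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the '250-' or '250 ' prefix
        if not seen_hostname_line:
            seen_hostname_line = True
            continue
        keyword, _, args = body.partition(" ")
        caps[keyword.upper()] = args
    return caps


def starttls_advertised(text):
    """True if the parsed EHLO response lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_response(text)


def check_submission_starttls(host, port=587, timeout=10):
    """Live check: EHLO the server, upgrade with STARTTLS if offered, and
    return what happened plus the certificate subject the server presented.

    A default (verifying) SSL context is used on purpose: if the server hands
    out the self-signed Exchange certificate instead of the public one, the
    handshake fails with a verification error, which is the finding you want.
    """
    result = {"host": host, "port": port, "starttls": False,
              "cert_subject": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                result["error"] = "EHLO rejected: %d %s" % (
                    code, msg.decode("ascii", errors="replace"))
                return result
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS on this port"
                return result
            result["starttls"] = True
            smtp.starttls(context=ssl.create_default_context())
            cert = smtp.sock.getpeercert()
            result["cert_subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except (OSError, smtplib.SMTPException, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Usage: python check_starttls.py mail.example.com [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "CASSERVER1.domain.cm"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    print(check_submission_starttls(target, target_port))
```

Run it from the CAS server itself first (as Simon asked) and then from outside: if the local run shows STARTTLS and the external one does not, something between the client and the server is stripping or blocking the verb; if neither shows it, the problem is on the connector.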
ASKER
Hi Simon,
When I do telnet I do not see Start TLS, however the certificate is assigned correctly as you can see below.
I'm lost.

Identity                               Bindings                      Enabled
--------                               --------                      -------
CASSERVER1\Client Frontend CASSERVER1  {[::]:587, 0.0.0.0:587}       True

Get-Exchangecertificate -server CASSERVER1
F1F96AC1668FF0728A2C18D672C5AE0CD5CB882A ...WS.. CN=*.domain.cm, O=FCT, L=London, S=London, C=UK, SERIALNUMB
If you aren't seeing StartTLS then that is why you aren't getting the connection.
Was that a test on the server itself, as it can sometimes mean interference, or something blocking the SMTP traffic.
Simon.
ASKER
Yes, I did that test locally on the server itself.
Do you have just the one SSL certificate on the server, or multiple?
Exchange will create a certificate when it is installed, which becomes the default SMTP certificate. That should be left in place. If you have removed it, then run new-exchangecertificate (no switches) and accept the prompt to set it as the default SMTP certificate. Then restart Exchange Transport service and test again.
Simon.
ASKER
Hi Simon,
The default certificate is still there and assigned to SMTP.
Any other advice?
Is it possible that your firewall or ISP or something else is blocking ports 443 etc.?