Exchange 2010 best practice for receive connectors to avoid STARTTLS errors
Posted on 2014-08-29
We're receiving the usual MSExchangeTransport 12014 error on our new Exchange 2010 box. It's a single box and still talking to our old Exchange 2007 while we wrap up the migration.
No edge server or device. We send all email out to a single mail server (offsite) that handles anti-spam for us; they also send back in on the same range of IP addresses and we have our hardware firewall set to only allow SMTP in from that range.
Our internal domain is domain.local, for sake of this discussion.
Our best practice has always been to leave the DEFAULT receive connector alone, with the exception of taking out 0.0.0.0-255.255.255.255 from the network and just specifying our local subnet (192.168.0.x) in here. We understand the DEFAULT connector is for Exchange servers to talk to each other. We do not touch the FQDN here as this appears to be a no-no and will break Exchange servers from talking to each other.
We then set up a second receive connector which we'll call "Receive from Internet". In here we set the network to be 0.0.0.0-22.214.171.124 and 126.96.36.199-255.255.255.255. We set proper authentication and security and DO set the correct external FQDN here (mail.domain.com.)
We receive the 12014 STARTTLS error on the default receive connector, and presumably this is only while the old 2007 box is still around.
I couldn't find a good article explaining how Exchange 2007 and 2010 talk to each other in this situation, so I wasn't comfortable unchecking TLS or any other authentication methods on the box.
Any suggestions? Thanks.
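Before touching TLS or authentication on the connectors, the first thing to check is whether the FQDN each receive connector advertises is actually covered by a certificate that Exchange has enabled for the SMTP service: event 12014 means Exchange could not find such a certificate in the local computer's personal store for that name. The script below is an added diagnostic example, not code from the original post, and it assumes it is run from the Exchange Management Shell on the 2010 server itself (the `$server` value is a placeholder for that box). It lists every receive connector, its FQDN, remote IP ranges and auth mechanisms, and reports which SMTP-enabled, unexpired certificate (if any) matches the FQDN, so you can see whether the DEFAULT connector's server FQDN or the Internet connector's mail.domain.com is the one without a matching certificate.

```powershell
# Added diagnostic example (not from the original post). Assumes the Exchange
# Management Shell on the Exchange 2010 server; $server is a placeholder.
$server = $env:COMPUTERNAME

# Certificates Exchange may use for SMTP TLS: SMTP service enabled and not expired.
$smtpCerts = Get-ExchangeCertificate -Server $server |
    Where-Object { ($_.Services -match 'SMTP') -and ($_.NotAfter -gt (Get-Date)) }

# Return the thumbprint of the first certificate whose CertificateDomains
# covers $Fqdn (exact name, or a single-label wildcard such as *.domain.com),
# or $null when nothing covers it (the condition that produces event 12014).
function Test-FqdnCovered {
    param([string]$Fqdn, $Certificates)
    foreach ($cert in $Certificates) {
        foreach ($domain in $cert.CertificateDomains) {
            if ($domain -ieq $Fqdn) { return $cert.Thumbprint }
            if ($domain.StartsWith('*.') -and
                ($Fqdn -ilike ('*' + $domain.Substring(1))) -and
                ($Fqdn.Split('.').Count -eq $domain.Split('.').Count)) {
                return $cert.Thumbprint
            }
        }
    }
    return $null
}

Get-ReceiveConnector -Server $server | ForEach-Object {
    $fqdn  = [string]$_.Fqdn
    $thumb = Test-FqdnCovered -Fqdn $fqdn -Certificates $smtpCerts
    $status = 'NONE - expect event 12014 for this FQDN'
    if ($thumb) { $status = $thumb }
    New-Object PSObject -Property @{
        Connector      = $_.Identity
        Fqdn           = $fqdn
        RemoteIPRanges = ($_.RemoteIPRanges -join ', ')
        AuthMechanism  = [string]$_.AuthMechanism
        TlsCertificate = $status
    }
} | Format-Table Connector, Fqdn, RemoteIPRanges, AuthMechanism, TlsCertificate -AutoSize
```

If the DEFAULT connector's row shows no certificate, the fix is to give Exchange a certificate covering that server FQDN (or to enable the SMTP service on one that already does) rather than removing TLS from the connector; the internal-to-internal path between the 2007 and 2010 servers still benefits from TLS, and dropping it is a weaker posture than supplying the right certificate.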