Exchange 2013 CU6: external incoming mail domains get a message like "TLS is not an option on this server"

Hello Experts,

External domains are getting a message like "TLS is not an option on this server". If I check on the Exchange 2013 server, TLS is enabled on the send and receive connectors.
Manoj Bojewar Asked:
 
Guy Lidbetter Commented:
Your Exchange is not the problem... It's the Cyberoam appliance that needs to be configured for TLS connectivity.

I found this article http://docs.cyberoam.com/default.asp?id=757&SID=

Here's what it has to say about TLS:

3. Secure Connection over SMTP Mail Notification

With more and more people using the Internet for socializing, personal and professional use, the information shared via Email may not always be secured. Information within Email can be intercepted and/or altered if not encrypted. Privacy and security of confidential and sensitive information has therefore been a growing concern.

A security protocol, Transport Layer Security (TLS) secures the information sent via Email by encrypting Email communication and thereby providing privacy and integrity between SMTP Client and a SMTP Server. Cyberoam supports TLS protocol to provide security over SMTP Mail Notification. With TLS protocol for connection security, Cyberoam automatically encrypts all the Email communications, ensuring the confidentiality for SMTP Mail Notification and hampering the risk of eaves-dropping, interception and alteration.

Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard. The “Connection Security” attribute can be configured with one of the following options:

· None – Should be selected if TLS protocol is not supported by mail servers and a normal TCP connection must be established without any security.

· STARTTLS – If the server supports STARTTLS, the connection is upgraded to TLS else continues as a TCP connection without any security.

· SSL/TLS – Should be selected to establish a secured TCP connection using TLS protocol.

By default, option “None” is configured for parameter Connection Security.

Cyberoam uses certificates to encrypt the data sent over a TLS supported TCP connection. An Administrator can choose to use a default certificate or select a custom certificate.  

By default, “ApplianceCertificate” is used for data encryption for secured TCP connection.

On Factory Reset, the “Connection Security” and “Certificate” parameters are set to their default values i.e. “None” and “Select Certificate” respectively.

Prior to this version, a normal TCP connection was used for communication between the SMTP Client and a SMTP Server for SMTP Mail Notification.

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.
0
 
Guy Lidbetter Commented:
Can you provide the full NDR? Are you using a Smart Host or security appliance at all?

If you telnet the Exchange server on port 25... after the 220 Banner type "EHLO" and make sure 250-STARTTLS is listed.
0
 
Manoj Bojewar (Author) Commented:
If I telnet to my server internally, I am getting 250 STARTTLS:

220 HOCAS001.domain.com Microsoft ESMTP MAIL Service ready at Thu, 9 Apr 2015 15:18:15 +0530
ehlo
250-HOCAS001.domain.com Hello [127.0.0.1]
250-SIZE 26214400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST

I don't have the NDR, but if I test TLS from a third-party tool it's showing fail. I am using Cyberoam for incoming and outgoing mail.
0
 
Simon Butler (Sembee), Consultant, Commented:
First - CU6 is no longer supported. To remain supported you need to be on the current CU (8 at the moment) or the previous one (CU7).

If you have Cyberoam in front of the Exchange server then you need to check whether that is doing the TLS, not Exchange. An external telnet test should confirm what is answering the SMTP traffic.

If it is the Cyberoam then you will need to look at its configuration, changing Exchange isn't going to help.

Simon.
0
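Added example, not part of any post in this thread: the comparison Simon suggests between an external telnet test and the internal one, written as a small Python parser for the banner and EHLO reply. The internal capture is abridged from Manoj's post; the external capture and its host name gateway.example.test are constructed for illustration.

```python
import re

# Internal capture is abridged from the thread; the external one is constructed.
INTERNAL = """\
220 HOCAS001.domain.com Microsoft ESMTP MAIL Service ready at Thu, 9 Apr 2015 15:18:15 +0530
ehlo
250-HOCAS001.domain.com Hello [127.0.0.1]
250-SIZE 26214400
250-PIPELINING
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250 XRDST"""
EXTERNAL_CONSTRUCTED = """\
220 gateway.example.test ESMTP ready
ehlo
250-gateway.example.test Hello
250-SIZE 26214400
250 8BITMIME"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_session(text):
    """Return (banner_host, extension keywords) from a banner + EHLO capture."""
    banner_host, lines_250 = None, []
    for raw in text.splitlines():
        m = REPLY.match(raw.strip())
        if not m:
            continue  # typed commands such as "ehlo" are not server replies
        code, sep, rest = m.groups()
        if code == "220" and banner_host is None and rest:
            banner_host = rest.split()[0].lower()
        elif code == "250":
            lines_250.append(rest)
            if sep == " ":
                break  # a space after the code marks the last line of the reply
    # The first 250 line is the greeting; the remaining lines are extensions.
    exts = {l.split()[0].upper() for l in lines_250[1:] if l.strip()}
    return banner_host, exts

def compare(internal, external):
    """Describe where STARTTLS is lost between the inside and outside views."""
    in_host, in_exts = parse_session(internal)
    out_host, out_exts = parse_session(external)
    if "STARTTLS" in out_exts:
        return "STARTTLS is offered externally"
    if "STARTTLS" in in_exts:
        who = "a different responder" if in_host != out_host else "the same host"
        return f"STARTTLS offered internally but not externally ({who}: {out_host})"
    return "STARTTLS is not offered on either path"
```

A different banner host on the external capture means a device in front of Exchange is answering SMTP; the same banner with STARTTLS missing means the EHLO reply is being altered on the way out.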
 
Manoj Bojewar (Author) Commented:
I appreciate your quick support. Could you please tell me what I need to change in Cyberoam to allow TLS?
0
 
Guy Lidbetter Commented:
Hi Manoj,

It's a pleasure to help...

The above states:
Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard.
..........

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.

Do you have access to the appliance web interface?
0
 
Manoj Bojewar (Author) Commented:
I changed the setting in Cyberoam to enable STARTTLS and applied the default appliance certificate, but I am still getting the same error.
mxtool.png
0
Question has a verified solution.
