Exchange 2013 CU6: external incoming mail gets a message like "TLS is not an option on this server"

Hello Experts,

External domains are getting a message like "TLS is not an option on this server". If I check on the Exchange 2013 server, TLS is enabled on the send and receive connectors.
Manoj Bojewar Asked:

Guy Lidbetter Commented:
Can you provide the full NDR? Are you using a Smart Host or security appliance at all?

If you telnet the Exchange server on port 25... after the 220 Banner type "EHLO" and make sure 250-STARTTLS is listed.
0
Manoj Bojewar (Author) Commented:
If I telnet my server internally, I am getting 250 STARTTLS:

220 HOCAS001.domain.com Microsoft ESMTP MAIL Service ready at Thu, 9 Apr 2015 15:18:15 +0530
ehlo
250-HOCAS001.domain.com Hello [127.0.0.1]
250-SIZE 26214400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST

I don't have the NDR, but if I test TLS from a third-party tool it shows a failure. I am using Cyberoam for incoming and outgoing mail.
0
Simon Butler (Sembee), Consultant, Commented:
First - CU6 is no longer supported. To remain supported you need to be on the current CU (8 at the moment) or the previous one (CU7).

If you have Cyberoam in front of the Exchange server then you need to check whether that is doing the TLS, not Exchange. An external telnet test should confirm what is answering the SMTP traffic.

If it is the Cyberoam then you will need to look at its configuration, changing Exchange isn't going to help.

Simon.
0
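The internal-versus-external comparison suggested in the answers above, as an added example that is not part of the original thread: it parses an EHLO reply and reports whether the outside view is answered by a different host and lacks STARTTLS. The function names, the `probe.example.test` EHLO name and `EXTERNAL_SAMPLE` are assumptions constructed for illustration; `INTERNAL` is the reply posted in the thread.

```python
import socket

# EHLO reply copied from the thread (internal test against Exchange).
INTERNAL = ["250-HOCAS001.domain.com Hello [127.0.0.1]", "250-SIZE 26214400",
            "250-PIPELINING", "250-DSN", "250-ENHANCEDSTATUSCODES", "250-STARTTLS",
            "250-X-ANONYMOUSTLS", "250-AUTH NTLM", "250-X-EXPS GSSAPI NTLM",
            "250-8BITMIME", "250-BINARYMIME", "250-CHUNKING", "250 XRDST"]
# Constructed sample: what an outside client might see when a gateway in
# front of Exchange answers port 25 itself and does not offer STARTTLS.
EXTERNAL_SAMPLE = ["250-mail.example.test Hello", "250-SIZE 26214400",
                   "250-PIPELINING", "250 8BITMIME"]

def parse_ehlo(lines):
    """Return (greeting, {KEYWORD, ...}) from the lines of a 250 EHLO reply."""
    texts = [ln[4:].strip() for ln in lines if ln[:3] == "250" and len(ln) > 4]
    greeting = texts[0] if texts else ""
    return greeting, {t.split()[0].upper() for t in texts[1:] if t}

def read_reply(f):
    """Read one SMTP reply; continuation lines are 'NNN-', the last is 'NNN '."""
    lines = []
    for raw in iter(f.readline, b""):
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return lines

def probe(host, port=25, helo="probe.example.test", timeout=10):
    """Record banner and EHLO reply, then QUIT. Run once inside, once outside."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rwb") as f:
        banner = read_reply(f)
        f.write(f"EHLO {helo}\r\n".encode("ascii"))
        f.flush()
        ehlo = read_reply(f)
        f.write(b"QUIT\r\n")
        f.flush()
    return banner, ehlo

def compare(internal_lines, external_lines):
    """Summarise how the external EHLO view differs from the internal one."""
    in_greet, in_kw = parse_ehlo(internal_lines)
    ex_greet, ex_kw = parse_ehlo(external_lines)
    return {
        # Different greeting host means something else answers port 25 outside.
        "same_responder": in_greet.lower().split()[:1] == ex_greet.lower().split()[:1],
        "starttls_external": "STARTTLS" in ex_kw,
        "missing_externally": sorted(in_kw - ex_kw),
    }
```

Pass the second element returned by `probe()` from an external host as `external_lines`; a different greeting host together with STARTTLS in `missing_externally` points at the device in front of Exchange rather than at the connectors.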

Guy Lidbetter Commented:
Your Exchange is not the problem... It's the Cyberoam appliance that needs to be configured for TLS connectivity.

I found this article http://docs.cyberoam.com/default.asp?id=757&SID=

Here's what it has to say about TLS:

3. Secure Connection over SMTP Mail Notification

With more and more people using the Internet for socializing, personal and professional use, the information shared via Email may not always be secured. Information within Email can be intercepted and/or altered if not encrypted. Privacy and security of confidential and sensitive information has therefore been a growing concern.

A security protocol, Transport Layer Security (TLS) secures the information sent via Email by encrypting Email communication and thereby providing privacy and integrity between SMTP Client and a SMTP Server. Cyberoam supports TLS protocol to provide security over SMTP Mail Notification. With TLS protocol for connection security, Cyberoam automatically encrypts all the Email communications, ensuring the confidentiality for SMTP Mail Notification and hampering the risk of eaves-dropping, interception and alteration.

Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard. The “Connection Security” attribute can be configured with one of the following options:

· None – Should be selected if TLS protocol is not supported by mail servers and a normal TCP connection must be established without any security.

· STARTTLS – If the server supports STARTTLS, the connection is upgraded to TLS else continues as a TCP connection without any security.

· SSL/TLS – Should be selected to establish a secured TCP connection using TLS protocol.

By default, option “None” is configured for parameter Connection Security.

Cyberoam uses certificates to encrypt the data sent over a TLS supported TCP connection. An Administrator can choose to use a default certificate or select a custom certificate.  

By default, “ApplianceCertificate” is used for data encryption for secured TCP connection.

On Factory Reset, the “Connection Security” and “Certificate” parameters are set to its default values i.e. “None” and “Select Certificate” respectively.

Prior to this version, a normal TCP connection was used for communication between the SMTP Client and a SMTP Server for SMTP Mail Notification.

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.
0

Manoj Bojewar (Author) Commented:
I appreciate your quick support. Could you please tell me what I need to change in Cyberoam to allow TLS?
0
Guy Lidbetter Commented:
Hi Manoj,

It's a pleasure to help...

The above states
Security setting for mail servers can be done by configuring the attributes “Connection Security” and “Certificates” from Web Admin Console or using the Wizard.
..........

To configure security settings for mail server from Web Admin Console, go to System > Configuration > Notification and configure Connection Security and Certificate.

Alternately Connection Security and Certificate can be configured from Wizard page of Configure Mail Settings.

Do you have access to the appliance web interface?
0
Manoj Bojewar (Author) Commented:
I changed the setting in Cyberoam to enable STARTTLS and applied the default appliance certificate, but I am still getting the same error.
mxtool.png
0