Exchange 2010 403 4.7.0 TLS handshake failed.

Dear all,

We are having a problem with multiple companies not being able to reach any of our clients by e-mail.

We have an Exchange 2010 server with latest updates.

When an e-mail is sent the external users get the error:

403 4.7.0 TLS handshake failed.

I have tried disabling TLS and enabling basic authentication on the receive connectors but that didn't help either.
I have checked the certificates and they are still valid.

I have used http://www.checktls.com/index.html to see if TLS works and it does.
I have tested incoming SMTP traffic with https://testconnectivity.microsoft.com and that doesn't give any errors either?

Please advise on more steps I can do to find the cause of this problem.

Thank you
Itxx asked:

Simon Butler (Sembee), Consultant, commented:
The main cause of that is something in between Exchange and the internet.
Firewall for example, scanning the SMTP transport.

If you have disabled TLS, when you do a telnet test in to the server and issue an ehlo you shouldn't see StartTLS.

Simon.

systechadmin, Consultant, commented:
Also please check your Exchange certificate, if it's valid or not?
Itxx (Author) commented:
I might have found the solution. It has to do with TLS 1.2 not yet being activated and SSL3 still activated.

I'm going to try a few things tonight and update with the result and hopefully the solution.
Itxx (Author) commented:
The problem has been resolved.

We had to disable SSL2 & 3 (It was still enabled, shame on me) and enable TLS 1.1 & 1.2.

I used Crypto IIS (https://www.nartac.com/Products/IISCrypto) to change the settings.
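
The fix described in the comment above comes down to the server-side SCHANNEL protocol settings in the registry. The following read-only PowerShell audit is an added example, not part of the original thread or of any tool named in it; it compares the current settings with the state the author reports (SSL 2/3 off, TLS 1.1/1.2 on). The variable names and the verdict wording are illustrative assumptions.

```powershell
# Added example: read-only report of server-side SCHANNEL protocol settings.
# Run in an elevated PowerShell session on the Exchange server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Target state taken from the thread's resolution; TLS 1.0 is not mentioned there.
$wanted = @{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.1' = $true; 'TLS 1.2' = $true }

$report = foreach ($p in $protocols) {
    $key   = Join-Path $base "$p\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value means the protocol follows the OS default,
    # which differs between Windows Server versions.
    if ($null -eq $props -or $null -eq $props.Enabled) {
        $state = 'NotSet'
    } elseif ($props.Enabled -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'      # any non-zero DWORD, e.g. 1 or 0xFFFFFFFF
    }

    if (-not $wanted.ContainsKey($p)) {
        $verdict = 'n/a'
    } elseif ($state -eq 'NotSet') {
        $verdict = 'CHECK: relies on OS default'
    } elseif (($state -eq 'Enabled') -eq $wanted[$p]) {
        $verdict = 'OK'
    } else {
        $verdict = 'MISMATCH'
    }

    [pscustomobject]@{
        Protocol          = $p
        State             = $state
        DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
        Verdict           = $verdict
    }
}

$report | Format-Table -AutoSize
```

Changes to these SCHANNEL values take effect only after the server is restarted, so re-run the audit and the external TLS test after the reboot.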
Itxx (Author) commented:
Found the problem myself with Simon's tips.