ejscn

TLS Negotiation Failed on messages sent from Gmail to Exchange 2013

Hello all,

When sending from Gmail to my domain, I am getting this delayed delivery message from Gmail:

Final-Recipient: rfc822; username@mydomain.com
Action: delayed
Status: 4.7.0
Remote-MTA: dns; mailserver.mydomain.com. (<my mail server Public IP>, the server for the domain mydomain.com.)
Diagnostic-Code: smtp; TLS Negotiation failed: generic::failed_precondition: starttls error (0): protocol error
Last-Attempt-Date: Sat, 18 Feb 2017 23:22:22 -0800 (PST)
Will-Retry-Until: Mon, 20 Feb 2017 22:27:26 -0800 (PST)

I have verified SMTP with Microsoft's Test Connectivity Tool and mxtoolbox.com.  There are no errors.  We are receiving mail from all other domains (as far as I can tell).

The back story is that this Exchange 2013 server had been working well for 3 years.  We attempted to set up a hybrid Office 365 scenario on February 17.  After several hours troubleshooting mailflow from Exchange Online Protection to our mail server, we made the decision to revert the MX and SPF records back so mail flows directly to our on-premise server.  I would appreciate any help you can offer.
Tom Cieslik

I think you missed something.
Can you please publish your domain name? It's hard to send any advice without troubleshooting.
ejscn

ASKER

elizajen.org
ASKER CERTIFIED SOLUTION
Tom Cieslik
ejscn

ASKER

Thank you.  When I said there were no errors, I was performing a test on inbound SMTP mail flow, which is our issue with Gmail.

Can you tell me which test you have used in the screen shot above?  I would like to use that information to correct those issues.

Do you think resolving these items will resolve the TLS error I'm getting from Gmail?
Tom Cieslik

Any test, like MX lookup for your domain, then go to result and click on Green button "FIND PROBLEMS"

SPF record is crucial to make email server work with no problem.
It's easy to create especially with tool I've sent you.
All you need to know is your External IP registered in your DNS, Server name (mail.elizajen.org)

Your SPF record should look like this:   elizajen.org.  IN TXT "v=spf1 mx a ip4:199.96.153.114 -all"
(this is going to work only if your Incoming and outgoing IP address is the same (if you send directly from your server without smart host))
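
Added example, not part of the thread or of any poster's code: a minimal evaluator for the SPF record suggested above, showing why the record only passes when mail leaves from the same public IP. The DNS answers for `a` and `mx` are a constructed table, and 203.0.113.25 is a hypothetical smart-host address from the documentation range.

```python
import ipaddress

# Record suggested in the reply above.
SPF_RECORD = "v=spf1 mx a ip4:199.96.153.114 -all"

# Constructed stand-in for DNS lookups (assumption): the domain's A record
# and its MX host both resolve to the single public IP named in the record.
RESOLVED = {"a": ["199.96.153.114"], "mx": ["199.96.153.114"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, resolved):
    """Evaluate a subset of SPF (RFC 7208): a, mx, ip4, ip6 and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            networks = [arg]
        elif name in ("a", "mx"):
            # Looked up by mechanism text; CIDR suffixes are not modelled.
            networks = resolved.get(term.lower(), [])
        else:
            # include, exists, redirect and macros are outside this subset.
            return "permerror"
        if any(ip in ipaddress.ip_network(n, strict=False) for n in networks):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


def demo():
    """Direct delivery from the server versus relay through a smart host."""
    return {
        "direct": check_spf(SPF_RECORD, "199.96.153.114", RESOLVED),
        "smart_host": check_spf(SPF_RECORD, "203.0.113.25", RESOLVED),
    }


if __name__ == "__main__":
    print(demo())
```
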
ejscn

ASKER

Thanks, Tom.  I have updated our SPF policy.  It is still listed as not present using mxtoolbox.com, but it is there and Gmail verifies that I pass the SPF test when sending mail to it.