451 4.7.6 [internal] STARTTLS required but not advertised

I'm relaying inbound mail from salesforce.com to an on-prem Exchange 2010 server for internal recipients. On Feb 18, 2018, we renewed a self-signed cert with the IIS service assigned to it, and that's it. The validity date pushed forward; I was good to go.

However, the email log from Salesforce began generating an error; it indicates this error began the morning of Feb 16, sometime after the cert was renewed on 02/15:
451 4.7.6 [internal] STARTTLS required but not advertised

This is a SHA1 cert, so I thought perhaps ciphers were the problem. I inserted a SHA2 cert generated using the command line and bound it to the * 443 interface in IIS, and found no change.

TLS is offered on all receive connectors. A GoDaddy cert is bound to SMTP/POP/IMAP. The error causes the mail to not be received. Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

Any ideas? I've checked the cert and the connector, and Salesforce tech support seems stumped. I still think there is something to the cert.
csg-unit Asked:

systechadmin (Consultant) Commented:
Can you check the Salesforce email configuration for the "TLS" setting? If found, change it to preferred if it's not already set to preferred, and share the results.
0
Hasin Ahmed Choudhary (Exchange Administrator) Commented:
1) Enable protocol logging for the receive connector used by Salesforce (when a connection is made to your server).
2) Go through the log and see which certificate is used for the handshake: is it still using the old GoDaddy one, or by chance your new self-signed cert?

3) I don't know much about Salesforce, but is that a dedicated server in your org, or a cloud service? If it is a dedicated server, try to telnet to your Exchange server from that host and check whether you see the SMTP verbs properly.

If it is a cloud-based service and you can't do TELNET, you may also see the verbs provided by the Exchange server on that receive connector from protocol logging.
0

csg-unit (Author) Commented:
@Guarav
Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

@Hasin
I'll try your suggestions.

Thank you for your assistance.
0
csg-unit (Author) Commented:
This might be relevant.
0
csg-unit (Author) Commented:
3. Can't telnet in; there are firewalls I can't turn off.
0
systechadmin (Consultant) Commented:
Check the ports then; if needed, open the required port in the firewall.
0
Hasin Ahmed Choudhary (Exchange Administrator) Commented:
3. Can't telnet in; there are firewalls I can't turn off.

Is that a dedicated host for Salesforce?

We just need port 25 open for SMTP to work. Try to telnet to the Exchange server on port 25 and check what SMTP verbs you get in response when you do HELO.
0
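The check Hasin describes (connect on port 25 and see whether STARTTLS is among the verbs the connector advertises) can be scripted instead of typed into telnet. This is an added example, not code from the thread or from Salesforce/Exchange; the EHLO replies, host names and addresses in it are constructed, and `probe()` is a hypothetical helper that needs a host that can actually reach port 25.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from the poster's server). The second
# one is what a sending MTA sees when the connector does not offer STARTTLS,
# which is the condition behind "451 4.7.6 STARTTLS required but not advertised".
EHLO_WITH_TLS = (
    "250-mail.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mail.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH NTLM\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Map each advertised EHLO keyword (upper-cased) to its parameter string."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:  # line 0 is the greeting
        keyword, _, params = line[4:].partition(" ")  # drop '250-' / '250 '
        exts[keyword.upper()] = params
    return exts


def starttls_advertised(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def probe(host: str, port: int = 25, helo: str = "probe.example.test") -> dict:
    """Live check from a host that can reach port 25: is STARTTLS advertised,
    and does the handshake verify under default trust settings?"""
    result = {"starttls": False, "tls_ok": False, "error": None}
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo(helo)
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            # Default context verifies the chain; a self-signed cert fails
            # here even though STARTTLS itself was advertised.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo(helo)
            result["tls_ok"] = True
    except (ssl.SSLError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    finally:
        smtp.close()
    return result
```

A `starttls` of False with the connector set to require TLS points at the connector or the certificate binding rather than at the sending side; a `tls_ok` of False with an SSL error in `error` points at the chain the server presents.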
Hasin Ahmed Choudhary (Exchange Administrator) Commented:
No further response from the author.
0
csg-unit (Author) Commented:
This was ultimately solved from Salesforce by creating a new receive connector with only the networks for Salesforce listed, and in there deleting any redundant addresses that already occur within the subnets listed; then, under authentication, unchecking everything except "TLS Auth" and "Externally secured", and then, under groups, unchecking all but the first three in the list. We also disabled SSL v2/v3 in the registry.
0