451 4.7.6 [internal] STARTTLS required but not advertised

I'm relaying inbound mail from salesforce.com to on-prem Exchange 2010 server internal recipients. On Feb 18, 2018, we renewed a self-signed cert with the IIS service assigned to it, and that's it. The validity date pushed forward; I was good to go.

However, the email log from Salesforce began generating an error; it indicates this error began the morning of Feb 16, sometime after the cert was renewed on 02/15:
451 4.7.6 [internal] STARTTLS required but not advertised

This is a SHA-1 cert, so I thought perhaps ciphers were the problem. I inserted a SHA-2 cert generated using the command line, bound it to the *:443 interface in IIS, and found no change.

TLS is offered on all receive connectors. A GoDaddy cert is bound to SMTP/POP/IMAP. The error causes the mail to not be received. Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

Any ideas? I've checked the cert and the connector, and Salesforce tech support seems stumped. I still think there is something to the cert...
Asked by: csg-unit
2 Solutions
Gaurav Singh (Solution Architect) commented:
Can you check the Salesforce email configuration for the "TLS" setting? If found, change it to preferred if it's not already set to preferred, and share the results.
Hasin Ahmed Choudhary (Exchange Administrator) commented:
1) Enable protocol logging for the receive connector used by Salesforce (when a connection is made to your server).
2) Go through the log and see which certificate is used for the handshake: is it still using the old GoDaddy one, or by chance your new self-signed cert?

3) I don't know much about Salesforce, but is that a dedicated server in your org, or a cloud service? If a dedicated server, try to telnet to your Exchange server from that host and check whether you see the SMTP verbs properly.

If it's a cloud-based service and you can't do telnet, you can also see the verbs provided by the Exchange server on that receive connector from the protocol logging.
csg-unit (Author) commented:
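As an added example (not code from this thread, from Salesforce, or from Exchange), here is a small Python checker for the condition behind the 451 4.7.6 error: it parses an EHLO reply for the STARTTLS extension and, in live mode against a host you name, negotiates STARTTLS and reports the certificate actually presented on port 25. The sample EHLO replies and the hostname in them are constructed placeholders.

```python
"""Added example (not from the thread): does an SMTP server advertise STARTTLS
in its EHLO reply, and which certificate does it present? (451 4.7.6 cause)"""
import hashlib
import smtplib
import ssl

# Constructed, Exchange-style EHLO replies for offline use (not real captures).
SAMPLE_EHLO_OK = ("250-mail.example.internal Hello [203.0.113.5]\r\n250-SIZE 36700160\r\n"
                  "250-PIPELINING\r\n250-STARTTLS\r\n250-AUTH NTLM\r\n250 OK")
SAMPLE_EHLO_NO_TLS = ("250-mail.example.internal Hello [203.0.113.5]\r\n"
                      "250-SIZE 36700160\r\n250-PIPELINING\r\n250 OK")


def parse_ehlo_extensions(reply):
    """Keywords from a multi-line 250 reply: line 1 is the server name, the
    rest are '250-KEYWORD ...' or, on the final line, '250 KEYWORD'."""
    keywords = []
    for line in reply.strip().splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            keywords.append(line[4:].split()[0].upper())
    return keywords


def starttls_advertised(reply):
    """True when the STARTTLS extension (RFC 3207) is advertised."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_smtp_starttls(host, port=25, timeout=10.0):
    """Live check: EHLO, then if STARTTLS is offered negotiate it and return the
    fingerprint/PEM of the certificate actually presented on the SMTP side."""
    result = {"host": host, "starttls": False, "extensions": [], "cert": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["extensions"] = sorted(k.upper() for k in smtp.esmtp_features)
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # inspect rather than validate, so a
            ctx.verify_mode = ssl.CERT_NONE  # self-signed cert is still reported
            smtp.starttls(context=ctx)
            der = smtp.sock.getpeercert(binary_form=True)
            result["cert"] = {"sha256": hashlib.sha256(der).hexdigest(),
                              "tls_version": smtp.sock.version(),
                              "pem": ssl.DER_cert_to_PEM_cert(der)}
    return result

if __name__ == "__main__":  # offline demo on the constructed samples
    for sample in (SAMPLE_EHLO_OK, SAMPLE_EHLO_NO_TLS):
        print(parse_ehlo_extensions(sample), starttls_advertised(sample))
```

Feed the returned PEM to `openssl x509 -noout -text` to compare subject, issuer and signature algorithm with the certificate you expected the SMTP service to be using.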
@Gaurav
Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

@Hasin
I'll try your suggestions

Thank you for your assistance
csg-unit (Author) commented:
This might be relevant
csg-unit (Author) commented:
3. Can't telnet in; there are firewalls I can't turn off.
Gaurav Singh (Solution Architect) commented:
Check the ports, then if needed open the required port in the firewall.
Hasin Ahmed Choudhary (Exchange Administrator) commented:
"3. Can't telnet in; there are firewalls I can't turn off."

Is that a dedicated host for Salesforce?

We just need port 25 open for SMTP to work. Try to telnet to the Exchange server on port 25 and check which SMTP verbs you get in response when you do HELO.
Hasin Ahmed Choudhary (Exchange Administrator) commented:
No further response from the author.
csg-unit (Author) commented:
This was ultimately solved from Salesforce by creating a new receive connector with only the networks for Salesforce listed, and in there deleting any redundant addresses that already occur within the subnets listed; then, under Authentication, unchecking everything except "TLS Auth" and "Externally secured"; and then, under Groups, unchecking all but the first three in the list. We also disabled SSL v2/v3 in the registry.