csg-unit (United States of America) asked:

451 4.7.6 [internal] STARTTLS required but not advertised

I'm relaying inbound mail from salesforce.com to internal recipients on an on-prem Exchange 2010 server. On Feb 18, 2018, we renewed a self-signed cert with the IIS service assigned to it, and that's it. The validity date was pushed forward; I was good to go.

However, the email log from Salesforce began generating an error; it indicates this error began the morning of Feb 16, sometime after the cert was renewed on 02/15:
451 4.7.6 [internal] STARTTLS required but not advertised

This is a SHA1 cert, so I thought perhaps ciphers were the problem. I inserted a SHA2 cert generated using the command line and bound it to the * 443 interface in IIS, and found no change.

TLS is offered on all receive connectors. A GoDaddy cert is bound to SMTP/POP/IMAP. The error causes the mail not to be received. Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

Any ideas? I've checked the cert and the connector, and Salesforce tech support seems stumped. I still think there is something to the cert.
SOLUTION (Systech Admin, India): available to Experts Exchange members only.

ASKER CERTIFIED SOLUTION: available to Experts Exchange members only.
csg-unit (asker):

@Guarav
Changing to TLS "preferred" instead of "Required" on the Salesforce side results in flowing mail, but unencrypted messages are not an option.

@Hasin
I'll try your suggestions.

Thank you for your assistance.
Expert reply:
"3. Can't telnet in, there are firewalls I can't turn off."
Check the ports then; if needed, open the required port in the firewall.

Expert reply:
"3. Can't telnet in, there are firewalls I can't turn off."

Is that a dedicated host for Salesforce?

We just need port 25 open for SMTP to work. Try to telnet to the Exchange server on port 25 and check what SMTP verbs you get in response when you do HELO.
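The telnet test suggested above can be scripted. The following is an added example written for this page, not code from the thread, from Salesforce or from Microsoft. It does two things: it parses a raw EHLO reply into the extension list a sender sees (a 451 4.7.6 "STARTTLS required but not advertised" from the sending side means exactly that STARTTLS was missing from this list), and it can run the same probe live against a server with smtplib. Note that it is the EHLO reply, not HELO, that carries the extension keywords. The hostnames, the sample replies and the reported Exchange keywords are constructed for illustration and are not captured from the asker's server.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply (added example)."""
import smtplib
import ssl
import sys

# Constructed sample replies (not captured from the asker's server). The first is what an
# Exchange 2010 receive connector with TLS enabled typically returns; the second is the
# same reply with STARTTLS missing, which is the condition a sender that enforces TLS
# reports as "451 4.7.6 ... STARTTLS required but not advertised".
EHLO_WITH_STARTTLS = (
    "250-EX01.corp.example.invalid Hello [203.0.113.10]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250-8BITMIME\r\n"
    "250-BINARYMIME\r\n"
    "250 CHUNKING\r\n"
)
EHLO_WITHOUT_STARTTLS = EHLO_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")


def parse_ehlo_reply(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: parameters}.

    Per RFC 5321 the continuation lines are "250-..." and the final line is "250 ...".
    The first line carries the server's greeting, the remaining lines the extensions.
    A non-250 reply (EHLO rejected) raises ValueError.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO not accepted: %r" % (lines[0] if lines else ""))
    extensions = {}
    for ln in lines[1:]:
        if not (ln.startswith("250-") or ln.startswith("250 ")):
            raise ValueError("malformed reply line: %r" % ln)
        body = ln[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def starttls_advertised(extensions):
    """True when the STARTTLS keyword was present in the EHLO reply."""
    return "STARTTLS" in extensions


def diagnose(reply):
    """Short verdict for a raw EHLO reply, phrased like the sender-side 4.7.6 error."""
    try:
        extensions = parse_ehlo_reply(reply)
    except ValueError as exc:
        return "EHLO rejected: %s" % exc
    if starttls_advertised(extensions):
        return "STARTTLS advertised"
    return "STARTTLS required but not advertised"


def live_check(host, port=25, timeout=10, helo_name="probe.example.invalid"):
    """Connect, send EHLO, and if STARTTLS is offered complete the handshake.

    Certificate verification is disabled on purpose: this is a diagnostic that should
    succeed even against a self-signed certificate and report the negotiated protocol.
    """
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        if code != 250:
            return {"ehlo": code, "starttls": False, "detail": msg.decode(errors="replace")}
        result = {"ehlo": code, "starttls": smtp.has_extn("starttls")}
        if result["starttls"]:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)
            result["tls_version"] = smtp.sock.version()
            result["cipher"] = smtp.sock.cipher()[0]
            smtp.ehlo()  # extensions offered inside the TLS session
            result["auth_after_tls"] = smtp.esmtp_features.get("auth", "")
        return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the constructed replies.
        print("sample with STARTTLS:   ", diagnose(EHLO_WITH_STARTTLS))
        print("sample without STARTTLS:", diagnose(EHLO_WITHOUT_STARTTLS))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(live_check(sys.argv[1], port))
```

One caveat when using the live probe: Exchange picks the receive connector whose RemoteIPRanges matches the sending IP most specifically, so a probe run from inside your own network can land on a different connector than the one Salesforce's relays hit and show STARTTLS even when their connector does not offer it. To reproduce what the sender sees, run the probe from an address inside the same range as the sending relays, or from the host that generated the error.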
No further response from Author
This was ultimately solved with Salesforce by creating a new receive connector with only the networks for Salesforce listed, and in there deleting any redundant addresses that already occur within the subnets listed; then, under Authentication, unchecking everything except "TLS Auth" and "Externally secured", and then, under Groups, unchecking all but the first three in the list. We also disabled SSL v2/v3 in the registry.