External mail issues on Exchange Server 2016 SU8

I have two issues on my Exchange Server 2016 with SU8:

1. I do not receive email from external (Internet) sources, while I can send out to external (Internet) addresses.
2. StartTLS only seen in internal network.

Below is the result of a telnet to the mail server:


220 mail.duifkruid.nl Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Sat, 3 Mar 2018 00:55:17 +0100
250-mail.xxxxxxx.nl Hello []
250 OK


[000.097]            Connected to server
[000.187]      <--       220 xxxxxxxx.nl
[000.187]            We are allowed to connect
[000.187]       -->      EHLO checktls.com
[000.279]      <--       250-xxxxxxxx.nl Hello []
250-SIZE 37748736
[000.282]            We can use this server
[000.282]            TLS is not an option on this server
[000.282]       -->      MAIL FROM:<test@checktls.com>
[000.376]      <--       250 2.1.0 Sender OK
[000.377]            Sender is OK
[000.377]       -->      QUIT
[000.464]      <--       221 2.0.0 Service closing transmission channel

Certificate is assigned to smtp.

How can I resolve these issues?
timgreen7077 (Exchange Engineer) commented:
Is this a new server build?
When did it start happening?
How does email route into your org? Do you have a 3rd-party hosted service that filters your spam and then sends email to you, or what?
Do you have a firewall blocking or not forwarding mail to your Exchange server via port 25?
jjvalstar (Author) commented:
I have a new build server (Windows Server 2016 with Exchange server 2016) which will replace my old one running on Windows Server 2003 with Exchange Server 2003.

Port 25 was redirected at first to the Exchange 2003 server, and I was able to send mail from Exchange Server 2016 to external email addresses.
I wanted to test, prior to the replacement, whether I could receive emails, so I redirected port 25 to my new Exchange server.

So, at that point I noticed that I was not able to get new emails, and tests also showed that StartTLS was not seen for the external mails (from the Internet) while it was seen on the internal network.

I have only one Exchange Server (I don't use a backend Exchange server). Traffic goes from the firewall to the specified IP/port.
That is, all traffic coming in on port 25 is redirected to the internal Exchange server.

As antivirus software, I use ESET for Exchange Mail Server.

Does anyone have an idea how I can resolve this?

Thanks in advance.
jjvalstar (Author) commented:
The issue is not present on the 2k3 server. The Exchange Server 2003 will be replaced by the Exchange Server 2016.
On the firewall I changed the redirection to the new server, and then I'm not able to receive.

So, the issue is in the exchange server 2016.
timgreen7077 (Exchange Engineer) commented:
Do you have mailboxes on the 2016 Exchange server?
jjvalstar (Author) commented:
Yes, I used Lepide Migrator. All users and mailboxes (and emails) are already on the new one.
timgreen7077 (Exchange Engineer) commented:
Have you made any changes to the default receive connectors on 2016?
timgreen7077 (Exchange Engineer) commented:
Also make sure the Windows Firewall in Control Panel isn't interfering.
jjvalstar (Author) commented:
No, not at first. A few minutes ago I changed from <machine.domain> to <domain>, but the results are the same.

But when doing a telnet from external network I see:
SERVER -> CLIENT: 250-DUIFSRV01.emea.duifkruid.nl Hello []
                     250-SIZE 37748736
                     250 XKWFCHUNKING-DENIED <======= What does this mean????

And at the end I see:
SERVER -> CLIENT: 250 Message accepted for delivery

But I don't see anything in the queue!!
timgreen7077 (Exchange Engineer) commented:
I have to leave at the moment. I suggest setting all default 2016 receive connectors back to their default options; see the link in those connectors. Also, once you change it back, send email and see if the transport queues show anything. Also, is the external sending domain getting any NDR or bounce-back email?

timgreen7077 (Exchange Engineer) commented:
Also, I'm assuming that your MX record is pointing to the firewall, which forwards the mail to 2016, or something of that nature.
jjvalstar (Author) commented:
By adding the host of the email server to the hosts file I was able to receive emails from external.

I added for example:  MAILSRV01  MAILSRV01.DOMAIN.LOCAL

But SMTP TLS still fails.
timgreen7077 (Exchange Engineer) commented:
You never mentioned you were using hosts files. I assumed you were using DNS. In future that is helpful info. :)

Exchange uses TLS by default. It may be because of the changes you made on the receive connector. If you successfully got an email, look at the email headers and they will tell you if TLS was used. Paste the headers into a header analyzer; you can go to mxtoolbox.com and paste the email header into the header analyzer.
jjvalstar (Author) commented:
For the internal e-mail I used an IP address instead of DNS. I have changed it to external DNS.

I checked the mail server at mxtoolbox.com and there it said:

      SMTP TLS      Warning - Does not support TLS.

While internally you see 250 StartTLS, why not for external as well?
timgreen7077 (Exchange Engineer) commented:
Exchange supports TLS by default, internal or external. Did you check the receive connectors based on the article I sent? Also, what are you telnetting to: is it your Exchange server or the firewall?
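As an added example (not code from the thread), a small Python check that parses an EHLO reply the way checktls.com and mxtoolbox do and reports whether STARTTLS is advertised; probe_ehlo() can be run once from the LAN and once from outside to see which extensions disappear on the external path, which tells you whether the two paths reach the same connector. The sample replies and all hostnames are constructed, not the poster's real server.

```python
import socket

# Constructed EHLO replies modelled on the thread's telnet captures; the
# hostnames and address are placeholders, not the poster's real server.
INTERNAL_EHLO = ("250-mail.example.local Hello [10.0.0.5]\r\n"
                 "250-SIZE 37748736\r\n250-STARTTLS\r\n250 CHUNKING\r\n")
EXTERNAL_EHLO = ("250-mail.example.local Hello []\r\n"
                 "250-SIZE 37748736\r\n250 XKWFCHUNKING-DENIED\r\n")

def parse_ehlo(reply):
    """Return {EXTENSION: params} from a raw EHLO reply. '250-' lines continue
    the reply and '250 ' ends it (RFC 5321 4.1.1.1); any other code is a reject."""
    extensions = {}
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected: %r" % reply[:80])
    for line in lines[1:]:               # line 0 is the server's greeting
        keyword, _, params = line[4:].strip().partition(" ")
        extensions[keyword.upper()] = params
        if line[3:4] != "-":             # '250 ' marks the final line
            break
    return extensions

def starttls_offered(reply):
    return "STARTTLS" in parse_ehlo(reply)

def missing_externally(internal_reply, external_reply):
    """Extensions advertised internally but not externally (non-empty set
    means the two paths hit different connectors or an intermediate device)."""
    return set(parse_ehlo(internal_reply)) - set(parse_ehlo(external_reply))

def _read_reply(sock):
    """Read one SMTP reply; a multi-line reply ends at a line 'NNN<space>'."""
    data = b""
    while not (data.endswith(b"\n") and data.splitlines()[-1][3:4] != b"-"):
        chunk = sock.recv(4096)
        if not chunk:                    # peer closed early; return what we have
            break
        data += chunk
    return data.decode("latin-1")

def probe_ehlo(host, port=25, helo_name="probe.example", timeout=10):
    """Live check: connect, read the banner, send EHLO and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                             # 220 banner
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return reply
```

If STARTTLS is present in the LAN reply but absent in the reply captured from outside, the difference lies in the receive connector the external path lands on or in a device in front of it, not in Exchange's TLS support as such.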
timgreen7077 (Exchange Engineer) commented:
Gave the user possible solutions and no longer received additional responses. Closing ticket and assigning points.