Send Connector requiring TLS.

I'm running Exchange 2016. I configured my receive connector to require TLS and assigned a certificate to it. Now my send connector is not sending to a few domains. The event log shows event ID 2015: "The send connector requires Transport Layer Security (TLS) authentication, but is unable to establish TLS with the receiving server for the remote domain."
In PowerShell the settings are False for RequireTLS, and TLSAuthLevel, TLSCertificateName and TLSDomain are blank in the send connector. When I telnet to the failing domains' SMTP server and type EHLO domain.com, it does not show STARTTLS.
Where is my send connector getting the require TLS from? Or is it? The problem only seems to be with a few domains but it worked before I made the changes to the receive connector.
DougPenneman asked:
timgreen7077 (Exchange Engineer) commented:
Exchange uses opportunistic TLS by default, so both mail servers agree on a TLS transmission. I think the issue you are experiencing has to do with you modifying the default receive connector to require TLS traffic into your org, so now you are running into a domain that isn't using TLS for some reason and the mail fails because you can't agree on the handshake. You will need to change it back to the defaults or you will have this happen whenever you run into a domain like that. The send connector is failing because of the handshake.
0
DougPenneman (Author) commented:
So the Send connector is using settings from the receive connector? I'm confused. Also, one of the domains is suddenlink.net, which is a large internet service provider. I can't imagine that they don't use opportunistic TLS.
0
timgreen7077 (Exchange Engineer) commented:
Your settings on the send connector show it's not forcing TLS, but your receive connector requires it, so it seems that they work together for securing communication, and since the receive connector requires it, that seems like the reason it's failing the handshake. The handshake is sending and receiving.
0
SysTools (Data Expert - Recovery, Backup, Migration) commented:
Error Event ID 2015 indicates that the specified Send connector must use Transport Layer Security (TLS) for all messages that are sent to the remote server:
[screenshot: event-id-2015.png]
To fix these issues, follow the steps below:

[screenshot: event-id-20151.png]
Helpful link: https://technet.microsoft.com/en-us/library/ff982694(v=exchg.141).aspx
0
DougPenneman (Author) commented:
I can't configure the remote server. It's not mine. And they do not respond with 250-STARTTLS. I'll set my receive connectors back to default and see if it clears up. (But, this may cause issues with doing business with defense contractors and government?)
0
DougPenneman (Author) commented:
Update - send connector RequireTLS is false, default frontend RequireTLS false. About two weeks ago I assigned my SSL cert to the receive connector using Set-ReceiveConnector -TLSCertificateName. It wasn't until a week later that the send connector "require TLS" errors started. It only seems to be happening on the same 5 domains (according to the Queue Viewer). One of them is Barracuda, so I'm sure they have TLS enabled.
0
DougPenneman (Author) commented:
UPDATE - I'm an idiot. I had set a transport rule to require TLS on ALL emails incoming and outgoing. I deleted that.
But, in your experience, do you find companies like Barracuda not offering opportunistic TLS?
Thanks for your help.
0
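The poster found the enforcement in a transport rule rather than in either connector. The following Exchange Management Shell snippet is an added example (not code from the thread) that lists every place Exchange 2016 can impose "require TLS" on mail flow, so a hidden rule shows up next to the connector settings; the function name is my own.

```powershell
# Added example: enumerate all sources of a TLS requirement in Exchange 2016.
# Run from the Exchange Management Shell. Get-TlsRequirementSources is a
# hypothetical helper name, not an Exchange cmdlet.
function Get-TlsRequirementSources {
    [CmdletBinding()]
    param()

    # Send connectors: RequireTLS, TlsAuthLevel and TlsDomain govern outbound enforcement.
    Get-SendConnector | ForEach-Object {
        [pscustomobject]@{
            Source     = 'SendConnector'
            Name       = $_.Name
            RequireTLS = $_.RequireTLS
            Detail     = "TlsAuthLevel=$($_.TlsAuthLevel); TlsDomain=$($_.TlsDomain); AddressSpaces=$($_.AddressSpaces -join ',')"
        }
    }

    # Receive connectors: RequireTLS here only affects sessions coming INTO this server.
    Get-ReceiveConnector | ForEach-Object {
        [pscustomobject]@{
            Source     = 'ReceiveConnector'
            Name       = $_.Identity
            RequireTLS = $_.RequireTLS
            Detail     = "TlsCertificateName=$($_.TlsCertificateName)"
        }
    }

    # Transport rules: the "Require TLS encryption" action (RouteMessageOutboundRequireTls)
    # forces TLS for every outbound message the rule matches, regardless of connector settings.
    Get-TransportRule | Where-Object { $_.RouteMessageOutboundRequireTls } | ForEach-Object {
        [pscustomobject]@{
            Source     = 'TransportRule'
            Name       = $_.Name
            RequireTLS = $true
            Detail     = "State=$($_.State); Priority=$($_.Priority); Conditions=$($_.Conditions -join ',')"
        }
    }
}

# Show only the objects that actually enforce TLS.
Get-TlsRequirementSources | Where-Object { $_.RequireTLS } | Format-Table -AutoSize

# Queues stuck because of event 2015 surface here with the remote domain in NextHopDomain.
Get-Queue | Where-Object { $_.Status -eq 'Retry' } |
    Format-List Identity, NextHopDomain, MessageCount, LastError
```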
timgreen7077 (Exchange Engineer) commented:
The best thing to do is leave the default connectors created by exchange alone, and if you have a client requiring TLS, create a send connector for that client domain and force or require TLS on that send connector.
0
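One way to do what the answer above recommends, as an added example rather than code from the thread: a send connector scoped to one partner domain that requires TLS and validates the partner's certificate name, while every other domain stays on the default connector with opportunistic TLS. The domain and server names are placeholders.

```powershell
# Added example: dedicated send connector for a single partner that demands TLS.
# Run from the Exchange Management Shell.
$partnerDomain = 'partner.example'   # placeholder: the client domain that requires TLS
$sourceServer  = 'EX01'              # placeholder: your Mailbox server name

# Address space "SMTP:partner.example;1" is more specific than the default "*",
# so Exchange picks this connector for the partner and the default one for all else.
# DNSRoutingEnabled keeps delivery via the partner's MX records (no smart host).
New-SendConnector -Name "Partner TLS - $partnerDomain" `
    -Usage Custom `
    -AddressSpaces "SMTP:$partnerDomain;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $sourceServer `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain $partnerDomain

# DomainValidation means the session only succeeds if the remote certificate chains
# to a trusted CA AND its subject/SAN matches TlsDomain; EncryptionOnly would accept
# any certificate, CertificateValidation checks the chain but not the name.

# Verify the new connector and confirm the default connector was left untouched.
Get-SendConnector |
    Format-Table Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain -AutoSize

# If the partner later stops offering STARTTLS, mail to them queues with event 2015
# instead of falling back to clear text, which is the intended fail-closed behaviour.
Get-Queue | Where-Object { $_.NextHopDomain -eq $partnerDomain } |
    Format-List Identity, Status, MessageCount, LastError
```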
timgreen7077 (Exchange Engineer) commented:
Barracuda is an appliance, so it depends on how it was set up. Good luck, and I hope your change to the transport rule fixes your issue.
0