Send Connector requiring TLS.

I'm running Exchange 2016. I configured my receive connector to require TLS and assigned a certificate to it. Now my send connector is not sending to a few domains. The event log shows event ID 2015: "The send connector requires Transport Layer Security (TLS) authentication, but is unable to establish TLS with the receiving server for the remote domain."
In PowerShell the settings are False for RequireTLS, and TLSAuthLevel, TLSCertificateName and TLSDomain are blank in the send connector. When I telnet to the failing domains' SMTP server and type EHLO domain.com it does not show STARTTLS.
Where is my send connector getting the require TLS from? Or is it? The problem only seems to be with a few domains but it worked before I made the changes to the receive connector.
DougPenneman asked:
timgreen7077 (Exchange Engineer) commented:
The best thing to do is leave the default connectors created by Exchange alone, and if you have a client requiring TLS, create a send connector for that client domain and force or require TLS on that send connector.
timgreen7077 (Exchange Engineer) commented:
Exchange uses opportunistic TLS by default, so both mail servers agree on a TLS transmission. I think the issue you are experiencing has to do with you modifying the default receive connector to require TLS traffic into your org, so now you are running into a domain that isn't using TLS for some reason and the mail fails because you can't agree on the handshake. You will need to change it back to the defaults or you will have this happen whenever you run into a domain like that. The send connector is failing because of the handshake.
DougPenneman (Author) commented:
So the Send connector is using settings from the receive connector? I'm confused. Also, one of the domains is suddenlink.net, which is a large internet service provider. I can't imagine that they don't use opportunistic TLS.
timgreen7077 (Exchange Engineer) commented:
Your settings on the send connector are showing it's not forcing TLS, but your receive connector requires it, so it seems that they work together for securing communication, and since the receive side requires it, that seems like the reason it's failing the handshake. The handshake is sending and receiving.
SysTools (Data Expert - Recovery, Backup, Migration) commented:
Error Event ID 2015 indicates that the specified Send connector must use Transport Layer Security (TLS) for all messages that are sent to the remote server:
[image: event-id-2015.png]
To fix these issues, follow the steps below:
[image: event-id-20151.png]
Helpful link: https://technet.microsoft.com/en-us/library/ff982694(v=exchg.141).aspx
DougPenneman (Author) commented:
I can't configure the remote server. It's not mine. And they do not respond with 250-STARTTLS. I'll set my receive connectors back to default and see if it clears up. (But, this may cause issues with doing business with defense contractors and government?)
DougPenneman (Author) commented:
Update - send connector RequireTLS is false, default frontend RequireTLS false. About two weeks ago I assigned my SSL cert to the receive connector using Set-ReceiveConnector -TLSCertificateName. It wasn't until a week later that the send connector "require TLS" errors started. It only seems to be happening on the same 5 domains (according to the Queue Viewer). One of them is Barracuda, so I'm sure they have TLS enabled.
DougPenneman (Author) commented:
UPDATE - I'm an idiot. I had set a transport rule to require TLS on ALL emails incoming and outgoing. I deleted that.
But, in your experience, do you find companies like Barracuda not offering opportunistic TLS?
Thanks for your help.
timgreen7077 (Exchange Engineer) commented:
Barracuda is an appliance, so it depends on how it was set up. Good luck, and I hope your change to the transport rule fixes your issue.
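The thread ends with the TLS requirement traced to a transport rule rather than to the send or receive connector. As an added example (not posted by anyone in the thread), this Exchange Management Shell snippet audits the three places Exchange 2016 can force outbound TLS so an event 2015 can be traced to its source; `partner.example` in the final line is a placeholder domain.

```powershell
# Added example: audit every setting that can make Exchange require TLS on outbound
# mail. Run from the Exchange Management Shell on the Exchange 2016 server.

# 1. Send connectors: explicit RequireTLS / TlsAuthLevel / TlsDomain settings.
Get-SendConnector |
    Select-Object Name, Enabled, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName |
    Format-Table -AutoSize

# 2. Receive connectors: RequireTLS and the certificate assigned with -TlsCertificateName
#    (the change the original poster made two weeks before the failures started).
Get-ReceiveConnector |
    Select-Object Name, RequireTLS, TlsCertificateName |
    Format-Table -AutoSize

# 3. Transport rules: a rule with RouteMessageOutboundRequireTls forces TLS on every
#    message it matches, regardless of what the connectors say. This was the cause here,
#    and it is where a global "require TLS" rule shows up even though RequireTLS on the
#    send connector reads False.
$tlsRules = Get-TransportRule | Where-Object { $_.RouteMessageOutboundRequireTls -eq $true }
if ($tlsRules) {
    $tlsRules |
        Select-Object Name, State, Priority, SenderDomainIs, RecipientDomainIs |
        Format-Table -AutoSize
} else {
    Write-Output "No transport rules force outbound TLS."
}

# If one partner (for example a contractor) must receive mail only over TLS, scope the
# requirement to that recipient domain instead of applying it to all outbound mail, so
# domains that do not advertise STARTTLS are unaffected. 'partner.example' is a placeholder.
# New-TransportRule -Name "Require TLS to partner.example" `
#     -RecipientDomainIs "partner.example" -RouteMessageOutboundRequireTls $true
```

Messages stuck in the Queue Viewer for a domain that does not advertise 250-STARTTLS on EHLO will only flow again after the matching rule is removed or narrowed.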