I'm working on an issue I have with a vendor. They are unable to communicate with our Exchange server. The following message was sent to us:

"A Purchase Order sent to this email address has failed because a 'secure delivery could not be established'.
If it is a valid email address, please make sure that your company whitelists all emails from the domain so Purchase Orders can flow without failures. Also, please make sure that your email can handle TLS encrypted emails. Our ordering system utilizes TLS encryption."

I went to with the following results



TLS 1.3      No
TLS 1.2      Yes
TLS 1.1      Yes
TLS 1.0      Yes
SSL 3      No
SSL 2      No
For TLS 1.3 tests, we currently support draft version 28.

Certificate #1: RSA 2048 bits (SHA1withRSA)

Server Key and Certificate #1
Fingerprint SHA256: 242108f159834deXX
Pin SHA256: gJb0SUQGT9xdgAUkLtUabTUHxx
Common names
Alternative names exchange.domain.local AutoDiscover.domain.local mge.local
Serial Number      505976e8d2dacd9445086axxx
Valid from      Thu, 09 Jul 2015 21:01:06 UTC
Valid until      Thu, 09 Jul 2020 21:01:06 UTC (expires in 1 year and 10 months)
Key      RSA 2048 bits (e 65537)
Weak key (Debian)      No
Issuer   Self-signed
Signature algorithm      SHA1withRSA   INSECURE
Extended Validation      No
Certificate Transparency      No
OCSP Must Staple      No
Revocation information      None
DNS CAA      No
Trusted      No   NOT TRUSTED


Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS      128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE      128
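The scan above was run against the server's HTTPS side; what the vendor's ordering system actually talks to is SMTP with STARTTLS. The PowerShell below is an added example for this thread (not the asker's, the vendor's or any vendor-supplied code) that performs that exchange directly: it opens an SMTP session, issues EHLO and STARTTLS, completes the TLS handshake and reports the negotiated protocol, the cipher and the certificate the server presents (subject, issuer, SANs, signature algorithm, expiry and whether the chain validates). The host name mail.example.com is a placeholder; it needs Windows PowerShell 5.1 or later, and the protocol range defaults to TLS 1.0 through 1.2 so the output shows what the server chooses.

```powershell
# Added example, not code from the thread. Probe an SMTP server's STARTTLS and report
# the negotiated TLS version and the presented certificate. Placeholder: mail.example.com.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$SmtpHost,
        [int]$Port = 25,
        # Default offers TLS 1.0-1.2 so the result shows the server's preference;
        # pass -Protocols Tls12 to confirm the server still answers with 1.0/1.1 disabled.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls, Tls11, Tls12'
    )

    $client = [System.Net.Sockets.TcpClient]::new($SmtpHost, $Port)
    $net    = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($net)
    $writer = [System.IO.StreamWriter]::new($net)
    $writer.AutoFlush = $true
    $writer.NewLine   = "`r`n"

    # SMTP replies may span several lines; continuation lines carry '-' after the 3-digit code.
    $readReply = {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line }
        while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        , $lines
    }

    try {
        $null = & $readReply                                  # 220 banner
        $writer.WriteLine('EHLO tlsprobe.example.test')      # assumed probe host name
        $ehlo = & $readReply
        if (-not ($ehlo -match 'STARTTLS')) { throw "$SmtpHost does not advertise STARTTLS" }

        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

        # Record chain errors instead of aborting: a self-signed or mis-named certificate
        # is exactly what we want to see reported, not hidden behind an exception.
        $state    = @{ ChainErrors = 'None' }
        $callback = { param($s, $cert, $chain, $errors) $state.ChainErrors = $errors; $true }.GetNewClosure()
        $ssl = [System.Net.Security.SslStream]::new($net, $false, $callback)
        $ssl.AuthenticateAsClient($SmtpHost, $null, $Protocols, $false)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        # Subject Alternative Name extension (OID 2.5.29.17), rendered as "DNS Name=..." entries.
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                 ForEach-Object { $_.Format($false) }) -join '; '

        [pscustomobject]@{
            Host            = $SmtpHost
            Protocol        = $ssl.SslProtocol
            Cipher          = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength) $($ssl.HashAlgorithm) $($ssl.KeyExchangeAlgorithm)"
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            SignatureAlg    = $cert.SignatureAlgorithm.FriendlyName
            NotAfter        = $cert.NotAfter
            SubjectAltNames = $san
            NameMatchesHost = ($san -match [regex]::Escape($SmtpHost))
            ChainErrors     = $state.ChainErrors
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host):
Test-SmtpStartTls -SmtpHost mail.example.com | Format-List
```

A sending MTA that insists on verified TLS checks the same things this object reports: that the chain validates (ChainErrors), that the presented name covers the public MX host (NameMatchesHost), and that a protocol it accepts was negotiated (Protocol). Run it against the public MX name the vendor would resolve, not the internal name.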
Jose Gabriel Ortega Castro (CEO) commented:
I would make sure it all works behind TLS 1.2 by running the script:

The script is used to solve the Sweet32 and TLS 1.0 problems for PCI compliance.

jcl64213 (Author) commented:
I'm having a really hard time running that script.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Disabling TLS 1.0 and TLS 1.1 in your SSL config file is usually sufficient to clear this error, as TLS 1.0 and TLS 1.1 are both deprecated by most companies because both protocol levels have security problems.
btan (Exec Consultant) commented:
If Windows, you can disable TLS 1.0, but sometimes it may also require modifying the affected application component of your web server.

At OS level, via this registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

More details: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

You can try out the IIS Crypto tool to do the job, in addition to other tweaks like favoring Forward Secrecy (ECDHE) ciphers.
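The registry change above, written out as an added example (not btan's script and not IIS Crypto's output): it disables TLS 1.0 and 1.1 for both the client and server side of SCHANNEL, explicitly enables TLS 1.2, tells the .NET Framework to follow the operating system's protocol defaults (Exchange's own code paths run on .NET, so SCHANNEL alone is not enough), and reads the resulting state back. The key names and values are the standard SCHANNEL ones; the assumption is that it is run in an elevated PowerShell on the Exchange server and followed by a reboot.

```powershell
# Added example, not code from the thread. Harden SCHANNEL protocol settings and .NET TLS
# defaults on a Windows/Exchange server. Assumes an elevated session; changes need a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # SCHANNEL reads both values: Enabled=0 switches the protocol off outright;
        # DisabledByDefault=1 keeps it off unless an application asks for it explicitly.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $base "$p\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# The weak setting on this server is TLS 1.0/1.1 enabled alongside 1.2; the corrected one below
# leaves only TLS 1.2 on (SSL 2/3 were already off in the scan and are left untouched here).
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false

# .NET Framework: make managed code (Exchange, OWA, transport agents) use the OS protocol set
# and strong crypto instead of hard-coded TLS 1.0. Both 32- and 64-bit views, both runtimes.
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
    foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
        $fw = Join-Path $hive $ver
        if (Test-Path $fw) {
            New-ItemProperty -Path $fw -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $fw -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'SCHANNEL changes take effect after a reboot.'
```

Two caveats a practitioner would want: the Exchange CU and .NET levels that support TLS 1.2 must already be in place before the 1.0/1.1 keys are turned off, or Exchange's own internal connections (not just the vendor's) will start failing; and this only addresses protocol versions. The scan's other findings, the self-signed SHA-1 certificate with only .local names on it, are what a strict sending MTA will reject even after TLS 1.2 is the only version offered.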
Sunil Chauhan (Lead Administrator) commented:
Before you jump to running this script, I would like to know a few things:

  1. What email gateway are you using?
  2. Did you analyze the NDR they received?
  3. Did you check the rejection logs from your email gateway?

Note: No external application will hit your Exchange server directly; you are supposed to have an email gateway such as Microsoft Edge server, Cisco IronPort, Proofpoint, etc., and by default most email gateways use opportunistic TLS. You can also enforce TLS from your gateway settings for a specific domain.
btan (Exec Consultant) commented:
Also, in support of TLS 1.2, if that is the basis for your partner's Exchange connection:

>>Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

>>Exchange Server 2013
Install CU19 in production for TLS 1.2 support and be ready to upgrade to CU20 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

>>Exchange Server 2010
Install SP3 RU19 in production today for TLS 1.2 support and be ready to upgrade to SP3 RU20 in production after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the latest version of .NET 3.5.1 and patches.

Many protocols used in Exchange Server are HTTP based, and therefore traverse the IIS processes on the Exchange server. MAPI/HTTP, Outlook Anywhere, Exchange Web Services, Exchange ActiveSync, REST, OWA & EAC, Offline Address Book downloads, and Autodiscover are examples of HTTP based protocols used by Exchange Server.

SMTP Logs in Exchange 2010 through Exchange 2016 will contain the encryption protocol and other encryption related information used during the exchange of email between two systems.

When the server is the SMTP receiving system, the following strings exist in the log depending on the version of TLS used.


When the server is the SMTP sending system, the following strings exist in the log depending on the version of TLS used.

Deploy the latest releases for Exchange 2010, Exchange 2013, and Exchange 2016 released in March 2018. These releases are the first to support turning off TLS 1.0 and TLS 1.1.
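The log strings the post refers to are the way to find out which TLS version the vendor's MTA actually negotiated, or whether it never got past STARTTLS at all. The PowerShell below is an added example for this thread (not btan's, not Microsoft's and not the asker's code) that summarises Exchange SMTP receive protocol logs per session. Its assumptions are stated in the comments: the CSV layout with the `#Fields:` header that Exchange protocol logs use, and the TLS version appearing in the context column as a string containing `SP_PROT-TLS1_x_SERVER` (receiving) or `SP_PROT-TLS1_x_CLIENT` (sending); the regex also accepts an underscore in that position. The sample log is constructed here to exercise the parser, with three sessions: one that negotiated TLS 1.0, one that negotiated TLS 1.2, and one that stayed plaintext.

```powershell
# Added example, not code from the thread. Summarise negotiated TLS versions per SMTP
# session from Exchange protocol logs. Log layout and the SP_PROT-TLS1_x_* marker are assumed.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-09-05T10:01:02.000Z,EX01\Default Frontend EX01,08D61A,0,10.0.0.5:25,203.0.113.10:51234,+,,
2018-09-05T10:01:02.100Z,EX01\Default Frontend EX01,08D61A,1,10.0.0.5:25,203.0.113.10:51234,<,STARTTLS,
2018-09-05T10:01:02.200Z,EX01\Default Frontend EX01,08D61A,2,10.0.0.5:25,203.0.113.10:51234,*,,TLS protocol SP_PROT-TLS1_0_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits
2018-09-05T10:02:15.000Z,EX01\Default Frontend EX01,08D61B,0,10.0.0.5:25,198.51.100.7:40022,+,,
2018-09-05T10:02:15.300Z,EX01\Default Frontend EX01,08D61B,1,10.0.0.5:25,198.51.100.7:40022,*,,TLS protocol SP_PROT-TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits
2018-09-05T10:03:40.000Z,EX01\Default Frontend EX01,08D61C,0,10.0.0.5:25,192.0.2.44:55010,+,,
2018-09-05T10:03:40.400Z,EX01\Default Frontend EX01,08D61C,1,10.0.0.5:25,192.0.2.44:55010,<,MAIL FROM:<buyer@example.net>,
'@   # constructed sample; addresses are documentation ranges

function Get-SmtpTlsSummary {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$RemoteAddress          # optional: only sessions from this peer, e.g. the vendor's MTA
    )
    # Column names come from the log's own #Fields header; comment lines are skipped.
    $fields = ($LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $rows   = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
              ConvertFrom-Csv -Header ($fields -split ',')

    $sessions = [ordered]@{}
    foreach ($r in $rows) {
        $id = $r.'session-id'
        if (-not $sessions.Contains($id)) {
            # "addr:port" split assumes IPv4; an IPv6 endpoint would need a different split.
            $sessions[$id] = [pscustomobject]@{
                Session   = $id
                Remote    = ($r.'remote-endpoint' -split ':')[0]
                Connector = $r.'connector-id'
                Tls       = 'none (plaintext)'
                When      = $r.'date-time'
            }
        }
        # Assumed marker: SP_PROT-TLS1_<minor>_SERVER when receiving, _CLIENT when sending.
        if ($r.context -match 'SP_PROT[-_]TLS1_(\d)_(SERVER|CLIENT)') {
            $sessions[$id].Tls = "TLS 1.$($Matches[1])"
        }
    }
    $out = $sessions.Values
    if ($RemoteAddress) { $out = $out | Where-Object Remote -eq $RemoteAddress }
    $out | Sort-Object Remote, When
}

# Per-session view, then a count per protocol version.
Get-SmtpTlsSummary -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
Get-SmtpTlsSummary -LogLines ($sampleLog -split "`r?`n") | Group-Object Tls | Select-Object Name, Count

# Against real logs (path taken from the transport service; ProtocolLoggingLevel must be Verbose):
# Get-Content "$((Get-TransportService EX01).ReceiveProtocolLogPath)\RECV*.LOG" | Get-SmtpTlsSummary -RemoteAddress 203.0.113.10
```

Receive connectors only write the TLS line when protocol logging is set to Verbose (`Set-ReceiveConnector -ProtocolLoggingLevel Verbose`), so if the vendor's address shows up only as plaintext sessions, first confirm logging was on before concluding that STARTTLS never happened. Sessions from the vendor that end right after the `*` TLS line, with no MAIL FROM following, are the ones to match against the NDR text they sent.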
Jose Gabriel Ortega Castro (CEO) commented:
Omg why?

Open a PowerShell console as administrator
like this:

Then go to where the script was downloaded (for example the Downloads folder within your profile):
Set-ExecutionPolicy Unrestricted   # Then accept the message by pressing Y and Enter
cd $env:USERPROFILE\Downloads
# And just run the script
# Optional: set the policy back
Set-ExecutionPolicy RemoteSigned   # Then accept the message by pressing Y and Enter

and that's it.
btan (Exec Consultant) commented:
For the author's advice.
btan (Exec Consultant) commented:
No further input received; for consideration.