grevels

asked on

Starttls not showing on receive connector

I have a few customers with Exchange 2016. They all have a 3rd party SSL certificate and it is designated for IMAP, POP, IIS and SMTP. I have the main receive connector set to do TLS, but for some reason when I connect externally to port 25 with a telnet program it connects, but when I do ehlo it does not show 250-starttls. I have port 25 and 443 open to the servers. Is there something else I need to do to the server for it to accept incoming TLS, or do I need to open more ports on the firewall?
PRADIIP SINGH

Sometimes it could be blocked at your network device, maybe a firewall. Or how about internal?
grevels

ASKER

Is it port 25, or should there be another port open for it?
It's port 25 only, but I roughly remember that there was a Cisco device which can block these verbs.
Lots of firewalls do not forward STARTTLS if they don't have the SSL certificate loaded on them. Cisco is one of them. Cisco ASA appliances implement something called "smtp inspection" that will prevent STARTTLS.

Generally you can look at the '220' header to determine whether you are talking to an Exchange server or to a firewall. Exchange looks like this:

220 Ex2019.smithcons.com Microsoft ESMTP MAIL Service ready

Followed by a datestamp. A firewall will look different.

Generally speaking, the firewall should NAT or passthrough "without inspection" (unless you've configured it to do deep inspection in which case you wouldn't be asking this question). :-)
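
The banner and EHLO check described above, as an added example that is not part of any poster's reply: it reads a saved telnet transcript and reports whether the 220 banner looks like Exchange and whether STARTTLS is advertised. The function names, the sample transcripts and the masking heuristic (asterisks in the banner, verbs replaced by X characters) are assumptions made for this example.

```python
import re

REPLY = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_replies(transcript):
    """Group reply lines: 'NNN-text' continues a reply, 'NNN text' ends it."""
    replies, current = [], []
    for line in transcript.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue  # typed client commands and blank lines
        current.append(m.group(3) or "")
        if m.group(2) != "-":
            replies.append((int(m.group(1)), current))
            current = []
    return replies

def diagnose(transcript):
    replies = parse_replies(transcript)
    banner = next((t[0] for c, t in replies if c == 220), "")
    ehlo = next((t for c, t in replies if c == 250), [])
    # First 250 line is the greeting; the rest are extension keywords.
    keywords = [l.split()[0].upper() for l in ehlo[1:] if l.strip()]
    exchange = "Microsoft ESMTP MAIL Service" in banner
    # Heuristic (assumption, not from the page): inspecting firewalls are
    # commonly reported to mask the banner with '*' and verbs with 'X'.
    masked = "***" in banner or any(re.fullmatch(r"X{4,}[A-Z]?", k) for k in keywords)
    if "STARTTLS" in keywords:
        verdict = "STARTTLS advertised"
    elif masked or not exchange:
        verdict = "not talking to Exchange directly: check firewall SMTP inspection"
    else:
        verdict = "Exchange banner without STARTTLS: check receive connector and certificate"
    return {"exchange_banner": exchange, "starttls": "STARTTLS" in keywords, "verdict": verdict}

# Constructed transcripts (203.0.113.5 is a documentation address).
BANNER = "220 Ex2019.smithcons.com Microsoft ESMTP MAIL Service ready at Mon, 1 Jan 2024 10:00:00 +0000\n"
EHLO = "ehlo test.example\n250-Ex2019.smithcons.com Hello [203.0.113.5]\n250-SIZE 37748736\n"
DIRECT = BANNER + EHLO + "250-STARTTLS\n250 8BITMIME\n"
FILTERED = "220 ******************************\n" + EHLO + "250-XXXXXXXA\n250 8BITMIME\n"
NO_TLS = BANNER + EHLO + "250 8BITMIME\n"

if __name__ == "__main__":
    for name, t in [("direct", DIRECT), ("filtered", FILTERED), ("no_tls", NO_TLS)]:
        print(name, diagnose(t))
```
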
Mmm my money is on the Exchange receive connector? Did you enable TLS on there? I've never needed to open another port for a StartTLS connection, and I am the LordOfCiscoFirewalls?

Pete
ASKER CERTIFIED SOLUTION
grevels

Just FYI - you should award some points for assistance on our part. Thanks!