Problem with TLS in Exchange 2010

I'm trying to test that my Exchange 2010 SP3 UP23 is actually offering TLS on incoming SMTP emails. I have a 3rd party cert installed and assigned to the SMTP service. The default receive connector has the correct FQDN (our external MX), Authentication is TLS and Permission Group is Anonymous. I test my SMTP using MXtoolbox.com and it says my server does not offer TLS, but in the SMTP receive logs on my server I find the mxtoolbox.com connection and it has 250-StartTLS listed. I have also Telnetted to my exchange server and it also does NOT show 250-StartTLS.

What am I missing? Why do the server logs say TLS is offered, but the other end doesn't get it?
Exchange is running on Win Srv 2008 R2, fully updated, with TLS 1.0, 1.1, and 1.2.
ExchangeSMTPreceiveLOG.txt
mxtoolbox_SMTP_test.docx
Joseph Strong, IT Manager, asked:

Jose Gabriel Ortega, CEE Solution Guide - CEO Faru Bonon IT, commented:
Well, just to start: TLS 1.0 is vulnerable to attacks.

So this script will solve that: https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

Now, are you actually using TLS for a reason?
This discrepancy can be due to the TLS version, since the clients are waiting for TLS 1.1 and 1.2 and not TLS 1.0.

Run the script, reboot the computer, and try the mxtoolbox reports again.
0
timgreen7077, Exchange Engineer, commented:
Just send a test email out of your org to an external account and look at the headers and see if it was sent via TLS; also send a test email from an external domain to your internal email address and look at the headers and see if it was sent via TLS. If it was, then you are fine. Exchange uses opportunistic TLS by default, so unless you changed your receive connectors you are OK, but just do the test I mentioned and the email header will tell you if it was sent via TLS or not.
1
Joseph Strong, IT Manager (Author), commented:
Thank you both for your advice. I have found the cause of my issue. My Untangle gateway appliance strips the StartTLS from the session to prevent any encrypted email that would prevent it from filtering for spam and viruses; that's why I was seeing the StartTLS in the Exchange logs but not from outside sources.
0
Joseph Strong, IT Manager (Author), commented:
Untangle removes StartTLS
0
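The thread boils down to two checks: does the EHLO banner as seen from a given vantage point contain `250-STARTTLS`, and does a Received: header record a TLS hop (timgreen7077's test)? The following script is an added example, not code from the thread or from Untangle/Exchange; the hostnames, addresses and banner text are constructed, and `probe_starttls` is a hypothetical helper meant to be run once from the LAN and once from outside the gateway so the two results can be compared.

```python
import re
import smtplib
import sys

# Constructed EHLO replies (not real captures). INSIDE mirrors what the Exchange
# receive log showed (250-STARTTLS present); OUTSIDE mirrors what mxtoolbox and
# telnet saw after the gateway appliance removed the STARTTLS line.
EHLO_INSIDE = ("250-mail.example.test Hello [10.0.0.5]\r\n250-SIZE 10485760\r\n"
               "250-STARTTLS\r\n250-AUTH NTLM\r\n250 CHUNKING\r\n")
EHLO_OUTSIDE = ("250-mail.example.test Hello [203.0.113.9]\r\n250-SIZE 10485760\r\n"
                "250-AUTH NTLM\r\n250 CHUNKING\r\n")

def ehlo_capabilities(response: str) -> set:
    """Extract extension keywords from a multi-line 250 EHLO reply.
    The first 250 line is the greeting (server name), not a capability."""
    lines = [ln for ln in response.splitlines() if re.match(r"250[- ]", ln)]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}

def starttls_offered(response: str) -> bool:
    return "STARTTLS" in ehlo_capabilities(response)

def received_used_tls(received_header: str) -> bool:
    """True if the 'with' clause of a Received: header records a TLS hop.
    Exchange writes 'with Microsoft SMTP Server (TLS)'; many other MTAs write
    'with ESMTPS' (RFC 3848) when the hop negotiated STARTTLS."""
    m = re.search(r"\bwith\s+(.+?)(?:\s+id\s|\s+for\s|;|$)", received_header, re.S)
    if not m:
        return False
    clause = m.group(1).upper()
    return "ESMTPS" in clause or "TLS" in clause

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check from this vantage point: connect, EHLO, report STARTTLS.
    A mismatch between an inside and an outside run points at a middlebox
    rewriting the banner rather than at the receive connector settings."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return smtp.has_extn("starttls")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"
    print(f"{target}: STARTTLS offered = {probe_starttls(target)}")
```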
