Joshua DeLaura asked:

Problem with TLS in Exchange 2010

I'm trying to test that my Exchange 2010 SP3 UP23 is actually offering TLS on incoming SMTP emails. I have a 3rd party cert installed and assigned to the SMTP service. The default receive connector has the correct FQDN (our external MX), Authentication is TLS and Permission Group is Anonymous. I test my SMTP using MXtoolbox.com and it says my server does not offer TLS, but in the SMTP receive logs on my server I find the mxtoolbox.com connection and it has 250-StartTLS listed. I have also Telnetted to my Exchange server and it also does NOT show 250-StartTLS.

What am I missing? Why do the server logs say TLS is offered, but the other end doesn't get it?
Exchange is running on Win Srv 2008R2, fully updated, with TLS 1.0, 1.1, and 1.2.
ExchangeSMTPreceiveLOG.txt
mxtoolbox_SMTP_test.docx
J0rtIT replied:

Well, just to start: TLS 1.0 is vulnerable to attacks.

So this script will solve that: https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

Now, are you actually using TLS for a reason?
This discrepancy can be due to the TLS version, since the clients are waiting for TLS 1.1 and 1.2 and not TLS 1.0.

Run the script, reboot the computer, and try the mxtoolbox reports again.
timgreen7077 replied:

Just send a test email out of your org to an external account and look at the headers and see if it was sent via TLS; also send a test email from an external domain to your internal email address and look at the headers and see if it was sent via TLS. If it was, then you are fine. Exchange uses opportunistic TLS by default, so unless you changed your receive connectors you are OK, but just do the test I mentioned and the email header will tell you if it was sent via TLS or not.
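The header check suggested above can be automated. The following is an added example, not code from the thread or from Exchange: it walks the `Received:` hops of a message (outermost first) and flags each hop whose trace line carries a common TLS marker. The sample message, host names and addresses are constructed for illustration; the markers it looks for are the `(TLS)` annotation that Exchange writes into its `with Microsoft SMTP Server (TLS)` trace, the `ESMTPS`/`ESMTPSA` protocol names used by Postfix and Exim, and a bare `TLSv1.x` token, which is an assumption about the range of MTAs you may see in practice rather than an exhaustive list.

```python
import email
import re
from email import policy

# Constructed sample message (not a real capture): two Received hops, where
# only the outermost hop (the delivery into the Exchange server) used TLS.
SAMPLE_MESSAGE = """Received: from mx.example.net (203.0.113.10) by EXCH01.corp.example.com
 (10.0.0.5) with Microsoft SMTP Server (TLS) id 14.3.123.4; Tue, 1 May 2018
 10:00:00 -0400
Received: from [192.0.2.20] (helo=laptop) by mx.example.net with esmtp
 (Exim 4.89) id 1abcde-000001-Xy; Tue, 1 May 2018 09:59:58 -0400
From: sender@example.net
To: user@corp.example.com
Subject: TLS test

body
"""

# Markers that commonly indicate a TLS-protected hop. Assumption: this list
# covers Exchange, Postfix and Exim trace formats; extend it for other MTAs.
TLS_MARKERS = re.compile(
    r"(?:\bESMTPSA?\b|\(TLS\)|\bTLSv?1(?:\.\d)?\b)",
    re.IGNORECASE,
)


def received_hops(raw_message):
    """Return the Received header values, outermost (most recent) hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return [str(value) for value in msg.get_all("Received", [])]


def tls_report(raw_message):
    """Return a list of (hop_summary, used_tls) tuples, one per Received hop."""
    report = []
    for hop in received_hops(raw_message):
        # Collapse folded whitespace and keep a short, readable summary.
        summary = " ".join(hop.split())[:70]
        report.append((summary, bool(TLS_MARKERS.search(hop))))
    return report


def all_hops_used_tls(raw_message):
    """True only if every hop in the trace carries a TLS marker."""
    hops = tls_report(raw_message)
    return bool(hops) and all(used for _, used in hops)


if __name__ == "__main__":
    for summary, used in tls_report(SAMPLE_MESSAGE):
        print("TLS " if used else "PLAIN", summary)
    print("every hop encrypted:", all_hops_used_tls(SAMPLE_MESSAGE))
```

Run it against the raw source of the test message (paste it in place of `SAMPLE_MESSAGE` or read it from a file). For the inbound test, the hop you care about is the one where your Exchange server is the `by` host; for the outbound test, it is the hop where the receiving provider's MX is the `by` host. A `PLAIN` hop between your gateway and Exchange is expected if the gateway terminates TLS itself; a `PLAIN` hop from the Internet into your gateway is the symptom to chase.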
Joshua DeLaura (asker) replied:

Thank you both for your advice. I have found the cause of my issue. My Untangle gateway appliance strips the StartTLS from the session to prevent any encrypted email that would prevent it from filtering for spam and viruses. That's why I was seeing the StartTLS in the Exchange logs but not from outside sources.
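The root cause found above, a device in the path removing STARTTLS from the EHLO reply, is easiest to confirm by running the same EHLO probe twice: once from a host on the LAN directly against the Exchange server, and once from outside the perimeter against the public MX. The script below is an added example, not code from the thread, Exchange or Untangle. It speaks raw SMTP over a socket (the same dialogue you would type into telnet) and parses the reply into a capability map, so the two runs can be compared line by line. The `EHLO_*` strings are constructed sample replies used to exercise the parser offline; `probe.example.com` is a placeholder HELO name, and the host names in the samples are made up.

```python
import socket
import sys

# Constructed EHLO replies (not real captures). The second is what a client
# sees when a middlebox has dropped the STARTTLS line from the reply.
EHLO_WITH_STARTTLS = (
    "250-EXCH01.corp.example.com Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH NTLM\r\n"
    "250 OK\r\n"
)
EHLO_STRIPPED = (
    "250-EXCH01.corp.example.com Hello [203.0.113.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH NTLM\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply):
    """Parse a multi-line 250 reply into {KEYWORD: parameters}.

    The first 250 line is the server greeting and is stored under "GREETING";
    every following "250-" / "250 " line is an advertised extension.
    """
    caps = {}
    seen_greeting = False
    for line in reply.replace("\r\n", "\n").split("\n"):
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop "250-" or "250 "
        if not seen_greeting:
            caps["GREETING"] = body
            seen_greeting = True
            continue
        if body:
            keyword, _, params = body.partition(" ")
            caps[keyword.upper()] = params
    return caps


def advertises_starttls(reply):
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def read_reply(sock):
    """Read one complete SMTP reply; the last line has a space after the code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if not data.endswith(b"\r\n"):
            continue
        last = data[:-2].rsplit(b"\r\n", 1)[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            break
    return data.decode("utf-8", "replace")


def probe_starttls(host, port=25, helo_name="probe.example.com", timeout=10):
    """Connect, send EHLO, and report whether STARTTLS was advertised."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = read_reply(sock)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return {
        "banner": banner.strip(),
        "capabilities": parse_ehlo(ehlo),
        "starttls": advertises_starttls(ehlo),
    }


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    result = probe_starttls(target, target_port)
    print(result["banner"])
    for keyword, params in result["capabilities"].items():
        print("  %-12s %s" % (keyword, params))
    print("STARTTLS advertised:", result["starttls"])
```

If the LAN run shows `STARTTLS` and the external run against the same public MX does not, the Exchange server is configured correctly and something between the two vantage points is rewriting the reply, which is exactly the situation described in this thread. The Exchange receive log will still record `250-STARTTLS` in that case, because it logs what the server sent, not what the remote client received.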