TLS Inbound

I am trying to implement TLS between my organization and two others for 
encryption of health-related email content. I set up a routing group with an 
address space of the remote domain and enabled TLS on that routing group. I 
also added a valid Verisign-issued certificate to the SMTP server. Now 
messages that I send to the remote domain are TLS-enabled, but when they send 
messages to us, they get the following errors:

6043:3:2:06282005 07:09:08:Connecting to MX <xxx.xxx.org> ....
6043:3:2:06282005 07:09:08:Connecting to A <xxx.xxx.xxx.xxx> ....
6043:3:2:06282005 07:09:08:Reply: '220 
********************************************************0*2************************2******200**0**0**0***0*00 '
6043:3:2:06282005 07:09:08:Connection Status ------<1>
6043:3:2:06282005 07:09:08:Reply: '500 5.3.3 Unrecognized command'

I have reviewed all the docs I can find about TLS and it looks like it 
should work now that I have the certificate installed on the default SMTP 
virtual server. Do I need to set up a new virtual server, require TLS for 
that, and do some creative routing to get SMTP traffic from certain domains 
to that virtual server?

Ideas?
Thanks!
0
Ryan (208)
7/5/2005 6:56:03 PM
exchange.admin

Hehe - you have a Cisco PIX, don't you?  You'll have to disable the 
Mailguard (SMTP Fixup protocol).  Mailguard basically disables all ESMTP 
verbs, of which STARTTLS would be one.

-- 
Ben Winzenz
Exchange MVP
MessageOne


"Ryan" <Ryan@discussions.microsoft.com> wrote in message 
news:B3073921-E1AF-4007-9692-E42797F5C520@microsoft.com...
> I am trying to implement TLS between my organization and two others for
> encryption of health-related email content. I set up a routing group with
> an address space of the remote domain and enabled TLS on that routing group.
> I also added a valid Verisign-issued certificate to the SMTP server. Now
> messages that I send to the remote domain are TLS-enabled, but when they
> send messages to us, they get the following errors:
>
> 6043:3:2:06282005 07:09:08:Connecting to MX <xxx.xxx.org> ....
> 6043:3:2:06282005 07:09:08:Connecting to A <xxx.xxx.xxx.xxx> ....
> 6043:3:2:06282005 07:09:08:Reply: '220
> ********************************************************0*2************************2******200**0**0**0***0*00 '
> 6043:3:2:06282005 07:09:08:Connection Status ------<1>
> 6043:3:2:06282005 07:09:08:Reply: '500 5.3.3 Unrecognized command'
>
> I have reviewed all the docs I can find about TLS and it looks like it
> should work now that I have the certificate installed on the default SMTP
> virtual server. Do I need to set up a new virtual server, require TLS for
> that, and do some creative routing to get SMTP traffic from certain
> domains to that virtual server?
>
> Ideas?
> Thanks!


0
Ben
7/5/2005 8:27:03 PM
Wow Ben! Yes, we do have a Cisco PIX. We'll disable Mailguard and see how it 
works then!

Thanks!

"Ben Winzenz [Exchange MVP]" wrote:

> Hehe - you have a Cisco PIX, don't you?  You'll have to disable the 
> Mailguard (SMTP Fixup protocol).  Mailguard basically disables all ESMTP 
> verbs, of which STARTTLS would be one.
> 
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
> 
> 
0
Ryan (208)
7/5/2005 8:36:05 PM
It's not rocket science.  The 220********************************************0*2*** etc. gives it away
every time.  PIXes are the only equipment that I know of that respond that way.

-- 
Ben Winzenz
Exchange MVP
MessageOne


"Ryan" <Ryan@discussions.microsoft.com> wrote in message 
news:8693F616-BEF1-4185-82E1-50348D99624A@microsoft.com...
> Wow Ben! Yes, we do have a Cisco PIX. We'll disable Mailguard and see how
> it works then!
>
> Thanks!


0
Ben
7/5/2005 9:14:10 PM
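Ben's two observations above (Mailguard answers ESMTP verbs such as EHLO and STARTTLS with a 500, and it masks the 220 banner with asterisks) can be turned into a quick check an admin can run against their own MX before and after disabling the fixup. This is an added example, not code from the thread or from Cisco or Microsoft; the sample sessions are constructed, and the host names and the `probe()` helper are assumptions.

```python
import re
import socket

# Constructed sample sessions (not transcripts from the thread's servers).
# A Cisco PIX with Mailguard (SMTP fixup) rewrites the 220 banner to
# asterisks and answers ESMTP verbs it does not know, STARTTLS included,
# with "500 5.3.3 Unrecognized command".
PIX_MASKED_SESSION = [
    ("", "220 ********************************************0*2*** "),
    ("EHLO relay.example.test", "500 5.3.3 Unrecognized command"),
    ("STARTTLS", "500 5.3.3 Unrecognized command"),
]
CLEAN_SESSION = [
    ("", "220 mail.example.test Microsoft ESMTP MAIL Service ready"),
    ("EHLO relay.example.test",
     "250-mail.example.test Hello [192.0.2.10]\r\n"
     "250-SIZE 8290304\r\n250-STARTTLS\r\n250 OK"),
]

MASKED_BANNER = re.compile(r"^220\s+\*{8,}")


def ehlo_extensions(reply):
    """Return the set of keywords advertised in a (multi-line) EHLO reply."""
    exts = set()
    for line in reply.splitlines()[1:]:        # skip the greeting line
        if line[:3] == "250" and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts


def diagnose(session):
    """session: list of (command, reply) pairs; the first pair is the banner.

    Returns (verdict, findings) with verdict one of
    'mailguard_suspected', 'starttls_ok' or 'no_starttls'."""
    findings = []
    if MASKED_BANNER.match(session[0][1]):
        findings.append("220 banner masked with asterisks (Mailguard signature)")
    replies = {cmd.split()[0].upper(): rep for cmd, rep in session if cmd}
    ehlo = replies.get("EHLO", "")
    if ehlo.startswith("500"):
        findings.append("EHLO answered with 500: ESMTP verbs blocked in transit")
    if replies.get("STARTTLS", "").startswith("500"):
        findings.append("STARTTLS answered with 500")
    if findings:
        return "mailguard_suspected", findings
    if "STARTTLS" in ehlo_extensions(ehlo):
        return "starttls_ok", ["STARTTLS advertised in EHLO reply"]
    return "no_starttls", ["server reachable but STARTTLS not advertised"]


def _read_reply(sock):
    """Read one SMTP reply, including any 250-... continuation lines."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.decode("latin-1").splitlines()
        if lines and re.match(r"^\d{3} ", lines[-1]) and data.endswith(b"\r\n"):
            break
    return data.decode("latin-1").rstrip("\r\n")


def probe(host, port=25, timeout=10):
    """Assumed helper: banner + EHLO against your own MX, from outside the PIX."""
    session = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        session.append(("", _read_reply(sock)))
        for cmd in ("EHLO probe.example.test", "QUIT"):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            session.append((cmd, _read_reply(sock)))
    return session[:-1]                        # drop the QUIT exchange
```

Run `diagnose(probe("your.mx.example"))` from a host on the far side of the firewall; a clean Exchange 2003 virtual server with a certificate installed should come back `starttls_ok`.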
Ben,

Do you have experience with the Fortinet FortiGate firewall? If I turn on the 
anti-virus that is built in to this firewall, incoming email stops after two 
or three STARTTLS attempts and goes to QUIT. 

Thanks.

Yao Hung

"Ben Winzenz [Exchange MVP]" wrote:

> It's not rocket science.  The
> 220********************************************0*2*** etc.  gives it away 
> every time.  PIX's are the only equipment that I know that respond that way.
> 
> -- 
> Ben Winzenz
> Exchange MVP
> MessageOne
> 
0
YaoHung (1)
10/17/2006 3:21:02 PM