Sending through port 25

Mikhail Firsov 1,881 Reputation points
2023-07-14T11:23:39.0866667+00:00

Hello!

...for testing purposes I needed to enable IMAP/SMTP for an internal client and was puzzled by the following: as I didn't want to use TLS, I had configured the IMAP client (Thunderbird) to use ports 143 and 25; nevertheless I saw this error:


Thunderbird was complaining that the certificate presented by the mail server was not trusted - this was the Exchange Server's "auto-generated" certificate, so two questions arise:

Q1: Why does sending to port 25 - not secured by SSL/TLS! - lead to Exchange sending its internal certificate to the client?

Q2: If the server really does need to use its certificate even for unencrypted connections on port 25, why didn't it use its "real" configured certificate from my local CA?


Thank you in advance,
Michael


Accepted answer
  1. Kael Yao 37,746 Reputation points Moderator
    2023-07-17T06:04:51.5866667+00:00

    Hi @Mikhail Firsov

    Q1: Why does sending to port 25 - not secured by SSL/TLS! - lead to Exchange sending its internal certificate to the client?

    By default Exchange uses opportunistic TLS:

    Exchange will always first try to establish a TLS connection with the client.

    If that fails, Exchange falls back to not using TLS.

    Since a TLS connection needs a certificate and the Exchange self-signed certificate was not trusted by the client, the TLS connection failed, and thus the connection did not use TLS.

    Q2: If the server really does need to use its certificate even for unencrypted connections on port 25, why didn't it use its "real" configured certificate from my local CA?

    Have you configured the server FQDN (mail.contoso1.net) on the receive connector (Default Frontend EXCH1)?



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
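    A small diagnostic for the two points above, added here as an example and not taken from the thread or from Exchange: `parse_ehlo` shows which keywords a connector advertises (the sample reply is constructed), and `probe_starttls` repeats the client's opportunistic STARTTLS attempt against a connector, first with verification as Thunderbird does it and optionally without, so the thumbprint of the certificate actually served can be matched against the server's certificate list. The host name mail.contoso1.net comes from the thread; the function names and sample reply are assumptions.

```python
import hashlib
import smtplib
import ssl

# Constructed EHLO reply shaped like an Exchange frontend connector's (not captured from this thread).
SAMPLE_EHLO = (
    b"250-EXCH1.contoso1.net Hello [10.0.0.5]\r\n"
    b"250-SIZE 37748736\r\n250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n"
    b"250-STARTTLS\r\n250-X-ANONYMOUSTLS\r\n250-AUTH NTLM\r\n250-X-EXPS GSSAPI NTLM\r\n"
    b"250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n"
)

def parse_ehlo(reply: bytes) -> set[str]:
    """ESMTP keywords advertised in a raw EHLO reply (greeting line skipped). STARTTLS is
    the offer behind opportunistic TLS; AUTH and X-EXPS only advertise mechanisms that an
    anonymous sender never invokes."""
    keywords = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if line.startswith(("250-", "250 ")) and line[4:].strip():
            keywords.add(line[4:].split()[0].upper())
    return keywords

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the form Exchange lists certificates, to identify the served cert."""
    return hashlib.sha1(der).hexdigest().upper()

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0, verify: bool = True) -> dict:
    """Plaintext connect, EHLO, then one STARTTLS handshake against the connector.
    verify=True checks chain and hostname like Thunderbird, so an untrusted self-signed cert
    fails here; verify=False skips validation only to learn which certificate was served."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    out = {"starttls_offered": False, "tls_ok": False, "error": None, "thumbprint": None}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        out["starttls_offered"] = smtp.has_extn("starttls")
        if out["starttls_offered"]:
            smtp.starttls(context=ctx)
            out["tls_ok"] = True
            out["thumbprint"] = thumbprint(smtp.sock.getpeercert(binary_form=True))
    except ssl.SSLError as exc:  # untrusted chain or name mismatch: the error Thunderbird showed
        out["error"] = str(exc)
    finally:
        smtp.close()  # no QUIT: after a failed handshake the server no longer speaks plaintext
    return out
```

    Run `probe_starttls("mail.contoso1.net")` and then the same with `verify=False`; the first reproduces the client's failure, the second tells you which certificate the Default Frontend connector picked.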


3 additional answers


  2. Mikhail Firsov 1,881 Reputation points
    2023-07-24T14:51:07.2966667+00:00

    Hi Kael Yao-MSFT,

    First - sorry for the delay (was on a short vacation), second - thank you very much for your explanations:

    Q1: OK, I got it (I used to think TLS was used only for port 587).

    Q2: "Have you configured the server FQDN (mail.contoso1.net) on the receive connector (Default Frontend EXCH1)?" - no, I haven't - seems this is the explanation for Q2.

    I tried to change exch1.contoso1.net to mail.contoso1.net and got this:


    Removing Exchange servers from the Authentication section does solve the problem, but this window - the Security tab for the Default FrontEnd connector - was always strange to me: this connector is primarily used for receiving anonymous email from internet servers, so what's the purpose of having so many different authentication mechanisms for anonymous email?

    Regards,
    Michael


  3. Mikhail Firsov 1,881 Reputation points
    2023-07-26T12:41:13.6633333+00:00

    "These authentication methods (except TLS) are not used by anonymous senders, as by default Exchange would accept emails from anonymous senders on port 25, which doesn't require the senders to be authenticated." - this is exactly what I can't understand: if they are not needed, why are they there?

    Thank you for your help once again!

    Regards,
    Michael
