Can a Kemp load balancer cause issues with mail delivery when SSL offload is enabled for port 25 and domain secure is enabled on the receive connector?

Chris M 0 Reputation points

I wonder if someone is able to confirm this for me, please?

We had a recent issue where emails from our M365 to our on-prem Exchange were being delayed, and we found that one of our 2 Exchange servers had domain secure enabled. This caused mail not to go to one of the servers; it had to time out and be directed to the server without domain secure enabled. Disabling this setting allowed our emails to flow without delay to on-prem again. The issue is that this should be enabled.

While looking, we found we have a load balancer in front of Exchange doing SSL offload for port 25 for incoming mail. From what I have read, domain secure needs a direct route from M365 to on-prem without anything in between that can packet-share or modify certificates. Is this still the case, and could the SSL offload cause the issue when domain secure is enabled?

Many thanks


1 answer

  1. Noah Ma-MSFT 1,615 Reputation points Microsoft Vendor

    Hi @Chris M,

    Based on your description, I understand you have a concern about whether enabling an SSL offload load balancer and a domain secure connector at the same time makes a difference to the delay of email.

    Offloading should only be enabled when you're running a hardware load balancer, you're happy with how you've got your network secured, and your Exchange Servers would benefit from the reduced overhead of not having to perform SSL decryption.

    However, offloading should be disabled when you need to connect directly to an Exchange Server over HTTPS, and it is not supported with a TLS-protected connection.

    You could kindly disable the SSL offload and then enable the domain secure connector to see if it works.

    Hope the information helps, and if you have any questions, please feel free to contact me.
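Domain secure is mutual TLS between the two mail systems, so the on-prem server itself has to present a valid SMTP certificate and require TLS on the connector, and the peer domain has to be on the organisation-wide receive list; a device that terminates TLS in front of Exchange breaks that by presenting its own certificate to the sender. The script below is an added example, not code from the thread or from Microsoft: it runs in the Exchange Management Shell and audits those server-side prerequisites so you can tell a misconfigured connector apart from a load-balancer problem. The server name `EX01` and the peer domain `contoso.mail.onmicrosoft.com` are placeholder assumptions; replace them with your own values.

```powershell
# Added example (not from the original thread): audit the Exchange-side prerequisites for
# Domain Secure (mutual TLS) on SMTP receive connectors. Run from the Exchange Management Shell.
# Assumed placeholders: server "EX01" and peer domain "contoso.mail.onmicrosoft.com".
param(
    [string]$Server     = "EX01",
    [string]$PeerDomain = "contoso.mail.onmicrosoft.com"
)

$findings = @()

# Certificates enabled for the SMTP service on this server; Domain Secure needs one that
# covers the connector FQDN and has not expired. (Wildcard names are not matched here.)
$smtpCerts = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'SMTP' }
foreach ($c in ($smtpCerts | Where-Object { $_.NotAfter -lt (Get-Date) })) {
    $findings += "Certificate $($c.Thumbprint) ($($c.Subject)) is bound to SMTP but expired $($c.NotAfter)"
}

# 1. A receive connector only performs Domain Secure when DomainSecureEnabled is set,
#    RequireTLS is set, and Tls is one of its auth mechanisms. Missing any of these means
#    the mutual-TLS handshake for a listed peer domain fails and the sender retries elsewhere.
foreach ($rc in (Get-ReceiveConnector -Server $Server)) {
    if (-not $rc.DomainSecureEnabled) { continue }

    if (-not $rc.RequireTLS) {
        $findings += "Receive connector '$($rc.Name)': DomainSecureEnabled but RequireTLS is false"
    }

    # AuthMechanism is a flags value such as "Tls, Integrated, BasicAuthRequireTLS";
    # split it so "BasicAuthRequireTLS" alone does not count as "Tls".
    $mechs = $rc.AuthMechanism.ToString() -split ',\s*'
    if ($mechs -notcontains 'Tls') {
        $findings += "Receive connector '$($rc.Name)': DomainSecureEnabled but AuthMechanism lacks Tls ($($rc.AuthMechanism))"
    }

    # The connector FQDN is what the sender validates against the presented certificate.
    if ($null -eq $rc.Fqdn) {
        $findings += "Receive connector '$($rc.Name)': no FQDN set"
    } else {
        $fqdn  = $rc.Fqdn.ToString()
        $match = $smtpCerts | Where-Object {
            ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
        }
        if (-not $match) {
            $findings += "Receive connector '$($rc.Name)': no SMTP-enabled certificate covers FQDN '$fqdn'"
        }
    }
}

# 2. Domain Secure is never attempted for a sender domain that is not on the
#    organisation-wide TLSReceiveDomainSecureList, even with a correct connector.
$tc = Get-TransportConfig
$receiveList = $tc.TLSReceiveDomainSecureList | ForEach-Object { $_.ToString() }
if ($receiveList -notcontains $PeerDomain) {
    $findings += "TransportConfig: '$PeerDomain' is not in TLSReceiveDomainSecureList"
}

# 3. Report. Anything listed is a reason the handshake can fail on this server by itself.
#    An empty list with delivery that still stalls only via the load balancer VIP points at
#    the intermediary: TLS termination (SSL offload) replaces the certificate the sender sees,
#    so the mutual-TLS check can no longer succeed end to end.
if ($findings.Count -eq 0) {
    Write-Output "No Domain Secure prerequisite problems found on $Server."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once per Exchange server behind the load balancer; in the situation described above, one server reporting findings and the other reporting none is consistent with the delay being caused by the connector configuration rather than by the balancer, while identical clean results on both servers shift attention to what sits between M365 and port 25.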