Unable to receive emails from internet via TLS

asked 2021-03-11T17:54:19.263+00:00
Joshua Thompson 171 Reputation points

We are unable to receive emails from external domains over TLS, they are accepted over non TLS channels. It does not appear the internet receive connector on our on-premises exchange server box is not offering the STARTTLS option. (I am trying to figure out why).

If I check internally using "telnet mail.domain.com 25" then I can see that STARTTLS is offered.
If I check externally I see no STARTTLS offered.

This tells me that the internet email comes over a different connector than what I just tested.

I have checked all my receive connectors on my on-premises exchange server and ALL have the AuthMechanism showing TLS.

What receive connector handles inbound external emails?

What should I look for on that connector to verify that it can handle TLS connections and offer up the STARTTLS option?
Does the FQDN on the receive connector have to match the certification name?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,064 questions
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2021-03-12T02:35:22.343+00:00
    Joyce Shen - MSFT 16,306 Reputation points Microsoft Employee

    Hi @Joshua Thompson

    What's your Exchange server version? What NDR message did the sender receive when failed sending the message?

    The receive connector Default Frontend <ServerName> accepts anonymous connections from external SMTP servers. This is the common messaging entry point into your Exchange organization.

    You could also refer to the official document: Scenarios for custom Receive connectors in Exchange Server

    Scenario 2: Receive email from a partner
    For this scenario, the Receive connector listens for TLS authenticated SMTP connections on port 25, but only from the specific IP addresses of the partner organization. No default Receive connector is suitable for this scenario; you need to create a custom Receive connector.

    And here is a related thread discussed about the issue Receive connector won't work for TLS-enabled domains
    You may also check Configuring the TLS Certificate Name for Exchange Server Receive Connectors

    If an Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    No comments