Exchange 2013 - Make sure that TLS 1.2 is enabled

Jack Chuong 856 Reputation points
2021-10-05T09:26:59.543+00:00

Hi all,
My environment: 3 Exchange 2013 CU23 (CAS + Mailbox roles) servers (Windows Server 2008 R2) in 1 DAG.
My user sends mail to a customer (Exchange Online, I guess); sometimes it is successful, sometimes unsuccessful. This is the feedback from the recipient:

unsuccessful
Mon Oct 4 13:33:46 2021 Info: ICID 5493853 address 1.2.3.4 dns host mail.mydomain.com sbrs 5.1
Mon Oct 4 13:33:46 2021 Info: ICID 5493853 >> 220 mx1.customer.com ESMTP
Mon Oct 4 13:33:46 2021 Info: ICID 5493853 << EHLO mail.mydomain.com
Mon Oct 4 13:33:46 2021 Info: ICID 5493853 >> 250-mx1.customer.com\r\n250-8BITMIME\r\n250-SIZE 20971520\r\n250 STARTTLS
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 << STARTTLS
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 220 Go ahead with TLS
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 454 TLS not available due to a temporary reason
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 500 #5.5.1 command not recognized
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 500 #5.5.1 command not recognized
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 close

successful
However when sending from ex01.mydomain.com, the emails are working fine.

Mon Oct 4 16:39:48 2021 Info: ICID 5503648 address 1.2.3.4 dns host ex01.mydomain.com sbrs 5.1
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 >> 220 mx1.customer.com ESMTP
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 << EHLO mail.mydomain.com
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 >> 250-mx1.customer.com\r\n250-8BITMIME\r\n250-SIZE 20971520\r\n250 STARTTLS
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 << MAIL FROM:<myuser@mydomain.com> SIZE=203438
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 >> 250 sender <myuser@mydomain.com> ok
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 << RCPT TO:<mycustomer@mycustomer.com>
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 >> 250 recipient <mycustomer@mycustomer.com> ok
Mon Oct 4 16:39:49 2021 Info: ICID 5503648 << DATA
Mon Oct 4 16:40:04 2021 Info: ICID 5503648 >> 354 go ahead
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 >> 250 ok: Message 3234043 accepted
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 << QUIT
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 >> 221 mx1.customer.com
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 close

They suggested that we check the TLS encryption settings on our servers, as one is working and the other is not.
I tried to check with https://www.checktls.com/TestSender; this is the result:

SUCCESSFUL //email/test From:
Your email was sent securely using TLS.
SSLDeprecated:  SSL Version is insecure/deprecated (NIST 800-52)
(this email intentionally has limited formatting)

I read this article: https://kemptechnologies.com/blog/enabling-tls-1-2-on-exchange-server-2013-2016-part-1/
and checked my servers' registry:

Schannel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server --> enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client --> this key does not exist; do I have to create it manually?

WinHTTP

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  2. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    DefaultSecureProtocols key does not exist; do I have to create it manually?

.NET Framework

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    SystemDefaultTlsVersions key does not exist; do I have to create it manually?

It seems my OS, Windows Server 2008 R2, is too old, so TLS 1.2 is not enabled by default and I have to force it?
Please give me some advice, thank you very much.

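As an added example (not from the question, the linked article, or Microsoft's guidance), the following PowerShell script audits the registry values the question asks about and, when run with -Apply, creates the missing keys and values. The DefaultSecureProtocols value 0xA80 is an assumption that keeps TLS 1.0 and 1.1 enabled alongside TLS 1.2 (0x80 + 0x200 + 0x800); 0x800 would restrict WinHTTP to TLS 1.2 only. The SchUseStrongCrypto value is included because the Exchange TLS guidance sets it together with SystemDefaultTlsVersions.

```powershell
# Added example, not from the question or Microsoft's guidance: audit the TLS 1.2 registry
# values the question lists and, with -Apply, create the missing keys and values.
# Run in an elevated PowerShell on each Exchange server, then reboot (Schannel and .NET
# read these values at start-up). Values marked "assumption" are choices, not page facts.
[CmdletBinding()]
param(
    [switch]$Apply,                      # without -Apply the script only reports
    [uint32]$WinHttpProtocols = 0xA80    # assumption: TLS 1.0+1.1+1.2 (0x80+0x200+0x800); 0x800 = TLS 1.2 only
)

$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$checks = @(
    # Schannel: Server covers inbound SMTP/HTTPS, Client covers outbound SMTP (the failing direction in the logs).
    # On 2008 R2 the TLS 1.2 keys do not exist by default, so DisabledByDefault must be set to 0 explicitly.
    @{ Path = "$tls12\Server"; Name = 'Enabled';           Expect = 1 },
    @{ Path = "$tls12\Server"; Name = 'DisabledByDefault'; Expect = 0 },
    @{ Path = "$tls12\Client"; Name = 'Enabled';           Expect = 1 },
    @{ Path = "$tls12\Client"; Name = 'DisabledByDefault'; Expect = 0 },
    # WinHTTP, 64-bit and 32-bit hives; honoured only once the WinHTTP update from the accepted answer is installed.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp';             Name = 'DefaultSecureProtocols'; Expect = $WinHttpProtocols },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Expect = $WinHttpProtocols },
    # .NET Framework 4.x (Exchange transport is managed code): follow the OS protocol list and use strong crypto.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Expect = 1 }
)

foreach ($c in $checks) {
    $current = $null
    if (Test-Path -Path $c.Path) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    $state = if ($null -eq $current) { 'MISSING' } elseif ($current -eq $c.Expect) { 'OK' } else { 'WRONG' }
    '{0,-8} {1}\{2} = {3} (want 0x{4:X})' -f $state, $c.Path, $c.Name, $current, $c.Expect

    if ($Apply -and $state -ne 'OK') {
        # New-Item creates the whole path, e.g. the missing "TLS 1.2\Client" key asked about in the question
        if (-not (Test-Path -Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expect -PropertyType DWord -Force | Out-Null
    }
}
if ($Apply) { 'Values written. Reboot the server for Schannel and .NET to pick them up.' }
```

Run it once without -Apply to see which of the ten values are missing or wrong on each of the three DAG members; differences between servers are exactly what would make one host succeed and another fail against the same recipient. Apply the change on one server first and re-test before touching the rest of the DAG.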

Accepted answer
  1. Andy David - MVP 145.1K Reputation points MVP
    2021-10-05T11:40:48.057+00:00

    Follow this official guidance

    https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/ba-p/607649

    Windows Server 2008 R2 SP1
    TLS 1.2 is supported by the OS but is disabled by default.
    Ensure your server is current on Windows updates.
    This should include security update KB3161949 for the current version of WinHTTP.
    This should include optional recommended update KB3080079 which adds TLS 1.2 capability to Remote Desktop Services if you intend to connect to 2008 R2 SP1 based Exchange Servers via Remote Desktop. Also install this update on any Windows 7 machines you intend to connect from.
    If you rely on SHA512 certificates; please see KB2973337.
    Exchange 2010 Installs Only: Install 3154518 for .NET Framework 3

    2 people found this answer helpful.

2 additional answers

  1. Jack Chuong 856 Reputation points
    2021-10-11T08:00:12.723+00:00

    I enabled TLS 1.2 on the Exchange servers by:
    2. Following the instructions in this article for editing the registry and rebooting the server: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761
    Our servers are using TLS 1.2 for outgoing messages now.
    This is the message header of a test mail to Gmail:

    version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128

    This is the result from https://www.checktls.com/TestSender:

    SUCCESSFUL //email/test From:
    Your email was sent securely using TLS.

    I have not disabled TLS 1.0/1.1 yet, since I think it should be kept to support other legacy mail systems, just in case.

    1 person found this answer helpful.
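The header above shows what the remote side negotiated after the fix; the following script, added here and not part of the thread, lets you observe the same thing before relying on a third-party test. It replays the EHLO / STARTTLS exchange seen in the recipient's log against a given MX and reports the TLS version and cipher that this host negotiates. In the recipient's log the 454 arrives after "220 Go ahead with TLS", i.e. the server agreed to TLS and the handshake that followed failed, so running this from the affected server with -Protocols Tls12 and then Tls or Tls11 shows which versions it can actually complete. mx1.customer.com is the placeholder name from the thread; the script file name is an assumption.

```powershell
# Added example, not from the thread: replay the EHLO / STARTTLS exchange shown in the
# recipient's log against a remote MX and report which TLS version and cipher this host
# negotiates. Run it from the Exchange server itself so it uses the same Schannel client
# settings as the transport service.
param(
    [Parameter(Mandatory = $true)][string]$Mx,                 # remote MX host, e.g. mx1.customer.com (placeholder)
    [int]$Port = 25,
    [string]$Helo = [System.Net.Dns]::GetHostName(),           # assumption: use the send connector's FQDN in practice
    [System.Security.Authentication.SslProtocols]$Protocols = 'Tls12'   # try Tls or Tls11 to see what the peer rejects
)

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Collects a possibly multi-line reply; continuation lines have '-' after the 3-digit code.
    $lines = @()
    do { $line = $Reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return $lines
}

$client = New-Object System.Net.Sockets.TcpClient($Mx, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

try {
    Read-SmtpReply $reader | ForEach-Object { ">> $_" }                    # 220 banner
    $writer.WriteLine("EHLO $Helo"); "<< EHLO $Helo"
    $ehlo = Read-SmtpReply $reader; $ehlo | ForEach-Object { ">> $_" }
    if (-not ($ehlo -match 'STARTTLS')) { throw 'Peer does not advertise STARTTLS' }

    $writer.WriteLine('STARTTLS'); '<< STARTTLS'
    $reply = Read-SmtpReply $reader; $reply | ForEach-Object { ">> $_" }
    if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

    # Handshake restricted to the requested protocol(s). The certificate is accepted unconditionally
    # (opportunistic TLS does not validate it) but its subject and expiry are printed for inspection.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
    $ssl.AuthenticateAsClient($Mx, $null, $Protocols, $false)
    'Negotiated {0}, cipher {1} ({2} bits), key exchange {3}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.KeyExchangeAlgorithm
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
    'Peer certificate: {0}, expires {1}' -f $cert.Subject, $cert.NotAfter

    # EHLO must be repeated on the encrypted channel; then end the session cleanly.
    $sw = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII); $sw.NewLine = "`r`n"; $sw.AutoFlush = $true
    $sr = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
    $sw.WriteLine("EHLO $Helo"); Read-SmtpReply $sr | Out-Null
    $sw.WriteLine('QUIT'); Read-SmtpReply $sr | ForEach-Object { ">> $_" }
}
catch { "Probe failed: $($_.Exception.Message)" }   # a failure with -Protocols Tls12 points at this host's Schannel client settings
finally { $client.Close() }
```

Usage: `.\Probe-StartTls.ps1 -Mx mx1.customer.com -Protocols Tls12` (assumed file name). If the handshake succeeds with Tls12 but the transport service still fails, compare the FQDN and certificate the send connector uses with what this probe sends; if Tls12 fails here too, the Schannel client-side keys are the first thing to check.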

  2. Jack Chuong 856 Reputation points
    2021-10-06T13:13:03.417+00:00

    Our customer tried to add our domain and our mail server IP addresses to their whitelist temporarily, but I still get the problem when sending email to them. This is the log from their side when my mail server tries to deliver a message:

    IP 1.2.3.4 (my mail server IP)
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 address 1.2.3.4 dns host mail.mydomain.com sbrs 5.1
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 >> 220 mx1.customer.com ESMTP
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 << EHLO mail.mydomain.com
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 >> 250-mx1.customer.com\r\n250-8BITMIME\r\n250-SIZE 20971520\r\n250 STARTTLS
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 << STARTTLS
    Wed Oct  6 12:34:02 2021 Info: ICID 5643934 >> 220 Go ahead with TLS
    Wed Oct  6 12:34:03 2021 Info: ICID 5643934 >> 454 TLS not available due to a temporary reason
    

    Is there anything they can do to fix this problem temporarily, until the end of this week?
    Can I disable TLS for emails sent to a specific customer's domain?
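The logs in this thread all follow the same "ICID" session format, and the difference between the failing and the working session is visible only once the lines are grouped per session: both hosts get "220 Go ahead with TLS", but only one of them is then answered with "454 TLS not available due to a temporary reason", while the other goes on to "250 ok". The following PowerShell function, added here and not part of the thread, does that grouping over a few constructed log lines modelled on the ones above (placeholders 1.2.3.4, mydomain.com and customer.com are the thread's own) so the same triage can be run over a larger export from the recipient.

```powershell
# Added example, not from the thread: group ICID-style SMTP log lines per session and classify
# whether STARTTLS completed, failed after the server agreed to it, or was never attempted.
# The sample lines are constructed after the logs quoted in the thread.
$sample = @'
Mon Oct 4 13:33:46 2021 Info: ICID 5493853 address 1.2.3.4 dns host mail.mydomain.com sbrs 5.1
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 << STARTTLS
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 220 Go ahead with TLS
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 >> 454 TLS not available due to a temporary reason
Mon Oct 4 13:33:47 2021 Info: ICID 5493853 close
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 address 1.2.3.4 dns host ex01.mydomain.com sbrs 5.1
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 << STARTTLS
Mon Oct 4 16:39:48 2021 Info: ICID 5503648 >> 220 Go ahead with TLS
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 >> 250 ok: Message 3234043 accepted
Mon Oct 4 16:40:07 2021 Info: ICID 5503648 close
'@ -split "`r?`n"

function Get-StartTlsOutcome {
    param([string[]]$Lines)
    $sessions = @{}   # ICID -> per-session state, built up line by line
    foreach ($line in $Lines) {
        if ($line -notmatch 'ICID (?<icid>\d+) (?<rest>.*)$') { continue }
        $icid = $Matches.icid; $rest = $Matches.rest
        if (-not $sessions.ContainsKey($icid)) {
            $sessions[$icid] = [ordered]@{ ICID = $icid; IP = '?'; Host = '?'; StartTls = $false; TlsReply = ''; Outcome = 'no STARTTLS' }
        }
        $s = $sessions[$icid]
        switch -Regex ($rest) {
            '^address (?<ip>\S+) dns host (?<host>\S+)' { $s.IP = $Matches.ip; $s.Host = $Matches.host }
            '^<< STARTTLS'                              { $s.StartTls = $true; $s.Outcome = 'handshake pending' }
            '^>> 220 Go ahead'                          { if ($s.StartTls) { $s.TlsReply = '220' } }
            # 454 after the 220 means the server agreed to TLS and the handshake itself failed
            '^>> 454 '                                  { if ($s.TlsReply -eq '220') { $s.Outcome = 'TLS handshake failed' } }
            '^>> 250 ok: Message'                       { $s.Outcome = if ($s.TlsReply -eq '220') { 'delivered over TLS' } else { 'delivered in clear' } }
        }
    }
    $sessions.Values | ForEach-Object { [pscustomobject]$_ }
}

Get-StartTlsOutcome -Lines $sample | Format-Table ICID, IP, Host, Outcome -AutoSize
```

To use it on a real export, replace `$sample` with `Get-Content .\recipient-log.txt`. Sorting the output by Host shows at a glance whether the failures cluster on one of the three DAG members, which is the case to investigate on that server's Schannel and .NET settings rather than on the recipient's side.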