Exchange 2010 TLS is not an option on this server
Hi All,

One of my clients is getting bounced-back email whenever he tries to send emails to my domain. Below is the bounced-back message:

Email was not delivered to: zeeshan@example.com
because:
This is a delivery status notification, automatically generated by MTA 19.mail.hsbc.co.uk on Tue, 04 Sep 2012 12:33:54 +0100
Regarding recipient(s) : zeeshan@example.com
Delivery status : Failed. Message could not be delivered to domain <example.com>. Your mail administrator requires that all email addressed to this domain <example.com> is delivered over a secure channel using SSL. The recipient server does not currently support TLS. Contact your mail administrator to verify that mail to this domain <example.com> must be delivered over a secure channel.
MTA Response : None
The original message headers are included as attachment.

Also, when I run an SMTP test against my domain, I am getting "Warning - Does not support TLS."

Can anyone please help me solve this problem?
September 7th, 2012 4:32am


On Fri, 7 Sep 2012 10:38:15 +0000, Zeeshan Butt wrote:

> Hi All,
>
> One of my clients is getting bounced-back email whenever he tries to send emails to my domain. Below is the bounced-back message:
>
> Email was not delivered to: zeeshan@example.com
> because:
> This is a delivery status notification, automatically generated by MTA 19.mail.hsbc.co.uk on Tue, 04 Sep 2012 12:33:54 +0100
> Regarding recipient(s) : zeeshan@example.com
> Delivery status : Failed. Message could not be delivered to domain <example.com>. Your mail administrator requires that all email addressed to this domain <example.com> is delivered over a secure channel using SSL. The recipient server does not currently support TLS. Contact your mail administrator to verify that mail to this domain <example.com> must be delivered over a secure channel.
> MTA Response : None
> The original message headers are included as attachment.
>
> Also, when I run an SMTP test against my domain, I am getting "Warning - Does not support TLS."
>
> Can anyone please help me solve this problem?

Run "Get-ReceiveConnector <name> | fl name,fqdn" to get the FQDN used by the receive connector. Use it to see if the name appears in any of the certificates below.

When you run "Get-ExchangeCertificate | fl thumbprint,certificatedomains,services", does your FQDN appear in any of the "certificatedomains", and does the "services" for that certificate include "SMTP"?

---
Rich Matheisen MCSE+I, Exchange MVP
September 7th, 2012 12:22pm

Hi,

Any more suggestions?

Thanks & Regards,
September 8th, 2012 3:02am

On Sat, 8 Sep 2012 06:51:17 +0000, Zeeshan Butt wrote:

> Any more suggestions?

Any more information?

---
Rich Matheisen MCSE+I, Exchange MVP
September 8th, 2012 1:21pm

Hi,

Thanks for your help. I will check those settings which you suggested. Can you please elaborate how TLS works in Exchange 2010? Is there any dependency on Exchange certificates? Do I need to make any modifications on my Exchange server?

Waiting for your reply anxiously.

Thanks & Regards,
Zeeshan Butt
September 8th, 2012 2:23pm

On Sat, 8 Sep 2012 18:12:19 +0000, Zeeshan Butt wrote:

> Thanks for your help. I will check those settings which you suggested. Can you please elaborate how TLS works in Exchange 2010? Is there any dependency on Exchange certificates? Do I need to make any modifications on my Exchange server?
>
> Waiting for your reply anxiously.

Exchange creates a self-signed certificate during installation and uses that to enable the HT server to add STARTTLS to the set of ESMTP keywords. Since you haven't said what you've done to cause Exchange to *not* offer STARTTLS, I was waiting for the results of the two cmdlets before offering any advice. I don't know if you added a 3rd-party certificate to the server or just removed the self-signed certificate. Neither do I know if this is just a problem caused by some device between your Exchange server and the Internet.

From the Exchange server, try this:

telnet server-name 25

Then, after the 220 banner is displayed, enter "EHLO" and hit the "enter" key. In the list of keywords that are displayed, do you see STARTTLS?

I'm also assuming that your domain is "example.com" in the original posted data.

---
Rich Matheisen MCSE+I, Exchange MVP
September 8th, 2012 11:22pm

Hi,

Please find below the snapshots. The first thumbprint is for the internal certificate, the second thumbprint is the third-party certificate, and the last one comes by default after installing Exchange 2010.

Waiting for your advice, and thanks a lot for your support.

Thanks & Regards,
Zeeshan Butt
September 9th, 2012 3:06am


On Sun, 9 Sep 2012 07:06:49 +0000, Zeeshan Butt wrote:

> Please find below the snapshots.

But what about the results of the "telnet"? Do you, or don't you, see the STARTTLS in the advertised keywords?

> The first thumbprint is for the internal certificate, the second thumbprint is the third-party certificate, and the last one comes by default after installing Exchange 2010.
>
> Waiting for your advice, and thanks a lot for your support.

The certificates look okay -- provided that they haven't expired. Try this:

Enable-ExchangeCertificate 2D48D...... -Services IMAP,POP,SMTP

You can also see what your server is getting from, and sending to, the other server by looking at the SMTP Receive protocol logs. Do you see your server sending the STARTTLS keyword after receiving the EHLO command from that other company's server? How about other servers that send you e-mail? If they send the EHLO command, your server should send the STARTTLS keyword if there's a valid certificate on your server.

If you advertise the STARTTLS keyword and the other server (or servers) never use it, it may be that you have some device (e.g. a Cisco firewall) that prevents the STARTTLS from reaching them, or from reaching your server.

---
Rich Matheisen MCSE+I, Exchange MVP
September 9th, 2012 11:20am

Hi Rich,

I have run the above command. After that I ran the SMTP test from the mxtoolbox site, and below is the result:

EHLO please-read-policy.mxtoolbox.com
250-NEXUSDUAPPBDA01.nexusadvice.com Hello mxtb-pws3.mxtoolbox.com [64.20.227.133], pleased to meet you
250-SIZE 20000000
250-PIPELINING
250-8BITMIME
250 HELP [250 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Sender <supertool@mxtoolbox.com> OK [265 ms]
RCPT TO: <test@example.com>
550 No such domain at this location [265 ms]
QUIT
221 NEXUSDUAPPBDA01.nexusadvice.com Goodbye mxtb-pws3.mxtoolbox.com, closing connection [250 ms]

Please note that when I run telnet from my Exchange server it shows STARTTLS OK, but from external it is not showing STARTTLS. You can also try to telnet my SMTP server "mail.nexusadvice.com".

Waiting for your reply.

Thanks & Regards,
ZB
September 9th, 2012 12:04pm

On Sun, 9 Sep 2012 15:50:25 +0000, Zeeshan Butt wrote:

> Hi Rich,
>
> I have run the above command. After that I ran the SMTP test from the mxtoolbox site, and below is the result:
>
> EHLO please-read-policy.mxtoolbox.com
> 250-NEXUSDUAPPBDA01.nexusadvice.com Hello mxtb-pws3.mxtoolbox.com [64.20.227.133], pleased to meet you
> 250-SIZE 20000000
> 250-PIPELINING
> 250-8BITMIME
> 250 HELP [250 ms]
> MAIL FROM: <supertool@mxtoolbox.com>
> 250 Sender <supertool@mxtoolbox.com> OK [265 ms]
> RCPT TO: <test@example.com>
> 550 No such domain at this location [265 ms]
> QUIT
> 221 NEXUSDUAPPBDA01.nexusadvice.com Goodbye mxtb-pws3.mxtoolbox.com, closing connection [250 ms]
>
> Please note that when I run telnet from my Exchange server it shows STARTTLS OK, but from external it is not showing STARTTLS. You can also try to telnet my SMTP server "mail.nexusadvice.com".
>
> Waiting for your reply.
>
> Thanks & Regards,
> ZB

So I guess the obvious question is "what machine is NEXUSDUAPPBDA01.nexusadvice.com"? It's not your Exchange server. Are you using some security appliance between your Exchange server and the Internet? A smart host? Whatever it is, it's not advertising the STARTTLS keyword. You need to move your investigation to that machine to remedy your problem.

---
Rich Matheisen MCSE+I, Exchange MVP
September 9th, 2012 4:06pm
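The check Rich describes above (EHLO the server and look for STARTTLS among the advertised keywords, first from inside the network and then from outside, and compare the greeting hosts) can be scripted. The following is an added example, not code from the thread or from Microsoft; the offline sample replies are constructed here, the external one from the mxtoolbox transcript quoted above and the internal one as an illustrative healthy Exchange answer, and the live check_starttls() helper uses Python's standard smtplib against whatever host you name.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Added example (not from the thread). parse_ehlo() reads a raw RFC 5321
multi-line 250 reply; diagnose() compares the internal and external views
to say where STARTTLS is being lost; check_starttls() does the live EHLO
the same way the telnet test in the thread does.
"""
import smtplib
import sys

# Constructed from the mxtoolbox transcript posted in the thread: this is what
# the outside world sees. Note the greeting host is NEXUSDUAPPBDA01.nexusadvice.com.
EXTERNAL_EHLO = (
    "250-NEXUSDUAPPBDA01.nexusadvice.com Hello mxtb-pws3.mxtoolbox.com "
    "[64.20.227.133], pleased to meet you\r\n"
    "250-SIZE 20000000\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

# Constructed illustration of a healthy Exchange 2010 Hub Transport answering
# from inside the network (hostname and keyword set are assumptions).
INTERNAL_EHLO = (
    "250-mail.example.com Hello [10.0.0.5]\r\n"
    "250-SIZE 20000000\r\n"
    "250-PIPELINING\r\n"
    "250-DSN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)


def parse_ehlo(reply):
    """Return (greeting_host, {KEYWORD: params}) from a raw EHLO reply.

    Each line is "250-" (more follows) or "250 " (last line); the first line
    carries the server greeting, every later line is one ESMTP keyword.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % lines[:1])
    greeting = lines[0][4:].strip()
    host = greeting.split()[0] if greeting else ""
    keywords = {}
    for ln in lines[1:]:
        if len(ln) < 4 or ln[:3] != "250" or ln[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % ln)
        parts = ln[4:].split(None, 1)
        if parts:
            keywords[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return host, keywords


def advertises_starttls(reply):
    """True if STARTTLS is among the advertised keywords."""
    return "STARTTLS" in parse_ehlo(reply)[1]


def diagnose(internal_reply, external_reply):
    """Compare the inside and outside EHLO views and name the likely culprit."""
    in_host, in_kw = parse_ehlo(internal_reply)
    ex_host, ex_kw = parse_ehlo(external_reply)
    if "STARTTLS" in ex_kw:
        return "ok: STARTTLS advertised externally by %s" % ex_host
    if "STARTTLS" not in in_kw:
        return "exchange: %s does not offer STARTTLS itself; check certificate services" % in_host
    if in_host != ex_host:
        return "intermediary: %s answers externally and does not relay STARTTLS from %s" % (ex_host, in_host)
    return "path: %s offers STARTTLS internally but not externally; check devices in between" % in_host


def check_starttls(host, port=25, helo="tls-check.example.invalid", timeout=10.0):
    """Live EHLO against host; connection failures are returned, not raised,
    so the same call can be run from several vantage points and compared."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo(helo)
            if code != 250:
                return {"host": host, "ok": False, "error": "EHLO rejected: %d" % code}
            greeting = msg.decode(errors="replace").split("\n", 1)[0]
            return {"host": host, "ok": True, "greeting": greeting,
                    "starttls": smtp.has_extn("starttls"),
                    "keywords": sorted(k.upper() for k in smtp.esmtp_features)}
    except (OSError, smtplib.SMTPException) as exc:
        return {"host": host, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Offline: reproduce the thread's situation from the constructed replies.
    print(diagnose(INTERNAL_EHLO, EXTERNAL_EHLO))
    # Live: python this_script.py <your-mx-host>, run from inside and then outside.
    if len(sys.argv) > 1:
        print(check_starttls(sys.argv[1]))
```

Run it once from the Exchange server and once from an outside host; when the two greeting hostnames differ and only the inside view lists STARTTLS, the device answering on the outside is the place to look, which is exactly the conclusion reached in the thread.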


Yes, you are right, we are using a firewall device for the Exchange server. All incoming and outgoing emails are going through that firewall device. Many thanks for your support.
September 9th, 2012 4:24pm
