JoshuaThompson-0351 asked joyceshen-MSFT commented

Unable to receive emails from internet via TLS

We are unable to receive emails from external domains over TLS; they are accepted over non-TLS channels. It does not appear that the internet receive connector on our on-premises Exchange server is offering the STARTTLS option (I am trying to figure out why).

If I check internally using "telnet mail.domain.com 25" then I can see that STARTTLS is offered.
If I check externally I see no STARTTLS offered.

This tells me that the internet email comes over a different connector than what I just tested.

I have checked all my receive connectors on my on-premises exchange server and ALL have the AuthMechanism showing TLS.

What receive connector handles inbound external emails?

What should I look for on that connector to verify that it can handle TLS connections and offer up the STARTTLS option?
Does the FQDN on the receive connector have to match the certificate name?

office-exchange-server-administration

Thank you for the confirmation of the Default Frontend connector.

joyceshen-MSFT · JoshuaThompson-0351

Hi @JoshuaThompson-0351

Glad to know the information is helpful to you.


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 Answer

joyceshen-MSFT answered

Hi @JoshuaThompson-0351

What's your Exchange server version? What NDR message did the sender receive when the message failed to send?

The receive connector Default Frontend <ServerName> accepts anonymous connections from external SMTP servers. This is the common messaging entry point into your Exchange organization.

You could also refer to the official document: Scenarios for custom Receive connectors in Exchange Server

Scenario 2: Receive email from a partner
For this scenario, the Receive connector listens for TLS authenticated SMTP connections on port 25, but only from the specific IP addresses of the partner organization. No default Receive connector is suitable for this scenario; you need to create a custom Receive connector.

And here is a related thread that discussed the issue: Receive connector won't work for TLS-enabled domains
You may also check Configuring the TLS Certificate Name for Exchange Server Receive Connectors


If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
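The telnet check from the question (EHLO internally versus externally and see whether STARTTLS is advertised), scripted as an added example that is not part of this thread and not Exchange's own tooling: it EHLOs the host, reports whether STARTTLS is offered, and if it is, whether the presented certificate chain is trusted and whether the connector FQDN appears in the certificate's CN or SANs. The HELO name `probe.example.invalid` is a placeholder; `parse_ehlo_reply`, `cert_names` and `fqdn_in_cert` are helpers written here, not library calls.

```python
import socket
import ssl

def parse_ehlo_reply(reply):
    keywords = set()                          # ESMTP keywords in a raw multi-line EHLO reply, as telnet shows it
    for line in reply.splitlines()[1:]:       # the first 250 line is the greeting, not a keyword
        if line[:3] == "250" and line[4:].strip():
            keywords.add(line[4:].split()[0].upper())
    return keywords
def cert_names(cert):
    """Collect the CN and DNS SANs from the dict that ssl.SSLSocket.getpeercert() returns."""
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return {n.lower() for n in names}
def fqdn_in_cert(fqdn, names):
    """True if a cert name covers the connector FQDN (exact match or one-label wildcard)."""
    fqdn = fqdn.lower()
    return any(n == fqdn or (n.startswith("*.") and n[2:] == fqdn.partition(".")[2]) for n in names)
def _read_reply(sock):
    buf = b""                                 # an SMTP reply ends at the first line with a space after the code
    while not (buf.endswith(b"\r\n") and buf.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")
def probe_starttls(host, port=25, expected_fqdn=None, helo_name="probe.example.invalid", timeout=10):
    """EHLO the server, then report whether STARTTLS is offered and what its certificate says."""
    result = {"starttls_offered": False, "cert_trusted": None, "cert_names": set(), "fqdn_match": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                                     # 220 banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode())        # helo_name is a placeholder, not a real host
        result["starttls_offered"] = "STARTTLS" in parse_ehlo_reply(_read_reply(sock))
        if not result["starttls_offered"]:                    # the external symptom in the question
            return result
        sock.sendall(b"STARTTLS\r\n")
        if not _read_reply(sock).startswith("220"):           # server declined to start TLS
            return result
        ctx = ssl.create_default_context()                    # chain is verified; names are checked by fqdn_in_cert
        ctx.check_hostname = False
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["cert_trusted"] = True
                result["cert_names"] = cert_names(tls.getpeercert())
                if expected_fqdn:
                    result["fqdn_match"] = fqdn_in_cert(expected_fqdn, result["cert_names"])
        except ssl.SSLCertVerificationError:
            result["cert_trusted"] = False                    # untrusted chain: a TLS-only partner will refuse it
    return result
```

Run `probe_starttls("mail.domain.com", expected_fqdn="mail.domain.com")` once from inside the network and once from outside; a result with `starttls_offered` False only from outside points at a different connector or device answering the external connection, while `cert_trusted` False or `fqdn_match` False explains why a partner that insists on TLS rejects the session even when STARTTLS is offered.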