This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 38%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
We are unable to receive emails from external domains over TLS, they are accepted over non TLS channels. It does not appear the internet receive connector on our on-premises exchange server box is not offering the STARTTLS option. (I am trying to figure out why).
If I check internally using "telnet mail.domain.com 25" then I can see that STARTTLS is offered.
If I check externally I see no STARTTLS offered.
This tells me that the internet email comes over a different connector than what I just tested.
I have checked all my receive connectors on my on-premises exchange server and ALL have the AuthMechanism showing TLS.
What receive connector handles inbound external emails?
What should I look for on that connector to verify that it can handle TLS connections and offer up the STARTTLS option?
Does the FQDN on the receive connector have to match the certification name?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Any update here?
Thank you for the confirmation of the Default Front end connector.
Glad to know the information helpful to you.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
What's your Exchange server version? What NDR message did the sender receive when failed sending the message?
The receive connector Default Frontend <ServerName> accepts anonymous connections from external SMTP servers. This is the common messaging entry point into your Exchange organization.
You could also refer to the official document: Scenarios for custom Receive connectors in Exchange Server
Scenario 2: Receive email from a partner
For this scenario, the Receive connector listens for TLS authenticated SMTP connections on port 25, but only from the specific IP addresses of the partner organization. No default Receive connector is suitable for this scenario; you need to create a custom Receive connector.
And here is a related thread discussed about the issue Receive connector won't work for TLS-enabled domains
You may also check Configuring the TLS Certificate Name for Exchange Server Receive Connectors
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.