Troubleshooter: Enabling TLS for SMTP in Exchange

I wanted to enable Transport Layer Security (TLS) for SMTP, but when I turned it on, mail stopped flowing through our server. What happened?

TLS descended from the Secure Sockets Layer (SSL) protocol and fixes a few flaws in the SSL specification. Many messaging vendors support using TLS to protect SMTP traffic against eavesdropping; an SMTP server that supports TLS is supposed to advertise that fact with the STARTTLS SMTP verb. Most implementations that support TLS let you use it opportunistically: if server A sends STARTTLS to server B and server B supports TLS, server B is supposed to respond with a security handshake, and if it doesn't, the session simply continues in clear text. Exchange implements this negotiation differently. If you enable TLS in Exchange for inbound mail, the SMTP service refuses to talk to any SMTP server that doesn't implement TLS. As a result, when you turned on TLS, SMTP began rejecting connections from non-TLS servers and prevented you from receiving mail. If you want to use TLS with Exchange, you must create SMTP connectors for the specific domains that you know support TLS, then turn on TLS for those connectors only.
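The difference between opportunistic and mandatory TLS is easiest to see in the SMTP dialogue itself. The following simulation is an added example, not code from the column or from Exchange: it models a receiving MTA whose TLS policy can be set globally (the configuration that broke mail flow) or per peer domain (the connector-based fix the column recommends), and runs a constructed set of sending servers against it. The host names, the sample addresses and the per-domain policy table are all made up; the `530 5.7.0 Must issue a STARTTLS command first` reply is the form RFC 3207 describes and is assumed here, not necessarily the exact text Exchange returns.

```python
"""Simulate STARTTLS negotiation between a sending MTA and a receiving MTA
with either an opportunistic or a mandatory TLS policy (added example)."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SendingMta:
    domain: str                 # constructed peer domain
    supports_starttls: bool     # does this sender ever issue STARTTLS?


@dataclass
class ReceivingMta:
    hostname: str
    # Global policy: True reproduces the broken setup from the column
    # (every non-TLS sender is refused); False is opportunistic TLS.
    default_require_tls: bool = False
    # Per-domain overrides, standing in for per-domain connectors with
    # TLS enabled only for partners known to support it.
    require_tls_from: Dict[str, bool] = field(default_factory=dict)

    def requires_tls(self, peer_domain: str) -> bool:
        return self.require_tls_from.get(peer_domain, self.default_require_tls)

    def ehlo_reply(self) -> List[str]:
        # A TLS-capable receiver advertises STARTTLS in its EHLO reply.
        return [f"250-{self.hostname} Hello", "250-SIZE 10485760",
                "250-STARTTLS", "250 HELP"]


def advertises_starttls(ehlo_lines: List[str]) -> bool:
    """Parse an EHLO reply: TLS is offered when a 250 line carries STARTTLS."""
    for line in ehlo_lines:
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            if line[4:].strip().upper() == "STARTTLS":
                return True
    return False


def deliver(sender: SendingMta, receiver: ReceivingMta) -> Tuple[str, List[str]]:
    """Run one session and return (outcome, transcript).

    outcome is 'tls' (handshake done, mail sent encrypted), 'plaintext'
    (opportunistic receiver accepted clear text) or 'rejected' (receiver
    requires TLS and the sender never issued STARTTLS, so mail stops)."""
    log = [f"C: EHLO {sender.domain}"]
    reply = receiver.ehlo_reply()
    log.extend(f"S: {line}" for line in reply)

    if sender.supports_starttls and advertises_starttls(reply):
        log += ["C: STARTTLS", "S: 220 Ready to start TLS",
                "   <TLS handshake>",
                f"C: EHLO {sender.domain}   (repeated inside the TLS session)",
                f"C: MAIL FROM:<alice@{sender.domain}>", "S: 250 OK"]
        return "tls", log

    # Sender went straight to the envelope without negotiating TLS.
    log.append(f"C: MAIL FROM:<alice@{sender.domain}>")
    if receiver.requires_tls(sender.domain):
        log.append("S: 530 5.7.0 Must issue a STARTTLS command first")
        return "rejected", log
    log.append("S: 250 OK   (accepted in clear text)")
    return "plaintext", log


def outcomes(receiver: ReceivingMta) -> Dict[str, str]:
    """Outcome per constructed peer for the given receiver policy."""
    peers = [SendingMta("tlsok.example", True),
             SendingMta("legacy.example", False)]
    return {p.domain: deliver(p, receiver)[0] for p in peers}


if __name__ == "__main__":
    broken = ReceivingMta("mail.example", default_require_tls=True)
    fixed = ReceivingMta("mail.example", default_require_tls=False,
                         require_tls_from={"tlsok.example": True})
    print("TLS required globally:", outcomes(broken))
    print("TLS required per domain:", outcomes(fixed))
    for line in deliver(SendingMta("legacy.example", False), broken)[1]:
        print(line)
```

With the global policy the legacy peer is refused at `MAIL FROM`, which is the symptom the reader saw; with the per-domain table the same peer is accepted in clear text while the partner known to support TLS is still held to it. Note that opportunistic TLS only defends against passive eavesdropping: a sender that silently falls back to clear text gets no protection when the STARTTLS offer is missing, which is exactly why a mandatory policy for known-capable partners is worth keeping.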
