SMTP Connectors for TLS


  • SMTP Connectors for TLS

    I am looking at an Exchange 2003 configuration with 2 configured SMTP connectors. One is configured for TLS encryption; domains added to it are assigned a cost of 10. The other connector is configured with an address space entry of * and assigned a cost of 1.
    I have seen that emails sent to a domain that's noted in the address space of the connector configured for TLS do go out requiring TLS. I don't understand how this is working, since the lower cost connector should be selected first, which seems to mean that all mail would flow via the connector that is not configured for TLS.
    Is there something I am missing that would cause this configuration to work?

    thanks,
    Dave

  • #2
    Re: SMTP Connectors for TLS

    Possibly that the TLS domains are refusing non-encrypted connections?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: SMTP Connectors for TLS

      Thanks for replying Ossian, I don't think that's the case. I can review the SMTP logs and see that the first attempt to send out a test message to one of the domains requiring TLS was sent via TLS. If an initial non-TLS send was attempted and refused I think I would see that in the SMTP log.



      • #4
        Re: SMTP Connectors for TLS

        Costs are wrong.
        Change the costs round. The * should always be the highest cost.

        Failing that, it could be SMTP interference. A Cisco PIX or similar for example can stop TLS because it hides the instruction.

        From the server, telnet to port 25 of the remote server and issue an EHLO. Look through the commands. STARTTLS should be listed. If it isn't, then TLS isn't enabled.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: SMTP Connectors for TLS

          Thanks for the reply Simon, I thought as well that the * connector should be the highest cost, I don't understand how this appears to be working. There is no problem with TLS working, it is working as they intended, I just can't figure out why it isn't sending everything via the lowest cost connector.



          • #6
            Re: SMTP Connectors for TLS

            It may well be doing closest match first, then cost. From memory cost only becomes involved when there is an equal match.

            Simon.

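The selection order suggested in post #6 (closest address space match first, cost only as a tie-breaker), modelled on the configuration from the first post. This is an added example, not part of the thread and not Exchange's own routing code; the domain names are constructed and the matching rules are a simplified assumption.

```python
# Simplified model of SMTP connector selection (assumption, not Exchange code).
from dataclasses import dataclass

@dataclass
class Connector:
    name: str
    spaces: dict        # address space -> cost
    require_tls: bool

def specificity(space, domain):
    """Length of the matched part of the domain, or -1 when there is no match."""
    space, domain = space.lower(), domain.lower()
    if space == "*":
        return 0                                  # matches everything, least specific
    if space.startswith("*."):
        return len(space) - 1 if domain.endswith(space[1:]) else -1
    return len(space) if domain == space else -1  # exact domain entry

def select(connectors, domain, cost_first=False):
    """Pick a connector; cost_first=True models 'lowest cost always wins'."""
    matches = []
    for c in connectors:
        for space, cost in c.spaces.items():
            s = specificity(space, domain)
            if s >= 0:
                key = (cost, -s) if cost_first else (-s, cost)
                matches.append((key, c.name, c))
    return min(matches, key=lambda m: m[:2])[2] if matches else None

def tls_leaks(connectors, tls_domains, cost_first=False):
    """Domains expected to require TLS that would leave via a non-TLS connector."""
    leaks = []
    for d in tls_domains:
        chosen = select(connectors, d, cost_first)
        if chosen is None or not chosen.require_tls:
            leaks.append(d)
    return leaks

# Constructed configuration mirroring the first post: TLS domains at cost 10, * at cost 1.
TLS_DOMAINS = ["partner.example", "bank.example"]
CONNECTORS = [
    Connector("TLS", {d: 10 for d in TLS_DOMAINS}, require_tls=True),
    Connector("Default", {"*": 1}, require_tls=False),
]

if __name__ == "__main__":
    for d in TLS_DOMAINS + ["other.example"]:
        print(d, "->", select(CONNECTORS, d).name)
    print("leaks, closest match first:", tls_leaks(CONNECTORS, TLS_DOMAINS))
    print("leaks, cost first:", tls_leaks(CONNECTORS, TLS_DOMAINS, cost_first=True))
```

With closest match first the audit reports no leaks for this configuration; under a cost-first assumption both TLS domains would leave through the default connector.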