TLS, 5.7.0 - far end requires TLS !?

ryanjjones_at_mail.com
Date: 03/03/05


Date: 3 Mar 2005 09:28:39 -0800


Hi

There is one "customer" who appears to have set their email server up
to REQUIRE us to talk TLS with them. Fair enough.

If I TELNET to their Mail server I get:-

220 customer.com -- Server ESMTP (customer ESMTP)
helo
251 customer.com system name not given in HELO command, [212.xxx.xxx.xxx].
mail from: me@here.com
530 5.7.0 No STARTTLS command has been given.
starttls
220 2.5.0 Go ahead with TLS negotiation.

--------

So - it looks like they require TLS, and we can, if required, send a
STARTTLS command as necessary. (e.g. firewall not blocking it and
filtering SMTP). We do have SSL and TLS enabled. A telnet to my email
server says:-

220 mycompany.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Thu, 3 Mar 2005 17:23:27 +0000
ehlo
250-smtp.mycompany.com Hello [10.1.20.31]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK

-----------

So for some reason IT APPEARS (!!), Exchange 2003 isn't trying to start
a TLS conversation. I thought it would always try, and then just
resort to normal if TLS wasn't supported at the far end. Oops.

Can you point me in the right direction please?

RJ

(PS - we do not want to REQUIRE TLS - just use it if it is available)
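
The sender-side decision the post describes (use STARTTLS when the far end offers it, fall back otherwise), written out as an added example; it is not part of the original post and is not Exchange's code. The function names and the `STARTTLS` / `DEFER` / `PLAINTEXT` labels are hypothetical, and the sample replies are taken from the post or constructed, as marked.

```python
import re

# One SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([- ])(.*))?$")

def parse_replies(lines):
    """Group raw server lines into (code, [text, ...]) tuples, one per reply."""
    replies, texts = [], []
    for raw in lines:
        m = REPLY_LINE.match(raw.strip())
        if not m:
            continue  # client command or wrapped text in a pasted transcript
        code, sep, text = m.groups()
        texts.append((text or "").strip())
        if sep != "-":  # last line of this reply
            replies.append((int(code), texts))
            texts = []
    return replies

def offers_starttls(ehlo_lines):
    """True if the 250 reply to EHLO lists the STARTTLS keyword (RFC 3207)."""
    for code, texts in parse_replies(ehlo_lines):
        if code == 250:
            # texts[0] is the greeting; every later line starts with a keyword.
            return "STARTTLS" in {t.split()[0].upper() for t in texts[1:] if t}
    return False

def demands_starttls(reply_line):
    """True for a 530 rejection that names STARTTLS. The code alone is not
    enough: 530 5.7.0 is also the "authentication required" reply (RFC 4954)."""
    return any(code == 530 and "STARTTLS" in " ".join(texts).upper()
               for code, texts in parse_replies([reply_line]))

def next_step(ehlo_lines, mail_from_reply=None):
    """Sender's action under opportunistic TLS (return values are hypothetical labels)."""
    if offers_starttls(ehlo_lines):
        return "STARTTLS"   # upgrade before MAIL FROM
    if mail_from_reply and demands_starttls(mail_from_reply):
        return "DEFER"      # far end insists on TLS but offered no way to upgrade
    return "PLAINTEXT"      # fall back when TLS is not available at the far end

# EHLO reply abridged from the post's mycompany.com transcript.
EXCHANGE_EHLO = ["250-smtp.mycompany.com Hello [10.1.20.31]", "250-SIZE", "250-TLS",
                 "250-STARTTLS", "250-AUTH GSSAPI NTLM LOGIN", "250 OK"]
PLAIN_EHLO = ["250-mail.example.net Hello", "250-SIZE", "250 8BITMIME"]  # constructed
CUSTOMER_530 = "530 5.7.0 No STARTTLS command has been given."  # from the post
AUTH_530 = "530 5.7.0 Authentication required"  # constructed

if __name__ == "__main__":
    print(next_step(EXCHANGE_EHLO), next_step(PLAIN_EHLO, CUSTOMER_530), next_step(PLAIN_EHLO))
```

The customer transcript in the post used HELO, whose reply carries no extension list; `offers_starttls` needs the far end's reply to EHLO as its input.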


