Enabling RequireTLS on Exchange Send Connectors
-
We talked about this on ML back in the summer here
https://mangolassi.it/search?term=TLS&in=titlesposts&timeRange=7776000&timeFilter=older&showAs=posts
Considering the new discussion, https://mangolassi.it/topic/11669/how-to-require-tls-for-outbound-smtp-connections-with-mdaemon/78, I've come back to this and managed to solve the issue I was having.
From the Exchange management shell run
Set-SendConnector -Identity <name of send connector> -RequireTLS:$true
Like Linux, if it works you get no response, just a new prompt.
Time to test send some emails.
I sent to my O365 account with no issues, to gmail, again no issues. Tried sending one to my Cox.net account - nothing. Looked in the Mail Queue in Exchange - there sits my message with an error
451 4.4.0 Primary target IP address responded with: "451 5.7.3 Must issue a STARTTLS command first." attempted failover to alternate host, but that did not succeed. Either there is no alternate host, or delivery failed to all alternate hosts.
I brought up PowerShell and telnetted to Gmail's and Cox's email servers and got the following.
https://i.imgur.com/QeZZ7jb.png
As we can see, Cox is not offering TLS connections for email receipt.
I guess I get to make a phone call in the morning.
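Added example (not part of the original post or thread): the telnet check described above, scripted in PowerShell so a recipient's mail server can be tested for STARTTLS before RequireTLS leaves mail stuck in the queue. The function names, the probe.example.com EHLO name and the sample replies are assumptions constructed for illustration.

```powershell
# Added example: helper names and sample replies are constructed, not from the thread.

function Get-SmtpEhloReply {
    # Connects to an SMTP server and returns the lines of its EHLO reply.
    param([Parameter(Mandatory)][string]$Server,
          [int]$Port = 25,
          [string]$HeloName = 'probe.example.com')   # assumed EHLO name
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        # Replies can span several lines: "NNN-" continues, "NNN " ends.
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        $writer.WriteLine("EHLO $HeloName")
        $reply = @()
        do { $line = $reader.ReadLine(); $reply += $line } while ($line -match '^\d{3}-')
        $writer.WriteLine('QUIT')
        return $reply
    } finally {
        $client.Close()
    }
}

function Test-StartTlsOffered {
    # True when a successful (250) EHLO reply lists the STARTTLS extension.
    param([string[]]$EhloReply)
    foreach ($line in $EhloReply) {
        # -match is case-insensitive, as EHLO keywords are.
        if ($line -match '^250[ -]STARTTLS\s*$') { return $true }
    }
    return $false
}

# Constructed sample replies so the parser can be exercised offline.
$withTls    = '250-mx.example.net Hello', '250-SIZE 35882577', '250-STARTTLS', '250 8BITMIME'
$withoutTls = '250-mx.example.org Hello', '250-SIZE 20971520', '250 8BITMIME'
Test-StartTlsOffered $withTls
Test-StartTlsOffered $withoutTls

# Live check against a real server (needs outbound TCP 25 from this host):
# Test-StartTlsOffered (Get-SmtpEhloReply -Server '<recipient MX host>')
```

Run the live check from the Exchange server itself, since the answer that matters is what the recipient's server offers to that host.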
-
Probably best to not have business emails going to Cox home freebie accounts.
-
Does anyone have a yahoo.com email account I can test?
-
@Dashrender check telegram
-
While there appears to be a delay at times it is working.
Here's yahoo's ehlo reply
-
-
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
-
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
That is odd for sure.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
-
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
They require logon for sending too.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
They require logon for sending too.
Wrong part of the connection, though. The SMTP to the other servers doesn't have the creds even if you enter them earlier.
-
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
They require logon for sending too.
Wrong part of the connection, though. The SMTP to the other servers doesn't have the creds even if you enter them earlier.
I might not understand how email from a client device (like Outlook, Thunderbird) works with regards to SMTP, not MAPI/ActiveSync.
My understanding is that authentication is required to keep spammers from relaying through them.
-
Good news, 5 days so far, and only Cox.net has failed.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
They require logon for sending too.
Wrong part of the connection, though. The SMTP to the other servers doesn't have the creds even if you enter them earlier.
I might not understand how email from a client device (like Outlook, Thunderbird) works with regards to SMTP, not MAPI/ActiveSync.
My understanding is that authentication is required to keep spammers from relaying through them.
They require credentials to relay outgoing messages to external domains, but incoming messages for cox.net the smtp server accepts without authentication.
-
Spoke too soon, just people aren't reporting issues.
https://i.imgur.com/Z0O4DcO.png
This is a law firm.
-
@brianlittlejohn said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
@scottalanmiller said in Enabling RequireTLS on Exchange Send Connectors:
Looks like only some silly home user freebie email addresses likely to be an issue. Those people all have the option of good, free secure email if they need access like that, too.
What's weird is that Cox requires the use of TLS to download your email through pop or IMAP.
No wait, that's not odd. SMTP doesn't pass credentials, IMAP does. They are protecting the log in.
They require logon for sending too.
Wrong part of the connection, though. The SMTP to the other servers doesn't have the creds even if you enter them earlier.
I might not understand how email from a client device (like Outlook, Thunderbird) works with regards to SMTP, not MAPI/ActiveSync.
My understanding is that authentication is required to keep spammers from relaying through them.
They require credentials to relay outgoing messages to external domains, but incoming messages for cox.net the smtp server accepts without authentication.
Right - I understand this for normal server to server SMTP, but I'm talking about client to server SMTP.
Could they be, sure, and if they are, well then SMTP doesn't need to be authenticated unless the sending side is trying to have Cox act as a relay.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
Spoke too soon, just people aren't reporting issues.
But are people handling it with the recipient another way? If so, win.
-
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
https://i.imgur.com/Z0O4DcO.png
This is a law firm.
With a local server not behind some spam service I bet.
-
@JaredBusch said in Enabling RequireTLS on Exchange Send Connectors:
@Dashrender said in Enabling RequireTLS on Exchange Send Connectors:
Spoke too soon, just people aren't reporting issues.
But are people handling it with the recipient another way? If so, win.
Well the boss just called and said - I have a problem - fix it. Sooooo, no they aren't handling it another way, at least not yet.
I've sent a message to their whois listed technical contact.