  1. #1

    sonofsanta

    Exchange 2007, Gmail & TLS

    I am a bit confused here. We have Exchange 2007 on site and it has generally run alright for the years I've been here (it was in place when I arrived), and every now and then when we have a planned power outage, something seems to go wrong with it when it's powered down.

    This time round, TLS has apparently stopped working. When I try and email in from my gmail account I get told that "The error that the other server returned was: 454 454 TLS currently unavailable (state 8)." and it takes 24 hours for the message to arrive. This seems to be by design with regards to gmail, to alert to problems, although it was never a problem before.

    When powering back up this time I removed the old domain controllers that had been demoted last week, so that may be relevant. I also deleted an expired Web Server certificate from the email server that had been issued by an enterprise CA that I destroyed a couple of weeks ago (it was easier than moving it from 2003 x86 to 2008R2 x64 given that no valid certificates were out).

    Initially, after power up, Exchange wasn't accepting external emails - I could email around the organisation, I could email out, but nothing was coming in. I had to allow all permission groups on the Default and Client receive connectors to get that working again; no idea how it had worked in the past but this is a common theme with this Exchange server and power outages.

    I've tried running Enable-ExchangeCertificate -service:smtp for the certificate the server currently uses (GoDaddy, for the OWA etc.) and Exchange tells me it is using that certificate for SIP.W (i.e. everything) but the TLS is still not doing anything.

    Can anyone who actually knows something about Exchange shed any light on this? I'm just very confused that it worked before the power outage and doesn't anymore

    (and yes, I am considering Office 365 in the new academic year, funny you should ask)

  2. #2

    sonofsanta

    If I telnet to the server (telnet exchange 25) and send an EHLO it does tell me 250-STARTTLS so Exchange, at least, seems to think it's running. Whisky tango foxtrot?

  3. #3

    sukh

    are you saying you don't receive any external email or just email that requires tls?

    up the logging on the default receive connector and repro the issue and check logs

  4. Thanks to sukh from:

    sonofsanta (31st July 2012)
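
As an added example (not part of any post in this thread): one way to act on the "check logs" advice above is to classify each session in the receive connector's protocol log by what happened to STARTTLS, which separates "advertised in EHLO" from "actually negotiated". The log text is constructed, the column names are read from the log's own `#Fields:` header, and `classify_sessions` is a hypothetical helper name.

```python
import csv
from collections import defaultdict

# Constructed sample: connector name, hosts, IPs and session ids are made up.
# The 454 text is the error quoted in the thread. Event ">" is a line sent by
# the server, "<" a line received from the remote client.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-07-30T08:00:01Z,Default EXCH,A1,1,192.0.2.10:25,198.51.100.7:40112,<,EHLO relay.example.net,
2012-07-30T08:00:01Z,Default EXCH,A1,2,192.0.2.10:25,198.51.100.7:40112,>,250-STARTTLS,
2012-07-30T08:00:02Z,Default EXCH,A1,3,192.0.2.10:25,198.51.100.7:40112,<,STARTTLS,
2012-07-30T08:00:02Z,Default EXCH,A1,4,192.0.2.10:25,198.51.100.7:40112,>,454 TLS currently unavailable (state 8),
2012-07-31T08:00:01Z,Default EXCH,B2,1,192.0.2.10:25,198.51.100.7:40200,<,EHLO relay.example.net,
2012-07-31T08:00:01Z,Default EXCH,B2,2,192.0.2.10:25,198.51.100.7:40200,>,250-STARTTLS,
2012-07-31T08:00:02Z,Default EXCH,B2,3,192.0.2.10:25,198.51.100.7:40200,<,STARTTLS,
2012-07-31T08:00:02Z,Default EXCH,B2,4,192.0.2.10:25,198.51.100.7:40200,>,220 2.0.0 SMTP server ready,
2012-07-31T09:00:01Z,Default EXCH,C3,1,192.0.2.10:25,198.51.100.9:41000,<,EHLO other.example.org,
2012-07-31T09:00:01Z,Default EXCH,C3,2,192.0.2.10:25,198.51.100.9:41000,>,250-STARTTLS,
2012-07-31T09:00:02Z,Default EXCH,C3,3,192.0.2.10:25,198.51.100.9:41000,<,MAIL FROM:<user@example.org>,
"""

def classify_sessions(log_text):
    """Return {session-id: verdict} describing how STARTTLS went in each session."""
    lines = log_text.splitlines()
    header = next(l for l in lines if l.startswith("#Fields: "))
    fields = header[len("#Fields: "):].split(",")
    rows = csv.DictReader((l for l in lines if l and not l.startswith("#")), fieldnames=fields)
    state = defaultdict(lambda: {"offered": False, "asked": False, "verdict": None})
    for row in rows:
        s = state[row["session-id"]]
        data = (row["data"] or "").strip()
        if row["event"] == ">":  # server -> client
            if data.upper().startswith("250") and data.upper()[4:] == "STARTTLS":
                s["offered"] = True
            elif s["asked"] and s["verdict"] is None:  # first reply after STARTTLS
                s["verdict"] = "tls-ok" if data.startswith("220") else "tls-refused: " + data
        elif row["event"] == "<":  # client -> server
            if data.upper() == "STARTTLS":
                s["asked"] = True
            elif data.upper().startswith("MAIL FROM") and s["verdict"] is None:
                s["verdict"] = "plaintext"  # mail sent without ever upgrading
    return {sid: s["verdict"] or ("no-mail" if s["offered"] else "not-offered") for sid, s in state.items()}

if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_LOG).items():
        print(sid, verdict)
```

A session that ends as `tls-refused` even though `250-STARTTLS` was offered matches the symptom described in this thread, and the reply text after the verdict is what to take back to the certificate and connector settings.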

  5. #4
    bart21

    do you use a relay/smart host for incoming mail?

    maybe this has the tls issue?

    nick

  6. Thanks to bart21 from:

    sonofsanta (30th July 2012)

  7. #5

    sonofsanta

    Quote Originally Posted by sukh View Post
    are you saying you don't receive any external email or just email that requires tls?

    up the logging on the default receive connector and repro the issue and check logs
    I receive external mail fine now - I wasn't, initially - but if I untick "Anonymous" under the permission groups for the Default Connector I get 530 5.7.1 Client was not authenticated errors from my Exchange server (and it is definitely my server, not the smart host). Authentication was set to TLS (and Mutual Auth TLS) only but adding Basic Auth to the methods still results in an error if Anonymous is unticked, whether or not the sub-option is checked or not (Offer only after starting TLS).

    Gmail does eventually send the message through after 24 hours of trying to send it with TLS but it generates technical error messages first, which will scare people.

    Quote Originally Posted by bart21 View Post
    do you use a relay/smart host for incoming mail?

    maybe this has the tls issue?

    nick
    We use our ISP's smart host but all this worked before, it's just stopped now. I can't see any details on the Gmail warning to give me a clue which server is generating the error, but I strongly suspect it's mine due to the symptoms above and the previous 18 months of no issues.

  8. #6

    sonofsanta

    Having said all that... it's now working this morning. God only knows what's happened there, but right now, if it's working I'm happy.

    Definitely time to move to Office 365 or actually start learning Exchange properly...

    Thanks both.

  9. #7

    sukh

    Regardless of the TLS setting you have to have Anonymous ticked, otherwise how will Exch accept emails from the outside world unless you receive email from a hosted relay.

  10. #8

    sonofsanta

    Quote Originally Posted by sukh View Post
    unless you receive email from a hosted relay.
    Indeed we do, and Anonymous was never checked previously, but this is not a new song when it comes to this Exchange server; every now and then it randomly decides that the current configuration that has worked for years is no longer good enough. I didn't set it up initially, so who knows what's going on with it sometimes...

  11. #9

    sukh

    Quote Originally Posted by sonofsanta View Post
    Indeed we do, and Anonymous was never checked previously, but this is not a new song when it comes to this Exchange server; every now and then it randomly decides that the current configuration that has worked for years is no longer good enough. I didn't set it up initially, so who knows what's going on with it sometimes...
    What do you have on the network remote ip ranges? does that cover the hosted relays?

  12. #10
    bart21

    as @sukh says the default receive connector has to have anonymous setting

    nick

  13. #11

    sonofsanta

    Quote Originally Posted by sukh View Post
    What do you have on the network remote ip ranges? does that cover the hosted relays?
    Remote is set to 0.0.0.0-255.255.255.255 which I'm guessing - given that our MX record points to our smarthost - is probably unnecessarily generous and should be tightened up?

    Quote Originally Posted by bart21 View Post
    as @sukh says the default receive connector has to have anonymous setting
    I'm not doubting that it does - just that it seemed to work without it before, which is why I'm so confused!

  14. #12

    sukh

    Yes you can tighten to that relay server you receive your emails from.

    There seems to have been a change made somewhere for that config to be changed.

  15. Thanks to sukh from:

    sonofsanta (31st July 2012)

  16. #13

    sonofsanta

    Tightened that range down to a single IP then, cheers.

    It may be related to the demotion of old DCs or the removal of old CAs but frankly, if it works now, I'm happy, more pressing issues to hand for now I fear!

    Cheers muchly.
