Exchange Server cannot communicate with non-TLS domains

Article ID: 329061
This article was previously published under Q329061

SYMPTOMS

After you configure the SMTP connector to use the Transport Layer Security (TLS) protocol, a server that is running Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 cannot communicate with domains that do not use TLS. When this issue occurs, you may experience the following symptoms:
  • SMTP queues that contain messages are in a retry state. When you examine the status of the queues, you see the following:
    The remote SMTP service does not support TLS.
  • Users receive non-delivery reports (NDRs) that contain information that is similar to the following:
    The recipient could not be processed because it would violate the security policy in force. #5.7.0 SMTP: 530 5.7.0 Must issue a start TLS command first.

CAUSE

This issue occurs when you use one SMTP connector to route traffic both to domains that are TLS-configured and to domains that are not TLS-configured.

RESOLUTION

To resolve this issue, remove TLS encryption from the default SMTP connector, and then create a dedicated SMTP connector for TLS-encrypted traffic. To do this, follow these steps:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Remove TLS encryption from the default SMTP connector. To do this:
    1. Click Connectors, right-click the SMTP connector that you use for TLS-encrypted traffic, and then click Properties.
    2. Click the Advanced tab, click Outbound Security, click to clear the TLS encryption check box, and then click OK two times.
  3. Create a connector for TLS-encrypted traffic. To do this:
    1. With the Connectors branch still selected, right-click the right pane of Exchange System Manager, point to New, and then click SMTP Connector.
    2. In the Name box, type a descriptive name for the new connector. For example, type TLS_Dedicated_Connector.
    3. Click Add, click the name of the SMTP virtual server that you want to use with this connector, and then click OK.
    4. Click the Address Space tab, click Add, and then click SMTP if it is not already selected.
    5. Make sure that the Allow messages to be relayed to these domains check box is cleared, and then click OK.
    6. In the Internet Address Space Properties dialog box, accept the default values, and then click OK.
    7. Click the Advanced tab, click Outbound Security, click to select the TLS encryption check box, and then click OK two times.
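To decide which remote domains the TLS-dedicated connector can serve, check whether each domain's mail server advertises STARTTLS in its EHLO reply; a server that does not is what produces the "does not support TLS" retry state described under SYMPTOMS. The following Python code is an added example, not part of the original article: the domain names and EHLO replies are constructed samples, and the function names are hypothetical.

```python
import smtplib

def advertises_starttls(ehlo_reply: str) -> bool:
    """True if a raw multiline EHLO reply ('250-' / '250 ' lines) lists STARTTLS."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        # Only 250 reply lines carry extension keywords; skip anything else.
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        parts = line[4:].split()
        # Match the keyword exactly (case-insensitive), not as a substring.
        if parts and parts[0].upper() == "STARTTLS":
            return True
    return False

def probe(mx_host: str, timeout: float = 10.0) -> bool:
    """Live check of one mail host; needs outbound TCP 25. Not called below."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")

def split_address_space(ehlo_by_domain: dict) -> tuple:
    """Partition domains into (TLS connector candidates, default connector)."""
    tls, plain = [], []
    for domain, reply in sorted(ehlo_by_domain.items()):
        (tls if advertises_starttls(reply) else plain).append(domain)
    return tls, plain

# Constructed EHLO replies for illustration only.
SAMPLE = {
    "partner.example": "250-mx.partner.example Hello\r\n250-SIZE 10240000\r\n"
                       "250-STARTTLS\r\n250 8BITMIME",
    "legacy.example": "250-mx.legacy.example Hello\r\n250-SIZE 5242880\r\n250 HELP",
    # Keyword in lower case on the final line; a look-alike keyword before it.
    "odd.example": "250-mx.odd.example\r\n250-X-NOSTARTTLS\r\n250 starttls",
}

if __name__ == "__main__":
    tls_domains, plain_domains = split_address_space(SAMPLE)
    print("TLS connector address space:", tls_domains)
    print("Leave on default connector: ", plain_domains)
```

Domains left on the default connector are delivered without TLS once the check box in step 2 is cleared, so recheck them periodically and move them to the dedicated connector when they start advertising STARTTLS.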

Properties

Article ID: 329061 - Last Review: October 25, 2007 - Revision: 3.3
APPLIES TO
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange 2000 Server Standard Edition
  • Microsoft Exchange 2000 Enterprise Server
Keywords: kbprb KB329061
