This article was previously published under Q329061
After you configure the SMTP connector to use the Transport Layer Security (TLS) protocol, a server that is running Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003 cannot communicate with domains that do not use TLS. When this issue occurs, you may experience the following symptoms:
SMTP queues that contain messages are in a retry state. When you examine the status of the queues, you see the following:
The remote SMTP service does not support TLS.
Users receive non-delivery reports (NDRs) that contain information that is similar to the following:
The recipient could not be processed because it would violate the security policy in force. #5.7.0 SMTP: 530 5.7.0 Must issue a start TLS command first.
This issue occurs when you use one SMTP connector to route traffic both to domains that are TLS-configured and to domains that are not TLS-configured.
To resolve this issue, remove TLS encryption from the default SMTP connector, and then create a dedicated SMTP connector for TLS-encrypted traffic. To do this, follow these steps:
Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
Remove TLS encryption from the default SMTP connector. To do this:
Click Connectors, right-click the SMTP connector that you use for TLS-encrypted traffic, and then click Properties.
Click the Advanced tab, click Outbound Security, click to clear the TLS encryption check box, and then click OK two times.
Create a connector for TLS-encrypted traffic. To do this:
With the Connectors branch still selected, right-click the right pane of Exchange System Manager, point to New, and then click SMTP Connector.
In the Name box, type a descriptive name for the new connector. For example, type TLS_Dedicated_Connector.
Click Add, click the name of the SMTP virtual server that you want to use with this connector, and then click OK.
Click the Address Space tab, click Add, and then click SMTP if it is not already selected.
Make sure that the Allow messages to be relayed to these domains check box is cleared, and then click OK.
In the Internet Address Space Properties dialog box, accept the default values, and then click OK.
Click the Advanced tab, click Outbound Security, click to select the TLS encryption check box, and then click OK two times.