Unable to send TLS mails to external domains – E2k7

Topology: Exchange 2007 > Watch Guard firewall > Microsoft ForeFront > Internet

Send connector is smart-hosted to Microsoft ForeFront

Exchange 2007 uses a feature known as ‘Opportunistic TLS’: if the remote SMTP host advertises STARTTLS in its EHLO response, Exchange sends the mail over TLS; otherwise Exchange falls back to plain (non-TLS) SMTP.

In spite of this, the customer’s Exchange server was sending non-TLS mail to remote domains that accept TLS.


–          From the Exchange server, ran a telnet to ForeFront (mail.messaging.microsoft.com) on port 25; no STARTTLS verb was advertised in the EHLO response

–          Given that response, Exchange was behaving as designed by sending mail only in non-TLS format

–          However, when we ran a telnet to ForeFront from a host outside the customer’s network (telnet mail.messaging.microsoft.com 25), we did see the STARTTLS verb

–          Thus, although ForeFront advertises the STARTTLS verb, it is not seen when running a telnet from the Exchange server

We suspected the WatchGuard to be running an ESMTP proxy that strips verbs from the EHLO response before they reach the Exchange server

Although the customer confirmed that the firewall did not proxy any SMTP, we logged in to the firewall console and found outbound ESMTP proxy settings

ESMTP was enabled, and only 8-BITMIME was checked in the list of allowed extensions (this was the only verb displayed when the customer ran a telnet to ForeFront)

We also checked BINARYMIME in that list, saved the firewall config, and ran the telnet to ForeFront again: now the BINARYMIME verb was displayed along with 8-BITMIME
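The comparison above (EHLO reply as seen from behind the firewall versus EHLO reply as seen from outside) can be scripted instead of eyeballed in telnet. The following is an added example, not code from the original post: it parses an EHLO reply into its advertised extensions, diffs two vantage points, and includes a live probe built on Python’s standard smtplib. The two sample replies, the IP address and the host name in the probe default are constructed for illustration; the only real name is the ForeFront smart host already mentioned in the post.

```python
"""Compare the ESMTP extensions a smart host advertises from two vantage points.

Added example, not part of the original post. The EHLO transcripts below are
constructed to mirror the symptom described: only 8BITMIME survives the proxy.
"""
import smtplib

# Constructed sample: the EHLO reply seen from the Exchange server, i.e. after
# the WatchGuard SMTP proxy has rewritten it.
EHLO_VIA_PROXY = (
    b"250-mail.messaging.microsoft.com Hello\r\n"
    b"250 8BITMIME\r\n"
)

# Constructed sample: the same smart host's EHLO reply seen directly.
EHLO_DIRECT = (
    b"250-mail.messaging.microsoft.com Hello [203.0.113.10]\r\n"
    b"250-SIZE 157286400\r\n"
    b"250-PIPELINING\r\n"
    b"250-8BITMIME\r\n"
    b"250-BINARYMIME\r\n"
    b"250-CHUNKING\r\n"
    b"250 STARTTLS\r\n"
)


def parse_ehlo(reply: bytes) -> set:
    """Return the extension keywords from a multi-line 250 reply to EHLO.

    The first line is the server greeting; every later line is '250-KEYWORD'
    (more lines follow) or '250 KEYWORD' (last line), optionally followed by
    parameters such as the SIZE limit, which are dropped here.
    """
    extensions = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()  # strip the '250-' / '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def missing_extensions(seen_inside: set, seen_outside: set) -> set:
    """Extensions the smart host advertises that the inside vantage point does
    not see. A non-empty result is evidence of an in-path proxy rewriting EHLO."""
    return seen_outside - seen_inside


def tls_stripped(seen_inside: set, seen_outside: set) -> bool:
    """True when STARTTLS is offered by the host but hidden from the inside.
    This is exactly the condition that makes Exchange's opportunistic TLS
    silently fall back to cleartext."""
    return "STARTTLS" in seen_outside and "STARTTLS" not in seen_inside


def probe_ehlo(host: str, port: int = 25,
               helo_name: str = "probe.example.invalid",
               timeout: float = 10.0) -> set:
    """Live check (needs network): connect, send EHLO, return the extensions.

    Run this once from the Exchange server and once from a host that is not
    behind the firewall, then feed both results to missing_extensions().
    smtplib stores the parsed extension keywords, lowercased, in esmtp_features.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO to {host}:{port} rejected with {code}")
        return {keyword.upper() for keyword in smtp.esmtp_features}


if __name__ == "__main__":
    inside = parse_ehlo(EHLO_VIA_PROXY)
    outside = parse_ehlo(EHLO_DIRECT)
    print("seen from inside :", sorted(inside))
    print("seen from outside:", sorted(outside))
    print("hidden by the path:", sorted(missing_extensions(inside, outside)))
    if tls_stripped(inside, outside):
        print("STARTTLS is being stripped; Exchange will fall back to cleartext")
```

To use it against a real path, replace the constructed samples with `probe_ehlo("mail.messaging.microsoft.com")` run from each side; if `tls_stripped()` reports true, look for an SMTP proxy on the path before blaming the Exchange send connector.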

This confirmed that it was indeed the firewall that was stripping the verbs. The following link discusses issues with TLS and encryption caused by the WatchGuard Firebox firewall:


Resolution: The WatchGuard firewall has two options for SMTP mail: SMTP Proxy and SMTP Packet Filter. The default choice, when a user first sets up mail, is the SMTP Proxy. Change to the SMTP Packet Filter, and that should resolve the issue. Note that the packet filter does no content inspection, so any proxy-based features on port 25 (the comment below mentions spamBlocker) stop applying; if the proxy must stay, its ESMTP settings have to pass the STARTTLS verb through rather than strip it, and whether that option exists depends on the Firebox firmware version.

2 thoughts on “Unable to send TLS mails to external domains – E2k7”

  1. This problem is also exhibited with the [now outdated] Watchguard X550e. Until encountering this, there was no reason to replace our firewall appliance. In order to use the subscription SpamBlocker service (which relies on the SMTP proxy), one must use the proxy rule as opposed to a packet-filter rule, or the filtering cannot take place. We’ve unfortunately had to disable our spam blocker & simply port-forward 25 directly to the mail server temporarily because of this. The newest firmware that addresses this problem is not available for this particular model, so we’re stuck until the unit is replaced, because its proxy strips the TLS headers & causes delivery problems between certain SMTP servers & our own.
