Topology: Exchange 2007 > WatchGuard firewall > Microsoft ForeFront > Internet
Send connector is smart-hosted to Microsoft ForeFront
Exchange 2007 has a feature known as ‘Opportunistic TLS’ > if the remote domain advertises STARTTLS, Exchange sends the mail over TLS; otherwise Exchange sends it in clear text (non-TLS)
In spite of this, the customer’s Exchange server was sending non-TLS mail to remote domains that accept TLS
Troubleshooting:
– From the Exchange server, ran a telnet to ForeFront (mail.messaging.microsoft.com) on port 25, and no STARTTLS verb was advertised in the EHLO response
– So, from Exchange’s point of view, sending mail in non-TLS format is the expected behaviour
– However, when we telnet to ForeFront from elsewhere (telnet mail.messaging.microsoft.com 25), we do see the STARTTLS verb
– Thus, though ForeFront advertises the STARTTLS verb, it is not seen when running a telnet from the Exchange server
Suspected WatchGuard to be running an ESMTP proxy, which strips the verbs from the EHLO response
Though Cx confirmed that the firewall did not proxy any SMTP, we logged in to the console and found ESMTP outbound settings
ESMTP was enabled, and there was a check mark for 8-BITMIME only (this was the only verb displayed when Cx ran a telnet to ForeFront)
We checked BINARYMIME (from that list), saved the firewall config, and then ran a telnet to ForeFront again > now the BINARYMIME verb was also displayed (along with 8-BITMIME)
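The check above, comparing the EHLO extension list the Exchange server actually receives with the list the smart host really advertises, is easy to script. The following is an added example, not part of the original case notes: `parse_ehlo_extensions` and `starttls_stripped` work on raw EHLO replies (the two sample replies are constructed here, not captured from ForeFront), and `live_ehlo_extensions` performs the real EHLO with Python’s `smtplib` so the same comparison can be run once from the Exchange server and once from a host that is not behind the firewall. The host name `mail.example.invalid` is a placeholder.

```python
"""Detect an ESMTP proxy that strips STARTTLS (and other verbs) from EHLO.

Added example, not from the original case notes. Opportunistic TLS only
works if the EHLO response the sending server *actually receives* contains
STARTTLS; a proxy in the path can rewrite that response and silently remove
the keyword, so the sender falls back to clear text without any error.
"""
import smtplib


def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Return the set of ESMTP keywords (upper-cased) in a raw 250 EHLO reply.

    The first line ('250-hostname greeting') is the server identity and is
    skipped; every following line is '250-KEYWORD [params]' or, for the
    final line, '250 KEYWORD [params]'.
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # not part of the 250 reply, ignore
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def starttls_stripped(inside_reply: bytes, outside_reply: bytes) -> set:
    """Keywords advertised in the reply seen from outside the firewall but
    missing from the reply seen from the mail server behind it.

    A non-empty result means something in the path is rewriting EHLO; if
    'STARTTLS' is in the result, opportunistic TLS cannot work from inside.
    """
    return parse_ehlo_extensions(outside_reply) - parse_ehlo_extensions(inside_reply)


def live_ehlo_extensions(host: str, port: int = 25, timeout: float = 10.0) -> set:
    """Perform a real EHLO against a smart host and return its extensions.

    Run this from the mail server and from a host outside the firewall and
    compare the two sets. Requires network access; not exercised offline.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with code {code}")
        # smtplib stores the feature keywords lower-cased
        return {keyword.upper() for keyword in smtp.esmtp_features}


# Constructed sample replies (placeholder host, not captured from ForeFront).
# What the smart host really advertises, as seen from outside the firewall:
OUTSIDE_REPLY = (b"250-mail.example.invalid Hello\r\n"
                 b"250-SIZE 36700160\r\n"
                 b"250-PIPELINING\r\n"
                 b"250-8BITMIME\r\n"
                 b"250-BINARYMIME\r\n"
                 b"250 STARTTLS\r\n")

# What the mail server behind the ESMTP proxy receives: only 8BITMIME survives
INSIDE_REPLY = (b"250-mail.example.invalid Hello\r\n"
                b"250 8BITMIME\r\n")


if __name__ == "__main__":
    missing = starttls_stripped(INSIDE_REPLY, OUTSIDE_REPLY)
    print("verbs removed by the path:", sorted(missing))
    if "STARTTLS" in missing:
        print("STARTTLS is being stripped: the sender will fall back to clear text")
```

In the case above the interesting value is exactly the set difference: with the proxy in place it contains STARTTLS, and after switching the firewall to the packet filter (or enabling the verb in the proxy’s ESMTP list) it should be empty.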
Thus it was confirmed that the firewall was indeed stripping the verbs. The following link discusses issues with TLS and encryption caused by the WatchGuard Firebox firewall:
http://www.google.com/support/appsecurity/bin/answer.py?hl=en&answer=138468
Resolution: The WatchGuard firewall has two options for SMTP mail: SMTP Proxy and SMTP Packet Filter. The default choice, when a user first sets up mail, is the SMTP Proxy. Change to SMTP Packet Filter, and that should resolve the issue.
