
Thursday 10 November 2011

Disable StartTLS on EX2010 Send Connectors - Quick Fix

On an Exchange 2010 Hub Transport server you may see MSExchangeTransport event ID 12014 (category TransportService) logged repeatedly in the Application event log.

This is typically because the Hub Transport server has no certificate enabled for the SMTP service whose name matches the FQDN configured on the send connector (or, if the connector's FQDN is empty, the local computer's FQDN).

Checking the properties of the send connector shows that TLS is not required, yet the error still appears.

The reason is that the receiving server advertises STARTTLS in its EHLO response, so your Exchange server tries to start TLS. That attempt fails because no suitable certificate is found, and the message is then sent without TLS in the normal fashion. Mail flows, but you keep seeing the errors.

Disabling TLS on a send connector does not stop the receiving server from offering it. If you examine the send connector in the EMS (Get-SendConnector [connectorname] | fl) you will see a property called IgnoreSTARTTLS, which is False by default.

The default lets the Exchange server use TLS whenever the remote side offers it. If any of the following are true, the quick fix is simple:
  • you do not have a certificate installed and enabled for the SMTP service
  • your certificate does not contain the correct names
  • you never want to offer or use TLS on this connector
Solution:

Use the Exchange Management Shell (EMS) to change the IgnoreSTARTTLS value to $true as shown below:

Open the EMS
  1. Get-SendConnector -Identity "[send connector name]" | Set-SendConnector -IgnoreSTARTTLS $true
  2. Restart the Microsoft Exchange Transport service (Restart-Service MSExchangeTransport).
Important Note:

If the send connector is configured to require TLS (RequireTLS is True) this procedure will not work, and you will need to sort your certificates out. Bear in mind too that setting IgnoreSTARTTLS switches off opportunistic TLS for every message sent through that connector: you are trading encryption in transit for a quiet event log. Installing or enabling a certificate whose name matches the connector FQDN is the better long-term answer; use the quick fix only when you have decided that TLS is not wanted on that connector.
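As an added example that is not from the original post, the following Exchange Management Shell script ties the diagnosis and both fixes together: it counts recent 12014 events, works out which name transport will look for in the certificate store, enables a matching certificate for SMTP if one exists, and only otherwise falls back to IgnoreSTARTTLS (refusing to do so when RequireTLS is set). The connector name "Internet Mail", the use of Get-WinEvent for the event lookup, and the simple wildcard check are assumptions of this example, not something the post describes.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on an Exchange 2010 Hub Transport server. $ConnectorName is an assumed
# value; replace it with a name from Get-SendConnector.
$ConnectorName = "Internet Mail"

# 1. Confirm the symptom: 12014 events from the transport service in the last day.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchangeTransport'
    Id           = 12014
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
Write-Host ("12014 events in the last 24h: {0}" -f @($events).Count)

# 2. Work out which name transport expects in a certificate: the connector FQDN,
#    or the local computer FQDN when the connector FQDN is empty.
$connector    = Get-SendConnector -Identity $ConnectorName
$expectedName = [string]$connector.Fqdn
if (-not $expectedName) {
    $cs = Get-WmiObject Win32_ComputerSystem
    $expectedName = "{0}.{1}" -f $cs.Name, $cs.Domain
}
$connector | Format-List Name, Fqdn, RequireTLS, IgnoreSTARTTLS
Write-Host "Transport will look for a certificate containing: $expectedName"

# 3. Find an unexpired certificate that carries that name (exact or, as a
#    simplifying assumption, a wildcard for its parent domain).
$parent = $expectedName -replace '^[^.]+\.', ''
$match = Get-ExchangeCertificate | Where-Object {
    $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    ($_.NotAfter -gt (Get-Date)) -and
    (($names -contains $expectedName) -or ($names -contains "*.$parent"))
}

if ($match) {
    # Proper fix: make sure the transport service is allowed to use the certificate.
    $match | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
    $match | Where-Object { $_.Services -notmatch 'SMTP' } | ForEach-Object {
        Enable-ExchangeCertificate -Thumbprint $_.Thumbprint -Services SMTP
    }
}
elseif ($connector.RequireTLS) {
    # As the post's Important Note says, IgnoreSTARTTLS cannot help a connector
    # that requires TLS; the certificate has to be fixed.
    Write-Warning "RequireTLS is set on '$ConnectorName' and no certificate contains $expectedName. Install or enable a matching certificate instead."
}
else {
    # Quick fix from the post. Caveat: every message through this connector
    # now goes out without opportunistic TLS.
    Write-Warning "No certificate contains $expectedName; disabling STARTTLS on '$ConnectorName'."
    Set-SendConnector -Identity $ConnectorName -IgnoreSTARTTLS $true
}

# 4. Restart transport so the change (certificate or connector) takes effect.
Restart-Service MSExchangeTransport
```

Running step 2 on its own is a useful check before touching anything: if the name it prints is not one you expect (for example an internal machine name on an Internet-facing connector), setting the connector's Fqdn to a name your public certificate actually contains is often the real fix.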

2 comments:

  1. Turning Opportunistic TLS off when you get this error is a terrible recommendation. Administrators should be getting their certificates properly assigned and validated, not turning off email encryption entirely.

    That said, there is a major flaw in your first statement. If you get this error, it is a warning that your certificates can't be validated for STARTTLS. Messages will be encrypted using any available certificate if this message is showing up in the logs. The warning message can be safely ignored if it is not possible to resolve certificate validity errors.

  2. Thanks so much for posting a lot of this awesome content! Looking forward to checking out more.
