
Thursday, 10 November 2011

Disable StartTLS on EX2010 Send Connectors - Quick Fix

In the Event Viewer on your Exchange Hub Transport server you may see TransportService Error 12014 repeated on a regular basis.

This is typically because the HT server has no certificate installed whose name matches the FQDN entered on the send connector (or the local computer's FQDN, if the send connector's FQDN is empty).

When you check the properties of the Send Connector you see that TLS is NOT required, but you still get the error.

This is because the receiving server has requested TLS, so your Exchange server tries to start TLS; this fails, and the message is then sent without TLS in the normal fashion. Everything works, but you see the annoying errors!

Even when you have disabled TLS on a send connector, this does not stop the receiving server from requesting TLS. If you examine the send connector in the EMS with get-sendconnector [connectorname] | fl, you will probably see a property called IgnoreSTARTTLS set to False.

This is the default and allows the Exchange server to provide TLS when requested. But if any of the following are true, then the solution is simple:
  • You don't have a certificate installed and bound to the SMTP service
  • Your certificate does not have the correct names
  • You just don't want to provide or use TLS, ever
Solution:

Use the Exchange Management Shell (EMS) to change the IgnoreSTARTTLS value to $true, as shown below:

Open the EMS, then:
  1. get-SendConnector -identity [send connector name] | set-SendConnector -IgnoreSTARTTLS:$true
  2. Restart the Microsoft Exchange Transport service (restart-service msexchangetransport).
Important Note:

If you have configured your server to Require TLS, this procedure will not work and you will need to sort your certificates out.
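The checks the post describes (does a certificate bound to SMTP match the connector's FQDN, and is RequireTLS set) and the IgnoreSTARTTLS change, combined into one audit script. This is an added example, not code from the original post; it assumes the standard Exchange 2010 cmdlets Get-SendConnector, Set-SendConnector and Get-ExchangeCertificate and is run from the EMS.

```powershell
# Added example, not from the original post. Audits Exchange 2010 send connectors
# before changing IgnoreSTARTTLS: works out the FQDN each connector uses (its Fqdn,
# or the local computer FQDN when empty), checks whether a certificate bound to
# the SMTP service covers that name, and only sets IgnoreSTARTTLS where
# RequireTLS is $false. Run from the Exchange Management Shell.
$Apply = $false   # set to $true to actually change the connectors

$localFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

# Subject/SAN names on certificates that are enabled for the SMTP service.
$smtpCertNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    $n = $Name.ToLower()
    foreach ($c in $CertNames) {
        if ($c -eq $n) { return $true }
        # A wildcard entry such as *.contoso.com covers exactly one extra label.
        if ($c.StartsWith('*.') -and $n.EndsWith($c.Substring(1)) -and
            ($n.Split('.').Count -eq $c.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($sc in Get-SendConnector) {
    $fqdn = if ($sc.Fqdn) { $sc.Fqdn.ToString() } else { $localFqdn }
    $covered = Test-NameCovered -Name $fqdn -CertNames $smtpCertNames
    $line = "{0}: FQDN={1} CertMatch={2} RequireTLS={3} IgnoreSTARTTLS={4}"
    Write-Host ($line -f $sc.Identity, $fqdn, $covered, $sc.RequireTLS, $sc.IgnoreSTARTTLS)

    if ($sc.RequireTLS) {
        Write-Host "  RequireTLS is set: IgnoreSTARTTLS will not help here, fix the certificate."
        continue
    }
    if ($covered) {
        Write-Host "  A certificate bound to SMTP already matches this FQDN; nothing to change."
        continue
    }
    if ($Apply -and -not $sc.IgnoreSTARTTLS) {
        $sc | Set-SendConnector -IgnoreSTARTTLS $true
        Write-Host "  IgnoreSTARTTLS set to True; restart MSExchangeTransport to apply."
    }
}
```

With $Apply left at $false the script only reports, so you can see which connectors would be changed and which still need their certificates sorted out.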