SOLVED

Inbound OnPremises connector seeing significant mail flow without TLS warning

Occasional Contributor

We have Office 365 email licenses and we use MS Office/Outlook 2019 on Microsoft Windows Servers v2019.  We do NOT have an OnPrem email server.

 

We used to use smtp.office365.com as an smtp server to send email from an ERP application (to email recipients inside our organization as well as outside our organization), but the ERP app doesn't support TLS 1.2 for emailing.  So I set up a Connector in Office 365 to be able to send email from the ERP application using our Office 365 MX record and an Office 365 SMTP relay.  

 

But the Connector Report in Office 365 is warning every day that "Inbound OnPremises connector seeing significant mail flow without TLS".  I don't understand why this is happening.  I thought using our Office 365 MX record as the SMTP server and a connector as an SMTP relay would ensure all emails would be processed with TLS 1.2.

 

Can anyone explain what I'm missing?  I can provide more details if necessary.  I also had a thought that maybe I've covered everything and that the error is really a non-issue, but I don't know.

 

Thanks.

6 Replies

@Ginny Soyars 

 

Hi Ginny :)

 

Any luck with this?

 

I have the same problem - hard to know how concerned I should be - in my case - 3rd party ERP vendor - typically says yeah it's fine!

@LorneC555 No, I haven't made any progress on this. An MS rep private-messaged me for more information, which I provided, but he eventually said he couldn't help and I should open a formal support case with Microsoft, but I don't know how to go about doing that - plus I don't feel confident I would really get anywhere with Microsoft anyway.  So...

best response confirmed by Ginny Soyars (Occasional Contributor)
Solution
If the ERP app doesn't support TLS 1.2 then no matter where you send, it won't be capable of TLS 1.2. The connector would pick up the traffic as it's coming from your on-premises public IP, regardless of whether you use smtp.office365.com or the MX record.

Set up an IIS relay on prem, use that as your relay and send from there securely to Exchange Online.

@SeanMcAvinue  Thank you so much for your reply Sean, this should head us in the right direction.

Lorne

Yes, thanks for that. I will probably use this as a guide and set up the IIS relay as you suggested: https://adamtheautomator.com/iis-smtp-relay/

I have this issue either coming from on premise Exchange or on premise SMTP relay server. My problem is that I think I will need to split this traffic into separate connectors to figure out what server is sending without TLS. Just FYI, when I had a ticket open for issues with relaying email from on premise I was told that using an on premise IIS/SMTP relay is not a supported configuration, since IIS/SMTP relay is an IIS 6.0 protocol that is no longer supported. You may need to think about looking for a different solution.
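
Added example (not part of the thread and not Microsoft tooling): one way to find which on-premises host is delivering without TLS, as the last reply wants to do, is to tally the `Received` headers that the Exchange Online front end stamps on delivered messages. It assumes the front end writes a `(version=..., cipher=...)` clause only when the SMTP session used TLS; the headers, host names and IP addresses below are constructed.

```python
import re
from collections import Counter, defaultdict

# Hop accepted by an Exchange Online front end: "from <host> (<ip>) by *.mail.protection.outlook.com"
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?P<ip>[0-9A-Fa-f.:]+)\)\s+by\s+"
    r"\S+\.mail\.protection\.outlook\.com\b", re.IGNORECASE)
# Assumption: this clause is present only when the SMTP session used TLS.
TLS_RE = re.compile(r"\(version=(?P<ver>TLS[0-9_]+),\s*cipher=[^)]*\)")

# Constructed sample headers (documentation IPs, made-up host names).
FE = "XX0EXAMPLE001.mail.protection.outlook.com (10.0.0.1)"
TAIL = "id 15.20.0000.0 via Frontend Transport; Mon, 1 Jan 2024 10:00:00 +0000"
SAMPLE_HEADERS = [
    f"from erp01.example.com (203.0.113.10) by {FE} with Microsoft SMTP Server {TAIL}",
    f"from erp01.example.com (203.0.113.10) by {FE} with Microsoft SMTP Server {TAIL}",
    f"from relay01.example.com (198.51.100.7) by {FE} with Microsoft SMTP Server "
    f"(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) {TAIL}",
    # Folded header, as it appears in raw message source.
    f"from relay01.example.com (198.51.100.7)\r\n by {FE}\r\n with Microsoft SMTP Server"
    f"\r\n (version=TLS1_2,\r\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) {TAIL}",
    # Internal hop between Microsoft servers: not a connector-facing hop, ignored.
    f"from {FE} by XX0EXAMPLE002.example.prod.outlook.com (10.0.0.2) with Microsoft "
    f"SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) {TAIL}",
]

def classify(received):
    """Return (host, ip, tls_version or None), or None for other hops."""
    flat = " ".join(received.split())  # unfold continuation lines
    hop = HOP_RE.search(flat)
    if hop is None:
        return None
    tls = TLS_RE.search(flat)
    return hop["host"], hop["ip"], tls["ver"] if tls else None

def summarize(headers):
    """Per sending IP, count deliveries by TLS version (or 'no TLS')."""
    stats = defaultdict(Counter)
    for hit in filter(None, map(classify, headers)):
        stats[hit[1]][hit[2] or "no TLS"] += 1
    return {ip: dict(c) for ip, c in stats.items()}

def plaintext_senders(headers, min_share=0.5):
    """IPs whose share of non-TLS deliveries is at least min_share."""
    stats = summarize(headers)
    return sorted(ip for ip, c in stats.items()
                  if c.get("no TLS", 0) / sum(c.values()) >= min_share)
```

Run over `Received` headers collected from message source, the IPs returned by `plaintext_senders` are the hosts to move behind a TLS-capable relay or onto their own connector.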