Hey guys. In my environment I encourage anything that needs to use authenticated relay to hit my mail servers over port 587 on the client front end receive connectors. With these clients, I always have them specify the option to use SSL/TLS and everything always goes through fine. Up to this point I have always assumed that these connectors were using the default SMTP certificate to encrypt any communications between clients and the connectors (I can also say I made the same assumption about how the default connectors on port 25 do this).
I stumbled across this article:
http://exchangeserverpro.com/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/
Which implies that you actually have to set the certificate for each receive connector. When I do a Get-ReceiveConnector it shows the TLSCertificateName as blank (which could very well mean to just use the default certificate).
Could somebody please clarify, are my receive connectors using my default certificate (which I have replaced with a commercial, public CA provided certificate) or are my clients just sending unencrypted traffic? I would find it hard to believe that they are sending unencrypted because I never get any errors when I specify that they need to use encryption, and I am presented with a STARTTLS option when I telnet to my servers over port 587. But all that being said, I would like to get a second opinion. Thanks all
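One way to answer this for yourself rather than infer it from the absence of client errors, as an added example that is not from the post or its author: list the SMTP-enabled certificates and the connectors with a blank TlsCertificateName, then do a real STARTTLS handshake on 587 and compare the thumbprint the server actually presents with the commercial certificate you installed. It assumes the Exchange Management Shell on a server; `$ServerFqdn` and `$ExpectedThumbprint` are placeholders to fill in.

```powershell
# Added example, not from the original post. Fill in the two placeholders.
$ServerFqdn         = 'mail.example.com'                       # placeholder: client-facing FQDN
$ExpectedThumbprint = 'REPLACE_WITH_COMMERCIAL_CERT_THUMBPRINT' # placeholder

# 1. Every certificate with the SMTP service enabled is a candidate the server may present.
Write-Host "Certificates enabled for SMTP:"
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

# 2. Connectors with no explicit TlsCertificateName leave the choice to the server.
Write-Host "Receive connectors without an explicit TlsCertificateName:"
Get-ReceiveConnector | Where-Object { -not $_.TlsCertificateName } |
    Format-Table Identity, Fqdn, Bindings -AutoSize

# 3. Probe port 587 the way a client does and capture the certificate served after STARTTLS.
$client = New-Object System.Net.Sockets.TcpClient($ServerFqdn, 587)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.AutoFlush = $true
$null = $reader.ReadLine()                          # 220 banner
$writer.WriteLine('EHLO probe.example.com')         # placeholder client name
do { $line = $reader.ReadLine() } while ($line -match '^250-')   # multi-line EHLO reply
$writer.WriteLine('STARTTLS')
$line = $reader.ReadLine()
if ($line -notmatch '^220') { throw "STARTTLS refused: $line" }

# Accept any cert here so we can inspect it; the comparison below is the real check.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
$ssl.AuthenticateAsClient($ServerFqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

Write-Host ("Negotiated protocol : {0}" -f $ssl.SslProtocol)
Write-Host ("Served subject      : {0}" -f $served.Subject)
Write-Host ("Served thumbprint   : {0}" -f $served.Thumbprint)
if ($served.Thumbprint -eq $ExpectedThumbprint) {
    Write-Host "OK: port 587 presents the commercial certificate."
} else {
    Write-Warning "Port 587 presents a different certificate (default/self-signed?). Set TlsCertificateName on the connector."
}
$ssl.Dispose(); $client.Close()
```

The thumbprint comparison is the decisive part: clients that are told to "use SSL/TLS" will often still connect if the presented certificate is the self-signed default, so a clean client experience alone does not prove which certificate is in use.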