Mandatory TLS1.2 - Message Headers report TLS version incorrectly.

Occasional Contributor

We have a large(ish) tenant, 80k+ Mailboxes, with thousands of servers / MFPs connecting using Client Submission. - we recently finished work to verify devices are all showing as "TLS1_2" in the headers, as mentioned on the EHLO Blog.


We have just discovered that the TLS version reported in headers is not accurate, by stumbling across a unix device only capable of TLS1.0 but EXO Headers were reporting it as using TLS1.2 - reviewing the EMT and normal message trace confirmed it is using TLS1.0. - my advice to anyone undertaking similar work is to check message traces instead of Headers - screenshot of the same message, headers vs message trace below.







1 Reply

Is the Unix device using IPv6? (Is your network using IPv6 at all?)


It looks to me that that's a intra-Microsoft network Received header and not the one for the first hop of the Unix-device to EXO. There are normally a few Received hops within Microsoft's network. What other Received headers are there? Is header-analyzer maybe missing the first one?


Ohh and the first hop is normally more obviously an EOP one, e.g.