I've actually had this exact question come up in a few different cases lately, so I figured a quick blog post was in order. There could be numerous reasons you may need to disable Opportunistic TLS on your Edge (or Internet) Send Connector, which is enabled by default in Exchange 2007 and above. While I won't go into all the details, I will discuss the steps to accomplish this task.
The first step is to launch the Exchange Management Shell on an Edge server (or Hub if there are no Edge servers).
Next, use the following commands to view your Send Connectors on your Hub or Edge:
In this example you can see I only have one Send Connector, but if I had more than one, I would specify by name the Send Connector on which I want to disable Opportunistic TLS, using the following command:
Set-SendConnector -Identity "Internet" -IgnoreSTARTTLS $true
After the command finishes you can verify the success by running this command:
Get-SendConnector | fl Name, IgnoreSTARTTLS
That's it! I can now send outgoing email through the Internet Send Connector, and Exchange will no longer try to negotiate TLS for each connection.
Note: Naturally in this example, ALL my outgoing messages are affected by this change. If you had specific email domains that may need Opportunistic TLS, then creating a new Send Connector for those Address Spaces would be required.
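The steps above, carried through end to end in one Exchange Management Shell script, as an added example that is not part of the original post: it records the connector's state, refuses to proceed if RequireTLS is set (Exchange does not allow IgnoreSTARTTLS $true together with RequireTLS $true), scopes the change to a single named connector, verifies it, and then creates the separate connector the note describes for a domain that must keep TLS. The connector name "Internet" and the domain "partner.example" are assumed values.

```powershell
# Added example, not from the original post. Assumed names: a Send Connector
# called "Internet" and a partner domain "partner.example" that must keep TLS.
$ConnectorName = "Internet"
$TlsDomain     = "partner.example"
$TlsConnector  = "Internet-TLS-$TlsDomain"

# 1. Record the current state before changing anything.
$before = Get-SendConnector -Identity $ConnectorName
Write-Host ("Before: {0} IgnoreSTARTTLS={1} RequireTLS={2}" -f `
    $before.Name, $before.IgnoreSTARTTLS, $before.RequireTLS)

# 2. IgnoreSTARTTLS cannot be $true while RequireTLS is $true, so stop here
#    rather than leaving the connector in a state that blocks mail flow.
if ($before.RequireTLS) {
    throw "Connector '$ConnectorName' has RequireTLS set; review that before disabling STARTTLS."
}

# 3. Disable Opportunistic TLS on this one connector only.
Set-SendConnector -Identity $ConnectorName -IgnoreSTARTTLS $true

# 4. Verify the change took effect.
$after = Get-SendConnector -Identity $ConnectorName
if (-not $after.IgnoreSTARTTLS) {
    throw "IgnoreSTARTTLS was not set on '$ConnectorName'."
}

# 5. Keep TLS for the domain that needs it. A connector whose address space
#    is more specific than "*" is preferred by routing for mail to that domain.
#    (On a Hub Transport server, add -SourceTransportServers <server name>.)
if (-not (Get-SendConnector | Where-Object { $_.Name -eq $TlsConnector })) {
    New-SendConnector -Name $TlsConnector -Usage Internet `
        -AddressSpaces $TlsDomain -DNSRoutingEnabled $true `
        -RequireTLS $true -IgnoreSTARTTLS $false
}

# 6. Summarise the final state of every Send Connector for the change record.
Get-SendConnector | Format-Table Name, AddressSpaces, IgnoreSTARTTLS, RequireTLS -AutoSize
```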