Track and Trace show that Inbound emails are stuck in a Retrying Delivery state with a TLS error message.

or

An outbound mail queue builds on the sending server-side with a TLS error message.

453 TLS Connection Renegotiation failed.

Email Security.cloud

• The sender MTA server is using a weak or unsupported TLS cipher suite (see TLS ciphers supported by Email Security.cloud).
• You have set up a TLS Business Partner using Forced encryption but are not using a cipher from the “Enforced cipher set” (see View your Encryption Enforcements and Business Partners).
• You are using a SHA1 certificate (deprecated, see SHA1 Deprecation: What You Need to Know).

To continue using TLS Business Partners with Enforced encryption, you will need to ensure you are using TLS 1.1 or higher as well as using a SHA2 certificate.

Be aware that the information below is for guidance only. You must retrieve up-to-date information from your mail server vendor to ensure accuracy, for instructions to any other on-premise mail server solution, contact the software vendor.

Microsoft Exchange users

• Ensure your MTA is up-to-date with the latest available Cumulative Update (CU) patch.
• TLS1.0 does not support the “Enforced cipher set”. Microsoft plans to disable TLS 1.0 and 1.1 in a future CU patch. Migrating to TLS 1.2 now will resolve this issue and ensure you are current with the latest security practices.

Warning: Before proceeding with the following steps,  ensure your Exchange environment has the latest CU patches installed. Failing to do and continuing to the next steps can negatively affect your mail flow.

Enable TLS 1.2

To enable TLS 1.2 for both server (inbound) and client (outbound) connections on an Exchange Server, perform the following.

1. From Notepad.exe, create a text file named TLS12-Enable.reg.
2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

3. Save TLS12-Enable.reg.
4. Double-click the TLS12-Enable.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart the machine for the changes to take effect.
    

Disable TLS 1.0

To disable TLS 1.0 for both Server (inbound) and Client (outbound) connections on an Exchange Server perform the following:

1. From Notepad.exe, create a text file named TLS10-Disable.reg.
2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

3. Save TLS10-Disable.reg.
4. Double click the TLS10-Disable.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart the machine for the changes to take effect.
    

Disable TLS 1.1

To disable TLS 1.1 for both Server (inbound) and Client (outbound) connections on an Exchange Server, perform the following:

1. From Notepad.exe, create a text file named TLS11-Disable.reg.
2. Copy and paste the following text into the file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

3. Save TLS11-Disable.reg.
4. Double click the TLS11-Disable.reg file.
5. Click Yes to update your Windows Registry with these changes.
6. Restart the machine for the changes to take effect.

For more information about TLS best practices, see the following articles:

Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1