UGTS Document #23 - Last Modified: 8/29/2015 3:23 PM
Troubleshooting SMTP Servers

Any SMTP server can be tested simply using telnet, whether it is run using IIS, Exchange, or some other software.
 
Just telnet to the host and port (usually 25 or 587) of the SMTP server by running telnet [host] 25 on the command line.  If the connection is not blocked by a firewall or your ISP, then you should immediately get a connection to the server and be shown the banner message of the SMTP server.  You can then enter the command EHLO domain.com to get a list of commands that the SMTP server supports.

Note that your ISP might block outbound port 25 to stop spammers.  If this is the case, then you'll have to use a different port number, or connect to the port from a different machine.  If possible, you should try running telnet from the server itself to minimize the things that can go wrong - use telnet localhost 25.

If the SMTP server supports opportunistic TLS, then one of the lines returned will be 250-STARTTLS.  If the server does not support TLS, then this line will not be returned, and if you try to connect to the server using .NET's Net.Mail.SmtpClient class, you will get the error 'Server does not support secure connections'.
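The telnet check described above can be scripted so it is repeatable. The following Python script is an added example, not part of the original document: it reads the banner, sends EHLO, parses the multi-line 250 reply, and reports whether STARTTLS is listed. The function names, the host name mail.example.test and the sample reply are constructed for illustration.

```python
import io
import socket
import sys

# Constructed sample of an EHLO reply (not captured from a real server).
SAMPLE_EHLO = (b"250-mail.example.test Hello [192.0.2.10]\r\n"
               b"250-SIZE 10485760\r\n"
               b"250-STARTTLS\r\n"
               b"250 8BITMIME\r\n")

def read_reply(stream):
    """Read one SMTP reply, which may span several lines; return (code, texts)."""
    texts = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("connection closed before the reply ended")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        # "250-" marks a continuation line; "250 " (or a bare code) ends the reply.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), texts

def advertises_starttls(ehlo_texts):
    """True if STARTTLS is among the EHLO keywords (the first line is the greeting)."""
    keywords = [t.split()[0].upper() for t in ehlo_texts[1:] if t.strip()]
    return "STARTTLS" in keywords

def probe(host, port=25, ehlo_name="domain.com", timeout=10):
    """Do what the telnet session does: read the banner, send EHLO, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        banner_code, banner = read_reply(stream)
        if banner_code != 220:
            raise RuntimeError(f"unexpected banner: {banner_code} {banner[0]}")
        stream.write(f"EHLO {ehlo_name}\r\n".encode("ascii"))
        stream.flush()
        code, texts = read_reply(stream)
        stream.write(b"QUIT\r\n")
        stream.flush()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {texts[0]}")
        return banner[0], texts[1:], advertises_starttls(texts)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: script.py host [port]
        banner, extensions, tls = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
        print(banner, extensions, sep="\n")
    else:                   # no host given: parse the constructed sample offline
        tls = advertises_starttls(read_reply(io.BytesIO(SAMPLE_EHLO))[1])
    print("STARTTLS advertised" if tls else "STARTTLS NOT advertised")
```

Run it with a host name (and optionally a port) to probe a live server, or with no arguments to parse the embedded sample.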

If you are seeing this on Exchange Server 2007, and you've done everything that you know how to do to enable TLS (enabled TLS on the receive connector, installed a trusted certificate, verified that it has not expired, and enabled it for SMTP), but the SMTP server still does not show 250-STARTTLS, then you should verify that the security certificate used on the SMTP server is trusted by the server.

Sometimes the certificate, an intermediate certificate, or the root certificate can be marked as disabled in the Certificates store on the server, and this will prevent Exchange from using the certificate.  If this is the case, enabling the certificate will immediately fix the problem (there is no need to restart any services; as soon as you make the change, the 250-STARTTLS line should show up).  To do this, run the Certificates snap-in in mmc.exe for the Computer account, and go to Personal, Trusted Root Certification Authorities, and Intermediate Certification Authorities.  If any of the certificates installed in the chain show up as Intended Purposes = <none>, then that certificate is disabled.  To enable a certificate, right-click it, choose Properties, and select Enable all purposes for this certificate.