Event ID 4007 may be logged in the Application log when you enable Transport Layer Security (TLS) connections for one or more specific domains in Exchange Server 2003: "The remote SMTP service does not support TLS"

Consider the following scenario:

• You enable Transport Layer Security (TLS) connection for one or more specific domains.
• You use Cisco ASA firewall in a mail environment.
• You send an e-mail message.

In this scenario, the following event may be logged in the Application log:

Event ID : 4007
Raw Event ID: 4007
Record Nr. : 3524
Category : Connection Manager
Source : MSExchangeTransport
Type : Warning
Message : Message delivery to the host 'xx.xx.xx.xx' failed while delivering to the remote domain 'domain.com' for the following reason: The remote SMTP service does not support TLS.

The SMTP verb which caused the error is 'STARTTLS'. The response from the remote server is
'250-mail01.domain.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-XXXXXXXA'.

Data:
E5

This issue occurs because the Cisco ASA firewall has an SMTP protocol feature for checking SMTP communication. By default, his check function is enabled. When this issue occurs, the check function correctly removes the Extended Set of Simple Mail Transfer Protocol (ESMTP) command that includes the STARTTLS verb from the SMTP communication.

To work around this issue, follow these steps:

1. Disable the default check function for the ESMTP command on the Cisco ASA firewall.
2. Force a connection to the destination mail server. Or, restart the SMTP virtual server. To force a connection, right-click the failed message in the Exchange System Manager queue, and then click Force Connection.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.