Do Exchange self-signed certificates normally work with external TLS connections?
When external mail systems connect to our external Edge servers (to send incoming email), we broadcast a 250-X-ANONYMOUSTLS, but not a 250-STARTTLS. I'm not exactly sure of the difference between those two, but it seems that STARTTLS must be there for opportunistic TLS, although I've seen posts that suggest the ANONYMOUSTLS entry is for allowing other self-signed certificates on the other end. Perhaps both are required.

Would a cert being self-signed on my end alone prevent the STARTTLS command from being available? Or could the issue be that the certificate does not contain the same name that is broadcast by EHLO and visible via an external PTR record? Currently the self-signed cert contains a local machine name that does not match the externally visible PTR name. Does the name have to match either the PTR record or the EHLO broadcast name for STARTTLS to be listed? Are both issues a problem, or only the latter (a cert that is self-signed vs. a cert that doesn't match the external name)?
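A diagnostic script for the two things the question asks about, added here as an example and not part of the original post or of Exchange: it parses an EHLO reply to see whether STARTTLS and X-ANONYMOUSTLS are advertised, and compares a certificate's subject/SAN names against the hostname announced in the EHLO greeting and against the PTR name. The EHLO replies, certificate fields, hostnames and addresses are constructed; `live_check` is the only part that talks to a real server, and it disables verification so that a self-signed certificate can still be retrieved for inspection. Function names are my own.

```python
"""Inspect SMTP TLS advertisement and certificate/name agreement.

Added example, not code from the original question. All sample data below is
constructed; only live_check() contacts a real server.
"""
import smtplib
import ssl
import sys

# Constructed EHLO reply matching the situation in the question: the Edge
# server advertises X-ANONYMOUSTLS (Exchange-to-Exchange) but no STARTTLS.
SAMPLE_EHLO_NO_STARTTLS = (
    "250-edge01.corp.local Hello [203.0.113.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-X-ANONYMOUSTLS\r\n"
    "250-8BITMIME\r\n"
    "250 CHUNKING\r\n"
)

# Constructed reply from a server that does offer opportunistic TLS.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello [203.0.113.5]\r\n"
    "250-SIZE 37748736\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() uses.
SELF_SIGNED_CERT = {  # internal machine name only, as in the question
    "subject": ((("commonName", "edge01.corp.local"),),),
    "subjectAltName": (("DNS", "edge01.corp.local"), ("DNS", "edge01")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}


def parse_ehlo(reply):
    """Return (greeting hostname, {EXTENSION: parameter}) from a raw 250 reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply")
    hostname = lines[0][4:].split()[0]
    exts = {}
    for line in lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"malformed continuation line: {line!r}")
        name, _, param = rest.strip().partition(" ")
        exts[name.upper()] = param
    return hostname, exts


def tls_capabilities(exts):
    """Which TLS-related extensions were advertised."""
    return {"starttls": "STARTTLS" in exts, "x_anonymoustls": "X-ANONYMOUSTLS" in exts}


def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(cert, hostname):
    """RFC 6125-style match: exact, or a single left-most wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names(cert)):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(reply, cert, ptr_name):
    """Combine the checks: what is advertised, and which names the cert covers."""
    ehlo_host, exts = parse_ehlo(reply)
    caps = tls_capabilities(exts)
    return {
        "ehlo_host": ehlo_host,
        "starttls": caps["starttls"],
        "x_anonymoustls": caps["x_anonymoustls"],
        "cert_matches_ehlo_name": name_matches(cert, ehlo_host),
        "cert_matches_ptr_name": name_matches(cert, ptr_name),
    }


def live_check(host, port=25, timeout=10):
    """Against a real server: record the EHLO hostname and extensions, and if
    STARTTLS is offered negotiate it without verification (so a self-signed
    cert is still retrievable) and return the peer cert as PEM for
    `openssl x509 -noout -text`. With CERT_NONE, getpeercert() returns {} so
    the DER form is fetched instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        caps = tls_capabilities({k.upper(): v for k, v in s.esmtp_features.items()})
        report = {"ehlo_host": s.ehlo_resp.decode(errors="replace").split()[0],
                  "tls": caps, "peer_cert_pem": None}
        if caps["starttls"]:
            s.starttls(context=ctx)
            report["peer_cert_pem"] = ssl.DER_cert_to_PEM_cert(s.sock.getpeercert(binary_form=True))
        return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))  # e.g. python check_smtp_tls.py mx.example.net
    else:
        print(diagnose(SAMPLE_EHLO_NO_STARTTLS, SELF_SIGNED_CERT, "mail.example.net"))
```

Run without arguments to see the constructed case from the question (X-ANONYMOUSTLS only, and a certificate that matches the internal EHLO name but not the PTR name); pass an MX hostname to run the same capability check live. The offline part tells you what the sending side will see; it does not by itself tell you why Exchange is withholding STARTTLS, which is what the connector-side certificate configuration determines.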