James,

What is the IP address of your server? Is it possible for you to call us or send us an email. Explaining this over the phone will be a lot easier. Our number is 609-750-0007 - dial 2 for support.

In any case, I am going to try to explain this for other viewers.

The SSL encryption occurs at the network layer. When a sender (checktls.com) tries to connect, a TCP/IP socket is created between CheckTLS and Xeams. This socket has no idea about Exchange. Once the connection is established, Xeams will open another socket to your Exchange. Now Xeams acts as a middleman. Whatever CheckTLS sends, Xeams forwards that request to Exchange. When Exchange replies back, Xeams sends most of the reply back. I say "most of the reply" back because some extensions supported by Exchange are not supported by Xeams and therefore, it hides them. 

This is precisely the reason why you see a 250-STARTTLS as part of the EHLO command. Try opening a connection using telnet directly to your Exchange and you will see additional verbs as part of EHLO that are suppressed by Xeams.

Xeams does not filter the Internal Server Name, SIZE and few other parameters coming back from Exchange and therefore, you see them verbatim on the other side.

This does not mean the SSL communication is between checktls.com and Exchange. The actual encryption is only between checktls and Xeams.