SMTP STARTTLS offload

I set up SMTP STARTTLS offload when I started load balancing Exchange 2010 a couple of years ago, and I could swear it worked when I tested it then. Recently we’ve gotten reports that it doesn’t work, and testing with ‘openssl s_client -connect webmail:587 -starttls smtp’ shows the certificate chain and seems to get through the handshake, but as soon as I send any SMTP command other than QUIT I get this error:

924:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s3_pkt.c:293:
I’m using an AX2500 running 2.4.3-p12 (also checked on 2.4.3-p9, same error). The SMTP template has ‘starttls optional’, and the service does work just fine if I don’t do STARTTLS (e.g., plain telnet to port 587).

Has anyone else gotten this to work, seen the same error, or have any other suggestions? Thanks.

It looks like it does work if I add the ‘-crlf’ flag to my openssl command, but there’s no equivalent flag I can set in a client like Thunderbird. Thunderbird users are getting a ‘connection was lost in the middle of the transaction’ error when using STARTTLS.
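A probe that speaks SMTP the way a real mail client does (CRLF-terminated commands, EHLO before and after STARTTLS, one report of the stage where the session died) is a cleaner reproduction than openssl s_client, whose default bare-LF line endings muddy the picture. The script below is an added example and is not from the original post or from A10; only the host name ‘webmail’ and port 587 come from the post, while the EHLO name ‘probe.example’, the function names and the embedded sample replies are assumptions made for illustration.

```python
"""STARTTLS probe in the style of a mail client: CRLF line endings throughout.

Added example, not part of the original post.  Host 'webmail' and port 587 are
taken from the post; the EHLO name and everything else here are assumptions.
"""
import io
import socket
import ssl

CRLF = b"\r\n"


def format_command(command: str) -> bytes:
    """RFC 5321 requires CRLF-terminated command lines.  openssl s_client
    sends bare LF unless given -crlf; Thunderbird and other MUAs send CRLF."""
    return command.encode("ascii") + CRLF


def send_command(wfile, command: str) -> bytes:
    line = format_command(command)
    wfile.write(line)
    wfile.flush()
    return line


def read_reply(rfile):
    """Read one (possibly multi-line) reply: '250-...' continues, '250 ...' ends.
    Returns (code, [text of each line])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed while waiting for a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines


def parse_reply(data: bytes):
    """Parse a captured reply from bytes (handy for checking the parser offline)."""
    return read_reply(io.BytesIO(data))


def exchange(rfile, wfile, command: str, expect: int):
    send_command(wfile, command)
    code, lines = read_reply(rfile)
    if code != expect:
        raise RuntimeError(f"{command!r} -> {code} {' / '.join(lines)} (expected {expect})")
    return lines


def starttls_probe(host="webmail", port=587, helo="probe.example", timeout=10):
    """Run banner -> EHLO -> STARTTLS -> TLS handshake -> EHLO -> QUIT and
    report how far the session got.  Certificate trust is deliberately not
    checked: the question here is whether the TLS session survives SMTP
    traffic, not whether the chain is trusted."""
    result = {"stage": "connect", "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
            result["stage"] = "banner"
            code, banner = read_reply(rfile)
            if code != 220:
                raise RuntimeError(f"unexpected banner {code} {banner}")
            result["stage"] = "ehlo"
            caps = exchange(rfile, wfile, f"EHLO {helo}", 250)
            if "STARTTLS" not in (c.upper() for c in caps):
                result["error"] = "server did not advertise STARTTLS"
                return result
            result["stage"] = "starttls"
            exchange(rfile, wfile, "STARTTLS", 220)
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            result["stage"] = "tls handshake"
            tls = ctx.wrap_socket(sock, server_hostname=host)
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            rfile, wfile = tls.makefile("rb"), tls.makefile("wb")
            # This is the step that fails in the post: first command inside TLS.
            result["stage"] = "ehlo over tls"
            result["tls_capabilities"] = exchange(rfile, wfile, f"EHLO {helo}", 250)
            result["stage"] = "quit"
            exchange(rfile, wfile, "QUIT", 221)
            result["ok"] = True
    except (OSError, ssl.SSLError, ConnectionError, ValueError, RuntimeError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for key, value in starttls_probe().items():
        print(f"{key}: {value}")
```

If the probe reports `stage: ehlo over tls` with an `SSLError` or a connection drop, the offload device is mishandling the first record after the handshake regardless of line endings, which matches what the Thunderbird users see; if it completes with `ok: True`, the openssl failure was only the missing `-crlf`.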