1
Does SmarterMail support SMTP TLS?
Question asked by William Vasu - 8/14/2014 at 8:56 AM
Answered
Security requires that mail between SMTP servers be encrypted as well. Does SmarterMail use TLS when it forwards the email message to the recipient's SMTP server?

5 Replies

Reply to Thread
1
Derek Curtis Replied
Employee Post Marked As Answer
Yes, as long as TLS is set up on the SMTP Out tab. (Log in as the System Admin and go go Settings -> Protocol Settings and click the SMTP Out tab.) On that tab there's a setting for "Enable TLS if supported by the remote server" - so with that checked the message will use TLS when being sent. 
Derek Curtis COO SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
William Vasu Replied
Will this work with a self-signed certificate?
0
Bruce Barnes Replied
For best results, use a commercial certificate, make certain you have SmarterMail running under IIS, and have all of your internal, SmarterMail ports and hostnames properly configured. I will edit this post later today to include a couple of my resource documents to give you more detail on how to accomplish this.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
2
Bruce Barnes Replied
Here's a document on the ports which we have setup for SSL / TLS in SmarterMail  This requires SmarterMail ADMIN level access:
 
 
You will also need to setup your IP to HOSTNAME mappings, map those ports to the IP ADDRESSES which will use them and make certain your DNS has the proper "A" or HOST RECORDS listed for the MX records.
 
SmarterMail BINDINGS Meny
SmarterMail BINDINGS Menu
 
Remember, CNAMES ARE PROHIBITED for use with MX or E-MAIL records.  Everything must be designated via "A" or "HOST" records.
 
Here's the IETF citation which mandates A or HOST records [they are one in the same, but some people know them by different names]:
 
  • RFC 2181, section 10.3 says that host name must map directly to one or more address record (A or AAAA) and must not point to any CNAME records.
     
  • RFC 1034, section 3.6.2 says if a name appears in the right-hand side of RR (Resource Record) it should not appear in the left-hand name of CNAME RR, thus CNAME records should not be used with NS and MX records.
I mention this only because the use of CNAMES for MX servers in DNS will almost always BREAK SSL, TLS, and AUTODISCOVERY DNS records because of the additional lookup time required.

Additional DNS lookup time is caused by the fact that the CNAME usually refers to an A record which then refers to an IP address and, between the additional timing lookup, the fact that many MX servers time out too quickly, and the fact that many interconnects are overloaded with traffic, the use of CNAMES is causing failures more frequently than ever.

The problem is exacerbated when CNAMES refer to other CNAMES and DNS lookup times are extended further.
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Dennis Ameling Replied
Good to know this. I thought that SMTP Out TLS was always enabled when you have SMTP TLS activated. Immediately activated it!

Reply to Thread