Resolving TLS and other problems on upgrade
Problem reported by Michael Barber - February 6, 2015 at 5:44 PM
Submitted
I just upgraded our mail server to version 12 and am running checks now to make sure it is working.  I went to http://mxtoolbox.com and these errors or problems were detected.  What do I need to do to support TLS?  Why is the transaction time so long?  I'm currently running the SmarterMail web server...so I'm wondering if that is the reason?  I tried getting my IIS to work after the upgrade and it doesn't seem to be working, so I left it on the SmarterMail server for now.
 
Also, under the server blacklist check it says TRUE for RHSBL. I don't see this showing up on mxtoolbox.com.  How do I get off of RHSBL?
 
SMTP TLS Warning - Does not support TLS.  
SMTP Transaction Time 16.910 seconds - Not good! on Transaction Time

7 Replies

0
CCWH Replied
February 8, 2015 at 12:07 PM
When you say TLS is not working after the upgrade...are you implying that TLS was working prior to the upgrade?
 
Re the transaction times, again, was this faster before the upgrade?  Transaction times can vary depending on server speed.  I would look into why IIS is not working....any errors etc.  The built-in webserver will be slower than IIS especially with the larger environment.
 
Re the RHSBL, this will help you:
 
0
CCWH Replied
February 9, 2015 at 12:09 PM
 - Sorry, as you said upgrade I assumed you were using SM before going to 12.x.  Understand now that you have actually migrated from one mail server (MailSite) to SM.  In that case, you need to follow the guide here:
 
 
The guide will take you through the TLS process.  However, if you are setting up SM 12.x for the first time I suggest you download the antispam guide that Bruce Barnes has written...all off his own bat....it is not only one of THE best guides to use but it also takes you through or links to TLS info IIRC:
 
 
 - If you supply the domain or mail server FQDN we can have a look for you re the RHSBL.
 
 - One final thing....if I were you I would troubleshoot the issue why you cannot run SM using IIS and then start looking at other issues / setup.  It's much faster and also allows for better troubleshooting IMHO.  I have a funny feeling TLS will not work with the built-in web server too...I might be wrong there though.
0
Michael Barber Replied
February 10, 2015 at 12:16 PM
Ok, I have the Professional version...   I read that you need the Enterprise edition to support TLS, correct?
0
Michael Barber Replied
February 10, 2015 at 2:45 PM
Do you have to buy an SSL certificate to enable TLS or can you just use a free (self-signed) SSL certificate?  I'm not following the help article at all: http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx  I understand the certificate export process.  However, it tells you to create a port but doesn't tell you what to put in for any of the fields.  Also, is it possible to only use TLS on some of the domains, or do all the domains using the mail server have to have their own TLS certificate?  Very confusing help article.
 
Also, settings>>protocol settings has an ssl checkbox...what about that.  The article doesn't address if that has to be clicked on or not.
0
CCWH Replied
February 11, 2015 at 11:59 AM
If this is the first time setting up an SSL cert for an email server it is a learning curve and yes, I do agree there does not seem to be one full document that gives full step by step instructions.  Not that I have found anyway.
 
Re the purchasing of a cert, you can use a self-issued one but then email clients may not trust it...that's in essence why there are known good Certificate Authorities.  You might as well purchase a £($)10 certificate and it's then sorted.  However, if your clients currently use their own domains to connect to the email server, i.e. mail.clientdomain.com, then you will either have to set up SSL certs for each and every domain OR do what is normal practice and make sure all clients use your domain with the certificate.  They can then use mail.yourdomain.com for the mail and then also you can link it to webmail.yourdomain.com and use https if you decide to use a Wildcard cert.
 
We made the transition last year and even though we were apprehensive it actually was welcomed by the clients as we sold it, rightly so, as a security upgrade.  From an email admin point of view it is FAR easier to administer too!
 
You can't force SSL/TLS on some domains and not others as far as I am aware.  You can implement SSL/TLS and still allow unsecured connections to take place...however even though that is better than nothing it's still leaving a security hole on each connection to the server so better to block 110/143.
 
The SSL check boxes within Security > Protocol Settings are when or if you configure autodiscover for when email clients are being configured.  It's great to use, however it's lower down on your to do list ;-)
 
Re the ports, this will hopefully clarify:
 
0
Michael Barber Replied
February 12, 2015 at 10:15 AM
Any answers to these last questions concerning the SmarterMail TLS help link?
 
  1. If you block 110/143, what port would they POP to under TLS?
  2. If I set up TLS (as SSL is obsolete), ports 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I read. What NEW ports need to be created?
  3. What ports just need to be simply changed to make TLS work?
  4. What are the normal ports used in email TLS....?
  5. How do you keep unsecure connections "as is" with TLS turned on?
1
CCWH Replied
February 12, 2015 at 11:41 AM
  1. If you block 110/143, what port would they POP to under TLS?
     - Sorry...just taken a second look at what I said, must have been half asleep...the ports we have blocked are for the SSL POP & IMAP, so 993/995.  TLS, as you mentioned, does indeed run on the standard ports.  Here's our overview of ports configured on the test server (note that we have left the old ones and the SSL but we do not have these configured within the IP Bindings):

     
  2. If I set up TLS (as SSL is obsolete), ports 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I read. What NEW ports need to be created?
     - As seen in the above image, you have to recreate the ports but select TLS and also the Certificate:

    Note that you have to have already followed the export guide to export your cert and save it within an accessible location such as 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\certificates\yourcert.cer'
     
  3. What ports just need to be simply changed to make TLS work?
     - New ports created and then bound to the mail server IP address
     
  4. What are the normal ports used in email TLS....?
     - See top image, look for TLS
     
  5. How do you keep unsecure connections "as is" with TLS turned on?
     - Simply leave the old POP/IMAP/SMTP ports bound to the IP address.  My best guess for what you want your IP Bindings to be would be something like this:

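A quick way to verify the two things this thread keeps coming back to, whether the server advertises STARTTLS on the standard ports (the mxtoolbox "Does not support TLS" check) and whether the certificate it presents would be trusted by a mail client (a self-signed one will not be), as an added example that is not part of the original thread and not SmarterTools' code. It uses only the Python 3.7+ standard library; `mail.example.com` is a placeholder host and the EHLO transcripts embedded in it are constructed samples.

```python
"""Check a mail server for STARTTLS on the standard ports, implicit TLS on the
legacy SSL ports, and whether its certificate chains to a trusted CA.
Added example, not SmarterMail's code; mail.example.com is a placeholder."""
import smtplib
import socket
import ssl
import sys
import time

# Port layout from the thread: STARTTLS upgrades a plaintext session on the
# standard ports; the "SSL" ports speak TLS from the first byte.
STARTTLS_PORTS = {25: "SMTP", 587: "SMTP submission", 110: "POP3", 143: "IMAP"}
IMPLICIT_TLS_PORTS = {465: "SMTPS", 993: "IMAPS", 995: "POP3S"}

# Constructed EHLO transcripts, as seen in a telnet session or protocol log.
SAMPLE_EHLO_WITH_STARTTLS = """\
220 mail.example.com ESMTP ready
250-mail.example.com Hello client.example.net
250-SIZE 52428800
250-8BITMIME
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP
"""

SAMPLE_EHLO_WITHOUT_STARTTLS = """\
220 mail.example.com ESMTP ready
250-mail.example.com Hello client.example.net
250-SIZE 52428800
250 AUTH LOGIN PLAIN
"""


def parse_ehlo_extensions(transcript):
    """Return the set of ESMTP keywords advertised in a raw EHLO reply.

    The first 250 line names the server; each later '250-KEYWORD ...'
    (or '250 KEYWORD' on the final line) advertises one extension.
    """
    extensions = set()
    seen_greeting = False
    for line in transcript.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue  # 220 banner, echoed commands and so on
        if not seen_greeting:
            seen_greeting = True  # "250-mail.example.com" is the host, not an extension
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def supports_starttls(transcript):
    """True when the EHLO reply advertises STARTTLS (what mxtoolbox looks for)."""
    return "STARTTLS" in parse_ehlo_extensions(transcript)


def probe_smtp(host, port=25, timeout=15):
    """EHLO a live server: report STARTTLS support, certificate trust and time taken."""
    started = time.monotonic()
    result = {"host": host, "port": port, "starttls": False, "trusted": None, "error": None}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        result["extensions"] = sorted(k.upper() for k in smtp.esmtp_features)
        result["starttls"] = smtp.has_extn("starttls")
        if result["starttls"]:
            try:
                # The default context verifies chain and hostname exactly as a
                # mail client does, so a self-signed certificate fails here.
                smtp.starttls(context=ssl.create_default_context())
                result["trusted"] = True
            except ssl.SSLCertVerificationError as exc:
                result["trusted"] = False
                result["error"] = exc.verify_message
        if result["error"] is None:
            smtp.quit()
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()
    result["seconds"] = round(time.monotonic() - started, 3)  # the "transaction time"
    return result


def probe_implicit_tls(host, port, timeout=15):
    """Connect to an SSL-from-the-start port (465/993/995) and check its certificate."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"port": port, "trusted": True,
                        "subject": cert.get("subject"), "expires": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"port": port, "trusted": False, "error": exc.verify_message}
    except OSError as exc:
        return {"port": port, "trusted": None, "error": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    print(probe_smtp(target, 25))
    for tls_port in IMPLICIT_TLS_PORTS:
        print(probe_implicit_tls(target, tls_port))
```

Run it as `python check_mail_tls.py mail.yourdomain.com` from outside your network. A `trusted: False` result with a verify message such as "self signed certificate" tells you clients will get the warning CCWH describes even though STARTTLS itself works, and a large `seconds` value on port 25 reproduces the transaction-time complaint independently of mxtoolbox.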