Resolving TLS and other problems on upgrade
Problem reported by Michael Barber - 2/6/2015 at 5:44 PM
Submitted
I just upgraded our mail server to version 12 and am running checks now to make sure it is working. I went to http://mxtoolbox.com and these errors or problems were detected. What do I need to do to support TLS? Why is the transaction time so long? I'm currently running the smartermail mail server... so I'm wondering if that is the reason? I tried getting my IIS to work after the upgrade and it doesn't seem to be working, so I left it on the SmarterMail server for now.
 
Also, under the server blacklist check it says TRUE for RHSBL. I don't see this showing up on mxtoolbox.com.  How do I get off of RHSBL?
 
SMTP TLS Warning - Does not support TLS.  
SMTP Transaction Time 16.910 seconds - Not good! on Transaction Time

33 Replies

0
CCWH Replied
When you say TLS is not working after the upgrade...are you implying that TLS was working prior to the upgrade?
 
Re the transaction times, again, was this faster before the upgrade?  Transaction times can vary depending on server speed.  I would look into why IIS is not working....any errors etc.  The built-in webserver will be slower than IIS especially with the larger environment.
 
Re the RHSBL, this will help you:
 
0
Michael Barber Replied
No, I don't believe version 4 of Mailsite even supported TLS. I'm asking generically how do I solve these problems? Transaction time was faster before but yes, I was using IIS.
0
Michael Barber Replied
As to RHSBL, you are also not following me. Mailsite says there is a problem with RHSBL; however, Mxtoolbox.com says there is NO problem with RHSBL. Which is it? Also, if you go to your link, it says to go to http://mailhosts.org/ ; however, there is NO SUCH website?
0
Michael Barber Replied
And, if you Google Mailhosts, it simply sends you back to MxToolbox in a round robin fashion.
0
CCWH Replied
 - Sorry, as you said upgrade I assumed you were using SM before going to 12.x.  Understand now that you have actually migrated from one mail server (MailSite) to SM.  In that case, you need to follow the guide here:
 
 
The guide will take you through the TLS process.  However, if you are setting up SM 12.x for the first time I suggest you download the antispam guide that Bruce Barnes has written...all off his own back....it not only is one of THE best guides to use but it also takes you through or links to TLS info IIRC:
 
 
 - If you supply the domain or mail server FQDN we can have a look for you re the RHSBL.
 
 - One final thing....if I were you I would troubleshoot the issue why you cannot run SM using IIS and then start looking at other issues / setup.  It's much faster and also allows for better troubleshooting IMHO.  I have a funny feeling TLS will not work with the built-in web server too...I might be wrong there though.
0
Michael Barber Replied
Mail server is .: mail (dot) comcity [dot] com. Thanks for checking out the RHSBL. Agreed, I need to get IIS running...working on that next.
0
CCWH Replied
I have checked the normal lists and your mail server IP address is not showing. However, it is showing in a few lesser known lists. You can check here: http://mail-blacklist-checker.online-domain-tools.com/ Useful tool that should also link you to the Delist or FAQs for the corresponding blacklists. Just hover over the (?) on any lists. In all honesty though, I would look at the IIS issue and then pretty quickly start securing your email server. As it's got no SSL cert I cannot verify much else for you. You will need an SSL cert to support TLS too.
0
Michael Barber Replied
Well one problem with the TLS/SSL is that we need to be able to do some relaying via Cdonts/Cdosys, and asp.net system.net.mail calls. Is it possible for all the mail to require TLS EXCEPT for some emails addresses or some ip addresses? In other words, does TLS work with only some email clients because we need to be able to send email programmatically from applications that are "client-less"?
0
CCWH Replied
You can add whitelists to allow relay from certain IP addresses/gateways I believe. Go to Security > SMTP Authentication Bypass > Add the incoming IP Address(es) - However we have never used it....not best practice I wouldn't have thought. Just found this which might help for your Transaction Times: http://portal.smartertools.com/kb/a2912/slow-250-response-after-mail-from-command-is-issued-during-an-smtp-session_.aspx Before going through the troubleshooting points I would go through the antispam guide first as slow DNS/Spam checks could be a major issue along with not using IIS. **EDIT** You can still implement TLS but not force it until you have sorted the other relay issues.
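The checks mxtoolbox runs (does EHLO offer STARTTLS, and how long does the server take to answer) are easy to reproduce against your own server. The following is an added example, not code from this thread or from SmarterTools: it times each SMTP reply, reports whether STARTTLS is offered, and if so completes the TLS handshake with default certificate validation, so an untrusted or mismatched certificate fails the same way it would in a mail client. The host name, HELO name and sender address are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;

// Added diagnostic, not SmarterMail or SmarterTools code. Run it against your own
// server: it times each reply, reports whether EHLO offers STARTTLS and, if it does,
// negotiates TLS so a certificate problem shows up as a handshake error.
class SmtpTlsProbe
{
    // Reads one full SMTP reply: "250-..." lines continue, "250 ..." ends the reply.
    static string ReadReply(StreamReader r)
    {
        var sb = new StringBuilder();
        string line;
        do
        {
            line = r.ReadLine();
            if (line == null) throw new IOException("connection closed by server");
            sb.AppendLine(line);
        } while (line.Length >= 4 && line[3] == '-');
        return sb.ToString();
    }

    // Sends one command and returns the reply plus the time the server took to answer.
    static string Exchange(StreamWriter w, StreamReader r, string cmd, out long ms)
    {
        var sw = Stopwatch.StartNew();
        w.Write(cmd + "\r\n");
        w.Flush();
        string reply = ReadReply(r);
        ms = sw.ElapsedMilliseconds;
        return reply;
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "mail.example.com"; // placeholder: pass your own host
        string helo = "probe.example.net";                             // placeholder client name
        long ms;

        using (var tcp = new TcpClient { ReceiveTimeout = 30000, SendTimeout = 30000 })
        {
            var sw = Stopwatch.StartNew();
            tcp.Connect(host, 25);
            Stream stream = tcp.GetStream();
            var r = new StreamReader(stream, Encoding.ASCII);
            var w = new StreamWriter(stream, Encoding.ASCII);

            Console.WriteLine("banner    {0,6} ms: {1}", sw.ElapsedMilliseconds, ReadReply(r).Trim());

            string ehlo = Exchange(w, r, "EHLO " + helo, out ms);
            bool offersTls = ehlo.IndexOf("STARTTLS", StringComparison.OrdinalIgnoreCase) >= 0;
            Console.WriteLine("EHLO      {0,6} ms: STARTTLS {1}", ms, offersTls ? "offered" : "NOT offered");

            if (offersTls)
            {
                string go = Exchange(w, r, "STARTTLS", out ms);
                if (!go.StartsWith("220")) { Console.WriteLine("STARTTLS refused: " + go.Trim()); return; }

                // Default validation: an untrusted (e.g. self-signed) or mismatched certificate
                // throws here, which is exactly what a mail client would reject.
                var ssl = new SslStream(stream, false);
                try
                {
                    ssl.AuthenticateAsClient(host);
                }
                catch (AuthenticationException e)
                {
                    Console.WriteLine("TLS handshake failed (certificate not trusted?): " + e.Message);
                    return;
                }
                Console.WriteLine("TLS ok: {0}, certificate subject: {1}", ssl.SslProtocol, ssl.RemoteCertificate.Subject);

                // After STARTTLS the session restarts, so EHLO again over the encrypted stream.
                r = new StreamReader(ssl, Encoding.ASCII);
                w = new StreamWriter(ssl, Encoding.ASCII);
                Exchange(w, r, "EHLO " + helo, out ms);
            }

            // A long wait here is the symptom discussed in this thread: the server runs its
            // spam/RBL checks before it answers MAIL FROM.
            string mail = Exchange(w, r, "MAIL FROM:<probe@example.net>", out ms);
            Console.WriteLine("MAIL FROM {0,6} ms: {1}", ms, mail.Trim());
            Exchange(w, r, "QUIT", out ms);
        }
    }
}
```

If the MAIL FROM timing is the slow step, the delay is in the checks the server runs at that point (the RBL lookups and similar), not in the network path; if the handshake step fails, the certificate is what mail clients will complain about as well.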
0
Michael Barber Replied
Ok, I got IIS working but it still has a response time of 16.4 seconds so something is still slow. I changed the DNS to the Google DNS settings and it went from 16 seconds to 14 seconds so it's NOT the DNS.
0
Michael Barber Replied
It looks like the problem is the spam check for RBL: NJABL-Proxy, it says Needs Attention, 14,400 mseconds
0
CCWH Replied
Great news re IIS...far more robust than the built-in server. If the response time has gone down but only by two seconds and you have also tried changing the DNS then I would suggest disabling all spam checks and see if it changes. Sometimes if there is a slow response from an RBL check then it can cause response delays. Might be worth going through the antispam guide mentioned above.
0
CCWH Replied
As if by magic ;-) That's a good start.
0
Michael Barber Replied
Ok, disabling that spam check seems to have solved that issue as to speed. Now on to the rest of the issues.
0
Michael Barber Replied
Thanks for your help. I'm going to tackle the TLS next but I fear this might be a problem because I don't understand how this relates to programmatic/automatic emailing by asp and asp.net application services, which we rely on heavily for business processes.
0
CCWH Replied
No worries. Re the asp relay requirement...it's pretty straightforward to code in AspEmail (it supports TLS). If you are the mail server admin it should be a pre-requisite to use authentication for sites, no matter php or asp, to use a secure authentication method. From a business perspective, it's their clients data being put at risk...important stuff and well worth pushing for.
0
Michael Barber Replied
No we can't require customers to use a 3rd party product (aspemail). asp.net has built-in email capabilities via system.net.mail. Will this work with TLS?
0
Michael Barber Replied
It looks like it does...? The problem is some of our clients are probably using FrontPage still...I bet that doesn't support it. http://stackoverflow.com/questions/2057227/c-sharp-asp-net-send-email-via-tls
0
CCWH Replied
Yes, to enable TLS you just need to add enableSsl="true" into the code if using the web.config. Re not expecting clients to support third party, yes, that's right. However, from a business security perspective it really should be expected that if a client is building or has created the code then they should be responsible to make it secure....some clients will not do it willingly and need a helpful nudge!
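For the System.Net.Mail question above, here is an added example (not code from this thread or from SmarterTools) that sends through the server over STARTTLS with nothing but the built-in classes, with the equivalent web.config setting shown in a comment. The host name, account and addresses are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Mail;

// Added example, not SmarterMail code: programmatic sending over STARTTLS using only
// System.Net.Mail. EnableSsl = true makes SmtpClient issue STARTTLS on the port given
// (the standard port 25 here); it does not speak implicit SSL on a port such as 465.
class TlsRelayExample
{
    // web.config equivalent of the settings below (attribute enableSsl needs .NET 4.0+):
    // <system.net>
    //   <mailSettings>
    //     <smtp deliveryMethod="Network" from="app@example.com">
    //       <network host="mail.example.com" port="25" enableSsl="true"
    //                userName="app@example.com" password="..." />
    //     </smtp>
    //   </mailSettings>
    // </system.net>
    static void Main()
    {
        using (var client = new SmtpClient("mail.example.com", 25)) // placeholder host
        {
            client.EnableSsl = true;                     // same effect as enableSsl="true" in web.config
            client.DeliveryMethod = SmtpDeliveryMethod.Network;
            client.UseDefaultCredentials = false;
            // Placeholder account; read the real values from protected configuration, not source.
            client.Credentials = new NetworkCredential("app@example.com", "password-from-config");

            var message = new MailMessage("app@example.com", "user@example.com",
                                          "Test message", "Sent over STARTTLS from System.Net.Mail");
            try
            {
                client.Send(message);
                Console.WriteLine("sent");
            }
            catch (SmtpException e)
            {
                // An untrusted (self-signed) server certificate surfaces here as a failure,
                // because .NET validates the chain before it will send credentials.
                Console.WriteLine("send failed: " + e.Message);
            }
        }
    }
}
```

Because the client validates the server certificate, a self-signed certificate on the mail server makes Send fail for every application that uses this code; that is the practical reason to put a CA-issued certificate on the server rather than have each client disable validation.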
0
Michael Barber Replied
Well aspemail is not free...so we have to push them to something that is free and asp.net's system.net.mail is free.
0
Michael Barber Replied
Ok I have the professional version...   I read you need the Enterprise edition for support of TLS correct?
0
CCWH Replied
All versions of SmarterMail support SSL/TLS
0
CCWH Replied
https://help.smartertools.com/SmarterMail/v13/Default.aspx?qq=%2fSmarterMail%2fv13%2fTopics%2fGeneral%2fEditionComparison.aspx
0
Michael Barber Replied
Ok, I was reading https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf and it said only the Enterprise edition supports TLS. I think I need to get the DKIM and Domain Keys going first.
0
Michael Barber Replied
Do you have to buy an SSL to enable TLS or can you just use a free (self-signed) SSL certificate? I'm not following the help article at all http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx I understand the certificate export process. However, it tells you to create a port but doesn't tell you what to put in for any of the fields. Also, is it possible to only use TLS on some of the domains or do all the domains using the mail server have to have their own TLS certificate? Very confusing help article.
 
Also, settings>>protocol settings has an ssl checkbox...what about that.  The article doesn't address if that has to be clicked on or not.
0
Michael Barber Replied
There's mixed info on whether you need to buy a cert or not. Please read this: https://luxsci.com/blog/do-i-need-to-buy-an-ssl-certificate-to-use-secure-email.html
0
Michael Barber Replied
Will this ssl work? https://www.startssl.com/?app=37
0
CCWH Replied
If this is the first time setting up an SSL cert for an email server it is a learning curve and yes, I do agree there does not seem to be one full document that gives full step by step instructions.  Not that I have found anyway.
 
Re the purchasing of a cert, you can use a self-issued one but then email clients may not trust it...that's in essence why there are known good Certificate Authorities.  You might as well purchase a £($)10 certificate and it's then sorted.  However, if your clients currently use their own domains to connect to the email server, i.e. mail.clientdomain.com, then you will either have to setup SSL certs for each and every domain OR do what is normal practice and make sure all clients use your domain with the certificate.  They can then use mail.yourdomain.com for the mail and then also you can link it to the webmail.yourdomain.com and use https if you decided to use a Wildcard cert.
 
We made the transition last year and even though we were apprehensive it actually was welcomed by the clients as we sold it, rightly so, as a security upgrade.  From an email admin point of view it is FAR easier to administer too!
 
You can't force SSL/TLS on some domains and not others as far as I am aware.  You can implement SSL/TLS and still allow unsecured connections to take place...however even though that is better than nothing it's still leaving a security hole on each connection to the server so better to block 110/143.
 
The SSL check boxes within Security > Protocol Settings are when or if you configure autodiscover for when email clients are being configured.  It's great to use, however it's lower down on your to do list ;-)
 
Re the ports, this will hopefully clarify:
 
0
Michael Barber Replied
The thing I'm missing is if I go TLS (as ssl is obsolete) Port 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I can understand. Also, you say block 110/143, what port would they pop to then? I'm not clear on what ports to create, what ports to simply change and what are the normal ports used in email TLS....
0
Michael Barber Replied
Also, how do you keep unsecure connections "as is"? I'm not seeing this stuff in that link.
0
Michael Barber Replied
Any answers to these last questions concerning the SmarterMail TLS help link?
 
  1. If you block 110/143, what port would they pop to under TLS?
  2. If I setup TLS (as ssl is obsolete) Port 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I read. What NEW ports need to be created?
  3. What ports just need to be simply changed to make TLS work?
  4. What are the normal ports used in email TLS....?
  5. How do you keep unsecure connections "as is" with TLS turned on?
1
CCWH Replied
  1. If you block 110/143, what port would they pop to under TLS?
     - Sorry...just taken a second look at what I said, must have been half asleep...the ports we have blocked are for the SSL POP & IMAP, so 993/995.  TLS, as you mentioned, does indeed run on the standard ports.  Here's our overview of ports configured on the test server (note that we have left the old ones and the SSL but we do not have these configured within the IP Bindings):

     
  2. If I setup TLS (as ssl is obsolete) Port 25, 110 and 143 are already configured and the instructions describe setting up a new port from what I read. What NEW ports need to be created?
     - As seen in the above image, you have to recreate the ports but select TLS and also the Certificate:

    Note that you have to have already followed the export guide to export your cert and save it within an accessible location such as 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\certificates\yourcert.cer'
     
  3. What ports just need to be simply changed to make TLS work?
     - New ports created and then bound to the mail server IP address
     
  4. What are the normal ports used in email TLS....?
     - See top image, look for TLS
     
  5. How do you keep unsecure connections "as is" with TLS turned on?
     - Simply leave the old POP/IMAP/SMTP ports bound to the IP Address.  My best guess for what you want your IP Bindings to be would be something like this:
0
Michael Barber Replied
I see...now it makes sense...thanks.
