When you say TLS is not working after the upgrade...are you implying that TLS was working prior to the upgrade?

 

Re the transaction times, again, was this faster before the upgrade?  Transaction times can vary depending on server speed.  I would look into why IIS is not working....any errors etc.  The built-in webserver will be slower than IIS especially with the larger environment.

 

Re the RHSBL, this will help you:

 

http://mxtoolbox.com/problem/rhsbl/mailhosts.org-rhsbl

 - Sorry, as you said upgrade I assumed you were using SM before going to 12.x.  Understand now that you have actually migrated from one mail server (MailSite) to SM.  In that case, you need to follow the guide here:

 

http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx

 

The guide will take you through the TLS process.  However, if you are setting up SM 12.x for the first time I suggest you download the antispam guide that Bruce Barnes has written...all off his own back....it not only is one of THE best guides to use but it also takes you through or links to TLS info IIRC:

 

http://portal.smartertools.com/community/a444/smartermail-antispam-settings-document-updated.aspx

 

 - If you supply the domain or mail server FQDN we can have a look for you re the RHSBL.

 

 - One final thing....if I were you I would troubleshoot the issue why you cannot run SM using IIS and then start looking at other issues / setup.  It's much faster and also allows for better troubleshooting IMHO.  I have a funny feeling TLS will not work with the built-in web server too...I might be wrong there though.

Ok I have the professional version...   I read you need the Enterprise edition for support of TLS correct?

Do you have to buy an SSL to enable TLS or can you just use a free (self-signed) SSL certificate?  I'm not following the help article at all http://portal.smartertools.com/kb/a2671/configure-ssl-tls-to-secure-smartermail.aspx  I understand the certificate export process.  However, it tells you to create a port but doesn't tell you want to put in for any of the fields.  Also, is it possible to only use TLS on some of the domains or do all the domains using the mail server have to have their own TLS certificate.  Very confusing help article.

 

Also, settings>>protocol settings has an ssl checkbox...what about that.  The article doesn't address if that has to be clicked on or not.

If this is the first time setting up an SSL cert for an email server it is a learning curve and yes, I do agree there does not seem to be one full document that gives full step by step instructions.  Not that I have found anyway.

 

Re the purchasing of a cert, you can use a self-issued one but then email clients may not trust it...that's in essence why there are known good Certificate Authorities.  You might as well purchase a £($)10 certificate and it's then sorted.  However, if your clients currently use their own domains to connect to the email server, i.e. mail.clientdomain.com, then you will either have to setup SSL certs for each and every domain OR do what is normal practice and make sure all clients use your domain with the certificate.  They can then use mail.yourdomain.com for the mail and then also you can link it to the webmail.yourdomain.com and use https if you decided to use a Wildcard cert.

 

We made the transition last year and even though we were apprehensive it actually was welcomed by the clients as we sold it, rightly so, as a security upgrade.  From an email admin point of view it is FAR easier to administer too!

 

You can't force SSL/TLS on some domains and not others as far as I am aware.  You can implement SSL/TLS and still allow unsecured connections to take place...however even though that is better than nothing it's still leaving a security hole on each connection to the server so better to block 110/143.

 

The SSL check boxes within Security > Protocol Settings are when or if you configure autodiscover for when email clients are being configured.  It's great to use, however it's lower down on your to do list ;-)

 

Re the ports, this will hopefully clarify:

 

Any answers to these last questions concerning the SmarterMail TLS help link?

 

1. If  you block 110/143, what port would they pop too under TLS?
    - Sorry...just taken a second look at what I said, must have been half asleep...the ports we have blocked are for the SSL POP & IMAP, so 993/995.  TLS, as you mentioned, does indeed run on the standard ports.  Here's our overview of ports configured on the test server (note that we have left the old ones and the SSL but we do not have these configured within the IP Bindings):
   
   
    
2. If I setup TLS (as ssl is obsolete) Port 25, 110 and 143 are already configured and the instruction describe setting up a new port from what I read. What NEW ports need to be created?
    - As seen in the above image, you have to recreate the ports but select TLS and also the Certificate:
   
   Note that you have to have already followed the export guide to export your cert and save it within an accessible location such as 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\certificates\yourcert.cer'
    
3. What ports just need to be simply changed to make TLS work?
    - New ports created and then bound to the mail server IP address
    
4. What are the normal ports used in email TLS....?
    - See top image, look for TLS
    
5. How do you keep unsecure connections "as is" with TLS turned on?
    - Simple leave the old POP/IMAP/SMTP ports bound to the IP Address.  My best guess for what you want your IP Bindings to be would be something like this: