Supporting TLS on my SmarterMail 17 (7125)
Question asked by Michael Muller - October 23 at 7:41 AM
Unanswered
I am working with a client's consultant helping him help them get their emails set up on new machines in a new building.

He tells me that he "checked MX record for "mail.montaguewebworks.com" and no TLS."

At first I thought he meant I wasn't indicating support for TLS in my DNS, but then I realized he must be running a test connection to my mail server to see if it broadcasts support for TLS.

Found this on LuxSci.com: "Mail servers do this by starting an SMTP connection with a server found in the MX records of the recipient’s domain and then issuing a command called “ehlo”. Once the “ehlo” command is given to the recipient’s server it will send back the list of the options that it supports. If you see “STARTTLS” in the list of options supported, then the server does support TLS."

So I went to MXtoolbox.com and did the SMTP test, albeit on port 25:

220 mail.MontagueWebWorks.com [609 ms]
EHLO keeper-us-east-1b.mxtoolbox.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK [642 ms]

I don't see STARTTLS in there. Could it be because I was testing on 25?

Found this on a MailGun.com blog page:

> telnet smtp.mailgun.org 587
220 ak47 ESMTP ready
> ehlo blog.mailgun.com
250-ak47
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SMTPUTF8
250 STARTTLS

So, I connected to my mail server via telnet and got this...

> telnet smtp.mailgun.org 587
220 mail.MontagueWebWorks.com
> ehlo mail.webworksserver.com
250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK

No STARTTLS. 

What am I doing wrong?

Thanks,
Mik
---
Montague WebWorks
Powered by RocketFusion
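
The EHLO check quoted in the question, as an added example (not part of the original post and not SmarterMail code): it parses the two EHLO replies pasted above and reports whether STARTTLS is advertised as an extension keyword rather than matching a substring. The helper names `parse_ehlo`, `offers_starttls` and `live_check` are hypothetical.

```python
import smtplib

# EHLO replies copied from the two transcripts in the post above.
OWN_SERVER = """250-mail.MontagueWebWorks.com Hello [xxx.ip.num.xxx]
250-SIZE 31457280
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK"""
MAILGUN = """250-ak47
250-AUTH PLAIN LOGIN
250-SIZE 52428800
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SMTPUTF8
250 STARTTLS"""

def parse_ehlo(reply):
    """Map each advertised extension keyword (upper-cased) to its parameters."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions = {}
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        last = i == len(lines) - 1
        # Every line carries code 250; "-" marks continuation, " " the last line.
        if code != "250" or sep != ("-", " ")[last]:
            raise ValueError(f"not a complete 250 reply: {line!r}")
        if i == 0:
            continue  # first line is the server's domain/greeting, not an extension
        words = rest.split()
        if words:
            extensions[words[0].upper()] = words[1:]
    return extensions

def offers_starttls(reply):
    return "STARTTLS" in parse_ehlo(reply)

def live_check(host, port=25, timeout=10):
    """Same check against a live server (needs network; not run on import)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")

if __name__ == "__main__":
    for name, reply in (("own server", OWN_SERVER), ("mailgun sample", MAILGUN)):
        print(name, "STARTTLS offered:", offers_starttls(reply))
```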

10 Replies

0
Sébastien Riccio Replied
Hello, in your bindings you have to set STARTTLS (or TLS, I don't remember exactly) for your port 25 SMTP binding.

This should resolve this problem.
0
Kyle Kerst Replied
Employee Post
In addition to Sebastien's comments above (this is correct), you will also need to navigate to Settings>Protocols>SMTP OUT and enable the TLS option there as well.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Muller Replied
I went to Bindings from the top-level list of domains page, clicked the IP number of the public IP, and checked all of these:

SMTP (25)
POP (110)
IMAP (143)
LDAP (389)
SMTP SSL (465)
SMTP (587)
IMAP SSL (993)
POP SSL (995)
XMPP Client Port (5222)

TLS is not specifically listed.

On the Protocols page, I have "Enable TLS if supported by the remote server" set to yes under SMTP Out.

I did a follow-up telnet check and noticed that I get a response on 587, but not 465. It's open in the firewall, so, I don't know what's up with that.
---
Montague WebWorks
Powered by RocketFusion
0
Michael Muller Replied
Ah! I didn't click on the "Ports" heading on the Bindings page. I see now that I can add TLS but I need a Certificate Path... which means I need to install the SSL/TLS Certificate on the server first. Ugh... another thing to keep track of.

Ok, I'm on the trail now.
---
Montague WebWorks
Powered by RocketFusion
0
Kyle Kerst Replied
Employee Post
Correct Michael. If you need a simple way to get the SSL done check out this article here: 


Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Michael Muller Replied
See... that's the weird thing. I have been using SSL in my connections to the server for a long time, with no problems, yet... I need to install one for TLS?
---
Montague WebWorks
Powered by RocketFusion
0
Sébastien Riccio Replied
If you already have a certificate installed for SSL, you can use the same one for TLS on port 25.

0
Kyle Kerst Replied
Employee Post
No, you should not need a new certificate at all. Just export the one you have and add this to the port binding. PFX format is best with a strong password.
Kyle Kerst
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Richard Frank Replied
When you use HTTPS for your site with a working certificate, then you have obtained a certificate from your SSL provider. You probably have that cert somewhere on the server in a folder.
Just enter the path to that certificate.
Example from my server

And yes, it's an extra administrative reminder you have to set when you renew the certificate.

0
Richard Frank Replied
@Kyle
Didn't know that PFX is supported too.
The path can be to the PFX with password.
Is there an advantage to doing it like this? Because creating a PFX is an extra step.
