Enabling TLS
Question asked by mh - 4/30/2020 at 2:26 PM
Answered
Hello -

I cannot seem to get SMTP/IMAP normal ports to use TLS. Normal SMTP sending/receiving works fine, as well as IMAP, but nothing with TLS. The ports through the firewall are forwarded fine.

I have a certificate installed in IIS and the HTTPS side works fine, and have used SSL Labs to check security and everything is reporting as grade 'A'. I used IIS Crypto to disable all SSL, and TLS 1.0/1.1 protocols, as well as any weak encryption.

I have the certificate exported as pfx, and this certificate used for TLS/SSL ports in the bindings page, with the password. It gives no errors saving for each.



TLS 1.2 is enabled on the server (Microsoft server 2019), and this is running SM build 7188. Under Settings>Protocols>Security Protocols I have tried both System Defaults and specifically selecting TLS 1.2.

When connecting to the server, STARTTLS is not listed as an option. Using OpenSSL to connect to try and establish a connection times out after 5 minutes unable to get a TLS connection -

Sending mail from another mail server to this one doesn't show STARTTLS as an option -

[2020.04.30] 15:47:50 [00010] Connection to x.x.x.x:25 from 192.168.2.195:63759 succeeded (Id: 1)
[2020.04.30] 15:47:50 [00010] RSP: 220 mail.domaina.com
[2020.04.30] 15:47:50 [00010] CMD: EHLO mail.domainb.com
[2020.04.30] 15:47:50 [00010] RSP: 250-mail.domaina.com Hello [x.x.x.x]
[2020.04.30] 15:47:50 [00010] RSP: 250-SIZE 104857600
[2020.04.30] 15:47:50 [00010] RSP: 250-AUTH LOGIN CRAM-MD5
[2020.04.30] 15:47:50 [00010] RSP: 250-8BITMIME
[2020.04.30] 15:47:50 [00010] RSP: 250-DSN
[2020.04.30] 15:47:50 [00010] RSP: 250 OK

Am I missing something? I've restarted the server a few times with no change.

Thanks!

4 Replies

0
Sébastien Riccio Replied
Marked As Answer
I think the issue is that you have both non-TLS and TLS on the same port, for example 25.

AFAIK it's not how it works with SmarterMail. You should only have the TLS enabled one as it still will accept non-TLS connections.

It's a bit counterintuitive.

Here is our port binding for fully functional TLS (allowing non-TLS) and SSL ports.







Sébastien Riccio
System & Network Admin
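
A check for the symptom discussed in this thread, as an added example that is not part of any post or of SmarterMail: it parses an SMTP session log in the format quoted in the question and reports whether the EHLO reply advertises STARTTLS, and `probe_starttls` runs the same check against a live port. The function names and the `AFTER` sample are constructed for illustration.

```python
import re
import smtplib
import ssl

# Reply lines in the log format quoted in the question: "... RSP: 250-SIZE 104857600"
RSP_RE = re.compile(r"RSP:\s+(\d{3})([ -])(.*)$")

def ehlo_capabilities(log_text):
    """Return the ESMTP keywords advertised in the last EHLO reply of a session log."""
    caps, in_reply, first = set(), False, True
    for line in log_text.splitlines():
        if "CMD: EHLO" in line:
            caps, in_reply, first = set(), True, True
            continue
        m = RSP_RE.search(line)
        if not (in_reply and m and m.group(1) == "250"):
            continue
        words = m.group(3).split()
        if words and not first:  # the first 250 line is the greeting, not a keyword
            caps.add(words[0].upper())
        first = False
        in_reply = m.group(2) == "-"  # "250 " (space) ends the multi-line reply
    return caps

def auth_without_tls(caps):
    """True when AUTH is offered but STARTTLS is not: logins would cross the wire unencrypted."""
    return "AUTH" in caps and "STARTTLS" not in caps

def probe_starttls(host, port=25, timeout=10):
    """Live check: negotiated TLS version, or None if the port does not offer STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ssl.create_default_context())  # verifies the certificate
        return smtp.sock.version()

# EHLO exchange copied from the session log in the question.
BEFORE = """\
[2020.04.30] 15:47:50 [00010] CMD: EHLO mail.domainb.com
[2020.04.30] 15:47:50 [00010] RSP: 250-mail.domaina.com Hello [x.x.x.x]
[2020.04.30] 15:47:50 [00010] RSP: 250-SIZE 104857600
[2020.04.30] 15:47:50 [00010] RSP: 250-AUTH LOGIN CRAM-MD5
[2020.04.30] 15:47:50 [00010] RSP: 250-8BITMIME
[2020.04.30] 15:47:50 [00010] RSP: 250-DSN
[2020.04.30] 15:47:50 [00010] RSP: 250 OK
"""
# Constructed: the same reply with the STARTTLS line a TLS-enabled binding adds.
AFTER = BEFORE.replace("RSP: 250-DSN", "RSP: 250-DSN\n[2020.04.30] 15:47:50 [00010] RSP: 250-STARTTLS")
```

Run `probe_starttls` against the server's own hostname after changing the bindings; a return value of `None` means the port still does not offer STARTTLS.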

0
mh Replied
Thanks, that seemed to do it. When enabling the TLS port it would enable for both, but in the IP binding it seemed to complain. This is strange also since SM 15.x is set up for each port being able to be with/without TLS to do this. I appreciate the reply!

0
Sébastien Riccio Replied
No problem :)
Sébastien Riccio
System & Network Admin

0
Chris R Wolverton Replied
Thanks, I had the same problem, this corrected my problem also.
