SSL and TLS on the same server: Outbound IPV4
Question asked by Martin Schaible - 5/20/2022 at 3:49 AM
So finally i have added a second Ip-address, hostname, bindings and everything else to support TLS additionally to SSL.

If a customers like to change, we will replace the hostname of the domain with the new one.
The value of the Outbound IPv4 is set to "Automatic".

Do i need to change this value to the new ip address for TLS or does SmarterMail use automatically the right ip address?


2 Replies

Reply to Thread
Douglas Foster Replied
On the port settings, "TLS" actually means "StartTLS is enabled", so encryption is optional.   This setting is necessary for incoming Internet messages on port 25.    For client connections, mandatory encryption is recommended, and this is implemented by choosing "SSL", which means "StartTLS is disabled" and "unencrypted is disabled".  This configuration choice is actually independent of whether you are using weak or strong encryption protocols.

The protocol development sequence was SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and finally TLS 1.3.   Protocols prior to TLS 1.2 are deprecated because of white hat research which indicates that they are vulnerable.   The choice of encryption level is is controlled by" Admin settings... Protocols... Security Protocols".   From there, you can specify a minimum encryption level for SmarterMail alone, or choose the "System Defaults" option and configure the settings with Windows registry keys. 

For inbound and outbound traffic, you may want to allow weak encryption, because there are still a few senders and receivers that cannot do TLS 1.2, and you cannot be sure that a failed encryption connection will cause a reattempt with no encryption.    This possibility creates an incentive to implement both incoming and outgoing gateways, because client connections to your main server should only use strong protocols. 

All of this means that you probably do not need two identities for one server.   You can use different ports with different settings to accomplish the same thing.

Hope this helps. 

Martin Schaible Replied
Thank you very much for this very useful information. This helps very much. It is a bit tricky to implement something new without harming the existing configuration.

I will go for a relaxed configuration that older connection partner will have a chance. We need to accomplish this step for simple reasons: Many mail server are refusing non-TLS Mails now. So SSL only could make problems nowadays.

Two entitites or two ip addresses with unique are needed. SmarterMail refuses a binding for eg. POP SSL and POP TLS. But: how do i deal with Port 25 unsecured? This port is allready bound to the ip address for SSL and of course can not be used also on a second ip address.
Still i don't know, if have to choose the matching ip address for outbound traffic or can i leave it on "automatic"

Fortunately i'm not under pressure and i can test everything with my private domain.

Many thanks!

Reply to Thread