Re: Configuring SSL in IIS SMTP




> I've verified that the SMTP stack is configured correctly and
> accepting messages on the port I've designated (I'm using a
> non-standard port). I successfully transferred a message through it
> before I started trying to turn on the SSL part. I'm requiring
> authentication and that works OK too.

OK -- although I would go back to allowing anonymous submission during
a testing period (obvs. not exposing the test server any more than you
need to).

> Using the wizard, I generated a cert request, purchased a cert from
> Verisign, and installed the cert. Restarted the SMTP service.

Yep.

> When I attempted to send from a client (Agent) where I am able to
> specify the correct port, and specify that the server requires SSL,
> I get the error:
>
> Unable to negotiate an SSL connection with server xxx.xxx.xxx (error
> 80090308)
>
> Outlook Express yields a similar, but different, error.

OE is a particularly bad MUA to test this setup with, unless it is
your sole corporate standard. This is because OE does STARTTLS on port
25 only, assuming you mean start-to-finish encryption (SMTPS) if you
run on another port. And since IIS expects a STARTTLS session, not an
SMTPS session, this means having a test bed that is broken from the
get-go!

> I'm a little confused between the Require TLS checkbox on the
> Authentication tab (I've got that unchecked right now) and the
> "Require secure channel" option in the Communication tab (sorry, if
> I'm remembering this slightly incorrectly; this is from memory from
> work today).

'Require TLS' in the AUTH portion of the GUI means that at least the
credentials themselves must be wrapped in a STARTTLS/STOPTLS encrypted
portion of the conversation, if credentials are passed (if anonymous
is off, then creds are always passed, of course). In other words, this
requires encryption of the authentication stage without necessarily
encrypting any other part of the SMTP convo (MAIL, RCPT, DATA). If you
do any web development... this is like having an HTTPS page for
username/password, but possibly passing users back to HTTP for the
rest of their session. [Plenty of arguments for and against, by the
way; I'm not passing judgment on it.]

'Require secure channel' is broader in that it requires a STARTTLS
wrapper around both auth _and_ the following parts of the SMTP convo,
including DATA. The setting's name is somewhat of a misnomer in that
the secure channel cannot be built until after plain-text EHLO: this
is, in encryption terms, a far cry from having the entire conversation
encrypted from the very first handshake (which is what SMTPS
dictates). Nonetheless, since SMTPS isn't an option here, the _most_
secure channel you are offered is a STARTTLS around as much of the
convo as possible -- and this checkbox requires that broadest use of
STARTTLS.

From the sound of it, I'd bet you have a certificate trust issue. It
is often good to first test from an MUA on the server itself, since it
may have more certs from the CA chain available. I know it sounds
crazy, but even if you buy a commercial cert, it may not be in the
default trusted CAs for the OS and/or MUA you're testing (and on that
note, realize that some MUAs don't use the OS cert store, but rather
use their own, which may be more or less populated than the OS'). And
either don't test STARTTLS using OE, or make sure port 25 is
listening.

Also, you might check a bit in this thread:

http://groups.google.com/group/microsoft.public.inetserver.iis.smtp_nntp/browse_thread/thread/822f62085c3cfa85/eeaa643a3666dccf?hl=en&lnk=st&q=iis++smtps&rnum=21#eeaa643a3666dccf

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
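A small diagnostic in the spirit of Sandy's advice, added here as an example (it is not code from the thread or from IIS): it connects in the clear the way IIS expects, reports whether the port answers with a 220 banner (STARTTLS territory) or stays silent (an SMTPS/implicit-TLS listener, which is what OE assumes on a port other than 25), and then attempts STARTTLS with a verifying context so a chain or hostname trust failure is reported as such rather than as an opaque negotiation error. Host, port and the EHLO name probe.example.test are placeholders to replace with your own.

```python
import socket
import ssl

def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to their args; the first 250 line is the greeting, skipped."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    return {w[0].upper(): w[1:] for w in (ln[4:].split() for ln in lines[1:]) if w}

def read_reply(f) -> str:
    """Read one SMTP reply from a line reader: '250-' continues, '250 ' ends it."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("peer closed the connection mid-reply")
        lines.append(line)
        if line[3:4] == " ":
            return "".join(lines)

def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Talk cleartext first, as IIS expects. An SMTPS listener sends no banner
    (it waits for a ClientHello), so a silent peer is the tell for implicit TLS."""
    out = {"mode": "unknown", "caps": {}, "tls": None}
    ctx = ssl.create_default_context()  # verify chain + hostname like a strict MUA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        try:
            banner = read_reply(f)
        except socket.timeout:
            banner = ""
        if not banner.startswith("220"):
            out["mode"] = "no cleartext 220 banner (%r): SMTPS port or not SMTP" % banner[:40]
            return out
        out["mode"] = "cleartext SMTP banner: STARTTLS is the only TLS option here"
        sock.sendall(b"EHLO probe.example.test\r\n")  # placeholder client name
        out["caps"] = parse_ehlo(read_reply(f))
        if "STARTTLS" not in out["caps"]:
            out["tls"] = "server does not advertise STARTTLS"
            return out
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(f).startswith("220"):
            out["tls"] = "STARTTLS refused by server"
            return out
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                out["tls"] = "ok: " + tls.version()
        except ssl.SSLCertVerificationError as e:
            out["tls"] = "chain/hostname not trusted by this client: " + e.verify_message
    return out
```

Run it as `probe("mail.example.test", 587)` from the server itself and again from the client box; a trust error on the client only points at the MUA or OS certificate store, as Sandy describes.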