Re: Configuring SSL in IIS SMTP



I've been playing around with different combinations of things
today, but not much success. I thought perhaps that the problem was
the lack of the Verisign intermediate cert that is now required when
using their certs...

That's exactly the kind of missing CA trust I was talking about. You
added it to the computer account store, but are you sure that Agent
uses any MS cert store at all? To name a couple of notable third-party
clients, Opera and The Bat! both have their own stores.

Also make sure you are connecting using the same hostname the cert was
issued for. Some clients are very sensitive to this.

The one combination of things I did get to work was having TLS on
Authentication and Require Secure Channel on the Communications
button both checked, and then using a Forte Agent 4.2 client with
the option set to "Use TLS, and fail if not available".

Reasonable enough combo of settings: that means the client has the
same restrictions as the server.

Stupid question: Does this rule out any problems with the cert, or
does TLS not use the cert at all? I really get confused about TLS
vs. SSL since TLS is SSL 3.0, isn't it?

TLS absolutely uses the cert.

TLS = SSL. If you are using a start-to-finish secure connection, such
as HTTPS and SMTPS, there's no reason to discriminate between the two
technologies.

TLS goes beyond legacy SSL expectations when STARTTLS/STOPTLS is used,
however. SSL users are accustomed to a single point-to-point
connection being either secure or plain. With STARTTLS/STOPTLS, the
same connection can carry plain traffic, then switch to secure, then
switch back to plain. It's advanced, and confusing.

I tried using ports 465 and 443 instead of the one I'd chosen, but
it didn't matter. Any client set to "use SSL" to talk to this server
gave an error that it could not negotiate an SSL connection.

Right, because by "SSL" the client almost inevitably means SMTPS, and
the IIS server doesn't support SMTPS. Only a client that uses the
generic term "secure", the variable term "TLS" (which could mean SMTPS
or STARTTLS) or the explicit term "STARTTLS" has any chance of
working.

Any additional advice would be great.

Re: Agent, it seems to be currently working without any
counterintuitive settings on either side.

Re: OE, remember that you will have to be connecting on port 25, as OE
only does STARTTLS on 25. Any other port and it thinks you mean
implicit/full TLS, a.k.a. SMTP over SSL, a.k.a. SMTPS.

I've been setting up mail servers for 15 years, but never struggled
with this stuff before. I'm sure this is going to turn out to be a
misunderstanding on my part of the difference between TLS/SSL as used
on the server, and "Use SSL" in the terminology of the clients. The
Forte Agent help so much as says to try the "Use SSL" and "Use TLS"
settings until you figure out which is the one that works.

Yes, it's not your fault on the client side. The MUA vendors obviously
are trying to offer users the most streamlined experience, while on
the other hand they can't safely and automatically run through a whole
slew of possible security mechanisms (you risk getting disconnected,
and maybe even IDS/IPS-denied, if the server doesn't like your
trial-and-error methods). So the MUAs offer these partially-technical,
partially-dumbed-down settings. Also, most MUA vendors know there's
some kind of security they can't do (just as most MTA vendors do), so
the vaguer you are, the easier it is to blame the other side.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
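The diagnosis Sandy walks through above (is the port speaking STARTTLS on a plaintext channel or implicit TLS a.k.a. SMTPS, and if the handshake fails, is it an untrusted/missing intermediate CA or a hostname mismatch?) can be automated with a small probe. The following is an added example written for this page, not code from the thread or from Microsoft or Forte: it reads the SMTP greeting and EHLO reply to classify the listener, then runs a verifying TLS handshake and maps the usual OpenSSL error strings onto those causes. The loopback stub server at the bottom is a constructed stand-in so the probe can be exercised without a real MTA; the host names and the `probe.example` EHLO argument are placeholders.

```python
"""Probe an SMTP port: STARTTLS vs implicit TLS (SMTPS), then a verifying
handshake with the failure translated into the thread's likely causes.
Added example; not from the original post, IIS, Agent or OE."""
import socket
import ssl
import threading


def parse_ehlo(reply):
    """Extension keywords from an EHLO reply. The first 250 line carries the
    server's own name, not an extension, so it is skipped."""
    exts, first = set(), True
    for line in reply.splitlines():
        if len(line) >= 4 and line.startswith("250") and line[3] in "- ":
            if first:
                first = False
                continue
            exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def _read_reply(sock):
    """Read one SMTP reply, including '250-' continuation lines."""
    buf = b""
    while not buf.endswith(b"\r\n") or buf.splitlines()[-1][3:4] == b"-":
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", errors="replace")


def detect_mode(host, port, timeout=3.0):
    """'starttls': plaintext 220 banner and EHLO advertises STARTTLS.
    'plain': banner but no STARTTLS. 'implicit-tls': no plaintext greeting;
    an SMTPS listener waits silently for a ClientHello, which is why a
    client set to "SSL" cannot "negotiate SSL" against a STARTTLS-only port
    and a STARTTLS client just hangs against an SMTPS port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = _read_reply(s)
        except (socket.timeout, ConnectionResetError):
            return "implicit-tls"
        if not banner.startswith("220"):
            return "implicit-tls"
        s.sendall(b"EHLO probe.example\r\n")   # placeholder client name
        exts = parse_ehlo(_read_reply(s))
        s.sendall(b"QUIT\r\n")
        return "starttls" if "STARTTLS" in exts else "plain"


def diagnose(err):
    """Map an OpenSSL verification message onto the causes from the thread."""
    msg = str(err)
    if "unable to get local issuer" in msg or "self signed" in msg.replace("-", " "):
        return "chain not trusted: missing intermediate CA or CA absent from this client's store"
    if "Hostname mismatch" in msg or "doesn't match" in msg:
        return "certificate not issued for the hostname you connected to"
    if "certificate has expired" in msg:
        return "certificate expired"
    return "TLS failure: " + msg


def verify_tls(host, port, servername, starttls, cafile=None, timeout=5.0):
    """Handshake the way a strict client does (chain + hostname verified).
    Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if starttls:
                if not _read_reply(raw).startswith("220"):
                    return False, "no plaintext greeting: port is probably SMTPS"
                raw.sendall(b"EHLO probe.example\r\n")
                if "STARTTLS" not in parse_ehlo(_read_reply(raw)):
                    return False, "server does not offer STARTTLS on this port"
                raw.sendall(b"STARTTLS\r\n")
                if not _read_reply(raw).startswith("220"):
                    return False, "server refused STARTTLS"
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return True, "%s, CN=%s" % (tls.version(), subject.get("commonName"))
    except ssl.SSLError as e:
        return False, diagnose(e)
    except OSError as e:
        return False, "connection failed: %s" % e


def start_stub(mode):
    """Constructed loopback stand-in for an MTA: 'starttls', 'plain' or
    'silent' (what an SMTPS listener looks like to a plaintext probe)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            try:
                if mode == "silent":
                    conn.settimeout(10)
                    conn.recv(1)            # wait for the client to give up
                    return
                conn.sendall(b"220 stub.example ESMTP ready\r\n")
                buf = b""
                while True:
                    data = conn.recv(1024)
                    if not data:
                        return
                    buf += data
                    while b"\r\n" in buf:
                        line, buf = buf.split(b"\r\n", 1)
                        cmd = line.split(b" ", 1)[0].upper()
                        if cmd == b"EHLO":
                            conn.sendall(b"250-stub.example\r\n250-SIZE 10240000\r\n"
                                         + (b"250-STARTTLS\r\n" if mode == "starttls" else b"")
                                         + b"250 8BITMIME\r\n")
                        elif cmd == b"QUIT":
                            conn.sendall(b"221 bye\r\n")
                            return
                        else:
                            conn.sendall(b"502 not implemented\r\n")
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    name = sys.argv[3] if len(sys.argv) > 3 else host   # name on the cert
    mode = detect_mode(host, port)
    print("port %d looks like: %s" % (port, mode))
    ok, detail = verify_tls(host, port, name, starttls=(mode != "implicit-tls"))
    print("verify:", "OK" if ok else "FAIL", "-", detail)
```

Run it as `python probe.py mail.example.com 25 mail.example.com` against the IIS box: the first line tells you whether the port is STARTTLS (what IIS offers on 25) or SMTPS (what a client's "Use SSL" on 465 expects), and the second line, on failure, distinguishes a chain that this machine's trust store cannot build (the intermediate-CA case) from a certificate issued for a different name than the one you connected to. Pass `cafile=` with the intermediate appended to test the "missing intermediate" theory without touching any store.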