Re: Configuring SSL in IIS SMTP



OK, so since I have the combination of IIS with Auth/TLS and Secure
Channel required working with the offsite client that requires TLS,
then I'm certain the connectivity and certificate issues are solved.

My real test for this is enabling an iPhone to send using this as an
authenticated, encrypted outbound SMTP relay. The only thing I know
about the iPhone configuration for outgoing email is that it has a
checkbox that says "Use Secure Sockets Layer (SSL)". If this means it
will enjoy a TLS conversation, then I'm done. If it means something
else, then I'm toast.

The iPhone's options for authentication are:

none
Password
MD5 Challenge Response
Kerberos Version 4
NTLM
Kerberos Version 5 (GSSAP)

My assumption here is that we are talking simple Password
authentication (but over TLS).

If the SSL checkbox means SSL .. that is legacy SSL .. can this be
done with IIS 6 SMTP stack? Maybe I should have asked that in the
first place. I have complete control over what the server is doing and
the firewall allows. This MTA will be used for nothing else, so I
don't really have to worry about the general case except I'd like it
to work for other clients to the extent possible. I just have no idea
what this particular client expects "SSL" to be, and little access
to one to play with.

[Don't get me started on the wisdom of using iPhone for corporate
email access. I've fought the battle based on security and
functionality, and have lost. Not even AT&T supports its employees
using iPhones. My job now is to make it work as securely as I can.]

Again, thanks for the assistance!

"Sanford Whiteman" <swhitemanlistens-software@xxxxxxxxxxxxxxxxxxxxx>
wrote:

I've been playing around with different combinations of things
today, but not much success. I thought perhaps that the problem was
the lack of the Verisign intermediate cert that is now required when
using their certs...

That's exactly the kind of missing CA trust I was talking about. You
added it to the computer account store, but are you sure that Agent
uses any MS cert store at all? To name a couple of notable third-party
clients, Opera and The Bat! both have their own stores.

Also make sure you are connecting using the same hostname the cert was
issued for. Some clients are very sensitive to this.

The one combination of things I did get to work was having TLS on
Authentication and Require Secure Channel on the Communications
button both checked, and then using a Forte Agent 4.2 client with
the option set to "Use TLS, and fail if not available".

Reasonable enough combo of settings: that means the client has the
same restrictions as the server.

Stupid question: Does this rule out any problems with the cert, or
does TLS not use the cert at all? I really get confused about TLS
vs. SSL since TLS is SSL 3.0, isn't it?

TLS absolutely uses the cert.

TLS = SSL. If you are using a start-to-finish secure connection, such
as HTTPS and SMTPS, there's no reason to discriminate between the two
technologies.

TLS goes beyond legacy SSL expectations when STARTTLS/STOPTLS is used,
however. SSL users are accustomed to a single point-to-point
connection being either secure or plain. With STARTTLS/STOPTLS, the
same connection can carry plain traffic, then switch to secure, then
switch back to plain. It's advanced, and confusing.

I tried using ports 465 and 443 instead of the one I'd chosen, but
it didn't matter. Any client set to "use SSL" to talk to this server
gave an error that it could not negotiate an SSL connection.

Right, because by "SSL" the client almost inevitably means SMTPS, and
the IIS server doesn't support SMTPS. Only a client that uses the
generic term "secure", the variable term "TLS" (which could mean SMTPS
or STARTTLS) or the explicit term "STARTTLS" has any chance of
working.

Any additional advice would be great.

Re: Agent, it seems to be currently working without any
counterintuitive settings on either side.

Re: OE, remember that you will have to be connecting on port 25, as OE
only does STARTTLS on 25. Any other port and it thinks you mean
implicit/full TLS, a.k.a. SMTP over SSL, a.k.a. SMTPS.

I've been setting up mail servers for 15 years, but never struggled
with this stuff before. I'm sure this is going to turn out to be a
misunderstanding on my part of the difference between TLS/SSL as used
on the server, and "Use SSL" in the terminology of the clients. The
Forte Agent help so much as says to try the "Use SSL" and "Use TLS"
settings until you figure out which is the one that works.

Yes, it's not your fault on the client side. The MUA vendors obviously
are trying to offer users the most streamlined experience, while on
the other hand they can't safely and automatically run through a whole
slew of possible security mechanisms (you risk getting disconnected,
and maybe even IDS/IPS-denied, if the server doesn't like your
trial-and-error methods). So the MUAs offer these partially-technical,
partially-dumbed-down settings. Also, most MUA vendors know there's
some kind of security they can't do (just as most MTA vendors do), so
the vaguer you are, the easier it is to blame the other side.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
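The STARTTLS-on-25 versus implicit-SMTPS-on-465 distinction Sandy describes, and the CA-chain and hostname checks he mentions, as an added example written for this thread (not code from either poster): a Python probe that tells you which mode a server really offers and rejects it when the certificate chain or name does not verify against the system store. Host and port values are assumptions; `probe.invalid` is a placeholder EHLO name.

```python
import socket
import ssl

def read_reply(sock) -> bytes:
    """Read one SMTP reply; the final line has a space (not '-') after the 3-digit code."""
    data = b""
    while not (data.endswith(b"\r\n") and data[:-2].rsplit(b"\r\n", 1)[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def reply_code(reply: bytes) -> int:
    return int(reply.rstrip(b"\r\n").rsplit(b"\r\n", 1)[-1][:3])  # code of the final line

def parse_ehlo(reply: bytes) -> set:
    """Extension keywords from an EHLO reply; line 1 is the greeting, not an extension."""
    lines = reply.decode("ascii", "replace").splitlines()[1:]
    return {ln[4:].split()[0].upper() for ln in lines if ln.startswith("250") and len(ln) > 4}

def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """RFC 3207 flow: plain EHLO, then STARTTLS, verifying chain and hostname via the system store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        read_reply(raw)                                   # 220 banner
        raw.sendall(b"EHLO probe.invalid\r\n")
        if "STARTTLS" not in parse_ehlo(read_reply(raw)):
            return "plain only: STARTTLS not advertised on this port"
        raw.sendall(b"STARTTLS\r\n")
        if reply_code(read_reply(raw)) != 220:
            return "STARTTLS refused"
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"QUIT\r\n")
                return f"STARTTLS ok ({tls.version()})"
        except ssl.SSLCertVerificationError as e:         # missing intermediate CA, name mismatch, ...
            return f"STARTTLS cert rejected: {e.verify_message}"

def probe_smtps(host: str, port: int = 465, timeout: float = 10.0) -> str:
    """Implicit TLS (SMTPS): handshake before any SMTP byte, which is what most 'Use SSL' boxes mean."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            ok = reply_code(read_reply(tls)) == 220
            tls.sendall(b"QUIT\r\n")
            return "SMTPS ok" if ok else "SMTPS: unexpected banner"
    except ssl.SSLError as e:                             # plain SMTP on this port, or a cert problem
        return f"SMTPS handshake failed: {type(e).__name__}"
```

Against an IIS SMTP service configured as described in the thread, `probe_starttls(host, 25)` should report "STARTTLS ok" while `probe_smtps(host, 465)` reports a failed handshake, which is exactly why a client whose "Use SSL" means SMTPS cannot negotiate.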