Re: Configuring SSL in IIS SMTP



OK, so since I have the combination of IIS with Auth/TLS and Secure
Channel required working with the offsite client that requires TLS,
then I'm certain the connectivity and certificate issues are solved.

I'd agree that you've made IIS SMTP as adaptive as it can be to client
requirements at this point, although (see below) there are 3rd-party
pieces you can add in to make it work within additional client
restrictions.

My real test for this is enabling an iPhone to send using this as an
authenticated, encrypted outbound SMTP relay. The only thing I know
about the iPhone configuration for outgoing email is that it has a
checkbox that says "Use Secure Sockets Layer (SSL)". If this means
it will enjoy a TLS conversation, then I'm done. If it means
something else, then I'm toast.

I intuit, as I mentioned before, that an app that uses the terminology
"SSL" can be assumed to _not_ mean SSL v3 = TLS, and therefore that it
does not support STARTTLS/STOPTLS. There may be exceptions, but
generally speaking, if an SMTP app says "SSL" in this day and age,
they are conspicuously _not_ saying "TLS."

The iPhone's options for authentication are:

none
Password
MD5 Challenge Response
Kerberos Version 4
NTLM
Kerberos Version 5 (GSSAPI)

My assumption here is that we are talking simple Password
authentication (but over TLS).

I wish I agreed with you, but I don't. Though only testing can tell
you for sure, I would predict the SSL checkbox means legacy SSL,
and...

If the SSL checkbox means SSL .. that is legacy SSL .. can this be
done with IIS 6 SMTP stack?

....no.

But you can use an SSL proxy in front of IIS SMTP to do this (this is,
by counterexample, at least easier than the reverse, trying to make an
MTA support advanced STARTTLS/STOPTLS when it only speaks legacy SSL).

Maybe I should have asked that in the first place. I have complete
control over what the server is doing and the firewall allows. This
MTA will be used for nothing else, so I don't really have to worry
about the general case except I'd like it to work for other clients
to the extent possible. I just have no idea what this particular
client expects "SSL" to be, and little access to one to play
with.

Well, the biggest problem here is that you are trying to support a
client that you don't own a copy of. That's the real support disaster
-- forget the iPhone-as-corporate problem, it's the
supporting-iPhone-without-having-one problem!

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
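The "SSL proxy in front of IIS SMTP" approach above, sketched as an added example that is not part of the thread and not anything Sandy or the original poster posted: a small front end that accepts legacy-SSL/implicit-TLS connections (the "SSL checkbox" style, conventionally port 465), terminates TLS, and relays the plaintext SMTP session to an MTA that only speaks plaintext or STARTTLS on port 25. The listen and backend addresses, the certificate and key file names, and the `is_tls_client_hello` helper are all assumptions for the example; the sample bytes used to check that helper are constructed, not captured from any client.

```python
"""Implicit-TLS ("legacy SSL") front end for a STARTTLS-only or plaintext SMTP backend.

Added example; listen/backend addresses and cert/key paths are assumptions.
The hop from this proxy to the backend is plaintext, so the backend should
listen on loopback only (or be firewalled to this host) or the relay defeats
the point of terminating TLS here.
"""
import socket
import ssl
import threading

# Constructed sample inputs (not from the thread): what the first bytes on the
# wire look like for the two client styles the thread distinguishes.
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex("160301002a01000026")  # record 0x16, TLS 1.0 record version, ClientHello
SAMPLE_PLAINTEXT_EHLO = b"EHLO iphone.example\r\n"


def is_tls_client_hello(data: bytes) -> bool:
    """True if the client opened with a TLS handshake record carrying a ClientHello.

    That is the signature of an implicit-TLS ("SSL") client; a STARTTLS client
    sends nothing until it has read the server's 220 greeting.
    Record header: type 0x16, version major 0x03, 2-byte length, then
    handshake type 0x01 = ClientHello (SSLv2-style hellos are not recognised).
    """
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[5] == 0x01)


def make_server_context(cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side context; SSLv3/TLS 1.0/1.1 are refused by minimum_version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)  # assumption: PEM files for the MTA's name
    return ctx


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(raw: socket.socket, ctx: ssl.SSLContext, backend_addr) -> None:
    """Terminate TLS for one connection and relay the plaintext session to the backend."""
    try:
        # Peek before wrapping: a client that sends nothing (waiting for a 220
        # greeting) or sends plaintext is a STARTTLS/plain client on the wrong
        # port. Reject it with a 554 greeting instead of relaying in the clear.
        raw.settimeout(10)
        first = raw.recv(6, socket.MSG_PEEK)
        if not is_tls_client_hello(first):
            raw.sendall(b"554 5.7.0 TLS is required on this port\r\n")
            raw.close()
            return
        tls = ctx.wrap_socket(raw, server_side=True)  # handshake happens here
        tls.settimeout(None)  # idle SMTP sessions must not hit the peek timeout
    except (OSError, ssl.SSLError):
        raw.close()
        return
    backend = socket.create_connection(backend_addr)
    up = threading.Thread(target=pump, args=(tls, backend), daemon=True)
    up.start()
    pump(backend, tls)  # backend's 220 greeting and replies flow back to the client
    up.join()
    tls.close()
    backend.close()


def serve(listen_addr=("0.0.0.0", 465), backend_addr=("127.0.0.1", 25),
          cert_file="smtp-cert.pem", key_file="smtp-key.pem") -> None:
    """Accept implicit-TLS clients and hand each one to handle_client (assumed addresses)."""
    ctx = make_server_context(cert_file, key_file)
    with socket.create_server(listen_addr) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, ctx, backend_addr),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

The same job is what stunnel or a TLS-terminating load balancer does in production; the value of the hand-rolled version is that it makes the two points from the thread concrete: an "SSL" client starts the TLS handshake before any SMTP bytes, while a STARTTLS client waits for the greeting, and the MTA behind the proxy never sees TLS at all, so its own Secure Channel requirement has to be relaxed on the loopback listener and authentication still has to be enforced there.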