
  • IIS SMTP with TLS

    I'm working with a client trying to set up TLS email encryption between us and them and I'm having some issues.

    I'm not sure of the mail server on their end other than it's a hosted solution.

    On my end, I have a Windows 2008 server running GFI Mail Essentials/Security acting as a smart host in front of an Exchange 2010 SP1 machine. The GFI software utilizes IIS SMTP to send/receive email to/from the internet and the Exchange server.

    On the GFI server, I created a self-signed certificate (I plan to purchase one later) and gave it the same name as on my MX record ( based on some research. From an outside network, I can telnet to ' 25', issue an EHLO command and see 250-STARTTLS and 250-TLS. If I then issue the STARTTLS command it responds with '220 2.0.0 SMTP Server Ready'. From what I've read, this is the proper response from IIS SMTP. So, it looks like my server is ready and able to do a TLS session.

    The client configured TLS on their end. I sent a test message to them but when they send a test to me I never get it. They say that in their logs it says something to the effect of "TLS not supported for domain -".

    I'm sure I have something incorrect on my side but I'm just not sure what it might be. I've been googling quite a bit and I've found plenty of information for doing this on Exchange but not so much for IIS SMTP.

    Anybody have any ideas or suggestions?

    Thanks in advance.

    Robin H.
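The telnet test described in this post (EHLO, look for 250-STARTTLS, send STARTTLS, expect a 220) can be scripted so it also does what a remote mail server does next: complete the TLS handshake and validate the certificate. The block below is an added example written for this thread, not code from the post or from GFI or IIS SMTP. The EHLO transcripts in it are constructed to look like the lines the poster quoted, the host names are placeholders, and only `probe()` touches the network.

```python
"""STARTTLS probe for an SMTP server, written to mirror the telnet test in the post:
EHLO, look for the STARTTLS extension, send STARTTLS, expect a 220, then complete
a verifying TLS handshake. Added example; not code from the post or from GFI/IIS.
Host names below are placeholders."""
import smtplib
import ssl

# Constructed EHLO reply modelled on the "250-STARTTLS" / "250-TLS" lines the
# poster saw; not a capture from any real server.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello [203.0.113.5]\r\n"
    "250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n"
    "250-TLS\r\n"
    "250 OK\r\n"
)
# Constructed reply showing what a proxy that strips STARTTLS from EHLO would
# let an outside sender see for the same server.
SAMPLE_EHLO_REPLY_STRIPPED = (
    "250-mail.example.com Hello [203.0.113.5]\r\n"
    "250-SIZE 20971520\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply):
    """Split a multi-line EHLO reply into (code, [extension keywords]).

    RFC 5321 multi-line replies use 'NNN-' on every line but the last, which
    uses 'NNN '. The first line is the greeting; the rest carry extensions
    (the trailing 'OK' some servers send simply shows up as a keyword)."""
    lines = [l for l in reply.replace("\r\n", "\n").split("\n") if l]
    if not lines or len(lines[0]) < 4:
        raise ValueError("empty or truncated EHLO reply")
    code = lines[0][:3]
    if not code.isdigit():
        raise ValueError("reply does not start with a 3-digit code")
    for i, line in enumerate(lines):
        sep = "-" if i < len(lines) - 1 else " "
        if line[:3] != code or line[3:4] != sep:
            raise ValueError(f"malformed multi-line reply at line {i}: {line!r}")
    exts = [l[4:].strip().split(" ", 1)[0].upper() for l in lines[1:]]
    return int(code), exts


def offers_starttls(reply):
    """True when the EHLO reply is a 250 that advertises STARTTLS."""
    code, exts = parse_ehlo(reply)
    return code == 250 and "STARTTLS" in exts


def starttls_ready(reply):
    """Interpret the answer to STARTTLS: 220 means 'go ahead with the handshake'
    (the '220 2.0.0 SMTP Server Ready' in the post); 454 is a temporary refusal
    and 501/502/503 mean the server will not or cannot upgrade."""
    return reply.lstrip()[:3] == "220"


def probe(mx_host, port=25, timeout=10.0):
    """Live check (needs network access): does mx_host offer STARTTLS, and does
    the certificate it presents chain to the local trust store and match the
    name we connected to? This is the view a certificate-validating remote MTA
    has of us; a self-signed certificate ends up in the 'error' field here."""
    result = {"starttls_offered": False, "tls_ok": False, "error": None,
              "cert_subject": None}
    ctx = ssl.create_default_context()   # system CAs, hostname check enabled
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as conn:
            conn.ehlo()
            result["starttls_offered"] = conn.has_extn("starttls")
            if not result["starttls_offered"]:
                result["error"] = "STARTTLS not advertised in EHLO reply"
                return result
            conn.starttls(context=ctx)   # smtplib itself insists on the 220
            cert = conn.sock.getpeercert()
            result["cert_subject"] = dict(x[0] for x in cert.get("subject", ()))
            result["tls_ok"] = True
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"certificate not trusted: {e.verify_message}"
    except (smtplib.SMTPException, OSError) as e:
        result["error"] = f"{type(e).__name__}: {e}"
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"))
```

Run `probe()` once from outside the firewall and once from the LAN side; if `starttls_offered` differs between the two, something in the path is rewriting the EHLO reply. If it is offered but `tls_ok` is false with a "certificate not trusted" error, the remote side is seeing exactly what this thread's replies describe.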

  • #2
    Re: IIS SMTP with TLS

    AFAIK TLS is not supported with self-signed certificates - you'll need to use a trusted 3rd party certificate. Looks to me like the remote end isn't trusting your certificate, which I would expect.

    BTW TLS normally transmits on port 587, so I doubt telnet-ing to 25 proves anything. I've never set up TLS in a production environment though.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: IIS SMTP with TLS

      The use of a self signed certificate is going to be a problem, because the certificate isn't trusted.
      You need to switch to a trusted certificate. The other side cannot establish an SSL session so the session fails.

      Simon Butler
      Exchange MVP


      Sembee is a registered trademark, used here with permission.


      • #4
        Re: IIS SMTP with TLS

        As these guys have pointed out - it'll fail because it's self-signed.

        the reason it probably worked for your telnet session is you may already trust the certificate...


        • #5
          Re: IIS SMTP with TLS

          Thanks for the responses. I had a feeling, but I was just hoping to get it tested first with the self-signed cert.

          Just to make sure I order the right thing... I just need an SSL certificate, and I should make the name on it match what my MX record says ( or should it be just the domain name (

          Thanks again for your help.

          Robin H.


          • #6
            Re: IIS SMTP with TLS

            I have a similar issue: GFI Mail Essentials on an SMTP gateway, which then forwards to my Exchange 2007.

            Cert installed on the SMTP gateway. Once I force TLS authentication on the SMTP properties of the SMTP Virtual Server, no email comes through.

            Any ideas?



            • #7
              Re: IIS SMTP with TLS


              I did finally get mine working, but it was a firewall issue on my end. I'll run through my steps so maybe something will help you.

              I installed the certificate on the SMTP server just as you did. I did not check the box to enforce TLS authentication on the properties of the virtual server. The way I understood that option was that by enforcing TLS, every sending server was required to use TLS to send you email. Since that wasn't what I was after, I left it unchecked. By doing so, it allows my server to offer it as an option to the sending server, but it doesn't reject messages if TLS isn't used.

              I didn't make any changes on my Exchange server.

              In the end, my issue was with my Watchguard firewall. The SMTP handling policies I had set up were 'proxy' policies. I found out that those would block TLS authentication, so I needed to use a 'packet filter' policy instead (inbound and outbound). Once I did this, it worked like a charm - it uses TLS when requested and doesn't when it's not.

              Hopefully something there will help. If you have any more questions let me know and I'll try to help.