Enable TLS On Your IIS 6.0 SMTP Virtual Server
For this you’ll need an IIS 6.0 server with the web and SMTP components installed, as well as the IIS 6.0 Resource Kit Tools.
Install the SelfSSL component from the IIS 6.0 Resource Kit Tools.
Create a new web site in IIS and note its site ID by clicking on the Web Sites parent node in the tree on the left and looking for the number in the Identifier column. Open the properties of your new site and set a port for SSL (I chose 442 to avoid conflicts with any pre-existing SSL sites).
Open Start -> Programs -> IIS Resource Kit -> SelfSSL and at the command prompt run (replacing variables to suit your environment):
selfssl /S:<site-ID> /V:3650 /N:CN=<hostname> /P:<site-ssl-port>
So for example I ran:
selfssl /S:87257621 /V:3650 /N:CN=SMTPGWY /P:442
You should make sure that the <hostname> is the same as that of the server on which you are running the SMTP virtual server.
Open your new site and export the certificate as a PFX file.
Delete the web site.
Open the SMTP virtual server properties and open the Access tab.
Click the Certificate button and follow the wizard to import your PFX.
You can check that TLS has been enabled for receiving email by telnetting to your SMTP virtual server on port 25 and, after the SMTP banner has been displayed, entering:
EHLO testserver
In the list of data returned there should be two lines reading TLS and STARTTLS, which mean your SMTP server is ready to use TLS security when receiving emails.
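The EHLO check above can be scripted. The PowerShell script below is an added example and not part of the original post: saved as a .ps1 it sends EHLO, confirms that STARTTLS is advertised, upgrades the connection and compares the certificate CN with the host name given to selfssl. The host name, port and expected CN are assumed placeholders to replace with your own values.

```powershell
# Added example, not from the original post: probe an SMTP virtual server for STARTTLS,
# upgrade the session and compare the certificate CN with the host name given to selfssl.
param(
    [string]$SmtpHost   = "SMTPGWY",   # assumption: host running the SMTP virtual server
    [int]   $Port       = 25,
    [string]$ExpectedCN = "SMTPGWY"    # value passed to selfssl as /N:CN=<hostname>
)
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Read one SMTP reply: "250-..." lines continue it, "250 ..." (space) ends it.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

$client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
$writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
$null = Read-SmtpReply $reader                     # 220 banner
$writer.WriteLine("EHLO testserver")
$ehlo = Read-SmtpReply $reader
$advertised = @($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS\s*$' }).Count -gt 0
if (-not $advertised) {
    Write-Warning "STARTTLS not advertised. EHLO reply:`n$($ehlo -join "`n")"
    $client.Close(); return
}
$writer.WriteLine("STARTTLS")
$reply = Read-SmtpReply $reader
if ($reply[0] -notmatch '^220') { Write-Warning "STARTTLS refused: $($reply[0])"; $client.Close(); return }

# The SelfSSL certificate is self-signed, so chain validation is bypassed for the
# handshake only; subject CN and expiry are then inspected explicitly below.
$accept = { param($s, $c, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
$ssl.AuthenticateAsClient($SmtpHost)   # protocol set is the client's system default
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
[pscustomobject]@{
    StartTlsAdvertised = $advertised;   Protocol = $ssl.SslProtocol
    Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
    CertificateCN = $cn;  CNMatchesExpected = ($cn -ieq $ExpectedCN);  NotAfter = $cert.NotAfter
}
$ssl.Dispose(); $client.Close()
```

A CNMatchesExpected value of False means the name given to selfssl does not match the server, which is the mismatch the note above warns about.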
To send email to remote hosts with TLS enabled:
- Open the Delivery tab in the properties of your SMTP virtual server
- Select Outbound Security
- Tick TLS Encryption to enable TLS when sending email to remote servers.
NB: Enabling this option means the SMTP virtual server will require TLS support on ALL remote hosts it tries to send mail to. If TLS is not available, mail will sit in the outbound queue until it expires, an entry will be written to the System event log and an NDR will be sent to the original sender of the email.
You can work around this issue by using two SMTP virtual servers, one with TLS enabled and the other without, and setting up routing groups on your Exchange server to route outbound email via the TLS-enabled SMTP virtual server only if you are certain that the target domain supports TLS.