
IIS SMTP with STARTTLS


dekopolis

Jul 8, 2009, 9:52:33 AM
Hi,

I'm using the built-in smtp service in Windows 2003 Server. I want to be
able to use the STARTTLS command to receive email. In the IIS Manager
Console window I have an instance of the Default SMTP Virtual Server. Under
the Access tab of the Properties window for this virtual server I have
installed a Certificate for Secure Communication. I was under the impression
that when a certificate was installed the server would then be able to
receive email with the STARTTLS command, however when I logon to the server
and issue an EHLO command I do not see STARTTLS advertised. ("250-STARTTLS"
is not in the list) How can I get STARTTLS to be advertised?

Thanks.


Daniel Crichton

Jul 8, 2009, 10:39:20 AM


Have you tried just issuing the STARTTLS command from the connection?
According to http://www.rfc-editor.org/rfc/rfc2487.txt there should be 3
possible responses:

220 Ready to start TLS
501 Syntax error (no parameters allowed)
454 TLS not available due to temporary reason

so you should be able to tell if it's working by the response to the
command.

STARTTLS has nothing to do with receiving email though - it's the command to
tell the server that you want to set up an encrypted connection over TLS
(formerly known as SSL). If you want to receive email from the server you
will need to look into adding a POP3 or IMAP service, the SMTP service only
receives email or sends it to another server. The only other command I can
think of that you might be looking for is ETRN which tells the SMTP service
to start sending mail out to a specific server, but it still won't let you
actually retrieve the mail directly, it can only be sent to another SMTP
server.

--
Dan


dekopolis

Jul 8, 2009, 11:41:21 AM

"Daniel Crichton" <msn...@worldofspack.com> wrote in message
news:ebDRin9$JHA....@TK2MSFTNGP02.phx.gbl...
Thanks for the response Dan.

I think I figured it out. I use a Spam Proxy and it was not showing the
STARTTLS verb even though the underlying SMTP server was advertising it. In
other words, when I connected directly to the smtp server I was able to see
the STARTTLS verb but not when I used the Spam Proxy. I needed to enable a
setting in the Spam Proxy's config file to allow it to show through. Now
everything works as expected.

Grant Taylor

Jul 9, 2009, 3:31:56 AM
On 7/8/2009 9:39 AM, Daniel Crichton wrote:
> STARTTLS has nothing to do with receiving email though - it's the
> command to tell the server that you want to set up an encrypted
> connection over TLS (formerly known as SSL).

STARTTLS and SSL are quite different things when it comes to SMTP.

SSL protected SMTP (a.k.a. SMTPS) runs on TCP port 465 and is a full
(read: from start to finish) SSL connection.

Whereas STARTTLS is a way for a sending server to tell the receiving
server that it wants to switch to TLS encryption on the current
connection. Usually the current connection is to the MTA on TCP port
25, though it could equally be the MSA on TCP port 25.

The main fact about STARTTLS is that it starts out cleartext and then
switches to TLS ciphertext on the same connection. Whereas SSL is
encrypted from the get go.

Grant. . . .
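Dan's advice (issue the STARTTLS verb and read the reply code) and Grant's distinction between STARTTLS on port 25 and SMTPS on port 465, as an added example that is not part of the thread and is not Microsoft's code: a Python script that parses an EHLO reply as pasted from a telnet session, classifies the STARTTLS reply codes from RFC 2487, and probes a live server in either mode. The host name, the two EHLO transcripts and the function names are assumptions constructed for this example; the proxied transcript mirrors what the original poster found, an EHLO reply with the STARTTLS line missing.

```python
import smtplib
import ssl
import sys

# Constructed EHLO transcripts, not captured from a real server. The first is
# what an SMTP service with a certificate installed answers when you connect
# to it directly; the second is the same reply after a proxy in front of it
# has dropped the STARTTLS line, which is what the original poster ran into.
EHLO_DIRECT = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 2097152\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)
EHLO_VIA_PROXY = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 2097152\r\n"
    "250 OK\r\n"
)

# Replies to the STARTTLS verb listed in RFC 2487 (superseded by RFC 3207).
STARTTLS_REPLIES = {
    220: "ready to start TLS",
    501: "syntax error (STARTTLS takes no parameters)",
    454: "TLS not available due to temporary reason",
}


def parse_ehlo(transcript: str) -> list[str]:
    """Return the ESMTP keywords from a raw multi-line 250 reply; the first
    250 line is the server greeting, not a keyword."""
    keywords = []
    for line in transcript.splitlines():
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue  # banner, echoed command or other chatter
        fields = line[4:].split()
        if fields:
            keywords.append(fields[0].upper())  # drop parameters such as SIZE's limit
    return keywords[1:]


def advertises_starttls(transcript: str) -> bool:
    return "STARTTLS" in parse_ehlo(transcript)


def describe_starttls_reply(code: int) -> str:
    return STARTTLS_REPLIES.get(
        code, f"unexpected reply {code}: the server does not implement STARTTLS as specified")


def _tls_context(verify: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()
    if not verify:  # only for diagnosing a self-signed or mismatched certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_starttls(host: str, port: int = 25, verify: bool = True, timeout: float = 10) -> dict:
    """Cleartext connect, EHLO, then upgrade the same connection with STARTTLS."""
    result = {"mode": "starttls", "advertised": False, "code": None, "status": None, "tls": None}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        result["advertised"] = smtp.has_extn("starttls")
        if not result["advertised"]:
            result["status"] = "STARTTLS not in EHLO reply (check any proxy between you and the server)"
            return result
        try:
            code, _ = smtp.starttls(context=_tls_context(verify))
            result["tls"] = smtp.sock.version()  # e.g. "TLSv1.2" once the socket is wrapped
        except smtplib.SMTPResponseException as exc:  # 454, 501 or anything other than 220
            code = exc.smtp_code
        except ssl.SSLError as exc:
            result["code"] = 220
            result["status"] = f"220 received but the TLS handshake failed: {exc}"
            return result
        result["code"] = code
        result["status"] = describe_starttls_reply(code)
    finally:
        smtp.close()
    return result


def probe_smtps(host: str, port: int = 465, verify: bool = True, timeout: float = 10) -> dict:
    """Implicit TLS (SMTPS): the handshake happens before any SMTP banner is read."""
    result = {"mode": "smtps", "tls": None, "ehlo_code": None}
    smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=_tls_context(verify))
    try:
        result["tls"] = smtp.sock.version()
        result["ehlo_code"], _ = smtp.ehlo()
    finally:
        smtp.close()
    return result


if __name__ == "__main__":
    # Offline check of the constructed transcripts, then a live probe if a host is given.
    print("direct EHLO advertises STARTTLS:", advertises_starttls(EHLO_DIRECT))
    print("proxied EHLO advertises STARTTLS:", advertises_starttls(EHLO_VIA_PROXY))
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_smtps(host, port) if port == 465 else probe_starttls(host, port))
```

Run it as `python probe.py mail.example.test 25` to see whether the EHLO reply you actually get advertises STARTTLS and, if so, which of the three RFC 2487 replies the verb draws; a missing keyword on port 25 with a certificate installed points at something in between (the spam proxy in this thread) rather than at the SMTP service. Port 465 takes the implicit-TLS path, where there is no cleartext phase and no STARTTLS verb at all. The probe verifies the server certificate by default; pass `verify=False` only while diagnosing a self-signed or mismatched certificate, never in anything that delivers mail.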

Daniel Crichton

Jul 9, 2009, 6:05:04 AM

I never said they were the same thing from the point of view of SMTP, I was
pointing out that TLS is very similar to SSL (TLS1 was based on SSL3), it's
just an encryption layer and does nothing else.

--
Dan

