Using SSL with SMTP outgoing virtual server send fails

    Question

  • Hello,

    I am trying to send secure outgoing email on port 465 by creating an additional SMTP virtual server.  I've installed a certificate on the virtual server.  Email sends OK using port 465 as long as "require secure channel" is not checked on the virtual server properties and "this server requires a secure connection (SSL)" for outgoing on my email client is not checked.  When I have "require secure channel" and "this server requires a secure connection (SSL)" checked on I receive this error message when sending. 

    Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity.

    Subject '2'
    Server: 'mail.pbssite.com'
    Windows Live Mail Error ID: 0x800CCC0F
    Protocol: SMTP
    Port: 465
    Secure(SSL): Yes

    We are using Exchange Server 2003.  Any ideas why I can't send secure email?


    andyh999

    Wednesday, April 11, 2012 3:09 PM

Answers

  • On Fri, 13 Apr 2012 20:51:55 +0000, andyh999 wrote:
     
    >
    >
    >"If you're using anything except port 25 for server-to-server SMTP you're going to have one heckuva problem. Port 587 is the SMTP Client Submission port, not the SMTP Server port. Since you use port 587 for YOUR clients it isn't a problem to manage communication and configuration. How you'd tell some anonymous SMTP server that they have to use some alternative port to 25 is a task I'd rather not undertake."
    >
    >We are using port 25 for server to server communications and port 587 for client submission. I misworded this in my earlier post.
     
    "I am trying to send secure outgoing email on port 465" seems pretty
    clear. :-)
     
    >"If the information is sensitive then you should encrypt the message, not just the transmission channel. Encrypting the channel only protects the content "on the wire," but does nothing for the messages "at rest".
    >
    >Perhaps. But for now we want to encrypt outgoing transmission, that is what I'm having troubles with. I am looking for a recommendation on the best way to do this.
     
    Use the standard port 25. TLS is a common usage between servers, even
    on the Internet.
     
    You only need a SMTP connector to send using TLS. Populate its
    "Address Space" tab with the domains that want to use ONLY TLS. Then
    use the "Outbound security..." button on the connector's "Advanced"
    tab and check the "TLS encryption" box.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Castinlu Friday, April 20, 2012 9:50 AM
    Friday, April 13, 2012 9:26 PM

All replies

  • On Wed, 11 Apr 2012 15:09:36 +0000, andyh999 wrote:
     
    >I am trying to send secure outgoing email on port 465 by creating an additional SMTP virtual server. I've installed a certificate on the virtual server. Email sends OK using port 465 as long as "require secure channel" is not checked on the virtual server properties and "this server requires a secure connection (SSL)" for outgoing on my email client is not checked. When I have "require secure channel" and "this server requires a secure connection (SSL)" checked on I receive this error message when sending.
    >
    >Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity.
    >
    >Subject '2' Server: 'mail.pbssite.com' Windows Live Mail Error ID: 0x800CCC0F Protocol: SMTP Port: 465 Secure(SSL): Yes
    >
    >
    >
    >We are using Exchange Server 2003. Any ideas why I can't send secure email?
     
    Port 465 is assumed to ALWAYS be secure. There's no STARTTLS and
    there's no need for ESMTP.
     
    Keep in mind that using port 465 isn't really a standardized means of
    sending e-mail. It's more of a loose agreement between sending and
    receiving servers.
     
    http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
     
    Is there some reason why you're using port 465 instead of 25 or 587?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, April 11, 2012 9:36 PM
  • Thanks for the reply Rich.

    We are using port 25 and 587 to send non-secure messages to external servers.  Since some ISP's block port 25 we setup 587 a while back for those who contract with the ISP's that block 25. 

    At some point I would like to secure port 587 but I believe would have to contact all users who currently use this port to check on "this server requires a secure connection (SSL)" once I check on "require a secure channel" on the virtual server properties.  If this is incorrect please let me know.

    Due to the sensitive nature of information that passes through our Exchange server we want to at the least encrypt the username and password for outgoing messages. If you have other recommendations on how to do this please share. 

    So if I want to send secure email on port 465 what do I need to do? 

    Regards,
    Andy


    andyh999

    Thursday, April 12, 2012 1:53 PM
  • On Thu, 12 Apr 2012 13:53:24 +0000, andyh999 wrote:
     
    >We are using port 25 and 587 to send non-secure messages to external servers. Since some ISP's block port 25 we setup 587 a while back for those who contract with the ISP's that block 25.
     
    Anyone that's running a SMTP server can find an alternative to using
    port 25. Have a look at http://www.dyndns.com as an example. What's
    required is a SMTP relay server.
     
    >At some point I would like to secure port 587 but I believe would have to contact all users who currently use this port to check on "this server requires a secure connection (SSL)" once I check on "require a secure channel" on the virtual server properties. If this is incorrect please let me know.
     
    If you're using anything except port 25 for server-to-server SMTP
    you're going to have one heckuva problem. Port 587 is the SMTP Client
    Submission port, not the SMTP Server port. Since you use port 587 for
    YOUR clients it isn't a problem to manage communication and
    configuration. How you'd tell some anonymous SMTP server that they
    have to use some alternative port to 25 is a task I'd rather not
    undertake.
     
    >Due to the sensitive nature of information that passes through our Exchange server we want to at the least encrypt the username and password for outgoing messages. If you have other recommendations on how to do this please share.
     
    If the information is sensitive then you should encrypt the message,
    not just the transmission channel. Encrypting the channel only
    protects the content "on the wire," but does nothing for the messages
    "at rest".
     
    >So if I want to send secure email on port 465 what do I need to do?
     
    Just send the mail on that port. Since there's no negotiation expected
    the data should only be accepted if your server exchanges its
    certificate with the target server.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Thursday, April 12, 2012 9:43 PM
  • "If you're using anything except port 25 for server-to-server SMTP you're going to have one heckuva problem. Port 587 is the SMTP Client Submission port, not the SMTP Server port. Since you use port 587 for YOUR clients it isn't a problem to manage communication and configuration. How you'd tell some anonymous SMTP server that they have to use some alternative port to 25 is a task I'd rather not undertake."

    We are using port 25 for server to server communications and port 587 for client submission.  I misworded this in my earlier post.

    "If the information is sensitive then you should encrypt the message, not just the transmission channel. Encrypting the channel only protects the content "on the wire," but does nothing for the messages "at rest".

    Perhaps. But for now we want to encrypt outgoing transmission, that is what I'm having troubles with. I am looking for a recommendation on the best way to do this.

    Thanks for the feedback.

    Andy


    andyh999

    Friday, April 13, 2012 8:51 PM
  • hi,

    How about your issue now, any update?

    Please remember to mark as answer.

    thanks,


    CastinLu

    TechNet Community Support

    Monday, April 16, 2012 1:10 AM
  • We had a similar problem here in Germany recently as all the ISP's are now requiring SSL connections from the beginning of the next year (2014).

    For us the following workaround has worked:

    We are running a Microsoft Small Business Server 2003 (which includes Exchange). Since the Exchange 2003 Server does not support SSL encryption natively we had to install stunnel (free download from http://www.stunnel.org) and to configure the Exchange Server to send outgoing mail to stunnel rather than directly to the ISP. stunnel then encrypts the email with SSL and passes it on to the ISP.

    This is what we did:

    1. stunnel

    The software needs to be configured to listen to a (free) port different from the standard port 25 (as port 25 is still needed for the Exchange Server to accept emails). In this example we are using port 259. Furthermore, stunnel needs to know to which ISP and port the emails have to be passed on after encryption. In order to provide this information the file "stunnel.conf" has to be customized using an editor (e.g. Notepad). Here are the contents of the customized file (whereas [yourisp:port] has to be replaced by the fully qualified domain name and port specified by your ISP for SMTP connections):

    ; Global options

    ; Debugging (activate for troubleshooting)
    ; debug = 7
    ; output = stunnel.log

    ; Service defaults

    ; Disable support for insecure SSLv2 protocol
    options = NO_SSLv2

    ; Show stunnel icon on taskbar
    taskbar = yes

    ; Service definitions (accepting emails for Exchange 2003
    ; and passing it on to the ISP)
    [SSLsmtp]
    client = yes
    accept = 127.0.0.1:259
    connect = [yourisp:port]
    ; example: connect = smtp.live.com:587
    protocol = smtp

    2. Exchange Server 2003

    The Exchange Server 2003 then has to be configured to send all outgoing email to stunnel on port 259 rather than to your ISP. This requires modifications in two places:

    a) Internet Mail SMTP-Connector

    In the tree of the Exchange System Manager navigate to "Administrative Groups", "[First] Administrative Group", "Routing Groups", "[First] Routing Group", "Connectors", "Internet Mail SMTP Connector". Open the properties of the Internet Mail SMTP Connector. On the "General" tab under "Forward all mail through this connector to the following smart hosts" specify "[127.0.0.1]" instead of the address of your ISP. Make sure to include the square brackets as they are required by Exchange to accept an IP-address as destination.

    b) Default SMTP Virtual Server

    In the tree of the Exchange System Manager navigate to "Administrative Groups", "[First] Administrative Group", "Servers", "[Name of your Server]", "Protocols", "SMTP", "Default SMTP Virtual Server". Open the properties of the Default SMTP Virtual Server and go to the "Delivery" tab. Click on "Outbound connections". Under "TCP port" specify port 259 instead of port 25.

    Make sure to start the stunnel service and to specify the stunnel service as to be started automatically on startup of the system so that stunnel is activated also after a reboot.

    Wednesday, December 18, 2013 10:43 AM
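    The stunnel setup above puts a plaintext hop on 127.0.0.1:259 and a TLS hop to the ISP, so two things decide how much it actually protects: the plaintext side must stay on loopback, and the client side must verify the ISP's certificate (stunnel does not verify the peer unless told to). The following is an added example, not from the post or from the stunnel project: a small linter for an stunnel.conf that parses the file and reports those gaps, with the posted configuration beside a hardened variant. `verifyChain`, `checkHost`, `CAfile` and `options` are real stunnel 5.x option names; the ISP host name and CA bundle path in the samples are constructed placeholders.

```python
"""Added example: lint an stunnel.conf used as a TLS wrapper for outbound SMTP.
Not from the thread or the stunnel project; option names are stunnel 5.x."""
from typing import Dict, List, Tuple

# Constructed: the posted configuration with the placeholder target filled in
# with a made-up ISP host (not a real submission server).
POSTED_CONF = """
; Global options
options = NO_SSLv2
taskbar = yes

[SSLsmtp]
client = yes
accept = 127.0.0.1:259
connect = smtp.isp.example.invalid:587
protocol = smtp
"""

# Constructed hardened variant: same pipeline, but the outbound leg verifies the
# ISP's certificate chain and name, and SSLv3 is disabled alongside SSLv2.
# The CAfile path is an assumption; point it at your own CA bundle.
HARDENED_CONF = r"""
options = NO_SSLv2
options = NO_SSLv3
taskbar = yes

[SSLsmtp]
client = yes
accept = 127.0.0.1:259
connect = smtp.isp.example.invalid:587
protocol = smtp
verifyChain = yes
CAfile = C:\stunnel\ca-certs.pem
checkHost = smtp.isp.example.invalid
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")
VERIFY_KEYS = ("verifychain", "verifypeer", "verify", "cafile", "capath")


def parse_stunnel_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]}; global options land under ''.
    Repeated keys (e.g. several 'options' lines) are kept in order."""
    conf: Dict[str, List[Tuple[str, str]]] = {"": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, [])
            continue
        key, _, value = line.partition("=")
        conf[section].append((key.strip(), value.strip()))
    return conf


def lint_stunnel_conf(text: str) -> List[str]:
    """Report settings that weaken a client-mode (outbound) SMTP wrapper."""
    conf = parse_stunnel_conf(text)
    findings: List[str] = []

    disabled = {v.upper() for k, v in conf[""] if k.lower() == "options"}
    for legacy in ("NO_SSLv2", "NO_SSLv3"):
        if legacy.upper() not in disabled:
            findings.append(f"global: {legacy} not set, legacy protocol still negotiable")

    for name, entries in conf.items():
        if name == "":
            continue
        opts: Dict[str, List[str]] = {}
        for k, v in entries:
            opts.setdefault(k.lower(), []).append(v)
        if opts.get("client", ["no"])[0].lower() != "yes":
            continue                                  # only the outbound leg is checked here
        accept = opts.get("accept", [""])[0]
        host = accept.rsplit(":", 1)[0] if ":" in accept else ""   # bare port = all interfaces
        if host not in LOOPBACK:
            findings.append(f"[{name}]: accept={accept!r} listens beyond loopback; "
                            "the plaintext hop would be reachable from the network")
        connect = opts.get("connect", [""])[0]
        if not connect or connect.startswith("["):
            findings.append(f"[{name}]: connect target is missing or still a placeholder")
        if not any(k in opts for k in VERIFY_KEYS):
            findings.append(f"[{name}]: no certificate verification option; "
                            "the ISP's certificate is accepted unverified")
        if "checkhost" not in opts and "checkip" not in opts:
            findings.append(f"[{name}]: no checkHost; the certificate name is not "
                            "matched against the connect target")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_stunnel_conf(conf) or ['no findings']}")
```

    Run against the posted configuration the linter flags the missing peer verification and host check and the still-enabled SSLv3; the hardened variant passes. The check on `accept` matters because everything Exchange hands to port 259 is plaintext until stunnel wraps it.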