MailSite Knowledge Base
Find answers and solutions to MailSite questions and problems
Setting up TLS/SSL on MailSite
Document #:10512

Applies To:
  • MailSite 7 and later

Synopsis:
This document outlines how to set up MailSite to accept TLS/SSL connections.

More Information:

First you must identify or change the HostName that MailSite uses. Based on the HostName, you can then obtain the certificate (the CN name of the certificate will need to match the HostName). MailSite does not currently support wildcard certificates.

How to find/set the hostname

You can telnet to your SMTP service on port 25 and see the greeting, e.g. 'telnet mail.server.com 25'. The banner there will give you the hostname. For example, if you telnet to mail.rockliffe.com on port 25 you get:

220 mail.rockliffe.com MailSite ESMTP Receiver Version 9.2.0.1 Ready

This tells us the HostName MailSite is using is mail.rockliffe.com.

You can either obtain a certificate where the CN name matches this (mail.rockliffe.com), or you can change the HostName and then get a certificate that matches the new hostname. You can use the HOSTS file in Windows to change the hostname, e.g.:
  • Open Windows Explorer and navigate to 'C:\Windows\System32\Drivers\Etc' or 'C:\Winnt\System32\Drivers\Etc'
  • Open the file called 'HOSTS' with a text editor
  • Add an entry below 127.0.0.1 Localhost similar to:

    192.168.1.100 mail.newserver.com

  • You need to replace the above with the IP address that is bound to your NIC
  • Save the file
  • Restart the Services
  • Now when you perform a telnet you should see:

    220 mail.newserver.com MailSite ESMTP Receiver Version 9.0.2.1 Ready

    When a client connects using TLS, MailSite will take the hostname and look in the certificate store for a certificate that matches the hostname.


You can now obtain a certificate where the CN name is 'mail.newserver.com'.

Installing the certificate

You can obtain TLS/SSL certificates from any certificate vendor. It is also possible to generate your own certificate; however, when users connect, their desktop clients will report errors that the certificate isn't trusted. For this reason, it is recommended to purchase a certificate. The cost associated with the certificate can be offset by the better user experience. Once you have obtained/purchased the certificate, it needs to be installed in the Personal Store for the Computer Account using the Certificates MMC snap-in:

  1. Start > Run > MMC
  2. File > Add/Remove Snap-in > Add > Certificates > Add
  3. Select 'Computer Account' > Next > Finish
  4. Within the Console you will see 'Personal'. Right click > All Tasks > Import. Follow the wizard to import the certificate. The certificate vendor may also have provided instructions on how to install the certificate. Simply ensure the certificate is saved under the Personal Store of the Computer account.

Configuring MailSite

In the MailSite console under Security > Security Properties > TLS, you can turn on TLS for the various services. Note that TLS isn't port specific. SSL is port specific. You will need to open the ports at your firewall.

Verifying TLS

Once the certificate has been installed and you have restarted the servers, you can once again telnet to your server on port 25. Then issue the EHLO command. You should see '250-STARTTLS' in the response. This is a sign that the server was able to find the certificate and will accept TLS connections. If you do NOT see STARTTLS, then this suggests MailSite was not able to find the certificate. An example response to the EHLO command is:

250-rockliffe.com
250-SIZE 20000000
250-ETRN
250-ENHANCEDSTATUSCODES
250-X-IMS 3 3
250-DSN
250-VRFY
250-AUTH LOGIN NTLM SCRAM-MD5 CRAM-MD5
250-AUTH=LOGIN
250-X-AVU 1267633208
250-STARTTLS
250 8BITMIME
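
The telnet checks above can be scripted. The following is an added example, not MailSite or Rockliffe code: it reads the HostName from the 220 greeting, looks for STARTTLS in the EHLO reply, and, when run live, upgrades the connection and validates the certificate against the banner hostname. All function names and the client name `probe.example` are assumptions of this example.

```python
import io
import socket
import ssl

# Sample capture built from the article's greeting and an abridged copy of its EHLO reply.
SAMPLE = (b"220 mail.rockliffe.com MailSite ESMTP Receiver Version 9.2.0.1 Ready\r\n"
          b"250-rockliffe.com\r\n250-SIZE 20000000\r\n250-STARTTLS\r\n250 8BITMIME\r\n")

def read_reply(rfile):
    """Read one SMTP reply: 'NNN-text' lines continue, 'NNN text' ends it."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts

def banner_hostname(greeting):  # first word of the 220 greeting is the HostName
    return greeting[0].split()[0].lower()

def advertises_starttls(ehlo):  # ehlo[0] is the domain; keywords are case-insensitive
    return any(t.upper().split()[:1] == ["STARTTLS"] for t in ehlo[1:])

def cn_matches(cert_cn, hostname):  # exact match only: no wildcard support
    return "*" not in cert_cn and cert_cn.lower() == hostname.lower()

def analyse_capture(raw):  # offline: (hostname, starttls_offered) from captured bytes
    rfile = io.BytesIO(raw)
    name = banner_hostname(read_reply(rfile)[1])
    return name, advertises_starttls(read_reply(rfile)[1])

def probe(host, port=25, timeout=10):
    """Live check: returns (hostname, starttls_offered, certificate CN or None)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        name = banner_hostname(read_reply(rfile)[1])
        sock.sendall(b"EHLO probe.example\r\n")  # placeholder client name
        if not advertises_starttls(read_reply(rfile)[1]):
            return name, False, None
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(rfile)[0] != 220:
            return name, True, None
        ctx = ssl.create_default_context()  # untrusted certs raise SSLCertVerificationError
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return name, True, subject.get("commonName")
```

Call `probe("mail.server.com")` against your own server and pass the returned CN and hostname to `cn_matches`; a result of `(hostname, False, None)` corresponds to the missing-STARTTLS case described above.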

More information

A comprehensive guide is available via the following link: MailSite TLS SSL Guide

Last revised 2013-9-19
