Securing an SMTP Virtual Server with TLS

Although SSL and TLS are most popularly used with websites, the nature of TLS allows it to be used to secure many other protocols as well. The Microsoft SMTP server supplied with Windows Server operating systems has supported TLS for many years now.

TLS can be used to secure inbound and outbound traffic separately. Its encryption is especially valuable when users are required to authenticate with Basic authentication, because without TLS their credentials would cross the network or Internet in cleartext.

Securing connections using TLS requires a suitable server authentication certificate to be installed on the local IIS 8.0 machine. Generating a certificate request suitable for securing an SMTP virtual server is the same as generating a certificate suitable for securing a website, except that a self-signed certificate should not be used because e-mail clients typically do not have an option to present a prompt to the user about certificates issued by untrusted CAs.

Unlike HTTP/HTTPS, where SSL/TLS-secured communication uses a separate port (443), the Microsoft SMTP server requires only port 25 to be available. Clients issue the STARTTLS command to upgrade a plain port-25 connection into a TLS-secured session.
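The client side of the behaviour described above, as an added example that is not part of the book's text: the script parses an EHLO reply to confirm the server advertises STARTTLS, upgrades the port-25 connection with a context that rejects untrusted (including self-signed) certificates, and only then sends Basic/LOGIN credentials. The EHLO replies, host name and addresses are constructed sample values.

```python
import smtplib
import ssl

# Constructed EHLO replies, used only to exercise the parser offline.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello [203.0.113.5]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello [203.0.113.5]\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH LOGIN\r\n"
    "250 OK\r\n"
)


def ehlo_extensions(reply):
    """Return the uppercase extension keywords advertised in a raw EHLO reply.

    The first line is the server greeting; each later line is "250-KEYWORD ..."
    or, for the final one, "250 KEYWORD ...".
    """
    keywords = set()
    for line in reply.splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def advertises_starttls(reply):
    """True when the server offers the STARTTLS upgrade on the plain connection."""
    return "STARTTLS" in ehlo_extensions(reply)


def strict_tls_context():
    """Client context that refuses untrusted certificates and hostname mismatches.

    create_default_context() already sets CERT_REQUIRED and check_hostname=True,
    so a self-signed server certificate makes starttls() fail instead of silently
    proceeding; the minimum version is raised to TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_with_starttls(host, user, password, sender, recipients, message, port=25):
    """Connect on port 25, upgrade with STARTTLS, and authenticate only afterwards."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # smtplib's has_extn() reads the same EHLO keywords that ehlo_extensions() parses.
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS; refusing to send credentials")
        smtp.starttls(context=strict_tls_context())
        smtp.ehlo()  # the extension list must be re-read after the upgrade
        smtp.login(user, password)  # credentials now travel only inside TLS
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    print("sample server offers STARTTLS:", advertises_starttls(EHLO_WITH_STARTTLS))
    print("sample server without it:", advertises_starttls(EHLO_WITHOUT_STARTTLS))
```

The refusal in `send_with_starttls` is the point: a client that falls back to plaintext AUTH LOGIN when STARTTLS is missing hands its credentials to anyone on the path, which is the exposure the text warns about.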

After installing a suitable server authentication certificate, you should perform the following steps to secure transmissions:

Note
Managing SMTP virtual servers requires using the IIS ...
