How SMTP over TLS Works
• SMTP servers may advertise the STARTTLS keyword in their EHLO response.
• A client that wants to use TLS issues the STARTTLS command.
• The server typically replies: 220 Ready to start TLS.
• The client and server then execute a TLS handshake as per the TLS protocol standards.
• Same network connection, no change of port.
• Unlike HTTPS, client authentication may be required at this time.
• If the handshake result is satisfactory to both sides, the SMTP session starts over under a TLS secured connection. Otherwise, either side may refuse to continue.
Setting up TLS
• A third party certificate needs to be imported
• The name in the certificate needs to be domain name for SMTP/TLS instead of an email address which is needed for S/MIME
• The Certificate request (CSR) can be generated from IIS
• Once the request complete the certificate needs to be exported as a key pair (public and private key) using PKCS#12 (.pfx or .p12) format and then import the key to the e-mail gateway or proxy device.
Posts
