Share via


Requiring TLS Encryption

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can require that all clients use Transport Layer Security (TLS) encryption, a generic security protocol similar to Secure Sockets Layer (SSL), to connect to the default Simple Mail Transfer Protocol (SMTP) virtual server. This option secures the connection, but it is not used for authentication.

When requiring Basic authentication on your virtual servers, it is strongly recommended that you also use TLS encryption. Without encryption, user names and passwords can be easily intercepted.

To use TLS encryption for the virtual server, you must create key pairs and configure key certificates. Clients can then use TLS to encrypt the session with the SMTP service, therefore, all messages sent. The SMTP service can also use TLS to encrypt sessions with remote servers.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc".

Procedures

To create and manage key certificates

  1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.

  2. Click the Access tab, and under Secure communication, click Certificate to set up new key certificates and manage installed key certificates for the SMTP virtual server.

Key pairs consist of a number of bits that indicate the key's security level. You can strengthen security by increasing the encryption level from 40 bits (the default) to 128 bits. The greater the number of bits, the more difficult the item is to decrypt. Users attempting to secure access must use the same encryption level that you set or messages will be returned with a non-delivery report (NDR).

To set TLS encryption levels for the server

  1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.

  2. Click the Access tab, and under Access control, click Authentication.

  3. Click Basic authentication.

  4. Select the Require TLS encryption check box.

Note

There are two additional TLS options available. To use TLS for all outgoing connections, click Outbound Security on the Delivery tab, and then click TLS encryption. Also, if a server you commonly connect to requires the use of TLS for all incoming connections, you can create a remote domain and click TLS encryption when creating the domain.