Topic Last Modified: 2007-07-12

This topic explains how to install a server certificate to provide Transport Layer Security (TLS) encryption for the Windows Server 2008 SMTP Server feature. You can require that all clients use TLS encryption to connect to a Simple Mail Transfer Protocol (SMTP) virtual server. TLS is a protocol that provides communications privacy and security between two applications communicating over a network. TLS encrypts communications and enables clients to authenticate servers and, optionally, servers to authenticate clients. TLS is a more secure version of the Secure Sockets Layer (SSL) protocol.

To use TLS encryption for the SMTP virtual server, a certificate must be present in the trusted certificate store for the Windows Server 2008 computer that is running the SMTP Server feature. The certificate must be issued to the fully qualified domain name (FQDN) for the computer. A certificate that is issued to an IP address or host name cannot be used to provide TLS encryption for SMTP Server communications. By default, the Windows certification authority (CA) issues a certificate that uses 128-bit encryption. Clients that connect must also be able to support 128-bit encryption or messages will be returned with a non-delivery report (NDR).

Use one of the following procedures to install a server certificate. If you have an online CA, such as a Windows Server 2008 enterprise CA, the certificate is issued immediately. If you have an offline CA, such as a Windows Server 2008 stand-alone CA or a third-party CA, you must request the certificate and then install the certificate file. You can create a self-signed certificate for SMTP over TLS transactions if the server with which you are communicating does not require CA verification. If CA verification is required, use of a self-signed certificate will cause TLS negotiation to fail.

Procedure

To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an online CA

  1. Click Start, click Run, type MMC in the Open text field, and then press Enter. A default Microsoft Management Console (MMC) opens.

  2. Click the File menu, and then click Add/Remove Snap-in.

  3. Select Certificates from the Available snap-ins menu, and then click Add>. On the Certificates snap-in dialog box, select Computer account, and then click Finish. Click OK.

  4. Expand Certificates (Local Computer). Select Personal. Right-click, and then select All Tasks and Request New Certificate. The Certificate Enrollment wizard starts.

  5. On the Before You Begin page, click Next.

  6. On the Request Certificates page, select the box next to Computer. Click the double chevron icon next to Details, and then select Properties.

  7. On the General tab, type a friendly name and description for the certificate.

  8. On the Subject tab, in the Subject name section, use the Type drop-down menu to select Common name. In the Value field, type the FQDN of the server. Click Add>. In the Alternative name section, use the Type drop-down menu to select DNS. In the Value field, type the FQDN of the server. Click Add>.

  9. On the Extensions tab, click the double chevron icon next to Extended Key Usage (application policies). Verify that Server Authentication is a selected option.

  10. On the Certification Authority tab, select the CA that will issue the certificate.

  11. Click OK to save all changes and close Certificate Properties.

  12. Click Enroll on the Request Certificates dialog box. Click Finish to close the Certificate Enrollment wizard.

To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an offline CA

  1. Click Start, click Administrative Tools, and select Internet Information Services (IIS) Manager to open the IIS 7.0 Manager.

  2. Select the server node.

  3. In the Features pane, select Server Certificates. In the Actions pane, select Open Feature.

  4. In the Actions pane, select Create Certificate Request. The Certificate Request wizard starts.

  5. On the Distinguished Name Properties page, complete all fields, and then click Next.

  6. On the Cryptographic Service Provider Properties page, verify that Microsoft RSA SChannel Cryptographic Provider is selected and that Bit Length is set to 1024. Click Next.

  7. On the File Name page, locate where you want to save the file, and provide a name for the file. The file will have a .txt extension. Click Finish.

  8. Submit the file to your CA. When the administrator has issued the certificate, a file that has the .cer extension is returned to you.

  9. In IIS Manager, select the server node. In the Features pane, select Server Certificates. In the Actions pane, select Complete Certificate Request.

  10. On the Specify Certificate Authority Response page, type the file path and name of the *.cer file or browse to the file location, select the file, and then click Open. Click OK to install the certificate.

To create and install a self-signed server certificate to provide TLS encryption for all SMTP virtual server communication

  1. Click Start, click Run, type cmd in the Open text field, and then press Enter. A command shell window opens.

  2. Type the following command, replacing ServerName with the FQDN of the server (a certificate issued to a host name or IP address cannot be used for SMTP Server TLS), and then press Enter.

    makecert -r -pe -n "CN=ServerName" -sky exchange -ss my -sr LocalMachine
    
    Note:
    For more information about the makecert.exe program, at a command prompt, type makecert -? to view basic options or makecert -! to view extended options.

To verify that the certificate is installed correctly and recognized by the SMTP virtual server

  1. Click Start, click Administrative Tools, and select Internet Information Services (IIS) 6.0 Manager to open the IIS 6.0 Manager.

  2. Select an SMTP virtual server, right-click, and select Properties.

  3. In the SMTP virtual server properties, select the Access tab. If the certificate is installed correctly, in the Secure Communications section, the message A TLS certificate is found with expiration date: MM/DD/YYYY appears and the Require TLS encryption check box is available.
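The IIS 6.0 Manager check above only reports whether a TLS certificate was found and when it expires. The following script is an added example, not code from the original topic, that inspects the Local Computer Personal store directly and reports on each requirement this topic states: the subject must be the FQDN of the server, the private key must be present, the certificate must be within its validity period, and Server Authentication must be an allowed Extended Key Usage. It also reports whether the FQDN appears as a DNS alternative name (which the online-CA procedure adds) and whether the certificate is self-signed, since a peer that requires CA verification will fail TLS negotiation against one. It assumes Windows PowerShell 2.0 or later, an elevated prompt, and an English Windows locale (the "DNS Name=" text comes from the extension formatter); the function name Test-SmtpTlsCertificate and its Fqdn parameter are this example's own choices.

```powershell
# Added example, not code from the original topic. Checks whether a certificate in
# Cert:\LocalMachine\My meets the requirements listed for SMTP over TLS.
# Assumes Windows PowerShell 2.0 or later, an elevated prompt and an English locale.
# The function name and its parameter are this example's own choices.

function Test-SmtpTlsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Fqdn    # name the SMTP virtual server answers as, e.g. mail.contoso.com
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication (Extended Key Usage)
    $now = Get-Date
    $results = @()

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # The subject CN must be the FQDN itself; a short host name or an IP address is rejected.
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn -ne $Fqdn) { continue }

        $problems = @()

        # Without the private key the server cannot complete the TLS handshake.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }

        # Validity window; IIS 6.0 Manager shows only the expiration date.
        if ($cert.NotBefore -gt $now) { $problems += ('not valid before ' + $cert.NotBefore) }
        if ($cert.NotAfter  -lt $now) { $problems += ('expired on ' + $cert.NotAfter) }

        # Extended Key Usage: when the extension is present it must include Server
        # Authentication. A certificate with no EKU extension (as makecert -r produces
        # without -eku) is unrestricted and is accepted.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku) {
            $hasServerAuth = $false
            foreach ($oid in $eku.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
            if (-not $hasServerAuth) { $problems += 'EKU does not include Server Authentication' }
        }

        # Subject Alternative Name: report whether the FQDN is listed as a DNS name.
        # The offline-CA and makecert procedures do not add one, so this is advisory.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanHasFqdn = $false
        if ($san) {
            $pattern = 'DNS Name=' + [regex]::Escape($Fqdn) + '(\r|\n|$)'
            $sanHasFqdn = [bool]($san.Format($true) -match $pattern)
        }

        $r = New-Object PSObject
        $r | Add-Member NoteProperty Thumbprint  $cert.Thumbprint
        $r | Add-Member NoteProperty Subject     $cert.Subject
        $r | Add-Member NoteProperty Issuer      $cert.Issuer
        $r | Add-Member NoteProperty SelfSigned  ($cert.Subject -eq $cert.Issuer)
        $r | Add-Member NoteProperty NotAfter    $cert.NotAfter
        $r | Add-Member NoteProperty SanHasFqdn  $sanHasFqdn
        $r | Add-Member NoteProperty Usable      ($problems.Count -eq 0)
        $r | Add-Member NoteProperty Problems    ($problems -join '; ')
        $results += $r
    }

    if ($results.Count -eq 0) {
        Write-Warning "No certificate in Cert:\LocalMachine\My has subject CN=$Fqdn"
    }
    $results
}

# Usage: replace the constructed sample name with the FQDN of this server.
Test-SmtpTlsCertificate -Fqdn 'mail.contoso.com' | Format-List
```

If the script lists a certificate with Usable set to True but IIS 6.0 Manager still does not show "A TLS certificate is found", the usual cause is that the name typed as the FQDN differs from the name the SMTP virtual server uses; compare the Subject line in the output with the FQDN shown in the virtual server's Delivery settings. A SelfSigned value of True is expected after the makecert procedure and only matters when the remote server requires CA verification.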