Topic Last Modified: 2007-05-16

You can require that all clients use Transport Layer Security (TLS) encryption, a generic security protocol similar to Secure Sockets Layer (SSL), to connect to a Simple Mail Transfer Protocol (SMTP) virtual server. This option helps secure the connection. However, it is not used for authentication.

When you require Basic authentication on your virtual servers, we strongly recommend that you also use TLS encryption. Without encryption, user names and passwords can be easily intercepted.

To use TLS encryption for the SMTP virtual server, an existing certificate must be present in the trusted certificate store for the Windows Server 2008 computer that is running the SMTP Server feature. The certificate must be issued to the fully qualified domain name (FQDN) for the computer. A certificate that is issued to an IP address or host name cannot be used to provide TLS encryption for SMTP Server communications. By default, the Windows certification authority issues a certificate that uses 128-bit encryption. Clients that connect must also be able to support 128-bit encryption or messages will be returned with a non-delivery report (NDR).

The following procedure enables TLS encryption for all client sessions with the SMTP virtual server and for all sessions with remote servers.


To require TLS encryption for all SMTP virtual server communication

  1. In Microsoft Management Console, select the SMTP virtual server, and then click Properties on the Action menu.

  2. On the Access tab, under Secure communication, select the Require TLS encryption check box.

Two additional TLS options are available. To use TLS for all outgoing connections, click Outbound Security on the Delivery tab, and then click TLS encryption. Also, if a server to which you typically connect requires that you use TLS for all incoming connections, you can create a remote domain, click Outbound Security on the remote domain properties General tab, and then select TLS encryption.