configuring Exchange 2003 SMTP virtual server to accept mail from mail clients on port 587 with SSL

I've got a 2003 SBS box.  Exchange is on it, and it runs fine - though I have a consultant who needs/wants to access her mail via POP3 and send via SMTP.  I've got a standard/turbo SSL certificate from godaddy, which works fine for everything I need it to.

Setting up POP3 to require SSL is easy.

But now, I want to configure the mail server to accept mail from mail clients (Outlook, Outlook Express, Eudora, etc) over port 587 and require a secure channel.  

I understand that I start by creating a new SMTP virtual server in ESM.  Easy.  For the IP address of this virtual server, I set it as "all unassigned."  After creating it, I got into the new virtual server's properties and change the TCP port to 587.  Then I go to the Access tab and choose certificate and select my godaddy SSL certificate.

And I can click communication on the access tab and choose "require secure channel."

When trying to send an email from outside the LAN to that server over port 587 with SSL, I get this error:

The connection to the server has failed. Account: '', Server: '', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Socket Error: 10060, Error Number: 0x800CCC0E


In the SMTP Virtual Server Properties go to Access > Authentication > Allow anonymous access (don't worry, this isn't the same as anonymous relay)

Tick Basic authentication

Default domain = your domain

Tick Integrated Windows authentication

Click Users > Ensure authenticated users are allowed Submit permission & Relay permission
dmessmanAuthor Commented:
This ensures that users must authenticate - but the text password info is still sent in clear text.  That's why I want to require that the connection use SSL.
Sorry yeah, ignore that part, the important part was the latter. Ensuring authenticated users are allowed Submit permission & Relay permission

Alan HardistyCo-OwnerCommented:
Silly question - have you opened up port 587 on your firewall to forward to the Exchange server?
If you have, have you tested using telnet to your mail server from outside on port 587?
Syntax - telnet 587
dmessmanAuthor Commented:
Not a silly question apparently.  Due to some stupidity on my part, there was an issue.  I had allowed port 587 through my firewall, but my new SMTP virtual server for port 587 was stopped.

Anyway, that is now up and running.  I can telnet to the server on port 587.  And in Outlook Express, messages successfully leave the outbox and seem to successfully send.

However, looking at the queue on my SBS box, I see the messages stuck in the queue.  The remote server says "the connection was dropped by the remote host"

I wonder if my local server is trying to communicate with the remote server via port 587?  Or is there some kind of certificate or security issue between the two servers?  Below is a screenshot of the queue and my port 587 setup.

Alan HardistyCo-OwnerCommented:
Check your domain for Reverse DNS on
If there is no reverse DNS setup - call your ISP and ask them to set it up on your IP Address.
dmessmanAuthor Commented:
yes, I have reverse DNS setup.  I am able to send to these addresses under normal circumstances (not this port 587 business)
Alan HardistyCo-OwnerCommented:
Can you please test your domain on and perform a domain report.
Report back any Fails or Warnings please.
Alternatively - please let me know your domain so that I can check it for you.
dmessmanAuthor Commented:
domain is

if you'd like to run the test, thanks
Alan HardistyCo-OwnerCommented:
Your 3 MX records are:

30 [TTL=21600] IP= [TTL=21600] [US]
10 [TTL=21600] IP= [TTL=21600] [US]
20 [TTL=21600] IP= [TTL=21600] [US]
3 Problems:
ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries/* (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough)*/. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool on our site if you recently changed your reverse DNS entry (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are: [Timeout (check it)]
Setup RDNS on IP
WARNING: I could not complete a connection to 66% of your mailservers. This could lead to a performance issue in your reception of mail: Timed out [Last data sent: [Did not connect]] Timed out [Last data sent: [Did not connect]]
2 of your mailservers are down - non contactable on port 25 (not an issue if you are using port 587 as the test does not test port 587)
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record. claims to be host [but that host is at (may be cached), not].
Change your FQDN name to be in the default SMTP Virtual Server Properties (Delivery Tab - Advanced Button)

dmessmanAuthor Commented:
All changes made as requested.

I have sent a test message from this account using Outlook Express over port 587 with SSL to another Exchange server that I control.  The email sits in the queue of the local server.  The remote server doesn't seem to receive the email (at least not that I can tell in message tracking center).  

The local server still says "the connection was dropped by the remote host"

Alan HardistyCo-OwnerCommented:
Can you test the connection from a DOS prompt to the server you just emailed and report back with the rejection message please. 
dmessmanAuthor Commented:
ok - so it works now.  Dammit.

Here's basically what I did - for those who follow these steps.  I did this on an SBS 2003 box.

Right click on SMTP and choose new SMTP Virtual Server
Name it 587, for IP address "all unassigned" is fine and say YES
Right click on 587 and choose properties
Click advanced, click edit
change the TCP port to 587
Click OK
Go to the access tab
Click certificate and choose your certificate (ideally you've already added a third party cert)
Click Communication and choose "require secure channel"

Click delivery and click advanced, make sure the FQDN matches the FQDN of your certificate

Click OK
Right click on 587 and choose START

Make sure your firewall allows port 587 incoming

And that should be it.
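An added verification script, not posted by anyone in this thread and not part of Exchange or SBS: it checks the two things the domain report above flagged (greeting hostname resolving back to the server, a PTR record for its IP) and the last item in the step list (the FQDN on the Delivery tab matching the name on the certificate). The live `check_submission_endpoint` function assumes the virtual server expects STARTTLS on port 587 when "require secure channel" is set; the pure helper functions take their input as arguments so they can be exercised with constructed values. All hostnames and addresses are placeholders.

```python
"""Sanity-check an SMTP submission endpoint (port 587, TLS required).

Added example; hostnames/IPs below are placeholders, not values from the thread.
"""
import re
import smtplib
import socket
import ssl

# "220 host.example.com ..." or "220-host.example.com ..." (code, space or dash, hostname)
GREETING_RE = re.compile(r"^(\d{3})[ -](\S+)")


def parse_greeting(banner):
    """Return (code, hostname) from an SMTP greeting; ValueError if it is malformed."""
    m = GREETING_RE.match(banner.strip())
    if not m:
        raise ValueError("greeting is not '<3-digit code><space|dash><hostname>': %r" % banner)
    return int(m.group(1)), m.group(2)


def _name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label ('*.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # The wildcard may only replace one label, so the dot counts must agree.
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def cert_names(cert):
    """Collect the subject CN and any dNSName SANs from an ssl.getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def cert_matches_fqdn(cert, fqdn):
    """True if the FQDN the server greets with is covered by its certificate."""
    return any(_name_matches(n, fqdn) for n in cert_names(cert))


def check_greeting_against_dns(greeting_host, connected_ip,
                               resolve=socket.gethostbyname_ex,
                               reverse=socket.gethostbyaddr):
    """Findings for the two DNS-report items: A record of the greeting host and PTR of the IP.

    resolve/reverse are injectable so the logic can run without network access.
    """
    findings = []
    try:
        addrs = resolve(greeting_host)[2]
    except OSError:
        addrs = []
    if connected_ip not in addrs:
        findings.append("greeting host %s does not resolve to %s (A records: %s)"
                        % (greeting_host, connected_ip, addrs or "none"))
    try:
        reverse(connected_ip)
    except OSError:
        findings.append("no PTR record for %s" % connected_ip)
    return findings


def check_submission_endpoint(host, port=587, cafile=None):
    """Live check: greeting, EHLO, STARTTLS, certificate name, DNS consistency."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    smtp = smtplib.SMTP(timeout=15)
    try:
        code, banner = smtp.connect(host, port)
        _, greeting_host = parse_greeting("%d %s" % (code, banner.decode("ascii", "replace")))
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"greeting_host": greeting_host, "findings": ["server does not offer STARTTLS"]}
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        peer_ip = smtp.sock.getpeername()[0]
        findings = check_greeting_against_dns(greeting_host, peer_ip)
        if not cert_matches_fqdn(cert, greeting_host):
            findings.append("certificate names %s do not cover greeting host %s"
                            % (cert_names(cert), greeting_host))
        return {"greeting_host": greeting_host, "peer_ip": peer_ip, "findings": findings}
    finally:
        smtp.close()


if __name__ == "__main__":
    import json
    import sys
    # Usage: python check587.py mail.example.com [cafile]   (placeholder host)
    print(json.dumps(check_submission_endpoint(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None), indent=2))
```

An empty `findings` list means the greeting FQDN, the certificate and the DNS records all agree; each string in the list maps to one line of the domain report or to the FQDN step above, so it tells you which dialog to go back to.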