Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3767
  • Last Modified:

Require TLS Encryption Option Greyed Out of IIS 6 SMTP Relay Outbound Security Interface

Hello,

I’m trying to enable TLS authentication on an IIS 6 SMTP relay virtual host, without success.  Although I’ve installed a self-signed cert, the option to “Require TLS Encryption” is greyed out.


To review, here are the steps I took.


1.)      Using IIS 7, I created a self-signed cert
2.)      I exported this cert to a folder on the server
3.)      I imported the cert into the Personal Cert store
4.)      I then tried to fully enable TLS but, the option to “Require TLS Encryption” is greyed out, suggesting the cert is either incorrectly formed, or, the virtual relay host does not see it.



Visuals of the steps I took...


Step One. Create Self-signed Cert via IIS 7 Manager

create self signed cert windows 2008
 

Step Two. Export the cert

export the certificate
 

Step Three. Import the Cert into the Personal Certificate Store

import the cert
 

Step Four. Secure IIS SMTP Virtual Host Using TLS

Require TLS option greyed out
0
drmonoe
Asked:
drmonoe
  • 6
  • 6
1 Solution
 
Chris HIT DirectorCommented:
Quote from here:

http://forums.iis.net/t/1155280.aspx/1

'When the IIS6 SMTP Server module looks for a certificate to use for TLS encryption, it seems checks the 'Local_Machine\my' store. I'm not sure where the OpenSSL certificate was placed by the system, but if it's not in the Personal certificates section, then the SMTP server won't be able to find it, and will therefore provide the error listed here.'
1
 
drmonoeAuthor Commented:
Yes, I found that during my Google searches but it wasn't immediately helpful.


So I suppose the next question is: how does Local Machine/My Store correspond to a drive location? Or does this refer to the HKLM reg hive?

I'll take a look in the reg to see if it reveals a location.
0
 
Chris HIT DirectorCommented:
It refers to the certificate store.  You need to click start, type mmc , push enter.

file, add/remove snap-in.

add certificates

local computer

then look at picture as to what it's referencing.  (local machine should be local computer)

My store is personal
Untitled.png
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
drmonoeAuthor Commented:
Yes, overnight I reached that conclusion and added the cert to the correct store.

Cert Store
Unfortunately, this hasn't made the TLS encryption option available.  I've also tried resetting the virtual SMTP host individually and even an iisreset with no success.
0
 
Chris HIT DirectorCommented:
Investigate the registry keys this article says to disable TLS in IIS.  I'm wondering if an admin before you disabled.

http://support.microsoft.com/kb/187498
0
 
Chris HIT DirectorCommented:
Also, maybe unrelated/non-correlated (but I've seen MS do worse).  Check your ie options listed here:

http://superuser.com/questions/342148/why-are-some-use-tls-and-use-ssl-options-turned-off
0
 
drmonoeAuthor Commented:
Hmmm, interesting.


I'll check those out and get back to you.  Thanks for the leads.
0
 
drmonoeAuthor Commented:
Unfortunately, none of those steps applied to this situation.  Truly a mystery as to why IIS is failing to see the cert (which seems to be properly installed and verified).
0
 
Chris HIT DirectorCommented:
Lol, it's not expired is it?  (had to ask)
0
 
drmonoeAuthor Commented:
Ha! That's a fair question (crossing all the T's, etc).

I'm sure the cert is still valid.  It was only issued a few days ago and expires a year from now.  Also, I confirmed it using a tool named SSLDiag.

Oh and I successfully used it to secure the default website with SSL.

So aside from the SMTP relay, all else seems good.
0
 
drmonoeAuthor Commented:
Yup, I verified that too.  

The cert's subject name definitely matches the virtual server's FQDN.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now