SMTP sessions conducted over a standard TCP/IP channel are vulnerable to eavesdropping because the unencrypted transmission can be easily intercepted. To protect SMTP communications, servers can use Transport Layer Security (TLS) to provide privacy and authentication.
Some servers support TLS for SMTP communications by sending and receiving SMTP traffic through the TLS port (port 465 by default) only. However, because this requires that both the sending and receiving servers support SMTP over TLS, this solution isn't always practical.
To provide TLS security for SMTP transfers over TCP/IP, Domino® supports the use of negotiated TLS. In a negotiated TLS scheme, the sending and receiving hosts each use the SMTP STARTTLS extension, defined in RFC 2487, to signal their readiness to negotiate a TLS connection. The receiving server advertises the STARTTLS keyword in its response to the sending server's EHLO command, and the sending server then issues the STARTTLS command to request a secure connection. After the TLS handshake completes successfully, the two parties carry the rest of the session over the TLS channel between them. Both the sending and receiving servers must possess TLS certificates.
Supporting STARTTLS for outbound SMTP sessions
A Domino server configured to use negotiated TLS for outbound mail connects to the receiving server's SMTP TCP/IP port (port 25 by default). If the initial SMTP response from the receiving server indicates that it supports the STARTTLS extension, Domino issues the STARTTLS command to request the use of TLS to encrypt the rest of the session.
If the receiving server did not advertise support for STARTTLS in response to the Domino server's EHLO command, the sending Domino server continues with an unencrypted SMTP TCP/IP session.
To enable outbound STARTTLS support, set the SMTP outbound TCP/IP port status to Negotiated TLS.
Supporting STARTTLS for inbound SMTP sessions
You can configure Domino to support the STARTTLS command for inbound SMTP transactions. When a Domino SMTP server is set to use negotiated TLS for inbound sessions, the server advertises support for STARTTLS in response to EHLO commands the TCP/IP port receives from connecting hosts. A connecting host can then issue the STARTTLS command to request an encrypted session.
If Domino is configured to require STARTTLS for SMTP sessions over TCP/IP and a connecting host cannot meet this demand, no mail is sent over the connection.
To enable inbound STARTTLS support:
Enabling ESMTP support for negotiated TLS allows a server to accept requests to use TLS over TCP/IP from remote servers that connect anonymously. However, not all inbound connections are anonymous. A connecting SMTP server may be configured to send Domino a name and password by means of the ESMTP AUTH command.
To support connections from SMTP clients that send a name and password during a negotiated TLS session, set the value of the Name & password field for the SMTP inbound TLS port to Yes. You do not have to enable the TLS port. If the TLS port does not support name-and-password authentication, the Domino SMTP server rejects the AUTH command from the remote server and returns an error indicating that the command is not implemented.
Even though Domino receives the AUTH command over the TCP/IP port, Domino uses the TLS name-and-password authentication settings to determine whether to accept the AUTH request, because it receives the command in the context of a TLS session. The Name & password authentication setting for the TCP/IP port is ignored.
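The exchange described in the sections above, as an added example that is not Domino code or part of this page: a constructed in-memory simulation of a receiving server (inbound STARTTLS off, negotiated, or required, plus the TLS port's Name & password setting) and a sending server whose outbound port status is Negotiated TLS, showing the opportunistic upgrade, the plaintext fallback, the refusal when TLS is required but unavailable, and the AUTH decision. Hostnames and the in-memory transport are made up; the reply codes are the standard SMTP ones (assumed, not taken from the page).

```python
class InboundSmtp:
    """Receiving side. starttls is 'off', 'negotiated' or 'required';
    tls_name_password models the 'Name & password' field of the inbound TLS port."""
    def __init__(self, starttls="negotiated", tls_name_password=False):
        self.starttls = starttls
        self.tls_name_password = tls_name_password
        self.tls_active = False

    def handle(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            reply = ["250-mail.example.test Hello"]
            if self.starttls != "off" and not self.tls_active:
                reply.append("250-STARTTLS")  # advertise the extension
            return reply + ["250 AUTH PLAIN"]
        if verb == "STARTTLS":
            if self.starttls == "off":
                return ["502 Command not implemented"]
            self.tls_active = True  # TLS handshake assumed to succeed here
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            # Arrives on the TCP/IP port, but the TLS port's setting decides.
            if self.tls_active and self.tls_name_password:
                return ["235 Authentication successful"]
            return ["502 Command not implemented"]
        if verb == "MAIL":
            if self.starttls == "required" and not self.tls_active:
                return ["530 Must issue a STARTTLS command first"]
            return ["250 OK"]
        return ["500 Unrecognized command"]

def advertises_starttls(ehlo_reply):
    """True if any line of the EHLO reply is the STARTTLS capability line."""
    return any(l.strip().upper() in ("250-STARTTLS", "250 STARTTLS") for l in ehlo_reply)

def outbound_session(server, client_starttls=True):
    """Sending side with port status 'Negotiated TLS': upgrade if offered, else plaintext.
    Returns (tls_used, mail_accepted, transcript)."""
    log = []
    def send(cmd):
        reply = server.handle(cmd)
        log.append((cmd, reply))
        return reply
    tls_used = False
    reply = send("EHLO sender.example.test")
    if client_starttls and advertises_starttls(reply) and send("STARTTLS")[0][:3] == "220":
        tls_used = True
        send("EHLO sender.example.test")  # re-read capabilities after the handshake
    accepted = send("MAIL FROM:<user@sender.example.test>")[0][:3] == "250"
    return tls_used, accepted, log
```

`outbound_session(InboundSmtp("required"), client_starttls=False)` reproduces the case where a connecting host cannot meet the STARTTLS requirement and no mail is accepted.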