SSL for Exchange 2003 SMTP
I have a number of clients on Small Business Server 2003, which includes Exchange Server 2003. A few of them have AT&T as their ISP.
In an effort to avoid losing email send abilities due to temporarily getting block-listed for a spambot, I would like to hand off email delivery to AT&T instead of delivering it directly (yes, we will still clean up the spambots). AT&T requires SSL; Microsoft does not seem to support it until Exchange 2007.
I have found references to STunnel as a possible work-around, but it looks like the tunnel has to stay up permanently?
Has someone used STunnel successfully in an Exchange 2003/AT&T environment and is willing to share the recipe?
Does someone know of a better solution using Exchange 2003 and AT&T?
We had the same problem here in Germany recently, as all the ISPs are now requiring SSL connections from the beginning of next year (2014).
For us the following workaround has worked:
We are running a Microsoft Small Business Server 2003 (which includes Exchange). Since the Exchange 2003 Server does not support SSL encryption natively, we had to install stunnel (free download from http://www.stunnel.org) and configure the Exchange Server to send outgoing mail to stunnel rather than directly to the ISP. stunnel then encrypts the email with SSL and passes it on to the ISP.
This is what we did:
- stunnel
The software needs to be configured to listen on a (free) port different from the standard port 25 (as port 25 is still needed for the Exchange Server to accept emails). In this example we are using port 259. Furthermore, stunnel needs to know to which ISP and port the emails have to be passed on after encryption. To provide this information, the file "stunnel.conf" has to be customized using an editor (e.g. Notepad). Here are the contents of the customized file (where [yourisp:port] has to be replaced by the fully qualified domain name and port specified by your ISP for SMTP connections):
; Global options
; Debugging (activate for troubleshooting)
; debug = 7
; output = stunnel.log
; Service defaults
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Show stunnel icon on taskbar
taskbar = yes
; Service definitions (accepting emails from Exchange 2003
; and passing them on to the ISP)
[SSLsmtp]
client = yes
accept = 127.0.0.1:259
connect = [yourisp:port]
; example: connect = smtp.live.com:587
protocol = smtp
- Exchange Server 2003
The Exchange Server 2003 then has to be configured to send all outgoing email to stunnel on port 259 rather than to your ISP. This requires modifications in two places:
a) Internet Mail SMTP-Connector
In the tree of the Exchange System Manager navigate to "Administrative Groups", "[First] Administrative Group", "Routing Groups", "[First] Routing Group", "Connectors", "Internet Mail SMTP Connector". Open the properties of the Internet Mail SMTP Connector. On the "General" tab under "Forward all mail through this connector to the following smart hosts" specify "[127.0.0.1]" instead of the address of your ISP. Make sure to include the square brackets, as Exchange requires them to accept an IP address as the destination.
b) Default SMTP Virtual Server
In the tree of the Exchange System Manager navigate to "Administrative Groups", "[First] Administrative Group", "Servers", "[Name of your Server]", "Protocols", "SMTP", "Default SMTP Virtual Server". Open the properties of the Default SMTP Virtual Server and go to the "Delivery" tab. Click on "Outbound connections". Under "TCP port" specify port 259 instead of port 25.
Make sure to start the stunnel service and to set the stunnel service to start automatically at system startup, so that stunnel is also active after a reboot.
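The stunnel.conf above is easy to get subtly wrong (an accept line without the 127.0.0.1 prefix binds all interfaces, so any host on the LAN could relay through your ISP account; the [yourisp:port] placeholder left in place; protocol = smtp set or missing for the wrong port). The following is an added example, not part of the answer above: a small Python parser for stunnel's ini-style file plus a sanity check for this SMTP client tunnel. The sample configuration and the host smtp.example.net are constructed for the example.

```python
import re

# Constructed sample mirroring the answer's stunnel.conf, placeholder filled in.
SAMPLE_CONF = """\
; Global options
options = NO_SSLv2
taskbar = yes
[SSLsmtp]
client = yes
accept = 127.0.0.1:259
connect = smtp.example.net:587
protocol = smtp
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf into {section: [(key, value), ...]}; global options go under ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)  # [name] opens a service section
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_stunnel_conf(text):
    """Return findings for an Exchange-to-ISP client tunnel; an empty list means it looks sane."""
    conf = parse_stunnel_conf(text)
    services = {name: dict(kv) for name, kv in conf.items() if name}
    if not services:
        return ["no service section defined"]
    findings = []
    for name, svc in services.items():
        if svc.get("client") != "yes":
            findings.append(f"{name}: 'client = yes' missing; stunnel would act as a TLS server")
        accept = svc.get("accept", "")
        a_host, _, a_port = accept.rpartition(":")
        if a_host not in ("127.0.0.1", "localhost"):
            findings.append(f"{name}: accept {accept!r} is not loopback-only; LAN hosts could relay via the ISP")
        if a_port == "25":
            findings.append(f"{name}: accept port 25 collides with the Exchange SMTP listener")
        connect = svc.get("connect", "")
        if not connect or "[" in connect:
            findings.append(f"{name}: connect is still the [yourisp:port] placeholder")
        c_port = connect.rpartition(":")[2]
        if c_port == "587" and svc.get("protocol") != "smtp":
            findings.append(f"{name}: port 587 needs 'protocol = smtp' so stunnel issues STARTTLS")
        if c_port == "465" and "protocol" in svc:
            findings.append(f"{name}: port 465 is implicit TLS; drop 'protocol = smtp'")
    return findings
```

Run it against the real file with `check_stunnel_conf(open("stunnel.conf").read())` before starting the service; a non-empty list names what to fix.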
I am not sure about the AT&T bit, but I know Exchange 2003 supports SSL. See the section "To Configure Encryption" in KB 823019.