How to enable TLS for SMTP in IIS6 on Windows Server 2012 R2


From https://forums.iis.net/t/1155280.aspx

When the IIS6 SMTP Server module looks for a certificate to use for TLS encryption, it seems to check the 'Local_Machine\my' store. I'm not sure where the OpenSSL certificate was placed by the system, but if it's not in the Personal certificates section, then the SMTP server won't be able to find it, and will therefore provide the error listed here.

If you have IIS7 installed on this server, the easiest way to go about securing this would be to select the 'Server' node in the IIS7 manager, select 'Certificates', and 'Create a self-signed certificate...' This will place a copy of the certificate in both the 'Local_Machine\my' store, as well as the Trusted Roots store.

I ran through a quick test of this: clearing out the Personal store provided the error mentioned above, but reloading the 'Properties' of the SMTP server after creating the self-signed certificate through IIS showed the certificate present, and allowed it to be secured.

Hope this helps!

Note: To check what's in a given certificate store, load up MMC (mmc.exe in the 'Run' box), under 'File', select 'Add/Remove Snap-in'. Under the snap-in list, select 'Certificates', and then choose Local Machine. Once back at the MMC listing, under certificates, you can check 'Personal\Certificates' to see its content.
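The MMC check in the note above can also be scripted. The following PowerShell is an added example, not part of the quoted forum answer: it lists every certificate in the Local Machine Personal store and flags entries that cannot act as a TLS server certificate. The criteria it applies (private key present, not a CA certificate, within its validity period, Server Authentication usage) are general TLS server certificate requirements, assumed here rather than taken from the answer.

```powershell
# Added example: audit the Local Machine Personal store (Cert:\LocalMachine\My,
# the 'Local_Machine\my' store named above) for usable TLS server certificates.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Look extensions up by OID: 2.5.29.19 = Basic Constraints, 2.5.29.37 = EKU
    $basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $eku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }

    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $problems = @()
    # An intermediate or root CA certificate in this store has no private key
    # on the server and cannot be presented as the server's own certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($basic -and $basic.CertificateAuthority) { $problems += 'CA certificate' }
    if ($cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($cert.NotAfter -lt $now) { $problems += 'expired' }
    # A certificate without an EKU extension is not restricted to particular usages
    if ($eku -and ($ekuOids -notcontains $serverAuthOid)) {
        $problems += 'no Server Authentication EKU'
    }

    [pscustomobject]@{
        Subject    = $cert.GetNameInfo('SimpleName', $false)
        DnsName    = $cert.GetNameInfo('DnsName', $false)
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

An empty table means the Personal store holds no certificates at all, which is the state the answer's test reproduced by clearing the store.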


Author: Lory Lory

Updated on September 18, 2022

Comments

  • Lory Lory
    Lory Lory over 1 year

    I correctly bought an SSL certificate for my domain www.omniservice2.it from Aruba Business on my server with Windows Server 2012 R2.

    I correctly installed the certificate in IIS 8 on every site and web application and in fact each of them is correctly reachable from https.

    Now, I need to set up the same for my SMTP server in IIS 6. The SMTP works fine with Basic Authentication but obviously I want the credentials to be encrypted. So, I activated the flag "Requires TLS Encryption" in Tab Access under its properties.

    Moreover, in the root console I did the following to check that the certificate is installed in the Personal store (otherwise IIS 6 won't detect it, as the documentation says): File --> Add/Remove snap-in --> Select Certificates --> Computer account --> Local computer --> OK. Under Console Root I see Certificates (Local Computer) --> Personal --> Certificate, in which there is correctly the RapidSSL SHA256 CA I bought, with the correct expiration date.

    The problem is that in the "Secure Communication" section I still read "TLS is not available without a certificate". Where else am I supposed to install that certificate so that IIS 6 detects it?