Overview
GFI MailEssentials supports both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) SMTP servers; both are widely used encryption protocols for secure email messaging.
As SSLv3 is vulnerable and not secure to use, it is recommended to enable TLS configuration on your Windows Server 2008 R2 and Internet Information Service (IIS) 7.5.
Important Note: If you are unsure about safely performing the steps in this article, always make a backup before making any changes, or reach out to GFI support for more help.
Solution
MailEssentials supports TLS/SSL SMTP servers. The encryption, however, takes place between SMTP servers and is handled outside MailEssentials by the IIS SMTP service (SMTPSVC), the built-in SMTP server available on Windows Server platforms.
By the time an email is scanned by MailEssentials, it looks no different from any other unencrypted email; hence the TLS settings are not configured within MailEssentials but in IIS.
Follow these steps to enable TLS on your IIS server:
- Take a backup of the registry before making any changes.
- Enable TLS 1.2 on Windows by manually updating the registry:
  - Open the registry on the server by running regedit in the Run window.
  - Navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  - Add the TLS 1.1 and TLS 1.2 keys under Protocols:
    - Right-click Protocols and select New > Key.
    - Name the key TLS 1.1.
    - Similarly, create another key with the name TLS 1.2.
  - Create two keys, Client and Server, under both TLS keys.
  - Create the following DWORD (32-bit) values under each Server and Client key:
    DisabledByDefault [Value = 0]
    Enabled [Value = 1]
- Disable older TLS and SSL versions:
  - Open the registry on your server by running regedit in the Run window.
  - Navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  - Change the DWORD values under Server and Client under the TLS 1.0, SSL 3.0, and older SSL version keys to:
    DisabledByDefault [Value = 0]
    Enabled [Value = 0]
- Reboot the server.
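The same SCHANNEL changes, scripted in PowerShell as an added example (not GFI's attached REG files or any code from this article). It assumes an elevated prompt on the server, that the SSL 2.0, SSL 3.0 and TLS 1.0 key names are the "older" versions the steps refer to, and that you have already backed up the registry; the read-back loop at the end lets you confirm every Client and Server value before rebooting.

```powershell
# Added example: apply the SCHANNEL protocol settings from the steps above and read them back.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols to enable (DisabledByDefault=0, Enabled=1) and to turn off (Enabled=0).
$enable  = @('TLS 1.1', 'TLS 1.2')
$disable = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')   # assumed names for the "older" keys

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Enabled,
        [Parameter(Mandatory=$true)][int]$DisabledByDefault
    )
    # Both roles matter: Server covers inbound SMTP, Client covers outbound delivery.
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path (Join-Path $base $Name) $side
        # Creates the protocol key and the Client/Server subkey if they do not exist yet.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Enabled' -Value $Enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value $DisabledByDefault `
            -PropertyType DWord -Force | Out-Null
    }
}

foreach ($p in $enable)  { Set-SchannelProtocol -Name $p -Enabled 1 -DisabledByDefault 0 }
# The article keeps DisabledByDefault=0 on the old versions; Enabled=0 is what disables them.
foreach ($p in $disable) { Set-SchannelProtocol -Name $p -Enabled 0 -DisabledByDefault 0 }

# Read back every protocol key so the result can be verified before the reboot.
Get-ChildItem $base | ForEach-Object {
    $proto = $_.PSChildName
    foreach ($side in 'Client', 'Server') {
        $k = Join-Path $_.PSPath $side
        if (Test-Path $k) {
            $v = Get-ItemProperty -Path $k
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $v.Enabled, $v.DisabledByDefault
        }
    }
}
```

The settings only take effect after the reboot in the last step, so run the read-back loop again afterwards if you want a second confirmation.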
Testing
Verify that your server now supports the TLS 1.2 protocol by following these steps:
- Click the Windows button on the lower left-hand corner of your Desktop.
- Type "Internet Options" and select Internet Options from the list.
- Click on the Advanced tab and from there scroll down to the very bottom. Confirm that TLS 1.2 is checked. If it is not, please check the box adjacent to Use TLS 1.2 and then Apply.
You may also refer to this 3rd party online check to validate the SMTP TLS configuration: CheckTLS.com
Additional Information
REG files to automate the process are attached as downloadable files.
Priyanka Bhotika