Using an SMTP Server with SSL


Overview

First, if you are not sure that Secure Sockets Layer (SSL) is to blame, work through the general debugging steps for outgoing mail problems. If your mail server's certificate is self-signed, see the instructions for using self-signed certificates.

For more information about using an SMTP server with SSL, browse through the following sections in this article.

Information

How SSL works over SMTP

There are two ways to do SMTP over SSL: Explicit and Implicit. (What is actually negotiated today is TLS, the successor of SSL; this article and the FogBugz "Use SSL" checkbox keep the older name.)

  • Explicit means you connect to a normal SMTP port (usually 25 or 587) in plaintext, exchange the greeting and EHLO in the clear, then issue the STARTTLS command (RFC 3207) to switch the same connection to SSL. Only the traffic after that switch is encrypted.
  • Implicit means you connect to a port that expects everything to be SSL from the first byte (usually 465). There is no plaintext greeting: the server waits for the TLS handshake, so a plain telnet session to such a port simply hangs.

In FogBugz, Explicit SSL is supported automatically if you check the "Use SSL" box in Site Settings. This means that connecting to servers like Gmail is much easier: just put in the server and port, and check the box.

If the server only supports Implicit SSL, you still have to put Stunnel in front of it, which is a bit more complicated. For more info, see this MSDN article.

Setting up SSL in FogBugz

  • Determine if the server supports Explicit SSL

    1. Telnet to the server at port 25 (or whatever the normal SMTP port is): e.g. from the command line, telnet testmail.hq.fogcreek.com 25. A server on a normal port answers immediately with a plaintext greeting starting with 220; if nothing appears, you are probably on an Implicit SSL port.
      • If you are on Windows and get a message saying that the command is not found, the Telnet Client is not installed. It is an optional Windows feature (Control Panel > Programs > Turn Windows features on or off); or search for "enable telnet" together with your Windows version.
    2. Type ehlo test and hit enter. If Explicit SSL is supported, one of the 250- lines in the reply is 250-STARTTLS.
    3. Type starttls and hit enter. You should see "220 2.0.0 Ready to start TLS" (that exact wording is Postfix's; any 220 reply means the server is ready). Telnet cannot continue past this point because the TLS handshake starts, so close the session. To check the handshake and the certificate as well, use an SSL-aware client such as openssl s_client in its STARTTLS-for-SMTP mode instead of telnet.
  • If the server supports Explicit SSL

    1. In FogBugz, go to Admin > Site.
    2. Set the SMTP server and port (using the normal, non-SSL port, probably either 25 or 587).
    3. Check the Use SSL box.
  • If the server only supports Implicit SSL

    1. Set up Stunnel in client mode, so that it accepts plaintext from FogBugz on a local port and opens the SSL connection to the mail server. Use these lines in your config:

       [SMTP FogBugz]
       client = yes
       accept = 127.0.0.1:1099
       connect = [smtp server]:[smtp port - usually 465]

       client = yes is required: Stunnel defaults to server mode, in which it would wait for SSL from FogBugz instead of speaking SSL to the mail server. Binding accept to 127.0.0.1 rather than the bare port keeps the unencrypted local leg off the network. Also note that Stunnel does not verify the server's certificate unless you add the verify and CAfile options, so with only these lines the certificate check that FogBugz performs in the Explicit case is skipped.
    2. Verify that Stunnel is working using telnet:
      • From a command line, run telnet localhost 1099. You should see something like “220 [smtp-server]”.
      • In telnet, type starttls. You should see something like “554 5.5.1 Error: TLS already active”.
    3. In FogBugz, go to Admin > Site.
    4. Set the SMTP server to localhost and the port to 1099.
    5. Uncheck the Use SSL box.
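The two checks above (does the server answer in plaintext and advertise STARTTLS, or does it expect SSL from the first byte) can be automated. The following script is an added example written for this article, not FogBugz or Stunnel code: it probes a server with Python's smtplib, verifying the certificate the way FogBugz would, and returns the Admin > Site values and, for an Implicit-only server, a Stunnel service block. The host names and the CA file path in it are placeholders, and the extra Stunnel options (client, verify, CAfile, checkHost) go beyond the two lines the article shows.

```python
"""Probe an SMTP server for explicit (STARTTLS) or implicit (port 465) SSL
and derive the matching FogBugz and Stunnel settings.

Added example, not FogBugz or Stunnel code. Host names and the CA file
path are placeholders (assumptions); "SSL" here means TLS."""
import smtplib
import ssl

# Constructed sample of an EHLO reply, as it appears in a telnet session.
# The first line is the server's name; STARTTLS among the 250- lines is
# what shows that explicit SSL is supported.
SAMPLE_EHLO = (
    "250-testmail.hq.fogcreek.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> set:
    """Extension keywords advertised in a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    exts = set()
    for ln in lines[1:]:            # skip the server-name line
        words = ln[4:].split()      # drop "250-" or "250 "
        if words:
            exts.add(words[0].upper())
    return exts


def stunnel_config(host: str, port: int = 465, local_port: int = 1099,
                   ca_file: str = "C:\\stunnel\\ca-bundle.pem") -> str:
    """Stunnel service block for an implicit-only server.

    Beyond the two lines in the article: client = yes makes Stunnel the TLS
    client (its default is server mode, which cannot work here); binding
    accept to 127.0.0.1 keeps the plaintext leg off the network; verify = 2
    plus CAfile checks the server certificate, which Stunnel skips by
    default; checkHost (Stunnel 5 and later) also checks the host name.
    ca_file is an assumed path.
    """
    return (
        "[SMTP FogBugz]\n"
        "client = yes\n"
        f"accept = 127.0.0.1:{local_port}\n"
        f"connect = {host}:{port}\n"
        "verify = 2\n"
        f"CAfile = {ca_file}\n"
        f"checkHost = {host}\n"
    )


def fogbugz_settings(mode: str, host: str, port: int, local_port: int = 1099) -> dict:
    """Admin > Site values that match the server's mode."""
    if mode == "explicit":
        return {"smtp_server": host, "smtp_port": port, "use_ssl": True}
    if mode == "implicit":
        # FogBugz talks plaintext to Stunnel; Stunnel carries SSL to the server.
        return {"smtp_server": "localhost", "smtp_port": local_port,
                "use_ssl": False, "stunnel": stunnel_config(host, port, local_port)}
    raise ValueError(f"unsupported mode: {mode}")


def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Classify a live server; the default context verifies chain and host name."""
    ctx = ssl.create_default_context()
    try:  # explicit: plaintext 220 greeting, EHLO must list STARTTLS
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            if not s.has_extn("starttls"):
                return {"mode": "plaintext-only"}
            try:
                s.starttls(context=ctx)   # server answers "220 ... Ready to start TLS"
                s.ehlo()                  # RFC 3207: repeat EHLO after the upgrade
            except ssl.SSLCertVerificationError as e:
                return {"mode": "explicit", "certificate_error": str(e)}
            return {"mode": "explicit", **fogbugz_settings("explicit", host, port)}
    except (smtplib.SMTPException, OSError):
        pass  # no plaintext greeting arrived: probably an implicit-only port
    try:  # implicit: TLS handshake first, the 220 greeting arrives inside it
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
    except ssl.SSLCertVerificationError as e:
        return {"mode": "implicit", "certificate_error": str(e)}
    except (smtplib.SMTPException, OSError) as e:
        return {"mode": "unreachable", "error": str(e)}
    return {"mode": "implicit", **fogbugz_settings("implicit", host, port)}


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. smtp.gmail.com 587
    print(probe(host, port))
```

Run it as python probe_smtp.py smtp.gmail.com 587. A certificate_error in the result means the mode was detected but the certificate failed the same validation FogBugz applies, which is the case the Troubleshooting section covers.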

Certificate Problems

If FogBugz gives you an error about your certificate when setting up SMTP, or in site diagnostics on the mail sending step, see this guide for using self-signed certificates.

Troubleshooting

Error: The remote certificate is invalid according to the validation procedure.

Solution 1: Check that the host name you are connecting to is the one the certificate was issued for (for example, testmail.hq.fogcreek.com is actually an alias for geniusfc1.hq.fogcreek.com, and the certificate names the latter). Use the server address the certificate was issued to rather than an alias. Do not work around the error by turning certificate validation off; that leaves the connection open to anyone who can sit between FogBugz and the mail server.

Solution 2: The certificate is self-signed, so it does not chain to any trusted root. Add it to the "Trusted Root Certification Authorities" store on the machine running FogBugz, which is where the validation happens. Before importing, compare the certificate's thumbprint with the one your mail administrator gives you: importing whatever the connection presents, without checking it, is no better than disabling validation.

  1. Get the certificate file.  You can probably do this with openssl, but I used IE7:
    1. Open https://[smtp server]:[port] in the browser. This only works for an Implicit SSL port (for example 465); on a STARTTLS port the browser never gets past the plaintext greeting, so get the certificate with openssl in that case.
    2. Click the SSL icon and select View Certificate.
    3. Select Details > Copy to File.
    4. Select .P7B format (Cryptographic Message Syntax Standard) and select "Include all certificates in the certification path if possible".
    5. Save it somewhere.
  2. Import the certificate file.
    1. Run Start > Run > MMC.
    2. Go to File > Add/Remove Snap-in.
    3. Go to Add... > Certificates.
    4. Select Computer Account, then Local Computer.
    5. Expand Certificates, then right-click Trusted Root Certification Authorities > All Tasks > Import.
    6. Select your certificate file.
    7. Verify that it is in the list under "Trusted Root Certification Authorities", and that the "Advanced..." tab indicates that it is valid for "Secure Email".
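The script below ties the two solutions together and does the certificate export that the openssl route would. It is an added example, not FogBugz code; it reuses the article's host names only as illustration, and the output file name is an assumption. It first performs the same validation FogBugz does (chain plus host name). If that fails it classifies the OpenSSL verify message as a name mismatch (Solution 1) or a trust problem (Solution 2), exports the certificate as a Base64 .cer that the MMC import wizard or a Stunnel CAfile option accepts, and then re-verifies trusting only that file so it can read the names the certificate carries and whether it is self-signed.

```python
"""Diagnose "The remote certificate is invalid according to the validation
procedure" for an SMTP server and export the certificate to a file the MMC
import wizard (or a Stunnel CAfile option) accepts.

Added example, not FogBugz code. The article's host names are reused as
illustration only; the output path is an assumption."""
import smtplib
import ssl

# Constructed peer certificate in the shape ssl.getpeercert() returns,
# modelling the article's case: self-signed, issued to geniusfc1, while
# FogBugz was pointed at the testmail alias.
SAMPLE_CERT = {
    "subject": ((("commonName", "geniusfc1.hq.fogcreek.com"),),),
    "issuer": ((("commonName", "geniusfc1.hq.fogcreek.com"),),),
    "subjectAltName": (("DNS", "geniusfc1.hq.fogcreek.com"),
                       ("DNS", "*.mail.hq.fogcreek.com")),
}


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Simplified RFC 6125 match (exact, or a wildcard covering one left-most
    label); the authoritative check is the one OpenSSL does in diagnose()."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                      # ".mail.hq.fogcreek.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def classify_verify_message(msg: str) -> str:
    """Map OpenSSL's verify text (SSLCertVerificationError.verify_message)
    to the article's two solutions."""
    m = msg.lower()
    if "hostname mismatch" in m:
        return "name-mismatch"      # Solution 1: use the name on the certificate
    if "self-signed" in m or "self signed" in m:
        return "self-signed"        # Solution 2: import it as a trusted root
    if "unable to get local issuer" in m:
        return "untrusted-issuer"   # Solution 2, but import the issuing CA, not the leaf
    return "other"


def _connect(host, port, starttls, ctx, timeout=10.0):
    """SMTP session whose socket is TLS-wrapped with ctx (explicit or implicit)."""
    if starttls:
        s = smtplib.SMTP(host, port, timeout=timeout)
        s.ehlo()
        s.starttls(context=ctx)
        return s
    return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)


def diagnose(host: str, port: int, starttls: bool, pem_path: str) -> dict:
    """Run the validation FogBugz performs; on failure export the certificate
    and report which names it carries and whether it is self-signed."""
    try:
        with _connect(host, port, starttls, ssl.create_default_context()) as s:
            return {"status": "ok", "names": cert_names(s.sock.getpeercert())}
    except ssl.SSLCertVerificationError as e:
        problem = classify_verify_message(getattr(e, "verify_message", str(e)))
    # Unverified fetch, only to export the bytes: getpeercert() returns an
    # empty dict when nothing was verified, so ask for the DER form.
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with _connect(host, port, starttls, unverified) as s:
        der = s.sock.getpeercert(binary_form=True)
    with open(pem_path, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))   # Base64 .cer, importable via MMC
    # Re-verify trusting only that file (enough for a self-signed leaf), with
    # host-name checking off, so the parsed certificate becomes readable.
    pinned = ssl.create_default_context(cafile=pem_path)
    pinned.check_hostname = False
    with _connect(host, port, starttls, pinned) as s:
        cert = s.sock.getpeercert()
    return {"status": problem, "names": cert_names(cert),
            "host_matches": hostname_matches(cert, host),
            "self_signed": cert.get("issuer") == cert.get("subject"),
            "exported": pem_path}


if __name__ == "__main__":
    # Assumed: STARTTLS on 587; use port 465 and starttls=False for Implicit SSL.
    print(diagnose("testmail.hq.fogcreek.com", 587, True, "smtp-server.cer"))
```

If the result says host_matches is False, fix the server address in Admin > Site rather than importing anything (Solution 1). If it says self_signed is True and the names include the address you use, check the exported file's thumbprint with the mail administrator and then import it as described above (Solution 2). An untrusted-issuer status means the server's certificate was signed by a CA the FogBugz machine does not know; in that case import the issuing CA's certificate, not the server's own.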