BizTalk 2016 SMTP/POP3 with TLS 1.2

  • Question

  • Is there any way to make BizTalk 2016 use TLS 1.2 with the SMTP and POP3 adapters?

    SMTP


    The SMTP adapter only seems to support:

    • Basic authentication (everything is sent in clear text)
    • Process account (NTLM)

    Sure, you can add a certificate, but this is quite a bit more complex (and inflexible) compared to TLS, and the partner I need to send messages to requires (at least) TLS version 1.2 in explicit mode: the transfer needs to start with the STARTTLS command.

    Do I lack some piece of information? I looked at nSoftware’s “secure email adapter” and this did not mention TLS either:
    http://cdn.nsoftware.com/help/EAB/bt/Email_tx.htm


    POP3

    Here (at least) you have the possibility to use SSL, but SSL is something that most people stopped using four years ago.
    How do we implement TLS?

    Is WCF the only way to use TLS in BizTalk?


    • Edited by Jonas Grundén Thursday, January 18, 2018 11:52 AM added link
    Thursday, January 18, 2018 11:47 AM

Answers

  • The solution that now is working for me is by using Stunnel.

    Feature pack 2 was never an option since this would remove SSL completely from all non-WCF adapters.

    The installation of Stunnel is pretty straightforward; it will basically unzip the files to a directory and directly prompt you to generate a local self-signed certificate.

    Most likely you won’t need this certificate, so nothing goes wrong if you’re a little bit unspecific with the values entered.

    In the Stunnel subdirectory config you find the file stunnel.conf, and this is where you will add your configuration:

    Under global options I added the following:

    ; **************************************************************************
    ; * Global options                                                         *
    ; **************************************************************************

    ; Debugging stuff (may be useful for troubleshooting)
    cert = stunnel.pem
    debug = 7 <- adds extra logging
    output = stunnel.log
    log = append
    client = yes

    Under the Service definitions you add entries that act as a local proxy.

    Say for example that the SMTP and POP3 servers require TLS 1.2. We want to use the following servers:
    SMTP: smtp.jonas.production.com (port 587)
    POP3: pop.jonas.production.com (port 110)

    SMTP

    [my-smtp.production] <- just a name that makes it easier to interpret the logs
    client = yes
    accept = 127.0.0.1:20025 <- the local port that listens when you send your email
    connect = smtp.jonas.production.com:587 <- the port which your email is redirected to; before the actual mail transfer, the TLS handshake will be performed by Stunnel
    protocol = smtp

    When Stunnel is started, this means that any connection made to localhost on port 20025 will be mapped to smtp.jonas.production.com:587.

    To make this a little bit less confusing for the next person (who does not know about Stunnel) I don’t address the SMTP server as 127.0.0.1:20025 in BizTalk. I added an entry in my local hosts file:

    C:\Windows\System32\drivers\etc\hosts

    The entry I added was:

    127.0.0.1 localhost_stunnel_hostfile

    BizTalk SMTP configuration

    POP3

    For POP I want to connect to pop.jonas.production.com with port 110 so I add the following in my Stunnel config:

    [my-pop3-production]
    client = yes
    accept = 127.0.0.1:20110
    connect = pop.jonas.production.com:110
    protocol = pop3

    BizTalk POP3 configuration

    Start Stunnel

    I added Stunnel’s bin directory to the PATH environment variable but I don’t think it’s necessary.

    1. Open an elevated Command Prompt
    2. Navigate to Stunnel’s bin directory (unless you added it to %PATH%)
    3. First we need to install Stunnel as a Service, so enter:
       stunnel -install
       and click OK (Stunnel will be visible as a regular service; run
       services.msc and see).
    4. Next type:
       stunnel -start
       and click OK
    5. Next you can type:
       stunnel -options
       which will open a Stunnel window which basically is the log file, so you can see what happens.

    With the Stunnel window open I frequently experienced that choosing Edit Configuration on the Configuration menu failed, but if I chose Reload Configuration, then I would be able to choose Edit Configuration afterwards.

    Whenever you want you can stop the service with:
    stunnel -stop

    or uninstall the service by:
    stunnel -uninstall

    Since I am using unprivileged ports in this example, I also ran into some problems with ports already being assigned to something else, but I assume there should be no problem using ports <1024 to avoid these problems.

    Friday, March 23, 2018 1:12 PM
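A small config linter, added here as an example (not code from the post or from the stunnel project), that parses the service sections above as INI and reports what they leave at stunnel defaults: no minimum TLS version and no verification of the partner's certificate. The option names it looks for (sslVersionMin or sslVersion, verifyChain, CAfile, checkHost) are assumed stunnel 5.x names that the post does not mention, and ca-certs.pem is a placeholder file name.

```python
"""Lint stunnel client sections for the TLS settings a BizTalk SMTP/POP3 proxy
should carry.  Added example, not the post's or stunnel's own code."""
import configparser
from typing import Dict, List

# Constructed sample: the SMTP service section from the post, as written there.
SAMPLE_CONF = """
[my-smtp.production]
client = yes
accept = 127.0.0.1:20025
connect = smtp.jonas.production.com:587
protocol = smtp
"""

# The same section with the options the linter asks for (assumed stunnel 5.x option
# names; ca-certs.pem is a placeholder for a bundle holding the partner's CA).
HARDENED_SMTP = """
[my-smtp.production]
client = yes
accept = 127.0.0.1:20025
connect = smtp.jonas.production.com:587
protocol = smtp
sslVersionMin = TLSv1.2
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.jonas.production.com
"""

def parse_services(text: str) -> Dict[str, Dict[str, str]]:
    # stunnel.conf is INI-like; options before the first [section] are global, so
    # they are parked under a synthetic [global] that the linter then skips.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("[global]\n" + text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s != "global"}

def lint_service(o: Dict[str, str]) -> List[str]:
    issues = []  # configparser lower-cases option names; values keep their case
    if o.get("client", "no").lower() != "yes":
        issues.append("not in client mode, so stunnel will not initiate TLS")
    if o.get("accept", "").split(":")[0] not in ("127.0.0.1", "localhost", "::1"):
        issues.append("accept is not loopback; the BizTalk-to-stunnel leg is plaintext")
    if (o.get("sslversionmin") or o.get("sslversion")) not in ("TLSv1.2", "TLSv1.3"):
        issues.append("no sslVersionMin/sslVersion = TLSv1.2; older TLS may be negotiated")
    if o.get("verifychain", "no").lower() != "yes" or "cafile" not in o:
        issues.append("server certificate not verified (needs verifyChain = yes and CAfile)")
    if "checkhost" not in o:
        issues.append("no checkHost; certificate is not matched against the connect host")
    return issues

def lint(text: str) -> Dict[str, List[str]]:
    return {name: lint_service(opts) for name, opts in parse_services(text).items()}
```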

All replies

  • I see now that the feature pack 2 might contain exactly what is needed.
    Thursday, January 18, 2018 12:31 PM
  • But useful only if all the systems BizTalk connects to support TLS 1.2.

    From the page you linked to

    • Any external systems communicating with BizTalk also need to support TLS 1.2

    We've had to write an Endpoint Behaviour to selectively use TLS 1.1 or 1.2 for certain WCF ports in BizTalk 2013 R2.

    Thursday, January 18, 2018 9:11 PM
  • But useful only if all the systems BizTalk connects to support TLS 1.2.

    From the page you linked to

    • Any external systems communicating with BizTalk also need to support TLS 1.2

    We've had to write an Endpoint Behaviour to selectively use TLS 1.1 or 1.2 for certain WCF ports in BizTalk 2013 R2.

    Thanks for the response!

    Does "all systems" mean all systems using the specific adapter/protocol, or does it mean "all systems using any adapter/protocol"?

    I can accept if SSL is replaced by TLS in all SMTP/POP3 connections, but if your post means that all connections with all adapters (WCF, FTP, etc) will be affected, it's quite different.

    It's "great" that you're able to change WCF ports with Endpoint Behaviours, but these do not exist for all adapters; so the impact might just be too big if the update means that all current usage of SSL will be replaced by TLS after installation of the feature pack.

    Tuesday, January 23, 2018 10:02 AM
  • I have not tried it yet, nor seen any articles from anyone who has, but I would think it would only affect those currently using SSL. Let us know if you do try it and what the results are; I'm sure there will be a lot of people interested in the outcome.

    Yes, I'm aware that not all adaptors can have end point behaviours, I wrote about that as part of my article about BizTalk SSO & SSO Affiliate Settings

    Tuesday, January 23, 2018 8:02 PM