IBM Support

How to configure Domino for secure SMTP sessions using STARTTLS



How do you configure Lotus® Domino® for secure SMTP sessions using the STARTTLS extension?


To provide SSL security for SMTP transfers over TCP/IP, Domino supports the use of negotiated SSL. In a negotiated SSL scheme, the sending and receiving hosts each use the SMTP STARTTLS extension, defined in RFC 2487, to signal their readiness to negotiate an SSL connection. Both the sending and receiving server must possess SSL certificates for the transport-layer security (TLS) handshake to be successful.

To support STARTTLS for INBOUND SMTP sessions:

1. Enable the "SMTP Listener task" via the Server document (Basics tab).
2. Enable SMTP Inbound "TCP/IP port status" in the Server document (Ports -> Internet Ports -> Mail tab).

3. Set the "SSL Port Status" to "Disabled" in the Server document (Ports -> Internet Ports -> Mail tab)
4. Enable "SSL negotiated over TCP/IP port" in the Configuration document (Router/SMTP -> Advanced -> Commands and Extensions tab).
5. Restart the SMTP Listener task/=.

Note: Setting the SSL negotiated over TCP/IP port to required would force any sending server to use only TLS/SSL. It is suggested to set this setting to Enabled. This feature may not be enabled on sending servers and could result in a loss of incoming mail to your Domino server.


To support STARTTLS for OUTBOUND SMTP sessions:

1. Set Negotiated SSL for the SMTP Outbound "TCP/IP port status" in the Server document (Ports -> Internet Ports -> Mail tab).

2. Set the "SSL Port Status" field to "Disabled".

3. Restart the Router task.

Here is a sample of what you see in a debug outfile with SMTPDebugIO enabled (the STARTTLS is the secure session about to begin):


  • [06D8:0008-0324] R: STARTTLS
    03/18/2003 04:05:56.74 PM [06D8:0008-0324] SMTP CITask StateMachine> Sent 24 bytes to

    [06D8:0008-0324] S: 220 Ready to start TLS<CRLF>


Note: Some servers support SSL for SMTP communications by sending and receiving SMTP traffic through the SSL port (port 465 by default) only. However, because this requires that both the sending and receiving servers support SMTP over SSL, this solution isn't always practical.

Also, Port 465 is no longer registered as SMTP-SSL. It has been deprecated in favor of TLS/SSL over port 25. For more information see:

For information on configuring SSL with a third-party Certificate Authority, refer to the technote "How to set up SSL using a third-party Certificate Authority (CA)".

For information on configuring SSL with Domino as the Certificate Authority, refer to the technote "Quick guide to setting up SSL using Domino as the Certificate Authority".

Additional information regarding SSL, TLS, and STARTTLS can be found in the Admin Help along with RFC 2487.


Document information

More support for: IBM Domino

Component: SMTP / MIME, ">More...

Software version: 7.0, 8.0, 8.5

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1108352

Modified date: 07 September 2018

Translate this page: