Connecting to a TLS-enabled mail server in ColdFusion
One of the nifty conveniences of ColdFusion is its built-in ability to communicate with other systems in a variety of Internet protocols, including mail protocols like POP and SMTP. In general, setting up ColdFusion to work with a mail server is a simple affair:
- Log into the ColdFusion Administrator.
- Click the Mail entry under Server Settings.
- Fill out the form with the name or IP address of your mail server.
- Change the SMTP port, if appropriate.
- Click Submit.
For years, setting up a mail server in CF worked pretty much like this. More recently, though, mail servers have started to widely adopt encryption technology, reverse DNS checking, and other measures designed to enhance security and combat spam. This change of affairs has forced companies like Adobe to add features to their products to support these new technologies. In the case of mail connections with ColdFusion, the current solution works but is not always easy to implement.
At Emergent Path, we recently added a publicly signed SSL certificate to our mail server to enable encryption for all mail traffic. Immediately, we noticed that our corporate web site (and yes, this blog) could not send email out because the ColdFusion server could not talk to the mail server.
After some research and a quick check around the CF/Java blogosphere, I got an opinion from Jeff Smallwood that I should try importing the mail server cert into ColdFusion to see if that would resolve the issue. Importing a cert into the keystore in ColdFusion's JVM isn't that difficult, but it is the sort of exacting task that is easy to get wrong, especially if you have not done it before. For a couple of threads on that topic, check Terry Ryan's blog entry on importing certs with the keytool.
I imported the cert and restarted ColdFusion, but the system would still not connect to our mail server. Hmm.
Next, I dropped to the command line on the CF server to try and debug the connection to the mail server that way.
telnet mailserver.emergentpath.com 25
Service not available (-37)
connection closed by foreign host
A search for the error condition along with the name of our mail server (XMail), yielded this thread about DNS checking on the XMail Forum. Ah, now I was getting somewhere. The mail server is set up to run reverse DNS checks on all peers, and it couldn't verify the identity of the CF server, so it would not accept the connection. A quick trip to the console of the internal DNS server to add the internal IP address mapping of the server to its hostname fixed that problem, and I was ready to test again, but I still got an error.
A little further searching about ColdFusion and TLS mail settings led me to a blog post from TACFUG about connecting to GMail from ColdFusion. I copied the settings, changed the appropriate bits for my server, and the system was finally able to communicate.
The lesson to take away from our experience is how many variables there are now in connecting to a mail server. If you are trying to connect to a similarly locked down mail server from your CF server, remember all the security measures mail administrators put in place to block bad traffic, and account for all the possible sources of connection failures. I would also recommend a conversation ahead of time with your mail server administrator and internal DNS administrator. Researching the issues ahead of time could save you a whole lot of trouble later on.
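As an added example (not from the original post or from Adobe), here is a pre-flight script that checks the three failure sources the story above ran into, in order: reverse DNS for the CF host, a real SMTP STARTTLS handshake against the mail server, and the import of the server cert into the JVM keystore ColdFusion uses. The hostnames, the cacerts path and the stock "changeit" keystore password are assumptions; dig, openssl and keytool are assumed to be on the path.

```shell
#!/bin/sh
# Added pre-flight checks for a ColdFusion host that must reach a STARTTLS mail
# server with reverse-DNS checking. All names below are placeholders.
MAIL_HOST="${MAIL_HOST:-mailserver.example.com}"
MAIL_PORT="${MAIL_PORT:-25}"
CF_CACERTS="${CF_CACERTS:-/opt/coldfusion/jre/lib/security/cacerts}"
CF_IP="${CF_IP:-$(hostname -i 2>/dev/null | awk '{print $1}')}"
PEM="${TMPDIR:-/tmp}/mailserver.pem"

# Pure check, testable offline: the PTR name for the CF host's IP must exist and
# resolve forward to that same IP, which is what a reverse-DNS-checking MTA asks.
rdns_consistent() {  # $1 = IP, $2 = PTR name, $3 = A record of the PTR name
  [ -n "$2" ] && [ "$1" = "$3" ]
}

check_rdns() {
  ptr=$(dig +short -x "$CF_IP" | head -n1 | sed 's/\.$//')
  fwd=$([ -n "$ptr" ] && dig +short "$ptr" A | head -n1)
  if rdns_consistent "$CF_IP" "$ptr" "$fwd"; then
    echo "OK   reverse DNS: $CF_IP -> $ptr -> $fwd"
  else
    echo "FAIL reverse DNS: $CF_IP -> '${ptr:-none}' -> '${fwd:-none}'"; return 1
  fi
}

# Speak SMTP first and upgrade with STARTTLS, as a mail client does; a raw
# telnet to port 25 never exercises the TLS layer at all.
fetch_mail_cert() {
  openssl s_client -starttls smtp -connect "$MAIL_HOST:$MAIL_PORT" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM > "$PEM"
}

# Verifies the chain against the system CA bundle, not the JVM's keystore.
check_handshake() {
  openssl s_client -starttls smtp -connect "$MAIL_HOST:$MAIL_PORT" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Import into the keystore of the JVM that actually runs ColdFusion. "changeit"
# is the stock keytool password; use the real one if it has been changed.
import_mail_cert() {
  keytool -importcert -noprompt -alias mailserver -file "$PEM" \
    -keystore "$CF_CACERTS" -storepass changeit
}

if [ "${1:-}" = "run" ]; then   # network steps only when invoked as: sh cfmail-check.sh run
  check_rdns
  fetch_mail_cert && check_handshake && echo "OK   STARTTLS handshake verified"
fi
```

After a successful import, ColdFusion still has to be restarted for the JVM to pick up the new keystore entry, as in the post.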
UPDATE: Jared Rypa-Hauer brought to my attention an add-on tool for CF Admin that enables you to work with the CF keystore in the Admin rather than on the command line. The tool is an open source project on RIAForge called CertMan.
