Does LISTSERV support secure SMTP transactions with TLS?


Not directly.  LISTSERV itself has no internal support for TLS (Transport Layer Security).  This is primarily because LISTSERV itself is not an SMTP server.


It is possible to use an SMTP server external to LISTSERV to provide TLS for both inbound and outbound mail.  In this scenario, the mail flow looks like this:



The SMTP server with TLS can be any SMTP server anywhere in your organization that can handle the TLS handshake and encryption, but which also can be configured to send mail to LISTSERV and accept mail from LISTSERV without TLS.  Typically, if your SMTP server is capable of "opportunistic" TLS, this will not be a problem.  "Opportunistic" TLS simply means that if TLS is available, the server will use it, otherwise, it will send the mail without it.

Unix

Under Unix, in most cases this is the configuration you will have anyway (even if it does not currently include TLS).  Typically a Unix LISTSERV machine uses a local Postfix or Sendmail server to handle both inbound and outbound mail.  The local SMTP server then "pipelines" LISTSERV's inbound mail directly into LISTSERV's spool via the lsv_amin mailer utility, and LISTSERV connects to the SMTP port on the local machine to send its outbound mail.  Under Unix, the only thing you should have to do in order to place LISTSERV behind TLS is to enable opportunistic TLS for your SMTP server's inbound and outbound mail.

Windows

Under Windows, the situation is a little different, as LISTSERV's SMTP "Listener" service (SMTPL.EXE) does accept mail via SMTP, but does not do TLS (and cannot be used for LISTSERV's outbound mail in any case).  To provide inbound and outbound SMTP TLS under Windows, it is generally recommended that an SMTP server be installed on the LISTSERV machine (this can be something like the IIS SMTP service) and configured appropriately.  Inbound mail to LISTSERV would have to be redirected to a non-standard port (as only one SMTP service may bind to the SMTP port), and LISTSERV's SMTPL.EXE "Listener" service configured to listen on that non-standard port.  IIS SMTP is then configured to negotiate opportunistic TLS with external hosts.  A white paper describing how this is done can be obtained here.  The white paper is somewhat outdated, but the instructions have not changed for newer versions of IIS SMTP.  If you have questions regarding this setup, please contact L-Soft Support.


(Note that both of these descriptions are simplistic in that they do not address cases where LISTSERV is set to use multiple outbound SMTP servers for its outbound traffic, but all that needs to happen in that case is that all of those outbound SMTP servers need to be set to use opportunistic TLS, or they must at minimum be set to accept non-TLS SMTP connections from the LISTSERV server.)


At this time, the use of opportunistic TLS rather than forced TLS is strongly recommended, since not all organizations have implemented SMTP TLS and many may never do so.  It is, of course, up to your organization as to how you wish to handle this; if forced TLS is a requirement of your industry, then you will have to accept the fact that you may lose some mail, depending on whether or not the remote server is configured to handle TLS.  At any rate, you will not be able to use forced TLS to communicate with LISTSERV, because LISTSERV does not speak TLS.
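As an added illustration of the Unix setup, the multiple-outbound-server note and the opportunistic-versus-forced trade-off above, here is a Postfix main.cf fragment (example configuration written for this page, not L-Soft's own documentation). The certificate paths, CA bundle path and the partner domain are assumed placeholders.

```conf
# Added example, not L-Soft's own configuration: Postfix main.cf fragment for
# the Unix layout described on this page. Certificate paths and the partner
# domain below are assumed placeholders.

# Inbound (smtpd): advertise STARTTLS to remote senders. "may" is opportunistic,
# so a sender that does not do TLS, and LISTSERV itself connecting on
# localhost, are still accepted in plaintext.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/listserv.example.org.crt
smtpd_tls_key_file = /etc/postfix/tls/listserv.example.org.key
# Record the negotiated protocol and cipher in the Received: header so TLS
# use can be verified per message.
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# Outbound (smtp): use STARTTLS when the remote MX offers it, otherwise
# deliver in plaintext rather than bounce. Every outbound relay LISTSERV is
# pointed at needs this same "may" setting so it still accepts LISTSERV's
# plaintext connection.
smtp_tls_security_level = may
# CA bundle used to verify remote certificates when a stricter level is
# chosen per destination (path varies by distribution).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Optional: require TLS only toward partners known to support it and keep
# "may" for everyone else. Contents of /etc/postfix/tls_policy (build the
# lookup table with "postmap /etc/postfix/tls_policy"):
#   partner.example.net    encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Do NOT set smtp_tls_security_level = encrypt globally: that is forced TLS,
# and mail to any MX without STARTTLS is deferred and eventually bounced.
# Likewise do NOT set smtpd_tls_security_level = encrypt on port 25: LISTSERV
# cannot do TLS and would no longer be able to hand its mail to this server.
```

Confirm the active values with `postconf -n | grep -i tls`, and send a test message through the list to check that the Received: header written by this server carries the TLS clause for remote hops.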