SMTP and TLS

Our corporate SMTP server requires TLS1.2. I expected that all that would be required is to tick the TLS box for mail in Lucee Administrator. It didn’t work. As an interim solution I used the local Windows SMTP Service as a relay. On revisiting this, AI suggested adding the following Java Options to the Tomcat settings.

-Dmail.smtp.ssl.protocols=TLSv1.2
-Dmail.smtp.starttls.enable=true
-Dmail.smtp.starttls.required=true

The TLS box now works. Is this the correct procedure to get Lucee mail to use TLS1.2?

Lucee 6.2.2.91, Java 21.0.8, Tomcat 11.0.11, Windows 2022.


Thanks #watching thread

Yes, I think that is the correct way to get Lucee mail to use TLS 1.2.

The problem is that currently Lucee announces all the versions it supports. Given it’s 2025, I think we should consider not announcing versions less than 1.2 by default, and perhaps exposing the protocol via the SMTP settings.


Allow specifying tlsProtocol(s) in mail server definitions

https://luceeserver.atlassian.net/browse/LDEV-5892

default to only TLS v1.2 and newer for SMTP

https://luceeserver.atlassian.net/browse/LDEV-5893

Yes, adding those Java/Tomcat options is the right approach when your SMTP service provider requires TLS 1.2, since Lucee’s checkbox alone doesn’t always enforce the protocol version. If you’re looking to simplify this setup, switching to a dedicated SMTP service provider like DigitalAka™ can handle TLS negotiation automatically without manual JVM flags. That said, the fix you’ve applied is technically sound and a commonly recommended workaround until Lucee exposes protocol selection natively in its mail settings.

I have updated Lucee 6.2, 7.0 and 7.1 to respect the JVM-supported mail protocols (which skips the older deprecated ones). As long as you are using a recent JVM, it will now automatically default to TLS 1.2 and 1.3.

Existing overrides / workarounds still work.

https://luceeserver.atlassian.net/browse/LDEV-5893
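
An added example, not from any poster in this thread or from the Lucee project: a small check for the three JVM options discussed above, plus a probe that confirms outside Lucee that a relay negotiates TLS 1.2 or newer over STARTTLS. The function names are hypothetical, and it assumes the Tomcat Java Options are listed one per line.

```python
import smtplib
import ssl
import sys

MODERN = {"TLSv1.2", "TLSv1.3"}
REQUIRED_TRUE = ("mail.smtp.starttls.enable", "mail.smtp.starttls.required")

def audit_java_options(options: str) -> list[str]:
    """Return findings for the mail-related -D flags (assumed one option per line)."""
    props = {}
    for line in options.splitlines():
        line = line.strip()
        if line.startswith("-D") and "=" in line:
            key, value = line[2:].split("=", 1)
            props[key] = value.strip().strip('"')
    findings = []
    # mail.smtp.ssl.protocols is a whitespace-separated list of protocol names
    protocols = set(props.get("mail.smtp.ssl.protocols", "").split())
    if not protocols:
        findings.append("mail.smtp.ssl.protocols is not set")
    for legacy in sorted(protocols - MODERN):
        findings.append(f"legacy protocol enabled: {legacy}")
    for key in REQUIRED_TRUE:
        if props.get(key, "").lower() != "true":
            findings.append(f"{key} is not true")
    return findings

def tls12_context() -> ssl.SSLContext:
    """Client context that verifies the certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def probe_starttls(host: str, port: int = 587, timeout: float = 10) -> str:
    """Return the negotiated protocol (e.g. 'TLSv1.3'); raise if STARTTLS is unavailable."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=tls12_context())  # handshake fails if only TLS < 1.2 is offered
        smtp.ehlo()
        return smtp.sock.version()

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_smtp_tls.py <smtp-host> [port]
    print(probe_starttls(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

A relay with a certificate issued by an internal CA will fail verification unless that CA is in the trust store Python uses.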