Replying to a message from: Synametrics Support

James,

You are correct - it is NOT one stateful connection. They are two different connections.

One SSL certificate can be used on different servers, provided the host name matches. If you have a wildcard cert, that takes care of the host name problem as well. The reason we mention using "wildcard" is because the page assumes the certificate on your IIS is probably for www.yourdomain.com and the host name of your mail server will be something like mail.yourdomain.com. Bottom line: the same certificate you use on Exchange can be used in Xeams, provided the host name problem is solved.

If you shut down Exchange, the Proxy server in Xeams will also shut down. That is because as soon as an EHLO is sent from CheckTLS, Xeams will try to open another socket to Exchange. If that second socket cannot be opened, Xeams will display an error complaining that the server is temporarily unavailable. This does NOT mean TLS is not working. TLS starts AFTER the EHLO command. If EHLO fails, no TLS will ever occur.

I think you are confusing SSL with STARTTLS. The port for SSL is typically 465. Any communication on this port will be 100% encrypted (even the HELO/EHLO). STARTTLS, on the other hand, starts with plain non-encrypted communication, checks if the receiving server supports STARTTLS (which is an option returned by the EHLO command) and then upgrades the existing socket to SSL. This will be evident from looking at SMTPOutboundConversation.log. Try sending an email to gmail.com and then look at that log in Xeams. The EHLO command is sent twice. The first call will be in plain and the second will be encrypted. Additionally, gmail.com's server will only advertise STARTTLS in the first call. The second call, which is already encrypted, will not have a 250-STARTTLS as part of its EHLO results.
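
An added example, not part of the reply above and not Synametrics code: this Python checks an SMTP conversation for the sequence the reply describes (EHLO, STARTTLS advertised, upgrade, second EHLO without STARTTLS) and for the case where EHLO fails so TLS never starts. The transcript layout, the host names and the 421 reply code are constructed assumptions, not the format of SMTPOutboundConversation.log.

```python
# Added example. Transcripts below are constructed and are not Xeams' log format.
# Each entry is (sender, line): "C" = client, "S" = server.
UPGRADED = [
    ("S", "220 mx.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mx.example.test"),
    ("S", "250-SIZE 35882577"),
    ("S", "250-STARTTLS"),
    ("S", "250 8BITMIME"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    ("C", "EHLO client.example.test"),   # sent again, now inside TLS
    ("S", "250-mx.example.test"),
    ("S", "250 8BITMIME"),               # no STARTTLS line this time
]
BACKEND_DOWN = [
    ("S", "220 proxy.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "421 Server temporarily unavailable"),  # reply code is an assumption
]

def analyze_starttls(transcript):
    """Summarize how far the STARTTLS upgrade got in one SMTP session."""
    result = {"ehlo_count": 0, "advertised": False, "upgraded": False,
              "advertised_after_upgrade": False, "ehlo_failed": False}
    last_cmd = None
    for sender, line in transcript:
        text = line.strip()
        if sender == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            if last_cmd == "EHLO":
                result["ehlo_count"] += 1
            continue
        if len(text) < 3:
            continue  # not a valid SMTP reply line
        code, keyword = text[:3], text[4:].strip().upper().split(" ")[0]
        if last_cmd == "EHLO" and code[0] in "45":
            result["ehlo_failed"] = True  # TLS is never attempted after this
        elif last_cmd == "EHLO" and code == "250" and keyword == "STARTTLS":
            key = "advertised_after_upgrade" if result["upgraded"] else "advertised"
            result[key] = True
        elif last_cmd == "STARTTLS" and code == "220":
            result["upgraded"] = True  # socket switches to TLS from here on
    return result

if __name__ == "__main__":
    print(analyze_starttls(UPGRADED))
    print(analyze_starttls(BACKEND_DOWN))
```

A session where `advertised` is true but `upgraded` is false is the one worth investigating: the server offered STARTTLS and the mail still went out in plain text.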