r shawnc27927443
Participating Frequently
July 19, 2021
Question

TLS only works with useTLS = "yes" in CFMAIL ??


Hi,

When checking the box next to "Enable TLS connection to mail server" in CFadmin, no email will go out. It all ends up in the Undelivr folder. However, if I also include useTLS = "yes" in the CFMAIL tag, it works perfectly.  I have CF Enterprise 2018.  Anyone have any ideas why this is happening?

I'd rather not be forced to find the hundreds of places I've used the CFMAIL tag and add useTLS. Oddly, from my Dev version of CF 2018, I don't have to include useTLS... and it's using the same email server. 

Thank you!

- Shawn


    3 replies

    Charlie Arehart
    Community Expert
    July 22, 2021

    Guys, I appreciate the frustration you must be having, but I'm afraid I must contradict the assertion (even by anyone at Adobe) that "CF 2018 Enterprise will not create email using tls unless you put usetls in the cfmail".  I have just done it, and it worked. But I do have some things for you to check, to get to the bottom of the problem you're experiencing. Sorry it's not a twitter-length comment.

    First, yes I am on CF2018 (update 11), yes running Enterprise, and yes sent a cfmail with nothing but a to, from, and subject. And yes, with the CF Admin set to enable tls (and the port set to 587).

    So let's see if we can figure out why you are experiencing things differently.

    1) First, I will note that the resulting mail (appearing in the cf mail/spool folder, caught as soon as it was created with the above) does show having this line within the generated mail file (with the long random name ending in .cfmail):

    usetls:  true

    (This was in addition to the lines like type:, server:, x-Mailer:, body:, etc.)

    So I'm curious: when you guys say it's "not working", you seem to be referring to how the mail is "not delivered". Can you confirm a couple of things?

    2) If you do what I discuss above (catching the email right after it's sent, in the CF mail/spool folder), do you or do you not see the usetls: true?

    Note that it is really important to be looking at emails in the spool folder--or if you have trouble catching one (either because you create many, or a short "spool interval" setting causes them to leave too quickly), then when you ARE looking in the mail/undelivr folder, please confirm you are looking at emails that were JUST generated.

    I press this point because sometimes people chasing down CF Admin mail settings problems don't consider the fact that the changes ONLY affect emails that are generated from that point on. It does NOT affect emails already there. Nor does it affect emails you may copy INTO the spool from Undelivr. Let me clarify.

    If you may be trying to prove that things don't work by a) making the Admin change and then b) copying one or more *.cfmail files out of the Undelivr and into the Spool folder, that will NOT "fix" things. Again, the .cfmail files generated via the request doing the cfmail (in the past) will have had the values within that generated .cfmail file set at THAT time, like I showed at the top of my comment. Again, changing the CF Admin settings will NOT affect files YOU put into the spool manually.

    3) If instead you DO see the "usetls: true" being put into the .cfmail files and yet they STILL end up in Undelivr, then CF is at least indeed doing what it's supposed to do with regard to the original problem: it IS honoring the CF Admin setting to set tls true, for newly generated emails.

    In that case, we need to move on to what's keeping such mails from being delivered.

    4) So then I would ask: what is the error message in the mail.log in CF? That should help identify if the problem of "not delivering" had some other cause.

    For instance, you may see the error, "unable to find valid certification path to requested target", which is misleading. That may not be the problem at all.

    a) I've seen it when all that was needed was indeed an updated JVM.  To that point, I'm running with Java 11.0.11.

    And BKBK made a good point that some problems of sending out via https/tls from CF end up being caused by the JVM being out of date--the JVM that CF uses and points to. I did a blog post on that in the past, with much more info.

    b) Or I've seen it was a need to configure the CF jvm startup args to trust the smtp server you have set in the CF Admin "mail server" (or set in any cfmail server attribute), with a JVM arg naming it, such as:

    -Dmail.smtp.ssl.trust=smtp.example.com 

    Of course, you would change that in the CF jvm.config file or CF Admin java&jvm page (riskier, if you make a serious mistake and now CF won't restart), and you'd need to restart CF for the change to take effect. 

    5) In summary, my main point is that whatever the problem is that's keeping your cfmail from being delivered, it would seem odd that you could experience that CF is NOT putting the "usetls: true" value in your email. Please confirm first if that IS or is not happening, and if not, what is the error in the mail log?

    We should be able to get to the bottom of this.

    /Charlie (troubleshooter, carehart.org)
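The spool-file and mail.log checks in points 2) and 4) above, as an added Python triage script. This is not code from the thread, from Charlie or from Adobe; it assumes the .cfmail header layout is lower-case `key: value` lines ahead of `body:` as the reply describes, and the spool directory path, file names and log lines used below are constructed for the example.

```python
"""Triage helper for the spool-vs-Undelivr check discussed in the reply above.

Added example, not from the thread: scans ColdFusion .cfmail spool files for
the 'usetls: true' header line and parses mail.log lines for SMTP delivery
errors. The .cfmail header layout ('key: value' lines before 'body:') is an
assumption based on the reply's description.
"""
import re
from pathlib import Path

# Constructed sample .cfmail contents standing in for files CF writes into
# cfusion/Mail/Spool (the random names and header order are made up).
SAMPLE_CFMAIL = {
    "a1b2c3.cfmail": (
        "type: text/plain\nserver: smtp.example.com\nport: 587\n"
        "usetls: true\nx-Mailer: ColdFusion\nbody: hello\n"
    ),
    "d4e5f6.cfmail": (
        "type: text/plain\nserver: smtp.example.com\nport: 587\n"
        "x-Mailer: ColdFusion\nbody: hello\n"
    ),
}

# Constructed mail.log lines; the first mirrors the STARTTLS error quoted later in this thread.
SAMPLE_MAIL_LOG = [
    '"Error","scheduler-3","07/16/21","15:39:50","","com.sun.mail.smtp.SMTPSendFailedException: '
    '530 5.7.0 Must issue a STARTTLS command first "',
    '"Information","scheduler-1","07/16/21","15:40:02","","Mail: \'test\' From:\'a@example.com\' '
    'To:\'b@example.com\' was successfully sent using smtp.example.com"',
]


def parse_cfmail_headers(text):
    """Return the 'key: value' header lines of a .cfmail file as a dict (keys lower-cased)."""
    headers = {}
    for line in text.splitlines():
        if line.lower().startswith("body:"):
            break  # everything from body: onward is message content, not headers
        if ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
    return headers


def uses_tls(text):
    """True when the spooled message was generated with TLS enabled."""
    return parse_cfmail_headers(text).get("usetls", "").lower() == "true"


def audit_spool(files):
    """Split a {name: content} mapping into (with_tls, without_tls) sorted name lists."""
    with_tls, without_tls = [], []
    for name, content in files.items():
        (with_tls if uses_tls(content) else without_tls).append(name)
    return sorted(with_tls), sorted(without_tls)


def audit_spool_dir(directory):
    """Same audit over a real Spool or Undelivr directory (path is an assumption)."""
    files = {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.cfmail")}
    return audit_spool(files)


# CF's comma-separated, double-quoted log layout as seen in the quoted mail.log line.
MAIL_LOG_RE = re.compile(
    r'^"(?P<level>[^"]*)","(?P<thread>[^"]*)","(?P<date>[^"]*)","(?P<time>[^"]*)","[^"]*","(?P<msg>.*)"$'
)


def smtp_errors(log_lines):
    """Return (date, time, kind, message) for Error lines; kind flags the STARTTLS case."""
    found = []
    for line in log_lines:
        m = MAIL_LOG_RE.match(line)
        if not m or m.group("level") != "Error":
            continue
        msg = m.group("msg")
        kind = "starttls-required" if "Must issue a STARTTLS command first" in msg else "other"
        found.append((m.group("date"), m.group("time"), kind, msg))
    return found


if __name__ == "__main__":
    ok, missing = audit_spool(SAMPLE_CFMAIL)
    print("spooled with usetls: true :", ok)
    print("spooled WITHOUT usetls    :", missing)
    for date, time, kind, msg in smtp_errors(SAMPLE_MAIL_LOG):
        print(f"{date} {time} [{kind}] {msg}")
```

Run `audit_spool_dir` against the Spool folder right after a test cfmail, and again against Undelivr; a message that lands in the "without" list was generated without TLS at the time it was spooled, so (as the reply says) changing the Admin setting afterwards will not help that file. A `starttls-required` hit in mail.log means the server refused a plaintext session, which points at the usetls line being absent rather than at a certificate problem.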
    TonightWeDineInHELL
    Known Participant
    July 22, 2021

    Hi Charlie,

    Let me start by saying that I REALLY appreciate your time on this. Thank you. I did not mean to imply that all instances of 2018 Enterprise couldn't send out TLS email. Quite the opposite actually. Here is a more complete description of my situation.

    I have 2 identical servers. Both running:
    - Win 2019
    - CF Enterprise 2018,0,11,326016
    - Java 11.0.10

    Both with “Enable TLS connection to mail server” checked. 

    Both hitting the same mail server.

    Server-1 sends out emails without issue.

    Server-2 gives the following error:

    "Error","scheduler-3","07/16/21","15:39:50","","com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.0 Must issue a STARTTLS command first "

    On Server-2, these messages end up in Undelivr without "usetls: true". Contacting the admin for the mail server, I was told these Server-2 emails were not sent with TLS. So, you can see why this is so confusing. Identical servers with identical software showing 2 different behaviours. Restarting the CF service or restarting the server itself have had no effect.

    Thanks!

    - Shawn

    TonightWeDineInHELL
    Known Participant
    July 23, 2021

    I should add that on Server-2, I can add useTLS="yes" to the CFMAIL tags and the emails will go out using TLS without issue. 

    Thanks,

    - Shawn

    BKBK
    Community Expert
    July 19, 2021

    Oh, do your Dev and Prod share the same Java version? If so, which version?

    BKBK
    Community Expert
    July 19, 2021

    Your Dev version is telling you something. 🙂 The attribute UseTLS is optional. 

    What if you do the following:

    1) Delete the attribute from the cfmail tag.

    2) In the ColdFusion Administrator:

        Uncheck the box "Enable TLS connection to mail server";

        Check the box "Maintain connection to mail server";

        Press the button to "Submit Changes".

    3) Test by sending mail to a secure mail server using cfmail.

    r shawnc27927443
    Participating Frequently
    July 19, 2021

    Hi,

    With "Maintain connection to mail server" checked and "Enable TLS connection to mail server" unchecked, I can change the port and set UseTLS ='yes' in CFmail to send with no issues.

    My DEV is using Java 10 and Prod is using 11.

    Thanks!

    BKBK
    Community Expert
    July 19, 2021
    Quoting @r shawnc27927443: "I can change the port and set UseTLS ='yes' in CFmail to send with no issues."

    My suggestion was for you to test by deleting the UseTLS attribute. Isn't that what you hoped would work?

    Quoting @r shawnc27927443: "My DEV is using Java 10 and Prod is using 11."

    Not optimal. There are significant differences between Java 10 and Java 11. For example, TLS v1.3 was only introduced into Java 11. Furthermore, TLS v1.0 and TLS v1.1 are disabled by default from Java 11.0.11 onwards.

    It is best-practice to use the same Java build in your Development, Acceptance and Production environments. In fact, you should, ALWAYS, first test a new Java version on Development and Acceptance, before running it on Production.