Gordon Fecyk
2004-10-11 03:06:20 UTC
My ISP's decided to block outbound port 25 on all of their dial-up and home
DSL connections. I have some clients that use my Exchange 2K server with
POP3 and IMAP clients (notably Outlook Express and Outlook 2003). Port
587's a common port for accepting relay mail over SMTP (the so-called
"SUBMIT" procedure like what AOL's using), so I figured I could set up a
second port to accept relay mail to work around my ISP's filtering.

I thought the straightforward way to do this was to create a second SMTP
Virtual Server and have it use port 587 instead of port 25. I also want to
secure this virtual server using SSL, which I've done before on the default
virtual server running on port 25 - the clients are usually set up to use
SSL and the basic authentication mode has "Require TLS" turned on.

It took some "encouragement" to make IIS work off port 587 - I had to create
the virtual server and edit its properties while the SMTP portion of IIS was
stopped. Once that was done, I could have it answer port 25 and port 587
just fine. However, SSL connections return such errors as: "Your server has
unexpectedly terminated the connection" (OE6 SP1), or, "Your server does not
support SSL" (Outlook 2003). Meanwhile I can telnet to port 587 just fine
from a remote machine, and it answers with the standard SMTP banner (?! I
thought it was supposed to require SSL when I turn on "Require SSL.")

If I disable the requirement to use SSL, it appears to work just fine, but I
don't want to expose login passwords, nor would I like to have that mail
sniffed during transmission. Like I explained, SSL on port 25 (the default
virtual server) works just fine, so I think the server certificate is
correctly set up.

So, how do I properly set up Exchange 2K / IIS5 SMTP to accept mail for
relaying on port 587, and still receive incoming mail on port 25? And how
do I require SSL (ideally 128-bit SSL) on port 587? Do I remove the cert
from the default virtual server and reapply it to the second one I created?
--
PGP key (0x0AFA039E): <http://www.pan-am.ca/***@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
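
The post contrasts a plaintext banner seen over telnet on port 587 with mail clients that fail to negotiate SSL. SMTP has two TLS modes (TLS on connect, and STARTTLS issued after a plaintext banner), and this added example, which is not part of the original post, reports which one a listener speaks and what its EHLO reply advertises before encryption; the sample reply, hostname and address are constructed.

```python
import smtplib
import ssl

# Constructed sample: an EHLO reply as it would appear in a telnet session.
SAMPLE_EHLO = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-STARTTLS
250-AUTH=LOGIN
250 AUTH LOGIN NTLM"""

def parse_ehlo(reply):
    """Summarise the TLS/AUTH posture advertised in a pre-TLS EHLO reply."""
    features = {}
    for line in reply.splitlines()[1:]:           # first line is the greeting
        if len(line) < 5 or not line.startswith("250"):
            continue
        # Older servers also advertise "AUTH=LOGIN"; treat "=" like a space.
        text = line[4:].replace("=", " ", 1).strip()
        keyword, _, params = text.partition(" ")
        features.setdefault(keyword.upper(), []).extend(params.upper().split())
    auth = sorted(set(features.get("AUTH", [])))
    return {
        "starttls": "STARTTLS" in features,       # upgrade offered after banner
        "auth_mechs": auth,
        # LOGIN/PLAIN carry the password unprotected unless TLS is active first
        "cleartext_password_auth": bool({"LOGIN", "PLAIN"} & set(auth)),
    }

def probe(host, port=587, timeout=10):
    """Live check of host:port: 'implicit-tls', 'starttls' or 'plaintext-only'."""
    ctx = ssl.create_default_context()            # verifies cert and hostname
    try:
        # TLS on connect: the handshake comes before any SMTP banner.
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx):
            return "implicit-tls"
    except ssl.SSLCertVerificationError:
        return "implicit-tls, untrusted certificate"
    except (ssl.SSLError, OSError, smtplib.SMTPException):
        pass                                      # listener is not TLS-on-connect
    # STARTTLS listeners send a plaintext 220 banner first; that is expected.
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return "plaintext-only"
        s.starttls(context=ctx)                   # raises if the upgrade fails
        return "starttls"

if __name__ == "__main__":
    print(parse_ehlo(SAMPLE_EHLO))
```

`probe()` needs network access to a server you administer; `parse_ehlo()` works on a pasted transcript.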