There are two identifying features for a Simple Mail Transfer Protocol (SMTP) virtual server: the display name and the IP address/TCP port combination. Setup assigns a Microsoft Management Console display name for the default SMTP virtual server. You can keep the name (Default SMTP Virtual Server) or change it using the following steps. You can also select the IP address that will be associated with this SMTP virtual server.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To identify an SMTP virtual server
1. In IIS Manager, right-click the SMTP virtual server, and then click Rename.
2. Type a new name for the virtual server if you want to change it from the default. Do not use extended characters when naming your SMTP virtual server.
3. Right-click the SMTP virtual server, and click Properties.
4. On the General tab, in the IP address list, click the IP address for this virtual server. The SMTP virtual server can respond to connection requests for all IP addresses configured on the computer. To identify the TCP port for each IP address configured for the virtual server, click Advanced. Port 25 is the SMTP standard TCP port and is recommended. More than one virtual server can use Port 25, provided they are associated with different IP addresses.
Starting, Stopping, or Pausing SMTP Virtual Servers (IIS 6.0)
The Default SMTP Virtual Server starts upon installation of the SMTP service. You can pause, stop, and start it in IIS Manager.
You can also start, stop, and pause the entire SMTP service. However, if you have more than one virtual server, stopping the service affects all of the Simple Mail Transfer Protocol (SMTP) virtual servers running on your computer. When the SMTP service is stopped, you cannot use IIS in Microsoft Management Console (MMC) to perform administrative functions on any SMTP virtual server.
Important
Make sure only trusted administrators in your organization have the necessary permissions to start or stop an SMTP virtual server. For more information, see Setting Operator Permissions.
You can stop and start the SMTP service manually. However, while it is operating, you must be careful when stopping, pausing, or restarting the service to minimize the impact on users.
If the default startup setting is Manual, you can use IIS in Microsoft Management Console (MMC) to start a Simple Mail Transfer Protocol (SMTP) virtual server.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To start an SMTP virtual server
• In IIS Manager, expand the local computer, right-click the SMTP virtual server, and click Start.
You can stop a Simple Mail Transfer Protocol (SMTP) virtual server for configuration changes and maintenance.
To stop an SMTP virtual server
• In IIS Manager, expand the local computer, right-click the SMTP virtual server, and click Stop.
You can pause a Simple Mail Transfer Protocol (SMTP) virtual server for configuration changes and maintenance. Pausing prevents new client connections, but it enables the virtual server to continue processing existing client connections and delivering queued messages.
To pause an SMTP virtual server
• In IIS Manager, expand the local computer, right-click the SMTP virtual server, and click Pause.
Starting, Stopping, or Pausing the SMTP Service (IIS 6.0)
The SMTP service runs as a service on Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition, and it starts upon installation. Although there is only one SMTP service on a computer, it is possible to have more than one Simple Mail Transfer Protocol (SMTP) virtual server. You can start, stop, or pause each virtual server independently of one another while the SMTP service is running.
If you have more than one SMTP virtual server, it is important to remember that pausing or stopping the entire SMTP service will affect all of the SMTP virtual servers. When the service is stopped, you cannot use IIS in Microsoft Management Console (MMC) to perform administrative functions on any SMTP virtual server.
Note
The one exception is that you can start a virtual server while the SMTP service is stopped. Starting an SMTP virtual server will also restart the entire SMTP service. This, in turn, will start all other SMTP virtual servers that had been running when the SMTP service was originally stopped.
When you start the SMTP service, it accepts new connections from users. When you stop the SMTP service, it does not accept new connections. When you pause the SMTP service, every running SMTP virtual server will cease accepting new connections but will continue to service existing connections.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To start, stop, or pause the SMTP service
1. From the Start menu, point to Administrative Tools, and then click Component Services.
2. In the console tree, click Services (Local).
3. In the details pane, right-click Simple Mail Transfer Protocol (SMTP), and then click Start, Stop, or Pause.
Configuring Startup Settings (IIS 6.0)
You can use Administrative Tools to configure the default state of the SMTP service at startup.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
1. From the Start menu, point to Administrative Tools, and then click Component Services.
2. In the console tree, click Services (Local).
3. In the details pane, right-click Simple Mail Transfer Protocol (SMTP), and then click Properties.
4. On the General tab, in the Startup type list, click Automatic, Manual, or Disabled.
Setting Connections (IIS 6.0)
A connection is initiated whenever a message is sent to or received from a remote server.
Note
Designating the TCP port that the SMTP service uses to receive incoming messages is done when you configure the Simple Mail Transfer Protocol (SMTP) virtual server.
Setting connection limits and imposing connection time-outs can make it more difficult for someone to initiate a malicious attack (such as denial of service) against your virtual server.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To configure incoming connections
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. On the General tab, select the Limit number of connections to check box (the default is no limit), and set the following options.
To configure outbound connections
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Outbound connections.
3. In the Outbound Connections dialog box, select a check box and set the following options.
Creating Additional SMTP Virtual Servers (IIS 6.0)
In most cases, you should need only one Simple Mail Transfer Protocol (SMTP) virtual server. However, if you are hosting multiple domains and want to have more than one default domain, for example, you can create multiple SMTP virtual servers. To an end user, each SMTP virtual server appears as a separate server with a unique IP address/TCP port combination.
When you create an SMTP virtual server, you are prompted to enter a path to your home directory. This directory must be local to the computer on which the SMTP service runs.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To create a new SMTP virtual server
1. If the SMTP virtual server will be using a new IP address, configure an IP address. From the Start menu, click Control Panel, and then double-click Network Connections. See Windows Server 2003 family Help for more information on Network Connections.
2. After you configure the IP address, in IIS Manager, right-click an existing SMTP virtual server, point to New, and then click Virtual Server.
3. Follow the steps in the New SMTP Virtual Server Wizard. Be sure to select an IP address/TCP port combination that is not being used by another SMTP virtual server. The recommended TCP port is 25, which is the SMTP standard TCP port. More than one virtual server can use the same TCP port provided they are configured with different IP addresses.
4. If the default startup setting for SMTP Service is set to Automatic, the new SMTP virtual server will start automatically. If it doesn't start, it is because you selected an IP address/TCP port combination that is already in use.
5. Configure the new SMTP virtual server.
Setting Up Virtual Servers for Clustering (IIS 6.0)
A server cluster is a group of independent computer systems, known as nodes, working together as a single system to ensure that mission-critical applications and resources remain available to clients. Server clusters provide high availability. High availability in a Simple Mail Transfer Protocol (SMTP) server cluster means that, if one virtual server fails, its work is dispersed to the remaining virtual servers in the cluster, ensuring mail service is not interrupted. The other benefit of server clusters is the failover of server resources, which is when a virtual server goes down and another one comes online to assume its role.
In clustering, a node is a system that has a working installation of Windows Server 2003, Enterprise Edition and the Cluster service. Microsoft recommends creating a new virtual server on your node for clustering, rather than reconfiguring your default SMTP virtual server.
For more information about Windows Clustering and server clusters, see Windows Server 2003, Enterprise Edition Help. That documentation contains detailed information about setting up and administrating server clusters.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set up an SMTP virtual server for clustering
1. If necessary, change the default startup setting of the SMTP Service to Manual.
2. Before creating a new virtual server, in IIS Manager, right-click Default SMTP Virtual Server, and then click Properties.
3. On the General tab, click Advanced.
4. Under Address, double-click All Unassigned.
5. In the Identification box, change the TCP port number from 25, which is the default setting, to another port number -- any unassigned port will work. Type in the new port number, making sure it is unique, and then click OK.
6. Create a new SMTP virtual server. After it is created, you will have to manually start the new virtual server. Use the default TCP port on the new virtual server, which is port 25.
Important
When you get to the Select Home Directory and Default Domain screen of the New SMTP Virtual Server Wizard, be sure to type paths to the shared resource that will be used in clustering. Do not type paths to a local hard drive.
7. Run the iiscnfg /copy command to copy the IIS configuration on your node to the other nodes in the server cluster. At a command prompt, navigate to the %systemroot%\System32\Inetsrv directory on your node, and then type iiscnfg /copy /ts target server /tu userid /tp password where the following is true:
• /ts is another node in the same cluster.
• /tu is the user ID to use when connecting to the target server.
• /tp is the password associated with the specified user ID.
Important
The /copy operation does not copy the server content, such as Web pages and FTP files, that is associated with the IIS configuration. This command changes the computer-specific and system-specific properties in the metabase so that they are valid on the target computer. However, it does not adjust the directory or file paths. As a result, you might need to configure valid paths on the target computer.
Enabling Protocol Logging (IIS 6.0)
Use the General tab to enable transaction logging and to select the format. When setting up the log file, keep in mind that the log formats and default file names are the same as those used by other IIS services. If you choose the default names, all transactions for all services are recorded in the same file. You can set up a separate file for each service if you want to maintain separate records.
If you set up the file in a location other than the default, make sure it is stored on a local drive and not on a network.
Auditing server activity with log files is a good way to detect if unauthorized external users are attempting to access your virtual server, or if internal users are trying to access resources they do not have permission to access. For more information about auditing and using Event Viewer, see Windows Server 2003 family Help.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To enable logging that uses one of the ASCII text formats
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. On the General tab, select the Enable logging check box.
3. In the Active log format list, click a transaction log format. If you chose the W3C Extended Log File Format, click the Advanced tab, and then click the items you want to track.
4. Click Properties, and then set the log file size and location.
To enable logging that uses the ODBC format
1. Set up an ODBC-compliant database.
2. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
3. On the General tab, select the Enable logging check box.
4. In the Active log format list, click ODBC Logging.
5. Click Properties, and then set the log file size and location.
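The auditing described above can be automated once logging is enabled. The following is an added example, not part of the original documentation: it reads a W3C Extended Log File Format log, follows the #Fields directive each time it appears, and reports client addresses with repeated refused recipients (reply 550 to RCPT) or repeated failed logons (reply 535 to AUTH). The sample log, the selection of fields, and the threshold of 3 are constructed assumptions; a real log contains whichever items were selected on the Advanced tab.

```python
from collections import defaultdict

# Constructed sample log. The second #Fields line models a change in the
# logged items, after which entries have a different column layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-03-01 09:14:02
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-03-01 09:14:02 192.0.2.10 EHLO +mail.example.net 250
2004-03-01 09:14:02 192.0.2.10 MAIL +FROM:<a@example.net> 250
2004-03-01 09:14:03 192.0.2.10 RCPT +TO:<user@corp.example> 250
2004-03-01 09:20:11 198.51.100.7 RCPT +TO:<x1@elsewhere.example> 550
2004-03-01 09:20:11 198.51.100.7 RCPT +TO:<x2@elsewhere.example> 550
2004-03-01 09:20:12 198.51.100.7 RCPT +TO:<x3@elsewhere.example> 550
#Fields: time c-ip sc-status cs-method
09:31:40 203.0.113.9 535 AUTH
09:31:44 203.0.113.9 535 AUTH
09:31:49 203.0.113.9 535 AUTH
09:32:00 192.0.2.10 550 RCPT
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives start with '#'; only #Fields changes the layout.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated entry or a line from a different format
        yield dict(zip(fields, values))


def audit(text, threshold=3):
    """Group refused recipients and failed logons by client IP address."""
    refused = defaultdict(set)   # c-ip -> distinct refused RCPT arguments
    failed = defaultdict(int)    # c-ip -> number of failed AUTH attempts
    for entry in parse_w3c(text):
        verb = entry.get("cs-method", "-").upper()
        status = entry.get("sc-status", "-")
        client = entry.get("c-ip", "-")
        if verb == "RCPT" and status == "550":
            # '+' stands in for a space in W3C extended log values.
            refused[client].add(entry.get("cs-uri-query", "-").lstrip("+"))
        elif verb == "AUTH" and status == "535":
            failed[client] += 1
    return {
        "rcpt_refused": {ip: sorted(r) for ip, r in refused.items()
                         if len(r) >= threshold},
        "auth_failed": {ip: n for ip, n in failed.items() if n >= threshold},
    }


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        print(kind, hits)
```

A 550 reply to RCPT can also mean an unknown local mailbox, so treat the result as a list of clients to review rather than as proof of a relay attempt.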
Setting Operator Permissions (IIS 6.0)
You can designate which user accounts can have operator permissions for the Simple Mail Transfer Protocol (SMTP) virtual server. After Windows user accounts are set up, you can grant permissions by selecting the account from a list. These permissions can be rescinded by removing the account from the list of virtual server operators.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To assign operator permissions
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Security tab, and click Add.
3. Select a Windows user account, and then click OK. The selected account will now appear in Operators.
To remove operator permissions
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Security tab, and in the Operators list, click the operator you want to remove.
3. Click Remove.
Requiring Authentication for Incoming Connections (IIS 6.0)
There are three authentication methods available. You can choose one, two, or all three methods. All three are set by default.
Important
The default mail relay settings on the SMTP virtual server allow only mail from authenticated users to be relayed. Therefore, to allow users in your organization to send mail through the virtual server, users must first be authenticated. By choosing one of the methods in the Authentication dialog box, your users will be able to send mail and, at the same time, unauthorized users will not be able to use your virtual server to relay mail.
Authentication option and description:
• Anonymous access: An account name or password is not required. You can use this option to disable authentication for the Simple Mail Transfer Protocol (SMTP) virtual server.
• Basic authentication: An account name and a password are sent using plaintext. Specify a Windows domain that is appended to the account name for authentication.
• Integrated Windows authentication: A Windows account name and password are authenticated using this option.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To disable authentication for incoming messages
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Access control, click Authentication.
3. Select the Anonymous access check box, and then clear the remaining check boxes for the other options.
To set clear text authentication for incoming messages
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Access control, click Authentication.
3. Select the Basic authentication check box.
4. In the Default domain box, type a Windows domain name. This default domain differs from the SMTP virtual server default domain.
To use Integrated Windows authentication to authenticate incoming messages
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Access control, click Authentication.
3. Select the Integrated Windows Authentication check box.
Requiring Authentication for Outbound Messages (IIS 6.0)
You can configure the Simple Mail Transfer Protocol (SMTP) virtual server to provide the authentication credentials required by a receiving server. There are three types of authentication available: anonymous, Basic (plaintext), and Integrated Windows authentication. Anonymous requires no authentication. With the plaintext option, the account name and password of the server you're connecting to are transmitted in plaintext. The Integrated Windows authentication option requires a Windows account name and password.
The option set here can be overridden for a specific remote domain. Overriding the authentication settings for a remote domain enables you to set the virtual server authentication level to handle most of the transmissions, while allowing exceptions for individual addresses. The following table describes several configuration examples.
SMTP transmissions and the corresponding authentication option:
• Messages are commonly sent to multiple addresses: Disable authentication for the SMTP virtual server. If attempts to deliver messages to an address fail because of authentication requirements, add a remote domain for the address. Then enable authentication for the domain at the same level required by the server.
• Messages are commonly sent to one address, which requires authentication: Determine what level of authentication is required to connect. Then enable authentication for the SMTP virtual server using the same level. If you want to then send messages to other addresses, set up remote domains and set different authentication options. If you use this option, it is likely that the account name used is the one that identifies the computer set up as the smart host.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To disable authentication for outgoing messages
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Outbound Security.
3. Click Anonymous access.
4. Clear all other options.
To set Basic authentication for outgoing messages
1. In IIS Manager, select the SMTP virtual server, and then click Properties on the Action menu.
2. On the Delivery tab, click Outbound Security to open the Outbound Security dialog box.
3. Click Basic authentication.
4. Under User name and Password, type the account name and password that will grant you access to the computer you are connecting to.
Important
If Basic authentication is your only authentication method, it is strongly recommended that you also require TLS encryption to avoid unauthorized detection of user names and passwords.
To set Integrated Windows authentication for outgoing messages
1. In IIS Manager, select the SMTP virtual server, and then click Properties on the Action menu.
2. On the Delivery tab, click Outbound Security to open the Outbound Security dialog box.
3. Select the Integrated Windows Authentication check box.
4. Under Account and Password, type a Windows account name and password that will grant you access to the computer you're connecting to.
Setting IP Access Restrictions to Servers (IIS 6.0)
You can grant or deny Simple Mail Transfer Protocol (SMTP) virtual server access to specific IP addresses. By default, the SMTP virtual server is accessible to all IP addresses. You can set restrictions by specifying a single IP address, a group of addresses using a subnet mask, or a domain name.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set IP address access restrictions
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Connection control, click Connection.
3. Click either Only the list below or All except the list below.
4. To add to the list of computers, click Add.
5. To delete from the list of computers, select a listing, and then click Remove.
Configuring SMTP Virtual Server Relay Restrictions (IIS 6.0)
IIS includes a full-featured SMTP virtual server that you can use to receive and relay e-mail messages to other SMTP servers on your network or to servers on the Internet. The relay function is useful for internal network clients that might have to forward mail to other SMTP servers, and it is useful for IIS programs that need access to an SMTP server to forward mail.
For a user or computer to relay e-mail messages through an SMTP virtual server, the following two conditions must be met:
• The user or computer can access the SMTP virtual server.
• The SMTP virtual server is configured to relay e-mail messages to other domains.
When an SMTP virtual server relays e-mail messages, it can forward mail that is addressed to any e-mail domain. With this feature, an SMTP virtual server can forward mail to any internal or external network SMTP server for which it can resolve an MX record. However, if the SMTP virtual server is accessible to Internet users, mail relay should not be enabled. With mail relay enabled, malicious users might forward e-mail to your SMTP virtual server, distributing unwanted messages to other computers and reducing the available bandwidth for your internal connection.
By default, the SMTP service blocks computers from relaying unwanted mail through the virtual server. To enable relay access through the SMTP virtual server, click Relay on the Access tab. By default, all computers are blocked except those that meet the authentication requirements that are designated in the Authentication box, which you can view by clicking Authentication on the Access tab.
You can also allow messages to be relayed to a specific remote domain. The domain setting overrides the SMTP virtual server setting. For more information about relaying messages to a remote domain, see Configuring Remote Domains.
If you enable mail relay on your SMTP virtual server, then you can specify the relay restrictions that are described in the following table.
Option and description:
• Only the list below: This option allows only the computers specified in the list to relay messages through the SMTP virtual server.
• All except the list below: This option allows all computers, except the computers that are specified in the list, to relay messages through the SMTP virtual server. This option is set by default, along with the Allow all computers which successfully authenticate to relay, regardless of the list above option.
• Add and Remove: Clicking these buttons allows you to grant or deny relay access by adding to or removing from the list of computers.
• Allow all computers which successfully authenticate to relay, regardless of the list above: This option allows computers that meet authentication requirements set in the Authentication box to relay messages to the SMTP virtual server. This option is set by default.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To add relay restrictions to an SMTP virtual server
1. In IIS Manager, right-click the SMTP Virtual Server for which you want to add relay restrictions, and then click Properties.
2. Click the Access tab, and then click Authentication.
3. To enable the appropriate level of authentication for your server, select either (or both) the Basic authentication or the Integrated Windows Authentication check box, clear the Anonymous access check box, and then click OK.
Note
If you enable Anonymous access and do not enable Basic authentication and Integrated Windows authentication, then authentication is no longer enabled, which means that all users and computers can access the SMTP virtual server.
4. On the Access tab, under Relay restrictions, click Relay.
5. In the Relay Restrictions box, click Add, and then do the following to add a single computer, a group of computers, or a domain:
• To add a single computer, click Single computer, type the IP address of the computer that you want to add, and then click OK.
• To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group into the corresponding boxes, and then click OK.
• To add a domain, click Domain, type the domain name that you want to add, and then click OK.
6. To apply your configuration changes, click OK twice.
To remove relay restrictions from an SMTP virtual server
1. In IIS Manager, right-click the SMTP virtual server for which you want to remove relay restrictions, and then click Properties.
2. Click the Access tab, and then click Relay.
3. In the Relay Restrictions box, select either the Only the list below or the All except the list below check box.
4. If you want to add exceptions, click Add and then specify the computer, group of computers, or domain for which you want to retain relay restrictions.
Requiring TLS Encryption (IIS 6.0)
You can require that all clients use Transport Layer Security (TLS) encryption, a generic security protocol similar to Secure Sockets Layer (SSL), to connect to the default Simple Mail Transfer Protocol (SMTP) virtual server. This option secures the connection, but it is not used for authentication.
When requiring Basic authentication on your virtual servers, it is strongly recommended that you also use TLS encryption. Without encryption, user names and passwords can be easily intercepted.
To use TLS encryption for the virtual server, you must create key pairs and configure key certificates. Clients can then use TLS to encrypt the session with the SMTP service and, therefore, all messages sent. The SMTP service can also use TLS to encrypt sessions with remote servers.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To create and manage key certificates
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Secure communication, click Certificate to set up new key certificates and manage installed key certificates for the SMTP virtual server.
Key pairs consist of a number of bits that indicate the key's security level. You can strengthen security by increasing the encryption level from 40 bits (the default) to 128 bits. The greater the number of bits, the more difficult the item is to decrypt. Users attempting to secure access must use the same encryption level that you set or messages will be returned with a non-delivery report (NDR).
To set TLS encryption levels for the server
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Access tab, and under Access control, click Authentication.
3. Click Basic authentication.
4. Select the Require TLS encryption check box.
Note
There are two additional TLS options available. To use TLS for all outgoing connections, click Outbound Security on the Delivery tab, and then click TLS encryption. Also, if a server you commonly connect to requires the use of TLS for all incoming connections, you can create a remote domain and click TLS encryption when creating the domain.
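To check whether Basic authentication is actually being sent without TLS, recorded SMTP sessions can be reviewed. The following is an added example, not part of the original documentation: it walks a session transcript and returns the account names that were sent with AUTH LOGIN or AUTH PLAIN before TLS was negotiated. The "S:"/"C:" transcript layout, the host names, the accounts, and the server reply texts are constructed assumptions.

```python
import base64
import binascii


def _b64(token):
    """Decode a base64 token; Basic authentication adds no other protection."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable>"


def _enc(text):
    """Helper used only to build the constructed sample sessions below."""
    return base64.b64encode(text.encode()).decode()


def cleartext_logons(lines):
    """Return account names sent with Basic authentication before TLS began."""
    exposed = []
    tls_pending = False   # client sent STARTTLS, waiting for the server reply
    expect_user = False   # client sent AUTH LOGIN, next client line is the name
    for raw in lines:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            if tls_pending and text.startswith("220"):
                break     # TLS negotiated: the rest of the session is encrypted
            tls_pending = False
            if expect_user and not text.startswith("334"):
                expect_user = False   # server refused AUTH, no name follows
            continue
        if expect_user:
            exposed.append(_b64(text))
            expect_user = False
            continue
        parts = text.split()
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS":
            tls_pending = True
        elif verb == "AUTH" and len(parts) >= 2:
            mech = parts[1].upper()
            if mech == "LOGIN" and len(parts) == 2:
                expect_user = True
            elif mech == "LOGIN":
                exposed.append(_b64(parts[2]))      # name sent with the command
            elif mech == "PLAIN" and len(parts) >= 3:
                # AUTH PLAIN carries authzid NUL account NUL password.
                fields = _b64(parts[2]).split("\0")
                exposed.append(fields[1] if len(fields) == 3 else "<undecodable>")
    return exposed


# Constructed session: Basic authentication accepted without TLS.
WEAK = [
    "S: 220 mail.corp.example ESMTP",
    "C: EHLO client.example",
    "S: 250-mail.corp.example",
    "S: 250-AUTH LOGIN",
    "S: 250 STARTTLS",
    "C: AUTH LOGIN",
    "S: 334 " + _enc("Username:"),
    "C: " + _enc("jdoe"),
    "S: 334 " + _enc("Password:"),
    "C: " + _enc("constructed-password"),
    "S: 235 Authentication successful",
]

# Constructed session: the server refuses AUTH until TLS is in place.
ENFORCED = [
    "S: 220 mail.corp.example ESMTP",
    "C: EHLO client.example",
    "S: 250-mail.corp.example",
    "S: 250 STARTTLS",
    "C: AUTH LOGIN",
    "S: 530 Must issue a STARTTLS command first",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
]

# Constructed session: AUTH PLAIN with the credentials in the command itself.
PLAIN_INITIAL = [
    "S: 220 mail.corp.example ESMTP",
    "C: EHLO client.example",
    "S: 250 AUTH PLAIN",
    "C: AUTH PLAIN " + _enc("\0asmith\0constructed-password"),
]

if __name__ == "__main__":
    for name, session in (("WEAK", WEAK), ("ENFORCED", ENFORCED),
                          ("PLAIN_INITIAL", PLAIN_INITIAL)):
        print(name, cleartext_logons(session))
```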
Message Delivery Options (IIS 6.0)
Use the Delivery tab to set all delivery and routing options. Settings can be grouped into three categories, which are listed below.
Routing Options
• Smart host: Designates a server through which to route all outgoing messages.
• Message hop count: Determines the maximum number of servers a message is routed through before being considered undeliverable.
• Fully qualified domain name (FQDN): Clarifies the address to use in message exchanger (MX) records.
Transmission Options
• Retry attempts and retry interval: Determines how many times to resend a message, and at what intervals, before the message is considered undeliverable.
• Delivery using Pickup directory: Allows you to transmit messages composed as a text file.
Security Options
• Outbound security: Allows you to use authentication and Transport Layer Security (TLS) encryption for outgoing messages.
• Reverse DNS lookup: Verifies that the message actually originated from the computer and the domain listed in the From field.
• Masquerade domains: Replaces any local domain name used in any Mail From lines in the protocol with a different domain name. This is the name you want stamped on outgoing
Configuring Retry Attempts and Intervals (IIS 6.0)
If a message cannot be delivered on the first attempt, the SMTP service sends it again from the Queue directory after a specified time. You can set the interval between delivery attempts. You can also designate the number of times to attempt to deliver a message. After the limit is reached, the message is returned to the sender with a non-delivery report (NDR) and copies of the message and NDR are sent to the location you designate. The NDR is placed in the Queue directory and goes through the same delivery process as messages. When the NDR reaches the maximum number of retry attempts, the NDR and message are sent to the Badmail directory.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To configure retry attempt and interval settings
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab.
3. In the First retry interval (minutes) box, type a value for the amount of time to wait before retrying message delivery. The default is 15 minutes.
4. In the Second retry interval (minutes) box, type a value for the amount of time to wait before retrying message delivery. The default is 30 minutes, which is 30 minutes after the First retry interval.
5. In the Third retry interval (minutes) box, type a value for the amount of time to wait before retrying message delivery. The default is 60 minutes, which is 60 minutes after the Second retry interval.
6. In the Subsequent retry interval (minutes) box, type a value for the amount of time to attempt delivery before posting a notification. The default is 240 minutes.
Delay Notification
To allow for network delays, you can set a delay period to expire before sending the delivery notification. The minimum value is 1 minute, the default is 12 hours, and the maximum value is 9999 days. Use the drop-down menu beside the value field to use minutes, hours, or days.
Expiration Timeout
Type a value for messages that have not been delivered after all retries and delays have expired. The minimum value is 1 minute, the default is 2 days, and the maximum value is 9999 days. Use the drop-down menu beside the value field to use minutes, hours, or days.
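The following added example, which is not part of the original page, lays the retry intervals, delay notification and expiration timeout on one timeline so you can see how many delivery attempts a queued message gets before it expires. It assumes that all timers start at the failed first delivery attempt and that no retry is made at or after the expiration timeout; the function names are the example's own.

```python
# Defaults quoted on this page, all converted to minutes.
FIRST_RETRY = 15
SECOND_RETRY = 30
THIRD_RETRY = 60
SUBSEQUENT_RETRY = 240
DELAY_NOTIFICATION = 12 * 60       # 12 hours
EXPIRATION_TIMEOUT = 2 * 24 * 60   # 2 days


def retry_timeline(first=FIRST_RETRY, second=SECOND_RETRY, third=THIRD_RETRY,
                   subsequent=SUBSEQUENT_RETRY, delay=DELAY_NOTIFICATION,
                   expiration=EXPIRATION_TIMEOUT):
    """Return [(minutes_since_first_failure, event), ...] in time order.

    Assumptions of this example: all timers start at the failed first
    delivery attempt, each interval is measured from the previous attempt
    (as the page states for the second and third intervals), and no retry
    is made at or after the expiration timeout.
    """
    settings = (("first", first), ("second", second), ("third", third),
                ("subsequent", subsequent), ("delay", delay),
                ("expiration", expiration))
    for name, value in settings:
        if value < 1:
            raise ValueError(f"{name} must be at least 1 minute, got {value}")

    events = []
    elapsed = 0
    attempt = 0
    fixed = [first, second, third]
    while True:
        # The three named intervals are used once each, then the
        # subsequent interval repeats until the message expires.
        interval = fixed[attempt] if attempt < len(fixed) else subsequent
        if elapsed + interval >= expiration:
            break
        elapsed += interval
        attempt += 1
        events.append((elapsed, f"retry {attempt}"))

    if delay < expiration:
        events.append((delay, "delay notification"))
    events.append((expiration, "expired, NDR generated"))
    events.sort(key=lambda event: event[0])
    return events


def retries_before(events, minute):
    """Count retry attempts that happen strictly before the given minute."""
    return sum(1 for when, what in events
               if what.startswith("retry") and when < minute)


if __name__ == "__main__":
    for when, what in retry_timeline():
        print(f"{when:5d} min  {what}")
```

Under these assumptions the defaults give 14 retries before the two-day expiration, 5 of them before the 12-hour delay notification.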
Setting the Message Hop Count (IIS 6.0)
When a message is delivered, it may be routed to a number of servers before reaching its final destination. You can designate how many servers the message is allowed to pass through. This is called the hop count.
After the hop count is set, the Simple Mail Transfer Protocol (SMTP) server counts the hops listed in the Received lines of the message header. When the number of Received fields exceeds the maximum hop count setting, the message is returned to the sender with a non-delivery report (NDR).
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set the message hop count
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Advanced.
3. In the Maximum hop count box, type a value for the number of hops a message can take between the source and destination servers. The default is 15 hops.
Setting the Masquerade Domain (IIS 6.0)
The masquerade domain replaces any local domain name used in any Mail From lines in the protocol. The replacement occurs on the first hop only.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set the masquerade domain
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Advanced.
3. In the Masquerade domain box, type a domain name that you want to appear in message headers, instead of the actual name of the domain.
Note
All replies to such messages will be routed through the SMTP virtual server that uses the masquerade domain.
Setting Fully Qualified Domain Names (IIS 6.0)
An e-mail domain must be able to be resolved through Domain Name System (DNS). There are two DNS records that are used to resolve an e-mail domain. In most cases, a mail exchanger (MX) record is set up to associate an e-mail domain with the fully qualified domain name (FQDN) of one or more Simple Mail Transfer Protocol (SMTP) virtual servers that serve that domain. Each SMTP server referenced in the MX record must have an address (A) record. The A record maps a given FQDN to its IP address.
It is possible to just have an A record set up for an e-mail domain. In this scenario, the A record maps the domain to the IP address or addresses of the SMTP virtual server or servers that serve that domain. Adding an MX record, however, is recommended over using an A record by itself, because an MX record allows an SMTP administrator to specify an ordered list of servers to use for clients sending mail to that e-mail domain. Microsoft SMTP Service always checks first for an MX record before falling back to an A record, so setting up MX records on your virtual server can improve performance. And, in some cases, the A record is used for other purposes, such as HTTP, although the MX record is generally used only for SMTP. The MX record allows one server to handle http://example.com (HTTP clients use the A record) and another server to handle someone@example.com (SMTP clients use the MX record).
On the SMTP service, there are two options for specifying an FQDN. You can use the name specified on the Network Identification tab of System Properties in Control Panel, or you can specify a unique FQDN for the SMTP virtual server you are configuring.
At startup, the name designated on the Network Identification tab of System Properties is automatically used for the FQDN. If you change the name (either manually or by joining a domain), the new name is automatically used for the FQDN the next time the computer is restarted. No action is required to update the FQDN for the virtual server.
To override the automatic use of the computer and domain names on the Network Identification tab, change the FQDN in the Advanced Delivery dialog box, accessed through the Delivery tab. The SMTP service can then use the designated name instead of the one specified on the Network Identification tab.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To change the FQDN
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Advanced.
3. In the Fully-qualified domain name box, type the FQDN.
Configuring Smart Hosts (IIS 6.0)
You can route all outgoing messages for remote domains through a smart host instead of sending them directly to the domain. This enables you to route messages over a connection that may be more direct or less costly than other routes. The smart host is similar to the route domain option for remote domains. The difference is that, after a smart host is designated, all outgoing messages are routed to that server. With a route domain, only messages for the remote domain are routed to a specific server.
Important
Make sure your designated smart host is secure and administered by a trusted authority, especially when forwarding sensitive information.
If you set up a smart host, you can still designate a different route for a remote domain. The route domain setting overrides the smart host setting.
You can identify the smart host by fully qualified domain name (FQDN) or an IP address (but if you change the IP address, you would have to change it on every virtual server as well). If you use an IP address, enclose it in brackets ([ ]) to increase system performance. The SMTP service checks first for a server name, and then an IP address. The brackets identify the value as an IP address, so the DNS lookup is bypassed.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set up a smart host
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Advanced.
3. In the Smart host box, type the name of the smart host server. You can type a string to represent a name or enter an IP address.
4. If you want the SMTP service to attempt to deliver remote messages directly before forwarding them to the smart host server, select the Attempt direct delivery before sending to smart host check box. The default is to send all remote messages to the smart host, not to attempt direct delivery.
Enabling Reverse DNS Lookup (IIS 6.0)
If you select this option, the SMTP service will attempt to verify that the client’s IP address matches the host/domain submitted by the client in the EHLO/HELO command. If the reverse DNS lookup is successful, the RECEIVED header will remain intact. If the verification is unsuccessful, "unverified" appears after the IP address in the RECEIVED header of the message. If the reverse DNS lookup fails, "RDNS failed" will appear in the RECEIVED header of the message.
Because this feature verifies addresses for all incoming messages, its use could affect SMTP service performance. Clear the check box to disable the feature.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To enable reverse DNS lookup
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Delivery tab, and click Advanced.
3. Select the Perform reverse DNS lookup on incoming messages check box.
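The following added example, which is not part of the original page, reviews a message's Received headers the way the hop count and reverse DNS settings use them: it counts the Received fields against the maximum hop count and reports any header carrying the "unverified" or "RDNS failed" marker. The sample message, its header layout and the function name are constructed for illustration.

```python
from email import message_from_string

MAX_HOP_COUNT = 15                            # default from this page
RDNS_MARKERS = ("unverified", "RDNS failed")  # strings quoted on this page

# Constructed sample message; the Received layout is illustrative only.
SAMPLE_MESSAGE = """\
Received: from relay2.example.net ([198.51.100.7]) by mx.example.com with SMTP;
\tThu, 9 Jul 2009 10:00:02 -0700
Received: from host.invalid ([203.0.113.9] unverified) by relay2.example.net
\twith SMTP; Thu, 9 Jul 2009 10:00:01 -0700
Received: from client ([192.0.2.44] RDNS failed) by relay1.example.net with SMTP;
\tThu, 9 Jul 2009 10:00:00 -0700
From: someone@example.com
To: postmaster@example.com
Subject: constructed sample

body
"""


def audit_received(raw_message, max_hops=MAX_HOP_COUNT):
    """Count Received fields and collect reverse DNS markers.

    Position 1 is the topmost header, which is the most recent hop because
    each server adds its Received field above the existing ones.
    """
    message = message_from_string(raw_message)
    received = message.get_all("Received") or []

    findings = []
    for position, value in enumerate(received, start=1):
        unfolded = " ".join(value.split())  # undo header line folding
        lowered = unfolded.lower()
        for marker in RDNS_MARKERS:
            if marker.lower() in lowered:
                findings.append((position, marker, unfolded))

    return {
        "hops": len(received),
        # The page: the message is returned when the number of Received
        # fields exceeds the maximum hop count setting.
        "exceeds_hop_count": len(received) > max_hops,
        "rdns_findings": findings,
    }


if __name__ == "__main__":
    report = audit_received(SAMPLE_MESSAGE)
    print("hops:", report["hops"], "over limit:", report["exceeds_hop_count"])
    for position, marker, header in report["rdns_findings"]:
        print(f"hop {position}: {marker}: {header}")
```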
Setting Message Size Limits (IIS 6.0)
There are two message size limit settings. The first, Limit message size to, is a preferred message limit for the virtual server. This is what the SMTP service will advertise as the maximum message size this Simple Mail Transfer Protocol (SMTP) virtual server will accept. If a mail client sends a message that exceeds the limit, it will get an error. If a remote server supports EHLO, it will detect the advertised maximum message size value when it connects to the SMTP virtual server and won't attempt to deliver a message that exceeds the limit. Instead it will simply send a non-delivery report (NDR) to the sender of the message. A remote server that does not support EHLO will try to send a message that exceeds the size limit, but will still end up sending an NDR to the sender when the message doesn't go through.
Limit session size to is the maximum amount of data accepted during the total connection. This is the sum of all messages sent during the connection (applying to the message body only).
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set message size limits
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Messages tab, select the Limit message size to (KB) check box, and then type a value (in kilobytes) for the maximum size of a message. The default is 2048 KB. The minimum value is 1 KB.
3. Select the Limit session size to (KB) check box, and then type a value to indicate the maximum total size (in kilobytes) of all messages in a given connection. This number will always be larger than the maximum message size and should be set carefully because the connecting message transfer agent (MTA) is likely to resubmit the message repeatedly. The default size is 10240 KB. This value should be greater than or equal to the value entered for Limit message size to (KB).
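The advertised maximum message size travels in the EHLO reply as the SIZE keyword (RFC 1870, value in bytes), next to STARTTLS when the server offers TLS. The following added example, which is not part of the original page, parses a constructed EHLO reply and makes the sending server's decision described above; the reply text, the function names and the policy of deferring when STARTTLS is missing are assumptions of the example.

```python
import re

# Constructed EHLO reply for illustration, not captured from a real server.
# 2097152 bytes is the 2048 KB default message size limit from this page.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.com Hello [192.0.2.10]\r\n"
    "250-SIZE 2097152\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply):
    """Parse a multiline 250 reply into {KEYWORD: [parameters]}.

    The first line is the greeting and carries no keyword. Raises
    ValueError for any reply that is not a well-formed 250 reply.
    """
    lines = [line for line in reply.splitlines() if line]
    if not lines:
        raise ValueError("empty EHLO reply")
    capabilities = {}
    for index, line in enumerate(lines):
        match = re.fullmatch(r"250([ -])(.*)", line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        separator, text = match.groups()
        is_last = index == len(lines) - 1
        # "250-" marks a continuation line, "250 " marks the final line.
        if (separator == " ") != is_last:
            raise ValueError(f"continuation marker mismatch: {line!r}")
        parts = text.split()
        if index > 0 and parts:
            capabilities[parts[0].upper()] = parts[1:]
    return capabilities


def advertised_size_limit(capabilities):
    """Return the SIZE limit in bytes, or None if no fixed limit is given."""
    parameters = capabilities.get("SIZE")
    if not parameters:
        return None          # SIZE absent, or present without a value
    if not parameters[0].isdigit():
        raise ValueError(f"malformed SIZE parameter: {parameters[0]!r}")
    limit = int(parameters[0])
    return limit or None     # RFC 1870: zero means no fixed maximum


def delivery_decision(reply, message_bytes, require_tls=True):
    """Decide what a sending server does after reading the EHLO reply."""
    capabilities = parse_ehlo(reply)
    if require_tls and "STARTTLS" not in capabilities:
        # Assumed policy of this example: never fall back to cleartext.
        return "defer: STARTTLS not offered"
    limit = advertised_size_limit(capabilities)
    if limit is not None and message_bytes > limit:
        return "ndr: message exceeds advertised SIZE"
    return "send"


if __name__ == "__main__":
    print(delivery_decision(SAMPLE_EHLO_REPLY, 512 * 1024))
    print(delivery_decision(SAMPLE_EHLO_REPLY, 3 * 1024 * 1024))
```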
Setting Recipient Limits (IIS 6.0)
You can determine the maximum number of recipients for a single message sent in one connection. The default is 100, which is the minimum number specified in Request for Comment (RFC) 821. Many clients return messages with a non-delivery report (NDR) after an error message is received, indicating that the maximum number of recipients has been exceeded. The SMTP service does not return messages in this instance. It opens a new connection immediately and processes the remaining recipients. For example, if the recipient limit is set to 100 and a message with 105 recipients is received, the first 100 are delivered in one connection. Then, a new connection is opened, and the message is processed for the remaining five recipients.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set recipient limits
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Messages tab, select the Limit number of recipients per message to check box, and then type a number to represent the recipient limit. To impose no limit, clear the check box.
Limiting the Number of Messages per Connection (IIS 6.0)
This option enables you to limit the number of messages sent in a single connection. It also provides a method to improve system performance by allowing the use of multiple connections to deliver messages to a remote domain. When the set limit is reached, a new connection is automatically opened and the transmission continues until all messages are delivered.
For example, if you commonly send a large number of messages to certain remote domains, you could set the Limit number of messages per connection to value to a relatively small number, such as 20. As a result, when sending 100 messages in one session, the SMTP service immediately opens a new connection after the first 20 are sent, another after the next 20 are sent, and so on. In this case, there could be up to five simultaneous connections delivering queued messages to one destination. Message delivery would be faster because fewer messages are delivered simultaneously, instead of in one long stream over one connection.
To determine a value for the limit, review the Messages Sent/sec performance counter for the SMTP Server object in System Monitor. The Limit number of messages per connection to value should be less than the value indicated by the performance counter. If the counter indicates a value of 30, and you set your maximum connections to 50, no simultaneous connection would be opened because the server would not exceed 30 messages per second. It would work as though the messages were sent in one long stream over one connection. This setting affects outgoing messages only. You can use it to increase your server output speed, but it has no effect on the rate that other servers process incoming messages.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To limit the number of messages sent in one connection
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Messages tab, select the Limit number of messages per connection to check box, and then type a value in the box. The default is 20.
Storing Non-Delivery Reports (IIS 6.0)
When a message is undeliverable, the SMTP service returns it to the sender with a non-delivery report (NDR). You can also designate that copies of the NDR be sent to a location of your choice. If the NDR cannot be delivered to the sender, a copy of the message is put in the Badmail directory.
All NDRs go through the same delivery process as other messages, including attempts to resend the message. If the NDR has reached the retry limit and cannot be delivered to the sender, a copy of the message is placed in the Badmail directory. Messages placed in the Badmail directory cannot be delivered or returned.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To set a storage location for NDRs
1. In IIS Manager, right-click the SMTP virtual server, and then click Properties.
2. Click the Messages tab, in the Send copy of Non-Delivery Report to box, type the e-mail address of the mailbox you want to use to store copies of the NDRs. This address can be any valid SMTP e-mail address and is optional. To disable the feature, clear the text box.
3. In the Badmail directory box, type the directory you want to use to store undeliverable messages. The default location is X:\Inetpub\Mailroot\Badmail, where X is the drive on which IIS is installed. Click Browse to select another folder. You can designate a different directory, provided it is on the same computer as the SMTP service.
Creating SMTP Domains (IIS 6.0)
You can create two types of domains in the SMTP service: alias and remote. Alias domains allow you to create secondary domains that point to the default domain and use its settings, including the Drop directory. Any message sent to an alias domain is stamped with the default domain name.
Remote domains can be set for domains to which you commonly send messages. For each remote domain, you can set a predetermined delivery route and require that Transport Layer Security (TLS) encryption be used in all sessions with that domain. You can also use a wildcard character in the name so that all inclusive domains for the domain you are creating use the same settings. Use an asterisk (*) as the first character, followed by a period (.). For example, you can use the asterisk as a wildcard in the following format:
*.example.com
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To create an alias domain
1. In IIS Manager, expand the SMTP virtual server, right-click Domains, point to New, and then click Domain.
2. Use the New SMTP Domain Wizard to set up a local (alias) domain.
To create a remote domain
1. In IIS Manager, expand the SMTP virtual server, right-click Domains, point to New, and then click Domain.
2. In Welcome to the New SMTP Domain Wizard, ensure that the Remote option is selected, and click Next.
3. In Domain Name, in the Name text box, type a name for the new domain, and then click Finish.
You can use a wildcard character. For example, type *.contoso.com if you want mail to be delivered to any of the contoso.com SMTP servers.
4. Right-click the domain you just created, and then click Properties.
5. Select the Allow incoming mail to be relayed to this domain check box.
6. Click Outbound Security, and then configure the authentication and provide the credentials required by the SMTP server to which the smart host will connect.
Deleting SMTP Domains (IIS 6.0)
You can delete domains that you have added. You cannot delete the default domain, unless you first add an alias domain and then make that domain the default domain.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To delete a domain
1. In IIS Manager, expand the SMTP virtual server, and click Domains.
2. In the details pane, right-click the domain you want to delete, and click Delete.
Designating Default Domains (IIS 6.0)
The default domain is used to stamp messages from addresses that do not have a domain. A Simple Mail Transfer Protocol (SMTP) virtual server can have one default domain that cannot be deleted.
To name a default domain, you can use the name specified on the DNS tab for the TCP/IP protocol in the Network application in Control Panel. This domain name is also used for all other services. Alternatively, you can specify a unique domain to serve as the default for the SMTP service only.
At startup, the name designated on the DNS tab for the TCP/IP protocol in the Network application in Control Panel is automatically used for the default domain. If you change the name on the DNS tab, the new name is used automatically for the default domain the next time the service is started. No action is required to update the default domain for the SMTP service.
To override the automatic use of the network domain, specify the default domain on the General tab. The SMTP service can then use the designated name instead of the network domain.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To rename the default domain
1. In IIS Manager, expand the SMTP virtual server, and then click Domains.
2. In the details pane, right-click a domain name, and then click Rename.
3. Type a new name for the default domain.
Thursday, July 9, 2009