Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

HOW TO: Set SMTP Security Options in Windows Server 2003



SUMMARY

This step-by-step article describes how to set Simple Mail
Transfer Protocol (SMTP) virtual server security options. You can select the
security levels for the SMTP virtual server and use the security options to
obtain the level of protection that you require. The settings that you
configure on the security tabs apply to all domains on the virtual server.



Setting Operator Permissions

You can designate which user accounts have operator permissions
for the SMTP virtual server. After you set up Windows user accounts, you can
grant or rescind permissions by adding users to, or removing users from, the Operators list.


To Assign Operator Permissions

To assign operator permissions, add the user account that you
want to the Operators list:
  1. Start Internet Information Services Manager or open the
    Microsoft Internet Information Services (IIS) snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Security tab, and then click Add.
  5. Click the Windows user account that you want to add, click Add, and then click OK.

    The account that you added is displayed in the Operators list.
  6. Click OK.
  7. Quit IIS Manager or close the IIS snap-in.

To Remove Operator Permissions

To remove operator permissions, remove the user account from the Operators list:
  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Security tab.
  5. In the Operators list, click the Windows user account that you want to remove,
    click Remove, and then click OK.
  6. Quit IIS Manager or close the IIS snap-in.

Authentication for Incoming Connections

There are three authentication methods that are available. You
can select and use one, two, or all three of the following methods:
  • Anonymous access: If you use this option, an account name or password is not
    required. You can use this option to disable authentication for the SMTP
    virtual server.
  • Basic authentication: If you use this option, an account name and a password are sent
    as clear text. You must specify a Windows domain that is appended to the
    account name for authentication.
  • Integrated Windows Authentication: If you use this option, the Windows account name and password
    are authenticated.

To Disable Authentication for Incoming Messages

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Access control, click Authentication.
  5. Click to select the Anonymous access check
    box (if it is not already selected), and then click to clear the Basic authentication
    and Integrated Windows Authentication check boxes (if they are selected).
  6. Click OK two times.
  7. Quit IIS Manager or close the IIS snap-in.

To Set Clear Text Authentication for Incoming Messages

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Access control, click Authentication.
  5. Click to select the Basic authentication check box.
  6. Click Yes on the message that appears in the Basic Authentication dialog box to confirm that you want to continue.
  7. In the Default domain box, type a Windows
    domain name.

    NOTE: This default domain differs from the SMTP virtual server default
    domain.
  8. Click OK two times.
  9. Quit IIS Manager or close the IIS snap-in.

To Use Integrated Windows Authentication to Authenticate Incoming Messages

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Access control, click Authentication.
  5. Click to select the Integrated Windows Authentication check box.
  6. Click OK two times.
  7. Quit IIS Manager or close the IIS snap-in.

Configuring Authentication for Outbound Messages

You can configure the SMTP virtual server to provide the
authentication credentials that the receiving server needs. The three methods
of authentication are:
  • Anonymous access: If you use this option, an account name or password is not
    required.
  • Basic authentication: If you use this option, the account name and password of the
    server that you are connecting to are sent as clear text.
  • Integrated Windows Authentication: If you use this option, a Windows account name and password are
    required.
You can override the authentication option that you set for a
specific domain. By doing so, you can configure the SMTP virtual server
authentication level to handle most of the transmissions, and also permit
exceptions for individual addresses. For example:
  • If messages are frequently sent to multiple addresses,
    disable authentication for the SMTP virtual server. If attempts to deliver
    messages to an address are unsuccessful because of authentication requirements,
    add a remote domain for the address, and then enable authentication for the
    domain at the same level that the server requires.
  • If messages are frequently sent to one address that
    requires authentication, determine the level of authentication that is required
    to connect, and then enable authentication for the SMTP virtual server by using
    the same level. If you want to send messages to other addresses, set up remote
    domains, and then set different authentication options. If you use this option,
    it is likely that the account name used is the one that identifies the computer
    set up as the smart host.

To Disable Authentication for Outbound Messages

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Delivery tab, and then click Outbound Security.
  5. Click Anonymous access (if it is not
    already selected).
  6. Click OK two times.
  7. Quit IIS Manager or close the IIS snap-in.

To Set Basic Authentication for Outbound Messages

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Delivery tab, and then click Outbound Security.
  5. Click Basic authentication.
  6. In the User name and Password boxes, type the account name and password that grants you access
    to the computer that you are connecting to.
  7. Click OK two times.
  8. Quit IIS Manager or close the IIS snap-in.

To Set Integrated Windows Authentication for Outbound Messages

Integrated Windows Authentication requires a Windows account name
and password. To create these elements, follow these steps:
  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Delivery tab, and then click Outbound Security.
  5. Click Integrated Windows Authentication.
  6. In the Account and Password boxes, type the Windows account name and password that grants you
    access to the computer that you are connecting to.
  7. Click OK two times.
  8. Quit IIS Manager or close the IIS snap-in.

Transport Layer Security Encryption

Transport Layer Security (TLS) is a generic security protocol
that is similar to Secure Sockets Layer (SSL). You can require that all clients
use TLS encryption to connect to the default SMTP virtual server. This option
secures the connection, but it is not used for authentication.


To Create and Manage Key Certificates

To use TLS encryption for the virtual server, you must create key
pairs and configure key certificates. Clients can then use TLS to encrypt the
session (and all messages that are sent) with SMTP Service.
  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Secure communication, click Certificate.

    The Welcome to the Web Server Certificate Wizard
    starts. Click Next, and then follow the instructions in the wizard to set up new key
    certificates and manage installed key certificates for the SMTP virtual
    server.

    Key pairs are made up of a number of bits that indicate the
    key's security level. You can strengthen security by increasing the encryption
    level from 40 bits (the default) to 128 bits. The greater the number of bits,
    the more difficult the item is to decrypt.
IMPORTANT: Users who try to secure access must use the same encryption
level that you set. Otherwise, messages are returned with a non-delivery report
(NDR).


To Set TLS Encryption Levels for the Server

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Access control, click Authentication.
  5. Click Basic authentication.
  6. Click to select the Requires TLS encryption check box.
  7. Click OK two times.
  8. Quit IIS Manager or close the IIS snap-in.
NOTE: Two additional TLS options are available. To use TLS for all
outgoing connections, click Outbound Security on the Delivery tab, and then click to select the TLS encryption check box. Also, if a server to which you frequently connect requires the use
of TLS for all incoming connections, you can create a remote domain, and then
configure TLS encryption for the remote domain.
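
A way to check the result of the inbound authentication and TLS settings from the client side, as an added example that is not part of the original article: it parses the reply a server gives to EHLO and reports whether a clear-text password mechanism is offered on a session that cannot be upgraded to TLS. It assumes that Basic authentication is advertised as the LOGIN or PLAIN mechanism; the sample replies and the encoded value are constructed.

```python
import base64

# Mechanisms whose password can be read straight off an unencrypted session.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed EHLO replies (not captured from a real server).
EHLO_NO_TLS = """250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-SIZE 2097152
250 OK"""
EHLO_WITH_TLS = EHLO_NO_TLS.replace("250-SIZE", "250-STARTTLS\n250-SIZE")


def parse_ehlo(reply):
    """Return {KEYWORD: set(parameters)} from a multi-line 250 reply."""
    caps = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250") or len(line) < 5:
            continue
        # "AUTH=LOGIN" is an older spelling of "AUTH LOGIN"; treat both alike.
        words = line[4:].replace("=", " ").upper().split()
        if words:
            caps.setdefault(words[0], set()).update(words[1:])
    return caps


def audit(reply):
    """List findings about password exposure for one EHLO reply."""
    caps = parse_ehlo(reply)
    exposed = ",".join(sorted(caps.get("AUTH", set()) & CLEARTEXT_MECHS))
    if not caps.get("AUTH"):
        return ["INFO: no AUTH offered (anonymous access only)"]
    if exposed and "STARTTLS" not in caps:
        return ["HIGH: AUTH %s offered with no STARTTLS" % exposed]
    if exposed:
        return ["CHECK: AUTH %s offered before STARTTLS; confirm "
                "'Requires TLS encryption' is selected" % exposed]
    return []


def decode_login_field(b64):
    """AUTH LOGIN fields are base64, which is an encoding, not encryption."""
    return base64.b64decode(b64).decode("ascii")


if __name__ == "__main__":
    print(audit(EHLO_NO_TLS))
    print(audit(EHLO_WITH_TLS))
    print(decode_login_field("cGFzc3dvcmQ="))  # constructed value
```
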


Setting IP Access Restrictions to the Server

You can grant or deny SMTP virtual server access to specific IP
addresses. By default, the SMTP virtual server is accessible to all IP
addresses.


To Set IP Address Access Restrictions

You can set restrictions by specifying a single IP address, a
group of addresses using a subnet mask, or a domain name.
  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Connection control, click Connection.
  5. Click either Only the list below or
    All except the list below.
  6. To add a computer, group of computers, or a domain to the Computers list, click Add, specify the computer, group of computers, or domain that you
    want to add, and then click OK.
  7. To remove a computer, group of computers, or domain from
    the Computers list, click the item that you want to remove in the list, click Remove, and then click OK.
  8. Click OK, and then quit IIS Manager or close the IIS snap-in.

Removing Relay Restrictions from a Virtual Server

By default, SMTP Service blocks computers from relaying
undesirable mail through the virtual server. All computers are blocked by
default except those that meet the authentication requirements that are
configured in the Authentication dialog box (click the Access tab, and then click Authentication).

NOTE: If your virtual server is on the Internet, Microsoft recommends
that you do not permit relaying. This prevents the propagation of unsolicited
e-mail.


To Remove Relay Restrictions from a Virtual Server

  1. Start IIS Manager or open the IIS snap-in.
  2. Expand Server_name, where Server_name is the name of the
    server.
  3. Right-click the SMTP virtual server that you want (for
    example, Default SMTP Virtual Server), and then click Properties.
  4. Click the Access tab, and then under Relay restrictions, click Relay.
  5. Click either Only the list below or
    All except the list below.
  6. Click Add, and then add exceptions to the global access option that you
    selected in step 5.

    For example, you can specify the following
    options in the Relay Restrictions dialog box:
    • If you click Only the list below, only
      computers that are displayed on the Computers list can relay messages through the SMTP virtual
      server.
    • If you click All except the list below, all computers can relay messages through the SMTP virtual
      server, except those that are displayed on the Computers list. This option is set by default, as is the Allow all
      computers which successfully authenticate to relay, regardless of the list above option.
    • If you click to select the Allow all computers
      which successfully authenticate to relay, regardless of the list above
      check box, computers that meet authentication requirements that are set in the Authentication dialog box can relay messages to the SMTP virtual server. This
      option is set by default.
  7. Click OK, and then quit IIS Manager or close the IIS snap-in.
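
The list logic described for the Connection and Relay Restrictions dialog boxes, modelled as an added example that is not part of the original article, so that a planned configuration can be checked for an open relay before it is applied. The mode names "only" and "all_except", the function names and the sample addresses are assumptions made for this example, and domain-name entries are not modelled.

```python
import ipaddress


def listed(client_ip, computers):
    """True if client_ip matches an entry in the Computers list.

    Entries are a single address ("192.0.2.25") or a group given as
    (address, subnet mask). Domain-name entries are not modelled.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in computers:
        if isinstance(entry, tuple):
            if ip in ipaddress.ip_network("%s/%s" % entry, strict=False):
                return True
        elif ip == ipaddress.ip_address(entry):
            return True
    return False


def list_grants(mode, computers, client_ip):
    """mode: "only" (Only the list below) or "all_except" (All except ...)."""
    hit = listed(client_ip, computers)
    return hit if mode == "only" else not hit


def may_relay(mode, computers, allow_authenticated, client_ip, authenticated):
    """Relay decision: the authenticated override wins, then the list."""
    if allow_authenticated and authenticated:
        return True
    return list_grants(mode, computers, client_ip)


def audit_relay(mode, computers, probe_ip="203.0.113.5"):
    """Flag settings that let an unauthenticated outside address relay."""
    if may_relay(mode, computers, False, probe_ip, False):
        return ["open relay: unauthenticated %s may relay (%s, %d entries)"
                % (probe_ip, mode, len(computers))]
    return []


# Constructed settings for illustration.
INTERNAL = [("10.1.0.0", "255.255.0.0"), "192.0.2.25"]

if __name__ == "__main__":
    print(may_relay("only", INTERNAL, True, "10.1.4.7", False))
    print(audit_relay("only", INTERNAL))
    print(audit_relay("all_except", []))
```

`list_grants` on its own gives the Connection dialog decision; `may_relay` adds the authenticated-computers check box that only the Relay Restrictions dialog has.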


Keywords: kbnetwork, kbhowtomaster, KB324285, kbAudITPro


Article Info
Article ID : 324285
Revision : 3
Created on : 4/20/2018
Published on : 4/20/2018
Exists online : False