Programmatic modification of SMTP virtual server access and relay control

Microsoft Exchange 2000 provides connection and relay control for its Simple Mail Transfer Protocol (SMTP) virtual servers. An administrator can use these controls to limit the computers that can connect to a virtual server or that can relay e-mail to outside the Exchange 2000 organization. You can view these controls by using Exchange System Manager.

An Exchange 2000 post-Service Pack 3 (SP3) hotfix introduces a programmatic interface to the SMTP Virtual Server Connection Control settings and the Relay Control settings. The Exchange IP Security Component Object Model (COM) interface (ExIPSec) provides an additional way to access these control settings.

ExIPSec allows an administrator to programmatically view and modify the connection settings and relay control settings on an Exchange 2000 server. In certain circumstances, an administrator can modify these settings in bulk on servers throughout the organization to lower the total cost of ownership of Exchange 2000.

The following file is available for download from the Microsoft Download Center:
Download the 810913 package now. Release Date: December 12, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Cumulative Patch Information

For more information about a cumulative patch that contains this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

Usage

The computer that is running ExIPSec.dll must be a member of a domain that has Exchange 2000 installed. ExIPSec.dll has been tested on Microsoft Windows NT Server 4.0, Microsoft Windows 2000 Server, and Microsoft Windows XP Professional.

Any language that can create COM clients, such as Visual C++, Visual Basic, Microsoft C#, or Delphi , can use ExIPSec. For languages that require a COM reference, the programmer must add a reference to "ExIPSec 1.0 Type Library". A simple script (Ipsec.vbs) is provided to demonstrate the usage of the COM object. The script can add or delete an entry from either the Allow list or the Deny list, and also clear or display those lists.
The following list describes the typical usage of this interface:

1. Bind to the SMTP Virtual Server Instance. When you bind to the SMTP Virtual Server you must specify the Exchange 2000 server name, the Virtual Server Instance, and a domain controller to connect to through Lightweight Directory Access Protocol (LDAP). If you do not specify an Exchange 2000 server, the local server (that is, the server that the program is running on) is the default server. The Virtual Server Instance is a number; for example, "1" for the default virtual server. The domain controller is the server which has the Active Directory information that must be accessed to read or write settings. The DS2MB process of Exchange System Attendant later reads the Active Directory information and writes it to the Microsoft Internet Information Service (IIS) metabase to actually implement the settings.
   
   VBScript:

   Dim objDsIpSec
   Set objDsIpSec = CreateObject("ExIpSec.ExIpSecurity")
   objDsIpSec.BindToSmtpVsi "MyServer", "1", "MyDomainController

   C# (assuming default names for referenced COM class):

   EXIPSECLib.ExIpSecurityClass sec = new EXIPSECLib.ExIpSecurityClass();
   sec.BindToSmtpVsi("My ExchangeServer", 1, "MyDomainController");
   

2. Access the attribute set to view or modify. To access the attribute set:
   1. Get either the access list or the relay list.
   2. Change the GrantByDefault property, if appropriate.
   3. Then access the appropriate list.
   The combination of the list that you get (GetIPSecurityList or GetRelayList) and the GrantByDefault property indicates which list is applicable. If GrantByDefault is true and the programmer calls GetIPSecurityList, the valid lists that the programmer can work with are IpDeny and DomainDeny. The lists are arrays of variants (or objects if you are using the Microsoft .NET Framework). Those objects are strings of IP addresses, subnet addresses, or domain names.
   
   VBScript:

   objDsIpSec.GetIpSecurityList
   objDsIpSec.GrantByDefault=false
   redim Preserve objDsIpSec.IpGrant(UBound(objDsIpSec.IpGrant)+1)
   listGrant(UBound(objDsIpSec.IpGrant)) = "1.2.3.4"
   

   C#:

   System.Collections.ArrayList list = new System.Collections.ArrayList((object[])sec.IPDeny);
   list.Add("1.2.3.4");
   sec.IPGrant = list.ToArray();
   

3. Write any modifications. The changes that have been made up to this point only exist in memory. This step writes the new settings to the domain controller's Active Directory.
   
   VBScript:

   objDsIpSec.WriteList

   C#:

   sec.WriteList();

4. Unbind from the Virtual Server Instance. This step is necessary clean up.
   
   VBScript:

   objDsIpSec.ReleaseBinding

   C#:

   sec.ReleaseBinding();

See ExIPSec.vbs for more sample code that includes error handling.

The English version of this feature has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Component: EMOIn Microsoft Exchange Server 2003, the ExIpsec.dll file and the Ipsec.vbs file have been updated to include the ability to update Exchange 2003 global accept and deny lists. This tool can be used against Exchange 2000 servers. However, the global accept and deny list configuration is only applicable to Exchange 2003 servers. If Active Directory has been updated with the Exchange 2003 schema, the tool can be used to configure entries on the global accept and deny lists. However, this configuration is only available on Exchange 2003 servers. For more information, visit the following Microsoft Web site: