
IIS SMTP mail relay service and Microsoft Exchange Server

01 Jun 2005 | SearchSecurity.com


by Michael Cobb

This list is a companion piece to the Secure Web server installation portion of SearchSecurity.com's Intrusion Defense School lesson on Web attack prevention and defense. Check out the companion primer, Insider's guide to Web server security.

You can use the IIS SMTP mail relay service to prevent spammers from directly interacting with your Microsoft Exchange Server!


Your Exchange Server is probably set up on your internal network to receive all mail for users in your domain for onward delivery. If you publish your Exchange Server's SMTP service, Internet users can send messages directly to your Exchange Server. Allowing the Internet to have direct contact with your Exchange Server is never a good idea. To stop this direct contact, set up an IIS SMTP relay and, instead of publishing the Exchange Server's SMTP service, publish the IIS SMTP Service. When mail destined for yourdomain.com hits the external interface of your firewall, it is forwarded to the SMTP relay, which in turn forwards it to your Exchange Server. Then set your Exchange Server to send outgoing SMTP mail messages to the IIS SMTP relay server, which forwards them on to the Internet.

Figure 1: With this configuration, your Exchange Server's SMTP service never has to interact with an Internet SMTP server.

To secure this setup, restrict relaying in each direction. For incoming mail, allow the IIS SMTP server to relay only to your own domains; for outgoing mail, allow it to relay to all domains. If you allow incoming mail to be relayed to all domains, spammers will take advantage of your open mail relay and you'll process thousands of spam e-mails within a few days. A default configuration allows all computers that can authenticate to relay through the server; however, authentication requires more overhead, so it's better to allow relay based on IP address. Since the Exchange Server is the only machine that should be able to use the IIS SMTP Server as an open relay, add the IP address of your Exchange Server to the list under "Only the list below." The Exchange Server needs this open relay for outbound mail because it has to send SMTP mail to all Internet mail domains. You also need to prevent relay for incoming messages. Do this by configuring the server to relay only messages destined for your own domain:

  1. In the Internet Services Manager console, expand the Default SMTP Virtual Server node.
  2. Right-click on the Domains node, point to New and click Domain.
  3. Select the Remote option and click Next.
  4. Type in your mail domain name and click Finish.
  5. Double-click on your new Remote Domain name.
  6. Check the option to Allow incoming mail to be relayed to this domain so that inbound mail destined for other domains is dropped by the SMTP relay.
  7. In the Route domain frame, select Forward all mail to smart host.
  8. Enter the IP address of your Exchange Server in the text box under this selection in brackets, like [192.168.1.254].
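
The relay rules configured above can be written down as a small decision model and checked against a weak variant. This is an added example, not code from the article or from IIS; the dictionary layout, its key names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Constructed configs; key names are this example's own, not IIS settings.
HARDENED = {
    "relay_allow": ["192.168.1.254/32"],  # Exchange Server only
    "remote_domains": {
        "yourdomain.com": {"allow_relay": True, "smart_host": "[192.168.1.254]"},
    },
}
WEAK = {**HARDENED, "relay_allow": ["0.0.0.0/0"]}  # any host may relay anywhere


def decide(cfg, client_ip, rcpt):
    """Model the relay's answer to one recipient offered by client_ip."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    entry = cfg["remote_domains"].get(domain)
    listed = any(ip in ipaddress.ip_network(n, strict=False)
                 for n in cfg["relay_allow"])
    if entry and (entry["allow_relay"] or listed):
        return ("forward", entry["smart_host"])  # inbound: hand to Exchange
    if entry is None and listed:
        return ("relay", None)                   # outbound: deliver to Internet
    return ("reject", None)                      # everything else is refused


def audit(cfg):
    """Return findings where cfg departs from the setup in the article."""
    findings = []
    for n in cfg["relay_allow"]:
        size = ipaddress.ip_network(n, strict=False).num_addresses
        if size > 1:
            findings.append(f"relay list entry {n} covers {size} addresses")
    for name, d in cfg["remote_domains"].items():
        if not d["allow_relay"]:
            findings.append(f"{name}: inbound relay to this domain is off")
        host = d["smart_host"]
        if not (host.startswith("[") and host.endswith("]")):
            findings.append(f"{name}: smart host {host} is not a bracketed IP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, decide(cfg, "203.0.113.7", "bob@example.net"), audit(cfg))
```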

Another advantage of this setup is that you can take down the Exchange Server for maintenance without losing any incoming mail. You can also improve fault tolerance by setting up multiple IIS SMTP Servers. Another possibility would be to add an additional mail relay server to filter e-mail for spam or viruses before relaying it on to the Exchange Server.

