Microsoft KB Archive/324285

= HOW TO: Set SMTP Security Options in Windows Server 2003 =

PSS ID Number: 324285

Article Last Modified on 4/5/2004

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Small Business Server 2003, Standard Edition
 * Microsoft Windows Small Business Server 2003, Premium Edition

-



This article was previously published under Q324285



For a Microsoft Windows 2000 version of this article, see 303776.

IN THIS TASK

 * SUMMARY
 * Setting Operator Permissions
    * To Assign Operator Permissions
    * To Remove Operator Permissions
 * Authentication for Incoming Connections
    * To Disable Authentication for Incoming Messages
    * To Set Clear Text Authentication for Incoming Messages
    * To Use Integrated Windows Authentication to Authenticate Incoming Messages
 * Configuring Authentication for Outbound Messages
    * To Disable Authentication for Outbound Messages
    * To Set Basic Authentication for Outbound Messages
    * To Set Integrated Windows Authentication for Outbound Messages
 * Transport Layer Security (TLS) Encryption
    * To Create and Manage Key Certificates
    * To Set TLS Encryption Levels for the Server
 * Setting IP Access Restrictions to the Server
    * To Set IP Address Access Restrictions
 * Removing Relay Restrictions from a Virtual Server
    * To Remove Relay Restrictions from a Virtual Server



SUMMARY
This step-by-step article describes how to set Simple Mail Transfer Protocol (SMTP) virtual server security options. You can select the security levels for the SMTP virtual server and use the security options to obtain the level of protection that you require. The settings that you configure on the security tabs apply to all domains on the virtual server.

Setting Operator Permissions
You can designate which user accounts have operator permissions for the SMTP virtual server. After you set up Windows user accounts, you can grant or rescind permissions by adding users to, or removing users from, the Operators list.

To Assign Operator Permissions
To assign operator permissions, add the user account that you want to the Operators list:
 * 1) Start Internet Information Services Manager or open the Microsoft Internet Information Services (IIS) snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Security tab, and then click Add.
 * 5) Click the Windows user account that you want to add, click Add, and then click OK. The account that you added is displayed in the Operators list.
 * 6) Click OK.
 * 7) Quit IIS Manager or close the IIS snap-in.

To Remove Operator Permissions
To remove operator permissions, remove the user account from the Operators list:
 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Security tab.
 * 5) In the Operators list, click the Windows user account that you want to remove, click Remove, and then click OK.
 * 6) Quit IIS Manager or close the IIS snap-in.

Authentication for Incoming Connections
Three authentication methods are available. You can select and use one, two, or all three of the following methods:
 * Anonymous access: If you use this option, an account name or password is not required. You can use this option to disable authentication for the SMTP virtual server.
 * Basic authentication: If you use this option, an account name and a password are sent as clear text. You must specify a Windows domain that is appended to the account name for authentication.
 * Integrated Windows Authentication: If you use this option, the Windows account name and password are authenticated.

To Disable Authentication for Incoming Messages

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Access control, click Authentication.
 * 5) Click to select the Anonymous access check box (if it is not already selected), and then click to clear the Basic authentication and Integrated Windows Authentication check boxes (if they are selected).
 * 6) Click OK two times.
 * 7) Quit IIS Manager or close the IIS snap-in.

To Set Clear Text Authentication for Incoming Messages

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Access control, click Authentication.
 * 5) Click to select the Basic authentication check box.
 * 6) Click Yes on the message that appears in the Basic Authentication dialog box to confirm that you want to continue.
 * 7) In the Default domain box, type a Windows domain name.

NOTE: This default domain differs from the SMTP virtual server default domain.
 * 8) Click OK two times.
 * 9) Quit IIS Manager or close the IIS snap-in.

To Use Integrated Windows Authentication to Authenticate Incoming Messages

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Access control, click Authentication.
 * 5) Click to select the Integrated Windows Authentication check box.
 * 6) Click OK two times.
 * 7) Quit IIS Manager or close the IIS snap-in.

Configuring Authentication for Outbound Messages
You can configure the SMTP virtual server to provide the authentication credentials that the receiving server needs. The three methods of authentication are:
 * Anonymous access: If you use this option, an account name or password is not required.
 * Basic authentication: If you use this option, the account name and password of the server that you are connecting to are sent as clear text.
 * Integrated Windows Authentication: If you use this option, a Windows account name and password are required.

You can override the authentication option that you set for a specific domain. By doing so, you can configure the SMTP virtual server authentication level to handle most of the transmissions, and also permit exceptions for individual addresses. For example:
 * If messages are frequently sent to multiple addresses, disable authentication for the SMTP virtual server. If attempts to deliver messages to an address are unsuccessful because of authentication requirements, add a remote domain for the address, and then enable authentication for the domain at the same level that the server requires.
 * If messages are frequently sent to one address that requires authentication, determine the level of authentication that is required to connect, and then enable authentication for the SMTP virtual server by using the same level. If you want to send messages to other addresses, set up remote domains, and then set different authentication options. If you use this option, it is likely that the account name used is the one that identifies the computer set up as the smart host.

To Disable Authentication for Outbound Messages

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Delivery tab, and then click Outbound Security.
 * 5) Click Anonymous access (if it is not already selected).
 * 6) Click OK two times.
 * 7) Quit IIS Manager or close the IIS snap-in.

To Set Basic Authentication for Outbound Messages

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Delivery tab, and then click Outbound Security.
 * 5) Click Basic authentication.
 * 6) In the User name and Password boxes, type the account name and password that grants you access to the computer that you are connecting to.
 * 7) Click OK two times.
 * 8) Quit IIS Manager or close the IIS snap-in.

To Set Integrated Windows Authentication for Outbound Messages
Integrated Windows Authentication requires a Windows account name and password. To create these elements, follow these steps:
 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Delivery tab, and then click Outbound Security.
 * 5) Click Integrated Windows Authentication.
 * 6) In the Account and Password boxes, type the Windows account name and password that grants you access to the computer that you are connecting to.
 * 7) Click OK two times.
 * 8) Quit IIS Manager or close the IIS snap-in.

Transport Layer Security Encryption
Transport Layer Security (TLS) is a generic security protocol that is similar to Secure Sockets Layer (SSL). You can require that all clients use TLS encryption to connect to the default SMTP virtual server. This option secures the connection, but it is not used for authentication.

To Create and Manage Key Certificates
To use TLS encryption for the virtual server, you must create key pairs and configure key certificates. Clients can then use TLS to encrypt the session (and all messages that are sent) with SMTP Service.
 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Secure communication, click Certificate.

The Welcome to the Web Server Certificate Wizard starts. Click Next, and then follow the instructions in the wizard to set up new key certificates and manage installed key certificates for the SMTP virtual server.

Key pairs are made up of a number of bits that indicate the key's security level. You can strengthen security by increasing the encryption level from 40 bits (the default) to 128 bits. The greater the number of bits, the more difficult the item is to decrypt.

IMPORTANT: Users who try to secure access must use the same encryption level that you set. Otherwise, messages are returned with a non-delivery report (NDR).

To Set TLS Encryption Levels for the Server

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Access control, click Authentication.
 * 5) Click Basic authentication.
 * 6) Click to select the Requires TLS encryption check box.
 * 7) Click OK two times.
 * 8) Quit IIS Manager or close the IIS snap-in.

NOTE: Two additional TLS options are available. To use TLS for all outgoing connections, click Outbound Security on the Delivery tab, and then click to select the TLS encryption check box. Also, if a server to which you frequently connect requires the use of TLS for all incoming connections, you can create a remote domain, and then configure TLS encryption for the remote domain.
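
The effect of the settings described under "Authentication for Incoming Connections" and "To Set TLS Encryption Levels for the Server" is visible to any connecting client in the server's EHLO reply: Basic authentication appears as the LOGIN (or PLAIN) mechanism, and TLS support appears as STARTTLS. The following Python script is an added example for this article, not Microsoft code and not the SMTP Service's own implementation. It parses a captured EHLO reply and reports whether Basic authentication is offered on the unencrypted session, which is the condition the Requires TLS encryption check box is meant to prevent. The host name, EHLO replies, and finding codes are constructed for the example.

```python
"""Check an SMTP virtual server's incoming-authentication posture from its
EHLO reply.

Added example, not part of the Microsoft KB article. It parses the multi-line
250 reply a server sends after EHLO and flags the conditions the article's
Basic authentication and 'Requires TLS encryption' settings control: a
clear-text mechanism (LOGIN or PLAIN, the wire form of Basic authentication)
advertised before TLS, and no STARTTLS offered at all. The replies below are
constructed for the example.
"""

import re
from dataclasses import dataclass, field

CLEAR_TEXT_MECHS = {"LOGIN", "PLAIN"}   # the password crosses the wire unprotected

# One capability line: '250-KEYWORD params' or the final '250 KEYWORD'.
_CAPABILITY = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")


@dataclass
class EhloPosture:
    auth_mechs: set = field(default_factory=set)
    starttls: bool = False
    findings: list = field(default_factory=list)   # (code, explanation) pairs


def parse_ehlo(reply: str) -> EhloPosture:
    """Collect the AUTH mechanisms and the STARTTLS capability from a reply."""
    posture = EhloPosture()
    for raw in reply.splitlines():
        m = _CAPABILITY.match(raw.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "")
        if keyword == "STARTTLS":
            posture.starttls = True
        elif keyword == "AUTH":
            posture.auth_mechs.update(p.upper() for p in params.split())
        elif keyword.startswith("AUTH="):
            # Legacy 'AUTH=LOGIN' form that some servers emit beside 'AUTH ...'.
            posture.auth_mechs.update(p for p in keyword[5:].split("=") if p)
    return posture


def assess(reply: str, after_starttls: bool = False) -> EhloPosture:
    """Grade a reply. after_starttls=True means it was read on the encrypted
    session (a client re-sends EHLO after STARTTLS); clear-text mechanisms
    are acceptable there because the session itself is protected."""
    posture = parse_ehlo(reply)
    clear = posture.auth_mechs & CLEAR_TEXT_MECHS
    if clear and not after_starttls:
        posture.findings.append(("CLEAR_TEXT_AUTH",
            f"Basic authentication ({', '.join(sorted(clear))}) is offered on the "
            "unencrypted session; select 'Requires TLS encryption'"))
    if not posture.starttls and not after_starttls:
        posture.findings.append(("NO_STARTTLS",
            "no STARTTLS offered; incoming sessions cannot be encrypted"))
    if not posture.auth_mechs:
        posture.findings.append(("ANONYMOUS_ONLY",
            "no AUTH offered; only anonymous access is possible"))
    return posture


def finding_codes(posture: EhloPosture) -> set:
    """The set of finding codes, convenient for reporting and for tests."""
    return {code for code, _ in posture.findings}


# Constructed sample: Basic authentication advertised on the clear-text session.
WEAK_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-SIZE 2097152
250-PIPELINING
250-8bitmime
250 OK
"""

# Constructed sample: STARTTLS offered, clear-text mechanisms withheld until TLS.
HARDENED_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-STARTTLS
250-AUTH GSSAPI NTLM
250-SIZE 2097152
250 OK
"""

if __name__ == "__main__":
    for label, reply in (("weak", WEAK_REPLY), ("hardened", HARDENED_REPLY)):
        result = assess(reply)
        print(label, sorted(result.auth_mechs), "STARTTLS" if result.starttls else "no STARTTLS")
        for code, text in result.findings:
            print("   ", code, "-", text)
```

To use it against a real virtual server, capture the reply to EHLO once on the plain connection and, if STARTTLS is offered, once more after the session is encrypted; pass the second capture with after_starttls=True. A server with Requires TLS encryption selected should yield no CLEAR_TEXT_AUTH finding on the first capture.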

Setting IP Access Restrictions to the Server
You can grant or deny SMTP virtual server access to specific IP addresses. By default, the SMTP virtual server is accessible to all IP addresses.

To Set IP Address Access Restrictions
You can set restrictions by specifying a single IP address, a group of addresses using a subnet mask, or a domain name.
 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Connection control, click Connection.
 * 5) Click either Only the list below or All except the list below.
 * 6) To add a computer, group of computers, or a domain to the Computers list, click Add, specify the computer, group of computers, or domain that you want to add, and then click OK.
 * 7) To remove a computer, group of computers, or domain from the Computers list, click the item that you want to remove in the list, click Remove, and then click OK.
 * 8) Click OK, and then quit IIS Manager or close the IIS snap-in.

Removing Relay Restrictions from a Virtual Server
By default, SMTP Service blocks computers from relaying undesirable mail through the virtual server. All computers are blocked by default except those that meet the authentication requirements that are configured in the Authentication dialog box (click the Access tab, and then click Authentication).

NOTE: If your virtual server is on the Internet, Microsoft recommends that you do not permit relaying. This prevents the propagation of unsolicited e-mail.

To Remove Relay Restrictions from a Virtual Server

 * 1) Start IIS Manager or open the IIS snap-in.
 * 2) Expand  , where   is the name of the server.
 * 3) Right-click the SMTP virtual server that you want (for example, Default SMTP Virtual Server), and then click Properties.
 * 4) Click the Access tab, and then under Relay restrictions, click Relay.
 * 5) Click either Only the list below or All except the list below.
 * 6) Click Add, and then add exceptions to the global access option that you selected in step 5.

For example, you can specify the following options in the Relay Restrictions dialog box:
 * If you click Only the list below, only computers that are displayed on the Computers list can relay messages through the SMTP virtual server.
 * If you click All except the list below, all computers can relay messages through the SMTP virtual server, except those that are displayed on the Computers list. This option is set by default, as is the Allow any computers which successfully authenticate to relay, regardless of the list above option.
 * If you click to select the Allow all computers which successfully authenticate to relay, regardless of the list above check box, computers that meet authentication requirements that are set in the Authentication dialog box can relay messages to the SMTP virtual server. This option is set by default.

 * 7) Click OK, and then quit IIS Manager or close the IIS snap-in.
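
The Connection dialog box described under "Setting IP Access Restrictions to the Server" and the Relay Restrictions dialog box described in this section share one list model: a global choice between Only the list below and All except the list below, entries that are a single IP address, a group of addresses given as a network plus subnet mask, or a domain name, and, for relaying only, the exception for computers that successfully authenticate. The following Python script is an added example for this article, not Microsoft code and not the SMTP Service's own implementation; it evaluates both decisions for a connecting computer and flags the setting the note above advises against on an Internet-facing server. The addresses and domain names are constructed for the example, and the handling of domain entries (matching against the connecting host's reverse-lookup name) is an assumption of the example.

```python
"""Evaluate the connection-control and relay-restriction lists of an SMTP
virtual server.

Added example, not from the Microsoft KB article and not the SMTP Service's
own code. It models the list structure both dialog boxes share: a mode
("only_list" = "Only the list below", "all_except" = "All except the list
below") and entries that are a single IP address, a group of addresses given
as network plus subnet mask, or a domain name. For relaying it adds the
"Allow all computers which successfully authenticate to relay, regardless of
the list above" exception. Addresses and names below are constructed.
"""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessList:
    mode: str                                      # "only_list" or "all_except"
    singles: set = field(default_factory=set)      # single addresses, e.g. "192.0.2.10"
    networks: list = field(default_factory=list)   # (network, subnet mask) pairs
    domains: set = field(default_factory=set)      # domain names, e.g. "corp.example.test"

    def matches(self, ip: str, host: Optional[str] = None) -> bool:
        """True when the connecting computer appears on the list.

        Assumption for this example: a domain entry matches the connecting
        host's reverse-lookup name (the domain itself or any name under it).
        """
        addr = ipaddress.ip_address(ip)
        if any(addr == ipaddress.ip_address(s) for s in self.singles):
            return True
        for network, mask in self.networks:
            # "10.0.0.0/255.255.0.0" is accepted directly by ipaddress.
            if addr in ipaddress.ip_network(f"{network}/{mask}", strict=False):
                return True
        if host:
            name = host.lower().rstrip(".")
            for domain in (d.lower() for d in self.domains):
                if name == domain or name.endswith("." + domain):
                    return True
        return False


def connection_allowed(acl: AccessList, ip: str, host: Optional[str] = None) -> bool:
    """Connection control: 'Only the list below' admits listed computers only;
    'All except the list below' admits everything that is not listed."""
    listed = acl.matches(ip, host)
    return listed if acl.mode == "only_list" else not listed


def relay_allowed(acl: AccessList, ip: str, authenticated: bool,
                  allow_authenticated: bool = True, host: Optional[str] = None) -> bool:
    """Relay restrictions: the same list semantics, plus the exception that
    lets any successfully authenticated computer relay regardless of the list."""
    if allow_authenticated and authenticated:
        return True
    return connection_allowed(acl, ip, host)


def relays_for_everyone(acl: AccessList) -> bool:
    """Flag the configuration the article advises against on an Internet-facing
    server: 'All except the list below' with nothing on the list, so any
    computer can relay without authenticating."""
    return acl.mode == "all_except" and not (acl.singles or acl.networks or acl.domains)


# Constructed sample relay list: one host, one network given by subnet mask, one domain.
RELAY_ACL = AccessList(
    mode="only_list",
    singles={"192.0.2.10"},
    networks=[("10.0.0.0", "255.255.0.0")],
    domains={"corp.example.test"},
)

# Constructed sample connection list: refuse one address, accept everything else.
CONNECTION_ACL = AccessList(mode="all_except", singles={"198.51.100.4"})

if __name__ == "__main__":
    print("listed by subnet:", relay_allowed(RELAY_ACL, "10.0.5.7", authenticated=False))
    print("unlisted, anonymous:", relay_allowed(RELAY_ACL, "203.0.113.5", authenticated=False))
    print("unlisted, authenticated:", relay_allowed(RELAY_ACL, "203.0.113.5", authenticated=True))
    print("open relay list:", relays_for_everyone(AccessList(mode="all_except")))
```

The decision order matters: the authenticated-computer exception is evaluated before the list, so clearing that check box is the only way to make the Computers list the sole authority over who can relay.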

Additional query words: kbsecurity

Keywords: kbHOWTOmaster kbNetwork KB324285

Technology: kbSBServ2003Pre kbSBServ2003Search kbSBServ2003St kbSBServSearch kbWinServ2003Data kbWinServ2003Data64bit kbWinServ2003Data64bitSearch kbWinServ2003DataSearch kbWinServ2003Ent kbWinServ2003Ent64bit kbWinServ2003Ent64bitSearch kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St kbWinServ2003Web

-

© 2004 Microsoft Corporation. All rights reserved.