Microsoft KB Archive/303776

= How To Set SMTP Security Options in Windows 2000 =

Article ID: 303776

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q303776



IN THIS TASK
SUMMARY Setting Operator Permissions
 * To Assign Operator Permissions
 * To Remove Operator Permissions

Requiring Authentication for Incoming Connections
 * To Disable Authentication for Incoming Messages
 * To Set Clear Text Authentication for Incoming Messages
 * To Use a Windows Security Package to Authenticate Incoming Messages

Configuring Authentication for Outbound Messages
 * To Disable Authentication for Outgoing Messages
 * To Set Basic Authentication for Outgoing Messages
 * To Set Windows Security Package for Outgoing Messages

Requiring Transport Layer Security (TLS) Encryption
 * To Create and Manage Key Certificates
 * To Set TLS Encryption Levels for the Server

Setting IP Access Restrictions to the Server
 * To Set IP Address Access Restrictions

Removing Relay Restrictions from a Virtual Server
 * To Remove Relay Restrictions from a Virtual Server



SUMMARY
You can choose the security levels for the Simple Mail Transfer Protocol (SMTP) virtual server and you can use the security options to obtain the level of protection that you require. Settings on the security tabs apply to all domains on the virtual server. This step-by-step article describes how to set the security options.

back to the top

Setting Operator Permissions
If the remote domain is not specifically configured, Microsoft SMTP Service does not perform any of these operations when it delivers to this domain. However, SMTP Service completes a normal DNS lookup.

back to the top

To Assign Operator Permissions
You can designate which user accounts have operator permissions for the SMTP virtual server. After you set up Windows 2000 Server accounts, you can grant permissions by selecting the account from a list.
 * 1) In Microsoft Management Console (MMC), click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Security tab, and then click Add.
 * 3) Click a Windows 2000 Server account, click Add, and then click OK. The selected account is now displayed in Operators.

back to the top

To Remove Operator Permissions
To remove permissions, remove the account from the list of virtual server operators. You can also remove operator permissions from the Windows 2000 Server user accounts that are listed in Operators.
 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Security tab, and then click the operator you want to remove.
 * 3) Click Remove.

back to the top

Requiring Authentication for Incoming Connections
There are three authentication methods available. You can choose one, two, or all three methods. All three authentication methods are set by default.
 * If you use the Anonymous access option, an account name or password is not required. You can use this option to disable authentication for the SMTP virtual server.
 * If you use the Basic authentication option, an account name and a password are sent using clear text. You must specify a Windows domain that is appended to the account name for authentication.
 * If you use the Windows security package option, a Windows account name and password are authenticated using this option.

back to the top

To Disable Authentication for Incoming Messages

 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Authentication under Access control.
 * 3) Click Anonymous access, and then click to clear the remaining check boxes for the other options.

back to the top

To Set Clear Text Authentication for Incoming Messages

 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Authentication under Access control.
 * 3) Click Basic authentication.
 * 4) In the Default domain box, type a Windows domain name.

This default domain differs from the SMTP virtual server default domain.

back to the top

To Use a Windows Security Package to Authenticate Incoming Messages

 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Authentication under Access control.
 * 3) Click Windows security package.

back to the top

Configuring Authentication for Outbound Messages
You can configure the SMTP virtual server to provide the authentication credentials required by the receiving server. The following types of authentication are available:
 * Anonymous (does not require authentication)
 * Basic (clear text)
 * Windows Security Package

You can override the SMTP virtual server authentication by selecting a configuration option.
 * If messages are commonly sent to multiple addresses, disable authentication for the SMTP virtual server. If attempts to deliver messages to an address fail because of authentication requirements, add a remote domain for the address, and then enable authentication for the domain at the same level required by the server.
 * If messages are commonly sent to one address that requires authentication, determine the level of authentication required to connect, and then enable authentication for the SMTP virtual server using the same level. If you want to send messages to other addresses, set up remote domains and set different authentication options. If you use this option, it is likely that the account name used is the one that identifies the computer set up as the smart host.

back to the top

To Disable Authentication for Outgoing Messages

 * 1) Click the Delivery tab, and then click Outbound Security.
 * 2) Click Anonymous access, and then clear all other options.

back to the top

To Set Basic Authentication for Outgoing Messages

 * 1) Click the Delivery tab, and then click Outbound Security.
 * 2) Click Basic authentication.
 * 3) Under User name and Password, type the account name and password that grants you access to the computer you are connecting to.

back to the top

To Set Windows Security Package for Outgoing Messages
The Windows Security Package authentication requires a Windows account name and password.
 * 1) Click the Delivery tab, and then click Outbound Security.
 * 2) Click Windows security package.
 * 3) Under User name and Password, type a Windows account name and password that grants you access to the computer you are connecting to.

back to the top

Requiring Transport Layer Security (TLS) Encryption
You can require that all clients use TLS encryption, a generic security protocol similar to Secure Sockets Layer (SSL), to connect to the default SMTP virtual server. This option secures the connection, but it is not used for authentication.

back to the top

To Create and Manage Key Certificates
To use TLS encryption for the virtual server, you must create key pairs and configure key certificates. Clients can then use TLS to encrypt the session with SMTP Service and all messages that are sent.
 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Certificate under Secure communication to set up new key certificates and manage installed key certificates for the SMTP virtual server.

Key pairs consist of a number of bits that indicate the key's security level. You can strengthen security by increasing the encryption level from 40 bits (the default) to 128 bits. The greater the number of bits, the more difficult the item is to decrypt. Because of export restrictions, the 128-bit key strength encryption feature is available only in the United States and Canada.

IMPORTANT: Users who are attempting to secure access must use the same encryption level that you set, or messages are returned with a non-delivery report (NDR).

back to the top

To Set TLS Encryption Levels for the Server

 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Authentication under Access control.
 * 3) Click Basic authentication.
 * 4) Click to select the Require TLS encryption check box.

NOTE: Two additional TLS options are available. To use TLS for all outgoing connections, click Outbound Security on the Delivery tab, and then click TLS encryption. Also, if a server to which you commonly connect requires the use of TLS for all incoming connections, you can create a remote domain, and then click TLS encryption when you create the domain.

back to the top

Setting IP Access Restrictions to the Server
You can grant or deny SMTP virtual server access to specific IP addresses. By default, the SMTP virtual server is accessible to all IP addresses.

back to the top

To Set IP Address Access Restrictions
You can set restrictions by specifying a single IP address, a group of addresses using a subnet mask, or a Windows 2000 Server domain name.
 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Connection under Connection control.
 * 3) Click either Only the list below or All except the list below.
 * 4) To add to the list of computers, click Add.
 * 5) To delete from the list of computers, click a listing, and then click Remove.

back to the top

Removing Relay Restrictions from a Virtual Server
By default, SMTP Service blocks computers from relaying unwanted mail through the virtual server. By default, all computers are blocked except those that meet the authentication requirements designated in the Authentication dialog box, which you can view by clicking Authentication on the Access tab.

NOTE: If your virtual server is on the Internet, it is recommended that you do not allow relaying to avoid propagating unsolicited e-mail.

back to the top

To Remove Relay Restrictions from a Virtual Server

 * 1) In MMC, click the SMTP virtual server, and then click Properties on the Action menu.
 * 2) Click the Access tab, and then click Relay under Relay restrictions.
 * 3) Click either Only the list below or All except the list below.
 * 4) Click Add, and then add exceptions to the global access option that you chose in step three.

You can specify the following options in the Relay Restrictions dialog box:
 * If you click Only the list below, only the computers listed can relay messages through the SMTP virtual server.
 * If you click All except the list below, all computers can relay messages through the SMTP virtual server, except those listed below. This option is set by default, along with Allow any computers which successfully authenticate to relay, regardless of the list above.
 * If you click Add and Remove, you can add and remove entries to the list of those computers either granted or denied relay access.
 * If you click Allow all computers which successfully authenticate to relay, regardless of the list above, computers that meet authentication requirements that are set in the Authentication dialog box can relay messages to the SMTP virtual server. This option is set by default.

back to the top

Keywords: kbhowtomaster KB303776

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.