Microsoft KB Archive/920600

= How to make the connection control apply to anonymous connections in an SMTP virtual server =

Article ID: 920600

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems




Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.



INTRODUCTION
When you set the value of the SmtpIpRestrictionFlag property to 1 in Microsoft Internet Information Services (IIS), the connection control applies to anonymous connections only.



MORE INFORMATION
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Warning If you use this setting, you will break sender check for the whole SMTP virtual server. Because Anonymous authentication is enabled on the SMTP Virtual Server, sender check is disabled. This means that mail will be accepted on this Virtual Server regardless of who the sender is. Identity theft can occur in this case. Therefore, if you intend to check senders by using basic authentication, do not use this setting. If the SmtpIpRestrictionFlag is turned on, an authenticated user can submit mail from an address that they do not own. Use this setting with caution.

Typically, mail administrators want Microsoft Exchange Server to receive anonymous mail submissions from hosts such as other mail gateways or application servers that must deliver mail. However, these hosts cannot be configured to use authenticated Simple Mail Transfer Protocol (SMTP). Instead, the mail administrators create a dedicated, anonymous virtual server that has the connection control configured to enable connection only from those specified hosts.

Having multiple virtual servers on Exchange Server can make mail issues difficult to troubleshoot. Therefore, Microsoft IT has published a white paper that describes how to make the connection control settings relevant only for anonymous connections. This configuration enables you to use an existing virtual server to allow anonymous connections from some IP addresses. Additionally, you can maintain access from all authenticated client computers.

You can use an existing SMTP virtual server to do the following tasks:

 * Enable anonymous authentication in addition to the current authentication settings
 * Configure connection control to let only the hosts that submit mail anonymously connect
 * Set the value of the SmtpIpRestrictionFlag property to 1 on the SMTP virtual server

Then, you can use this virtual server for ordinary mail flow and anonymous mail submissions in addition to maintaining good security.

Note For the first SMTP virtual server, type the following command at the command prompt:

cscript adsutil.vbs set SMTPSVC/1/SmtpIpRestrictionFlag 1
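
To see which SMTP virtual servers already have this flag set before or after you run the command, the following added example (not part of the Microsoft article) reads SmtpIpRestrictionFlag from every instance through the IIS ADSI provider. It assumes that PowerShell is installed on the server and that the session runs as a local administrator; the function and parameter names are made up for this example.

```powershell
# Added example (not from the Microsoft article): audit SmtpIpRestrictionFlag
# on every SMTP virtual server through the IIS ADSI provider.
# Assumptions: PowerShell is installed on the server, the session runs as a
# local administrator, and the function/parameter names below are made up here.

function Read-MetabaseProperty {
    param($Entry, [string]$Name)
    try { return $Entry.psbase.InvokeGet($Name) }
    catch { return $null }   # the provider could not return the property
}

function Get-SmtpIpRestrictionFlag {
    param([string]$Computer = 'localhost')

    $service = [ADSI]"IIS://$Computer/SMTPSVC"
    foreach ($child in $service.psbase.Children) {
        # Numbered children (SMTPSVC/1, SMTPSVC/2, ...) are the virtual servers.
        if ($child.psbase.SchemaClassName -ne 'IIsSmtpServer') { continue }

        $flag = Read-MetabaseProperty $child 'SmtpIpRestrictionFlag'
        if ($flag -eq $null) { $meaning = 'value could not be read' }
        elseif ($flag -eq 1) { $meaning = 'connection control applies to anonymous connections only' }
        else                 { $meaning = 'flag is not set to 1' }

        # One report row per virtual server.
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Path    ('SMTPSVC/' + $child.psbase.Name)
        $row | Add-Member NoteProperty Comment (Read-MetabaseProperty $child 'ServerComment')
        $row | Add-Member NoteProperty Flag    $flag
        $row | Add-Member NoteProperty Meaning $meaning
        $row
    }
}

Get-SmtpIpRestrictionFlag | Format-Table -AutoSize
```

Every row that reports a flag value of 1 is a virtual server to which the sender check warning in this article applies.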




© Microsoft Corporation. All rights reserved.