Windows Server 2008 : Configuring SMTP (part 4) - Securing Access to an SMTP Virtual Server

Securing Access to an SMTP Virtual Server

To prevent unwanted use of SMTP virtual servers, it is important to configure access rules for sending messages by SMTP. A large portion of unsolicited commercial e-mail (spam) is sent through SMTP relays that are unprotected. You can manage rules for using the SMTP virtual server through the properties on the Access tab. (See Figure 5.)

You can use the Authentication settings to determine how potential users of the SMTP virtual server must pass their credentials to the service. Figure 6 shows the available options. The default setting is Anonymous Access, which specifies that no credentials are required to connect to the SMTP virtual server. This option is useful when you are using other methods (such as firewalls or trusted network connections) to prevent unauthorized access to the server.

The Basic Authentication option requires a username and password to be sent to the SMTP virtual server. By default, these logon credentials are transmitted using clear text and are, therefore, susceptible to being intercepted. You can also enable Transport Layer Security (TLS) to enable encryption for sent messages. TLS uses a certificate-based approach to create the encrypted connection. Integrated Windows Authentication relies on standard Windows accounts to verify credentials to access the system. This method is most appropriate for applications that will be used by a single Windows account or when all potential users of the SMTP server have Active Directory domain accounts.

In addition to configuring authentication settings, you can also restrict access to an SMTP virtual server based on IP addresses or domain names. This can help ensure that only authorized network clients are able to use SMTP services. To add these restrictions, click the Connection button on the Access tab of the properties of the SMTP virtual server. You will be able to choose the default behavior for connection attempts.

The Only The List Below option means that only computers that match the entry rules you have configured will be able to use the server. This is most appropriate when all the expected client computers are part of one or a few networks. The All Except The List Below option means that the rules you add are for computers that are not allowed to use the SMTP virtual server. Click the Add button to create new configuration rules. (See Figure 7.) You can configure restrictions by specifying a single IP address or an IP address range.

You can also use the DNS Lookup command to find a specific IP address based on a domain name. The Domain option instructs the SMTP server to perform a DNS reverse lookup operation when a computer attempts to connect. This method attempts to resolve the IP address of the incoming connection to a DNS name. Enabling this option can reduce performance due to the overhead of performing many DNS queries.

The final set of Access control options are relay restrictions. SMTP relaying occurs when a message is sent with both to and from addresses that are not part of the virtual server’s domain. Relaying is a common method by which large spammers are able to use unprotected SMTP virtual servers to send unsolicited mail. The Relay Restrictions option enables you to specify which computers can relay messages through the SMTP server. (See Figure 8.) The default settings are for all users and computers to be allowed to relay messages as long as they are able to authenticate. You can use the Add command to define which IP addresses, domain names, or both will be allowed to relay messages.