Securing Access to an SMTP Virtual Server
To prevent unwanted use of SMTP virtual servers, it is important to
configure access rules for sending messages by SMTP. A large portion of
unsolicited commercial e-mail (spam) is sent through SMTP relays that
are unprotected. You can manage rules for using the SMTP virtual server
through the properties on the Access tab. (See Figure 5.)
You can use the Authentication settings to determine how potential users
of the SMTP virtual server must pass their credentials to the service.
Figure 6
shows the available options. The default setting is Anonymous Access,
which specifies that no credentials are required to connect to the SMTP
virtual server. This option is useful when you are using other methods
(such as firewalls or trusted network connections) to prevent
unauthorized access to the server.
The Basic Authentication option requires a username and password to be
sent to the SMTP virtual server. By default, these logon credentials are
transmitted using clear text and are, therefore, susceptible to being
intercepted. You can also enable Transport Layer Security (TLS) to
encrypt sent messages. TLS uses a certificate-based approach to create
the encrypted connection.
Integrated Windows Authentication relies on standard Windows accounts to
verify credentials to access the system. This method is most appropriate
for applications that will be used by a single Windows account or when
all potential users of the SMTP server have Active Directory domain
accounts.
In addition to configuring authentication settings, you can also
restrict access to an
SMTP virtual server based on IP addresses or domain names. This can help
ensure that only authorized network clients are able to use SMTP
services. To add these restrictions, click the Connection button on the
Access tab of the properties of the SMTP virtual server. You will be
able to choose the default behavior for connection attempts.
The Only The List Below option means that only computers that match the
entry rules you have configured will be able to use the server. This is
most appropriate when all the expected client computers are part of one
or a few networks.
The All Except The List Below option means that the rules you add are
for computers that are not allowed to use the SMTP virtual server. Click
the Add button to create new configuration rules. (See Figure 7.) You can
configure restrictions by specifying a single IP address or an IP
address range.
You can also use the DNS
Lookup command to find a specific IP address based on a domain name. The
Domain option instructs the SMTP server to perform a DNS reverse lookup
operation when a computer attempts to connect. This method attempts to
resolve the IP address of the incoming connection to a DNS name.
Enabling this option can reduce performance due to the overhead of
performing many DNS queries.
The final set of Access control options is relay restrictions.
SMTP relaying occurs when a message is sent with both to and from
addresses that are not part of the virtual server’s domain. Relaying is a
common method by which large spammers are able to use unprotected SMTP
virtual servers to send unsolicited mail. The Relay Restrictions option
enables you to specify which computers can relay messages through the
SMTP server. (See Figure 8.)
The default settings are for all users and computers to be allowed to
relay messages as long as they are able to authenticate. You can use the
Add command to define which IP addresses, domain names, or both will be
allowed to relay messages.
Note: Helping reduce spam
Apart from the benefits of reducing load on unprotected networks, there are
other good reasons to protect your SMTP virtual server from unauthorized
access. Many anti-spam utilities will maintain a list of known
unprotected SMTP servers and will add them to a blocklist. All messages
sent through this SMTP relay might be marked as spam, making it
difficult for your users and applications to communicate with
individuals outside your organization. When you’re setting up a new SMTP
virtual server, be sure to take the time to secure the configuration.
It is also important to review SMTP server configuration and log files
regularly to find potential unauthorized use of the server.
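The log review recommended above can be partly automated. The following Python script is an added example, not part of the original article: it reads SMTP log text in W3C Extended format and reports clients outside the permitted relay networks that addressed mail to non-local domains, separating accepted relays from rejected ones. The local domain, the permitted network, the sample log lines and the set of logged fields are all assumptions, and the check looks only at the recipient domain.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the article): local domain and permitted relay networks.
LOCAL_DOMAINS = {"example.com"}
ALLOWED_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log; a real log names its own columns in its #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2024-01-01 10:00:01 10.0.0.5 RCPT +TO:<alice@example.com> 250
2024-01-01 10:00:02 10.0.0.5 RCPT +TO:<bob@partner.test> 250
2024-01-01 10:00:07 203.0.113.9 RCPT +TO:<carol@example.com> 250
2024-01-01 10:00:09 203.0.113.9 RCPT +TO:<victim@other.test> 550
2024-01-01 10:00:12 198.51.100.7 RCPT +TO:<x@other.test> 250
2024-01-01 10:00:13 198.51.100.7 RCPT +TO:<y@other.test> 250
"""

RCPT_RE = re.compile(r"TO:<[^@>]*@([^>]+)>", re.IGNORECASE)

def find_external_relay(log_text):
    """Return {client_ip: {"accepted": n, "rejected": n}} for RCPT commands to
    non-local domains issued by clients outside ALLOWED_RELAY_NETS."""
    fields, hits = [], defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        m = RCPT_RE.search(row.get("cs-uri-query", ""))
        if not m or m.group(1).lower() in LOCAL_DOMAINS:
            continue                       # local delivery is not relaying
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                       # malformed row
        if any(ip in net for net in ALLOWED_RELAY_NETS):
            continue                       # permitted relay client
        key = "accepted" if row.get("sc-status", "").startswith("2") else "rejected"
        hits[str(ip)][key] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

if __name__ == "__main__":
    for ip, counts in find_external_relay(SAMPLE_LOG).items():
        print(ip, counts, "<- relay accepted" if counts["accepted"] else "")
```

A client with a non-zero accepted count was allowed to relay from outside the permitted networks, which points to Relay Restrictions that are too permissive; rejected-only clients show the restrictions doing their job.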