This step-by-step article describes how to prevent mail
relays for an Internet Information Services (IIS) Simple Mail Transfer
Protocol (SMTP) virtual server.
IIS in Windows Server 2003 includes
a full-featured SMTP virtual server that you can use to receive and relay
e-mail messages to other SMTP servers on your network or to servers on the
Internet. The relay function is useful for internal network clients that may
have to forward mail to other SMTP servers and for IIS programs that need
access to an SMTP server to forward mail.
When the SMTP virtual
server relays e-mail messages, it may forward mail that is addressed to any
e-mail domain. With this feature, the SMTP virtual server can forward mail to
any internal or external network SMTP server for which it can resolve an MX
record. However, if the SMTP virtual server is accessible to Internet users,
mail relay is undesirable because unscrupulous users can forward mail to your SMTP
virtual server and, as a result, distribute unsolicited commercial e-mail to
large numbers of computers. This can have a very adverse impact on the available
bandwidth for your internal connection, and can cause your mail server to be placed
on "black hole" lists of open mail relays.
For a user or computer to
relay e-mail messages through an SMTP virtual server, the following two
conditions must be met:
- The user or computer must be able to access the SMTP
- The SMTP virtual server must be configured to relay e-mail
messages to other domains.
How to Prevent the IIS SMTP Virtual Server from Relaying E-mail Messages
- Start Internet Information Services Manager or open the
Internet Information Services (IIS) snap-in.
- Expand Server_name, where Server_name is the name of the
server, right-click Default SMTP Virtual Server, and then
- Click the Access tab, and then under Access control, click Authentication.
- Click to select either or both the Basic
authentication and the Integrated Windows
authentication check boxes, click to clear the Anonymous
access check box (if it is selected), and then click OK.
By doing so, authentication is required before access
is granted to the SMTP virtual server. In this case, if the user or computer
does not successfully authenticate, the user or computer cannot send mail to
NOTE: If you click to select the Anonymous access
check box and do not click to select the Basic authentication
and the Integrated Windows authentication check boxes, all
users and computers are able to access the SMTP virtual server.
- Under Relay restrictions, click Relay.
- Note the options that are available in the Relay Restrictions dialog box. By default, the Only the list below
option is selected and this list is empty. Additionally, the Allow all
computers which successfully authenticate to relay, regardless of the list
above option is selected. With this feature, users and computers that
can authenticate with the server can relay through the server. All computers
are blocked except those that meet the authentication requirements that you
configured earlier in the Authentication dialog box of the Access tab.
Note that if you allow only anonymous access, the
server does not authenticate users or computers.
- Click Add, and then do one of the following to add a single computer, group
of computers, or a domain:
- Click Single computer.
Type the IP address of the computer that you want in the IP Address box, and then click OK.
- Click Group of computers.
Type the subnet address and the Subnet mask of the group into the corresponding
boxes, and then click OK.
- Click Domain.
Type the domain name that you want in the Name box, and then click OK.
- If you do not want to add a computer, group of
computers, or a domain, click Cancel.
- Click OK, and then click OK.
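
The following added example (not Microsoft code and not part of the original article) models how the Authentication and Relay Restrictions settings described above combine, so that a planned configuration can be checked for an open relay. The class and field names are hypothetical, the decision logic is a simplification based on this article's description, Domain entries are left out, and `only_list_below=False` stands for the dialog's other option, "All except the list below", which the article does not name.

```python
# Added example: simplified model of the dialogs above, not IIS code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PROBE = "203.0.113.10"  # constructed outside address (documentation range)

@dataclass
class SmtpVirtualServer:            # hypothetical names throughout
    anonymous: bool = True          # Authentication dialog check boxes
    basic: bool = False
    integrated: bool = False
    only_list_below: bool = True    # False = "All except the list below"
    networks: list = field(default_factory=list)  # "address/mask" entries
    allow_authenticated: bool = True  # "Allow all computers which successfully authenticate..."

    def can_connect(self, authenticated):
        # An authenticated session needs an authentication method enabled;
        # an unauthenticated one needs Anonymous access.
        if authenticated:
            return self.basic or self.integrated
        return self.anonymous

    def can_relay(self, client_ip, authenticated=False):
        if not self.can_connect(authenticated):
            return False
        if authenticated and self.allow_authenticated:
            return True
        ip = ip_address(client_ip)
        listed = any(ip in ip_network(n, strict=False) for n in self.networks)
        return listed if self.only_list_below else not listed

    def findings(self):
        out = []
        if self.can_relay(PROBE, authenticated=False):
            out.append("open relay: unauthenticated outside host can relay")
        if self.allow_authenticated and not (self.basic or self.integrated):
            out.append("authenticated-relay option is inert: no authentication method enabled")
        return out

default = SmtpVirtualServer()
hardened = SmtpVirtualServer(anonymous=False, integrated=True,
                             networks=["192.168.1.0/255.255.255.0"])
misconfigured = SmtpVirtualServer(only_list_below=False)
for name, s in (("default", default), ("hardened", hardened), ("misconfigured", misconfigured)):
    print(name, s.findings() or "no findings")
```

The open-relay finding relies on a single constructed probe address, so a relay list that admits other outside ranges still needs a manual review.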
By default, Microsoft SMTP Service blocks computers from relaying
unwanted e-mail through the SMTP virtual server. The information in
this article helps you to evaluate whether the configuration of your SMTP
virtual server has changed in a way that allows it to relay messages that are sent
by unintended hosts.
For additional information about how to configure a
remote SMTP mail relay server, click the following article number to view the
article in the Microsoft Knowledge Base:
TO: Configure a Remote Domain for an Internet Information Services (IIS) SMTP Mail Relay Server in Windows Server 2003
Article ID: 324281 - Last Review: December 3, 2007 - Revision: 10.3
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Internet Information Services 6.0