The fourth and last core service that is included as part of IIS on Windows 2000 Server is the SMTP Service. SMTP is the application-layer protocol that underlies the worldwide system of SMTP hosts (mail servers) on the Internet. If it's not already installed on IIS, use the Add/Remove Programs utility in Control Panel.
You can administer the SMTP Service on IIS version 5 either by using the IIS snap-in for the MMC or via a Web browser using SMTP Service Manager (HTML). Like other core IIS facilities, it is fully integrated with Windows 2000 event and performance monitoring. IIS includes the SMTP Service primarily for use by mail-enabled Web applications. A simple example is an HTML form that a user fills out and submits, upon which the form handler (the script or program that takes the information entered by the client and actually does something with it) composes an e-mail message and sends it using the SMTP Service.
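The form-handler scenario above, as an added example that is not part of the book or of IIS: a Python handler that composes an e-mail from submitted form fields and hands it to the local SMTP Service on TCP port 25. The field names, the addresses and the use of 127.0.0.1 as the SMTP host are assumptions. Because the subject and reply address come from the client, the handler rejects line breaks in them before they become headers; otherwise a submitter could append headers (extra recipients, for instance) to the message the script sends.

```python
"""Added example: a minimal form handler that sends mail through the local
SMTP Service. Host, port, field names and addresses are hypothetical."""
import smtplib
from email.message import EmailMessage

SMTP_HOST = "127.0.0.1"   # assumed: the IIS SMTP virtual server on this machine
SMTP_PORT = 25
MAX_HEADER_LEN = 200


class BadFormInput(ValueError):
    """Raised when a submitted field cannot safely be used as a header value."""


def is_safe_header_value(value: str) -> bool:
    """A header value supplied by the client must be a single line of sane length.
    A CR or LF here would let the submitter inject further headers."""
    return "\r" not in value and "\n" not in value and len(value) <= MAX_HEADER_LEN


def build_message(form: dict, recipient: str, sender: str) -> EmailMessage:
    """Compose the message from the submitted fields.

    `recipient` and `sender` are fixed by the application, never by the form.
    EmailMessage itself refuses multi-line header values, but checking first
    lets the handler return a clean error instead of a server-side exception.
    """
    subject = form.get("subject", "").strip()
    reply_to = form.get("email", "").strip()
    body = form.get("message", "")
    for value in (subject, reply_to):
        if not is_safe_header_value(value):
            raise BadFormInput("header field contains a line break or is too long")

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject or "(no subject)"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)          # body text is carried as the payload, not a header
    return msg


def send_message(msg: EmailMessage, host: str = SMTP_HOST, port: int = SMTP_PORT) -> None:
    """Hand the message to the SMTP virtual server for delivery or forwarding."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample submission, as a web framework would pass it in.
    sample_form = {"subject": "Question about the product",
                   "email": "alice@example.net",
                   "message": "Could you send me the data sheet?"}
    message = build_message(sample_form, "webmaster@example.com", "form@example.com")
    send_message(message)   # requires the SMTP Service to be listening on port 25
```

Note that the recipient and sender are hard-coded by the application; only the subject, reply address and body are taken from the form, and the two that become headers are validated first.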
Note that the SMTP Service included with IIS isn't intended to replace a company mail server—IIS has no facility for creating individual user mailboxes. The SMTP Service is intended mainly for mail forwarding by mail-enabled Web applications, although it can both send and receive mail and relay mail from other SMTP hosts. If you need a full-featured mail server for your company, try Microsoft Exchange Server 5.5 and implement the Internet Mail Service on it to give it SMTP capability.
When you install the SMTP Service on IIS, it automatically creates a Default SMTP Virtual Server, as shown in Figure 28-26. You can host multiple SMTP virtual servers on a single machine, but this is rarely needed because the Default SMTP Virtual Server can be configured to forward mail for multiple SMTP domains. Like other IIS core services, the SMTP Service is managed by a combination of Properties windows and wizards.
Figure 28-26. The Default SMTP Virtual Server shown in the IIS console window.
Important to the operation of an SMTP virtual server are a series of directories that are used for processing mail. For the Default SMTP Virtual Server, these directories are all located within the \inetpub\mailroot directory on the server. Some of the more important directories include the following:
To configure an SMTP virtual server, use the various tabs in its Properties window. For this example, we'll use the Default SMTP Virtual Server for simplicity. Configuring an SMTP virtual server is similar to configuring Web and FTP sites and NNTP virtual servers (all discussed previously).
The virtual server identity, connection limits, and IIS logging are configured on the General tab of the Properties window for the virtual server.
Identification An SMTP virtual server has a two-part identity similar to that of an NNTP virtual server. The two parameters that uniquely specify an SMTP virtual server are IP address and TCP port number (the default is 25). By clicking the Advanced button on this tab, you can assign multiple identities (IP address and TCP port number) to your server, but each identity must differ by at least one of these parameters. The usual procedure is to leave the TCP port set to 25 and use one IP address for the virtual server, with a mapping from this address to a fully qualified DNS name in a DNS server or Hosts file.
Connections Clicking the Connection button in the Connection section of the General tab opens the Connections dialog box (Figure 28-27). Here you configure connection limits separately for incoming and outgoing messages. You can either specify the number of connections allowed numerically or set them as unlimited by clearing the check boxes. You can also set a timeout value for outgoing connection attempts. If multiple SMTP domains are configured for the virtual server, you can also limit connections on a per-domain basis. Note that you specify the outgoing TCP port here, while the incoming TCP port is part of the virtual server's identity settings (see the previous section).
Figure 28-27. Configuring connection settings for the Default SMTP Virtual Server.
IIS Logging IIS logging is implemented the same as for the other IIS core services. Note, however, that logging is disabled by default.
On the Access tab, you can choose the type of access and control you want.
Anonymous Access and Authentication Control The SMTP Service supports anonymous access, basic authentication, and Windows Security Package (Windows integrated security) for inbound connection attempts. Basic authentication security uses a user name and password, while Windows Security Package includes the Windows 2000 domain name as well. Clicking the Authentication button on the Access tab opens the Authentication dialog box where you configure these settings. Note that by default, an SMTP virtual server is configured to try to authenticate inbound connection attempts using all three authentication methods, if necessary.
The TLS (Transport Layer Security) option is essentially a variant of SSL encryption, and you can enable it here for inbound connection attempts. You must first obtain a server certificate from a certificate authority and install it on the SMTP virtual server before TLS can be properly enabled (see the next section). For more information on IIS authentication methods, see the earlier coverage of Web sites, FTP sites, and NNTP virtual servers, all in this chapter.
NOTE
The settings configured here specify how your SMTP virtual server authenticates remote SMTP hosts that are trying to connect to it to deliver mail, that is, for inbound connection attempts. To specify authentication methods for outbound connection attempts, select Outbound Security on the Delivery tab.
Secure Communications As expected, clicking the Certificate button starts the Web Server Certificate Wizard (still a misnomer), while clicking the Communication button lets you require that access take place on a secure channel once the certificate has been installed on the virtual server. If you choose Require Secure Channel, you must also enable TLS in the Authentication dialog box. Requesting, obtaining, and installing server certificates is discussed earlier in this chapter.
Connection Control IP address and domain name restrictions function in the same way for the SMTP Service as they do for the other three IIS core services.
Relay Restrictions Click the Relay button in the Relay Restrictions field on the Access tab to open the Relay Restrictions dialog box (Figure 28-28). This setting is important because allowing untrusted SMTP hosts to relay mail through your SMTP virtual server is an invitation for sending spam. You should generally deny relay privileges to all hosts and grant them to only known hosts that you trust or those that can properly authenticate with your server.
Figure 28-28. Configuring relay restrictions for the Default SMTP Virtual Server.
You can use the Messages tab to limit messages in three ways:
In addition, you can change the directory where nondelivery reports (NDRs) are sent and also send copies of NDRs to an e-mail address that you specify.
TIP
Make sure the maximum session size is greater than the maximum message size. Don't choose a maximum session size that's too low, or a remote SMTP host might continually resubmit a message for delivery. On the other hand, if you regularly send a lot of messages to a few domains, set the maximum number of outbound messages per connection low enough so that the SMTP Service opens multiple connections to the remote host, resulting in faster and more efficient transfer of messages.
The Delivery tab allows you to specify the following different settings related to mail delivery:
If you want your SMTP virtual server to be able to access an LDAP-compliant directory service to obtain information like the addresses of senders and recipients, you can enable this feature and specify the name, schema type, binding type, account, password, and naming context for connecting to the directory server. If you enable LDAP Routing, the default entries in the fields allow the SMTP virtual server to connect to and use the Windows 2000 Active Directory. Supported directory services include
SMTP operators have limited administration privileges for the virtual server, similar to the way operators function in Web sites, FTP sites, and NNTP virtual servers.
Each SMTP virtual server that is created manages at least one SMTP domain. This domain is specified automatically as the default local domain, and you can view it by selecting the Domains node under the SMTP virtual server node in the console tree. This is the DNS domain that is being serviced by the virtual server, and any incoming messages addressed to recipients within this domain will either be dropped in the Drop folder or returned to sender with an NDR.
You can have only one default local domain on the virtual server, and this domain is stamped on the message headers of all outgoing messages. However, you can create additional alias domains so that your virtual server can manage more than one SMTP domain. Alias domains use the same settings as the default domain and deliver incoming messages to the same Drop folder.
You can also create remote domains and specify delivery requirements for each one differently, which is useful if some remote SMTP hosts that you need to connect to use TLS but others don't. Global TLS configuration isn't enough in this case. In addition, for remote domains you can specify a predefined delivery route and even use wildcards to include subdomains. Use remote domains for connecting to remote SMTP hosts to which you frequently need to send mail.
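The relay restrictions described on the Access tab and the domain types described here (default local domain, alias domains, remote domains with wildcard subdomains and their own delivery routes) together decide what an SMTP virtual server does with each recipient. The following is an added example, not code from the book or from IIS: a Python model of that decision, written to make the policy explicit. The sample domains, networks and smart hosts are constructed, and the matching rule for wildcards (a `*.name` entry covers subdomains of `name`, the most specific entry wins) is an assumption about the semantics rather than a statement of how IIS implements it.

```python
"""Added example: how domain settings and relay restrictions combine to route
a recipient. All names, addresses and networks below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RemoteDomain:
    """A remote domain entry: exact name or '*.name' wildcard, its delivery route, TLS flag."""
    pattern: str
    smart_host: str
    require_tls: bool = False


@dataclass
class Decision:
    action: str       # "drop" (local delivery), "relay", or "reject"
    target: str       # Drop folder, smart host, "MX lookup", or the SMTP reply text
    tls: bool = False


@dataclass
class SmtpVirtualServer:
    default_domain: str
    drop_folder: str = r"C:\inetpub\mailroot\Drop"
    alias_domains: set = field(default_factory=set)
    remote_domains: list = field(default_factory=list)
    trusted_networks: list = field(default_factory=list)   # hosts granted relay rights

    def is_local(self, domain: str) -> bool:
        """Default local domain and alias domains share the same Drop folder."""
        d = domain.lower()
        return d == self.default_domain.lower() or d in {a.lower() for a in self.alias_domains}

    def match_remote(self, domain: str):
        """Most specific remote-domain entry; '*.x' matches subdomains of x (assumed rule)."""
        d = domain.lower()
        best = None
        for rd in self.remote_domains:
            p = rd.pattern.lower()
            matched = d.endswith(p[1:]) if p.startswith("*.") else d == p
            if matched and (best is None or len(p) > len(best.pattern)):
                best = rd
        return best

    def may_relay(self, client_ip: str, authenticated: bool) -> bool:
        """Relay Restrictions: deny all, except trusted hosts and authenticated sessions."""
        if authenticated:
            return True
        addr = ip_address(client_ip)
        return any(addr in ip_network(n) for n in self.trusted_networks)

    def route(self, recipient: str, client_ip: str, authenticated: bool = False) -> Decision:
        """Decide what happens to one RCPT TO address from a given client."""
        parts = recipient.split("@")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            return Decision("reject", "501 5.1.3 Bad recipient address syntax")
        domain = parts[1]
        if self.is_local(domain):                       # local or alias domain: deliver
            return Decision("drop", self.drop_folder)
        if not self.may_relay(client_ip, authenticated):  # outside domain, untrusted client
            return Decision("reject", "550 5.7.1 Unable to relay")
        rd = self.match_remote(domain)
        if rd is None:                                   # no remote domain: normal delivery
            return Decision("relay", "MX lookup")
        return Decision("relay", rd.smart_host, rd.require_tls)


def example_server() -> SmtpVirtualServer:
    """Constructed sample configuration (not taken from the book)."""
    return SmtpVirtualServer(
        default_domain="example.com",
        alias_domains={"example.org"},
        remote_domains=[
            RemoteDomain("partner.example", "smtp.partner.example", require_tls=True),
            RemoteDomain("*.partner.example", "relay.partner.example"),
        ],
        trusted_networks=["10.0.0.0/8"],
    )


if __name__ == "__main__":
    s = example_server()
    for rcpt, ip, auth in [("bob@example.com", "203.0.113.5", False),
                           ("carol@other.example", "203.0.113.5", False),
                           ("carol@partner.example", "203.0.113.5", True),
                           ("dave@mail.partner.example", "10.1.2.3", False)]:
        print(rcpt, ip, "auth" if auth else "anon", "->", s.route(rcpt, ip, auth))
```

The ordering in `route` is the point: a recipient in the default or an alias domain is never a relay, a recipient anywhere else is a relay request and is refused unless the client is a trusted host or has authenticated, and only then does a remote domain entry (with its delivery route and TLS requirement) come into play.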
NOTE
As with the NNTP Service, an SMTP virtual server node has a Current Sessions node under it in the console tree that you can use to view current connections to the server and terminate any or all of those connections.
Use the New Domain Wizard to create either alias or remote domains. We'll only look at how to create alias domains here. (See the online documentation for information about creating remote domains.) To create an alias domain for the Default SMTP Virtual Server, follow these steps:
TIP
By opening the Properties window for the default local domain, you can change the location of the folder where mail is dropped from Mailroot\Drop to some other local folder on your server. Alias domains always use the same Drop folder as the default local domain, however.