Microsoft Windows 2003 Securing SMTP Virtual Servers:
Configuring Access-Related Settings
You can restrict access to your SMTP server by requiring authentication, limiting access according to IP address, or both. Restrict access by using the Access tab of the SMTP virtual server properties dialog box. The Access tab has five important security-related settings: Authentication, Certificate, Communication, Connection, and Relay.
Authentication
The Authentication option allows you to select from the following methods for authenticating users who attempt to connect to your SMTP server:
- Anonymous access. Anonymous access does not require users to enter a user name and password. This option is intended for servers that accept mail from outside the network.
For example, if you are creating a stand-alone smart host that sits outside of your firewall and in front of your Exchange server, then you might select Anonymous access. Or, if you are creating a server to receive e-mail from a public Web site, then you might select Anonymous access.
- Basic authentication. Basic authentication requires users to enter a valid user name and password; however, the credentials are sent across the network unencrypted. If you select Basic authentication, also select Requires TLS encryption so that the user credentials are encrypted in transit. To require TLS encryption, you must have a valid SSL certificate installed on the server.
- Integrated Windows authentication. Integrated Windows authentication requires users to enter a valid Windows user name and password to connect to your SMTP server. Credentials are sent across the network encrypted. You can select Integrated Windows authentication if you are setting up a smart host to relay messages within your network or if you are setting up a server to receive e-mail from internal sites, such as a company intranet.
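The Basic authentication guidance above can be verified from the client side. The following Python code is an added example, not part of the original article or of any Microsoft tooling: it parses an EHLO reply captured before STARTTLS and reports password mechanisms (LOGIN, PLAIN) that would cross the network unencrypted. The sample replies, host name, and IP address are constructed for illustration.

```python
# Added example: audit an EHLO reply captured before STARTTLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}  # password is only base64-encoded on the wire

# Constructed sample replies (host name and address are placeholders).
WEAK_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-SIZE 2097152
250 OK"""
HARDENED_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM
250-STARTTLS
250-SIZE 2097152
250 OK"""

def parse_ehlo(reply):
    """Parse a multi-line 250 reply into {KEYWORD: [PARAMS]}."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    ext = {}
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        body = line[4:].strip()
        if i == 0 or not body:
            continue  # first line is the server greeting, not an extension
        if body.upper().startswith("AUTH="):
            body = body.replace("=", " ", 1)  # legacy "AUTH=LOGIN" form
        keyword, *params = body.upper().split()
        ext.setdefault(keyword, []).extend(params)
    return ext

def audit_pre_tls(reply):
    """Return findings for an EHLO reply seen on an unencrypted session."""
    ext = parse_ehlo(reply)
    findings = []
    exposed = sorted(CLEARTEXT_MECHS & set(ext.get("AUTH", [])))
    if exposed:
        findings.append("cleartext AUTH offered without TLS: " + ", ".join(exposed))
    if "AUTH" in ext and "STARTTLS" not in ext:
        findings.append("AUTH offered but STARTTLS is not available")
    return findings

if __name__ == "__main__":
    for name, reply in (("weak", WEAK_REPLY), ("hardened", HARDENED_REPLY)):
        print(name, audit_pre_tls(reply) or "no findings")
```

A finding from the first check means a client can submit a Basic-style password before the session is encrypted, which is the condition the Requires TLS encryption setting is meant to prevent.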
Certificate and Communication
The Certificate and Communication options allow you to secure communication by installing security certificates and requiring encryption. To install a certificate, click Certificate to start the New Certificate Wizard. Then, if you want to require the SMTP service to use SSL to encrypt every message, click Communication.
Connection
The Connection option allows you to restrict access to your server based on IP address. For example, if you are setting up a smart host that works inside your network, then you can use the Only the list below option to restrict access to the range of IP addresses for your network. If you are setting up a smart host that relays external e-mail or if you are setting up a server to accept e-mail from a public Web site, then connection control can be an effective way to restrict unsolicited commercial e-mail. After you identify the IP address or addresses of computers that send bulk e-mail, you can use the All except the list below option to prevent computers with specific IP addresses from connecting to your server. Although you can restrict access based solely on the domain name, this practice is not recommended because of the resources required to perform a reverse DNS lookup on the IP address of the computer attempting to connect.