Re: IIS SMTP virtual server - the big picture

steve schofield — Sat, 11 Oct 2008 02:47:03 GMT

The built-in SMTP service with IIS 6 isn't meant or designed to block spam. Check out ORF (open relay filter) by www.vamsoft.com

They have a product that can plug into IIS SMTP.

IIS SMTP virtual server - the big picture

Mike Trader — Fri, 10 Oct 2008 23:34:35 GMT

Hello and thank you for this Forum!

(a good developer friend recommended I visit)

I have been tearing my hair out for the last four days trying to grapple with email.. of all things!

The website is done and working, FTP is setup and working, IIS is installed and running the CGI.exe (except for email), POP3 accounts are setup and receiving email ok and life is generally good except for the achillies heel.. SMTP email aaaaaaaaaaaaaaaaaaaaaaaaaargh!!!!!

There is an old addage in development that the last 10% takes as long as the first 90%. That is proving true thanks to the IIS SMPT virtual server.

The biggest problem, is that despited 3 days of reading and studying the 3inch thick book I bought on Windows Server 2003, there is NO discussion of the overall concept in light of todays problems... SPAM!

After setting up what I thought was a working solution, I discover there are 200,000 emails in the Queue folder with 101 addresses in each one... obviously spam. The server had become a spam bot. Just deleting the dang spam took 240 minutes once it was in the Recycle Bin!

But I am gettting ahead of myself... its been a long week.

The original concept was to have a server, my first server, host the website and email for my little software product. But those are secondary items. The main purpose of the server is to interact with my client app in some clever ways using CGI.exe executables. As complex as this is, this is the easy part by comparison to setting up email.

The email is really for ONE account, support@myproduct.com. Thats it.

So I dive into the Properties of the Default SMTP virtual server and begin with the obvious, setting the IP address.

Next the access tab and Authentication.

Now the fun begins. Annonymous access sounds like a bad thing, yet from this website

http://www.ilopia.com/Articles/WindowsServer2003/EmailServer.aspx#Install

I read:

"So enabling Anonymous here is not a security issue, in fact, it’s required if we want our server to be able to receive emails from other servers on Internet (I doubt you want to tell all administrators of email servers on Internet how they should logon to yours). We also need Windows Authentication so the email clients can authenticate to the server and be able to relay (send emails)."

This is then qaulified with:

"As Relay Restrictions we selected Only the list below because we do not want to be used by spammers to send emails. But we never specified any computers. That is valid, because we wants our clients to always use the username and password to authenticate, no matter where they are."

This might be well know information to a seasoned IIS admin, but to a greenhorn this is convoluted.

Somewhere else i read:

"I read that leaving "Anonymous Access" enabled without some sort of authentication option means that the server never authenticates but treats all connections as autheticated. Therefore, uncheck the box on Relay Restrictions:
"Allow computers which successfully authenticate to relay, regardless of the list above"
Unless you would like to see how long it takes spammers to discover your open server"

OK so now we have a third variable.

Then as i look in

Delivery -> Outbound security

I have the same three options again!

http://support.microsoft.com/kb/324285

says that these apply to the server receiving what we are sending, but since I am sending emails to the world and his dog, I assume this must cannot be anything other than annoymous access? There is no discussion of this.

So lets see what else MS says:

"The Relay option allows you to send e-mail to an SMTP server, which then sends it to the destination server or to another SMTP relay server. By default, the SMTP service blocks all computers from relaying unwanted mail through the virtual server, except those that meet the authentication requirements you designated in the Authentication dialog box. If you are setting up a smart host, enable only authenticated users to relay messages. If you are setting up a server to receive e-mail from the Internet, do not allow relaying, which can make you vulnerable to outside users who attempt to send unsolicited commercial e-mail through your SMTP server."

Well this assumes that I know what "smart host" and have determined why I might need one. There is no discussion of this.

Add to this the description of each of these authentication modes (which is contained in a popup! from the help page (help button) which says only that:

Annonymous Access: use this option to authenticate for outbound transmissions.

MS says:

Anonymous access: If you use this option, an account name or password is not required.

Basic authentication: If you use this option, the account name and password of the server that you are connecting to are sent as clear text.

Why is this? No discussion given. Since we know that SMTP must be AUTH with a mime encoded user/pass, why is this suthentication in plain text?

Then there is the

Integrated Windows Authentication - The client and server negotiate the Windows security support provider Interface.

Huh?

Luckily MS goes on to say:

Integrated Windows Authentication: If you use this option, a Windows account name and password are required.

Now this sounds like the ticket except I I am not clear I should uncheck the other options.

I read somewhere they are AND combined (but this can be changed to OR... assuming you know whay you would want to change this) but what does that mean in practice... no discussion is given.

So now I have 5 layers of variables and i still do not know why i would choose any of the settings available, let alone how they all interact with each other. I am also not clear if "Exchange Server" describes the SMTP Virtual server in relay mode or some other thing.

After four days of reading, I am none the wiser

On top of all of this, the CGI.exe executables need to send email (only), so the configuration I come up with has to be able to accomodate them.

SO, I thought I should begin by asking for an OVERVIEW of this subject so that i might choose a path that makes sense. Then I can proceed to understanding the interaction of the pieces of this puzzle and implement a solution.

General

Re: IIS SMTP virtual server - the big picture

IIS SMTP virtual server - the big picture