Windows 2000 and XP both include a Simple Mail Transfer Protocol (SMTP) service that enables the computer to function as an SMTP server so that it can send and receive e-mail through SMTP on behalf of other computers. Although neither operating system includes POP3 or mailbox support in the service, the SMTP service can still be extremely useful for processing outgoing mail in a variety of situations. I’ll explain the ins and outs of SMTP and how to use and secure the SMTP service on both platforms.
SMTP in a nutshell
The SMTP service in Windows 2000 and XP is a component of Internet Information Services (IIS) that lets you create virtual SMTP servers in much the same way you can create virtual Web servers. Windows 2000 Server and .NET Server support a theoretically unlimited number of virtual servers per computer. Windows 2000 Professional and Windows XP Professional support one virtual SMTP server, just as they support only one Web or FTP server. Professional is also limited to a maximum of 10 concurrent connections, while the Server versions have no connection limit.
The SMTP service provides only the SMTP server components of a typical mail server. It doesn’t provide mailboxes or support for client protocols like POP3 or IMAP. But in some cases you don’t need a full-blown mail server. For example, I use CompuServe for my primary e-mail account, but I connect through a local ISP. I can’t send directly through CompuServe because I’m not on their network as I would be if I dialed into CompuServe to connect to the Internet. Your local ISP almost certainly has its own mail server that will accept your outgoing mail, but you might want better control over your outgoing messages, or the ISP’s server might be unreliable. One solution is to use the SMTP service on your local computer as your outgoing mail server so your outgoing messages don’t have to go through your ISP’s server. To remote servers, your computer looks like any other SMTP server on the Internet, so your mail is accepted (provided the receiving server doesn’t reject it for some other reason, such as your address appearing on a spam blocklist). Your computer accepts an outgoing message, connects to the server for the recipient domain, and transfers the message. It does the same for each of the other outgoing messages, connecting to the recipient mail servers in turn to deliver them. If you have a Web server on your network, you might have another reason to use the SMTP service.
If your Web site(s) include forms that need to be submitted by e-mail or you need to be able to send mail for other reasons, you can use the SMTP service to handle it. This gives you a no-cost, in-house solution for sending messages from the Web server rather than relying on an external server or adding the Web server’s mail load to your company mail server. You can also use the SMTP service to route mail for multiple internal domains.
Installing the SMTP service
The SMTP service is a component of IIS and might already be installed on the computer (as long as IIS is already installed). If not, you can add the service through the Add/Remove Programs item in the Control Panel. Choose Add/Remove Windows Components, double-click Internet Information Services, select SMTP Service, click OK, and click Next. Follow the wizard’s prompts to complete the installation.
After the service is installed, you configure and manage it through the Internet Information Services console in the Administrative Tools folder. Open the IIS console, expand the server, and you should find Default SMTP Virtual Server in the left pane. Right-click the server and choose Properties to begin configuring the server.
Configuring general server properties
Your first step is to verify and adjust the general properties for the server, if needed. In the IIS console, right-click Default SMTP Virtual Server and choose Properties. The General tab lets you configure the IP address for the server, the SMTP port, and a few other properties.
For this section, I’m assuming you’re using the SMTP service for outgoing mail and won’t be receiving incoming e-mail from other SMTP servers or clients on the Internet. If you need that capability, you’ll need to invest in a full-blown mail server application.
Use the IP Address drop-down list to select the IP address on which the SMTP service listens. Choose All Unassigned to have the SMTP service answer on every IP address not assigned to another SMTP virtual server. This selection isn’t really meaningful on the Professional platforms (because of the one-server limit), but you can leave the server set to All Unassigned and it will work just fine. If the computer has multiple interfaces, for example one on the Internet and one on the LAN, bind the service to the internal address only; with All Unassigned, the service also listens on the external interface, which exposes port 25 to anyone who can reach it.
The SMTP server can actually respond on more than one IP address and/or port. On a multihomed system, for example, you might want the service to respond to two IP addresses on the standard port 25. Or you could have the server respond to two different ports on the same IP address. However, clients would still need to be configured to use the appropriate port. To change ports or assign an additional IP address and port, click Advanced on the General tab to display the Advanced dialog box. Click Add to add another IP address and port, or click Edit to change the existing IP address/port combination.
The General tab is also the place to set the maximum number of SMTP connections and the connection timeout. Windows XP Professional and Windows 2000 Professional are limited to 10 concurrent connections, and although you can enter a greater number in the Limit Number Of Connections field, Windows 2000/XP reverts to using a value of 10. You might want to limit the number of connections on these platforms to less than 10 for security or performance reasons.
You can also configure the SMTP service to log transactions between the server and clients. Enable this: the log is the only record you will have of who connected, which commands they sent, and which the server rejected. Use the Active Log Format drop-down list to choose the desired log format. Use the W3C Extended Log File Format if you want access to extended logging options, such as choosing which fields are recorded. All of the log types use an ASCII file format, making them viewable with a text editor. Click Properties to configure the log settings.
Controlling access and authentication
You use the Access tab of the SMTP service’s properties to control authentication methods and other security options, including mail relay. Listed below are your choices for controlling the way the SMTP service works.
The SMTP service supports anonymous authentication, basic authentication, and Integrated Windows Authentication. Anonymous is the most common. It allows remote clients to connect to the server without providing user credentials. (For the purposes of this discussion, consider a remote e-mail server that communicates with your SMTP service to be a client.)
You need to enable anonymous authentication if you receive incoming messages from the Internet, because remote mail servers don’t authenticate when they deliver mail. Allowing only anonymous authentication is generally a bad idea on a server that also relays, because anyone who can connect can then submit mail; what actually stops spammers from using your server is the relay restriction described later in this section. If the server only handles outgoing mail from your own network, disabling anonymous access (or restricting connections to your own addresses) is the best option for reducing the chances of abuse.
Basic authentication allows the client to send user credentials in clear text, so anyone who can sniff the connection can read the password. You can specify a default domain name to be appended to the user name; you need to do this only if the account resides in a domain rather than on the local computer. For optimum security, select the option Requires TLS Encryption, which refuses basic credentials unless the session has first been encrypted with Transport Layer Security (TLS). The server needs a certificate for this (see the next section), and the client must support TLS to use this option.
Integrated Windows Authentication allows the client to negotiate the connection without transmitting passwords across the network, but it requires that the user have an e-mail client that supports IWA. Both Outlook Express and Outlook support IWA authentication.
Using certificates and SSL
You can use SSL to secure transactions between clients and the e-mail server if security is a major issue for you. You’ll need a server certificate for your SMTP server if you don’t already have one. Just click Certificate on the Access tab to start the Web Server Certificate Wizard and complete the process of requesting a certificate. Or connect your Web browser to a public Certificate Authority to obtain one. Run the wizard again after you obtain the certificate to install it.
If you already have a certificate installed on the server for Web access and want to use it for SMTP, click Certificate on the Access tab. In the wizard, choose the option Assign An Existing Certificate and click Next. Select the existing certificate, and then click Next through the rest of the wizard to complete the process. Finally, click Communication to open the Security dialog box. Select the option Require Secure Channel to require SSL, or leave it deselected to allow SSL as an option. Select Require 128-bit Encryption if you want to force the clients to use 128-bit encryption. Keep in mind that Require Secure Channel applies to every incoming connection: it is fine when your own clients are the only ones connecting, but remote mail servers delivering inbound mail generally won’t be able to connect if you require it.
You can control which computers can connect to your SMTP server, which lets you control which clients can send mail through it. Click Connection on the Access tab to configure access to the server. You can explicitly include or explicitly exclude addresses. I’m assuming that you’re primarily using the SMTP service for outgoing mail from your own network. Choose the option Only The List Below and explicitly add the IP addresses, subnet, or domain of the computers that need access. Prefer addresses and subnets: a domain-name entry forces the service to do a reverse DNS lookup on every connection, which is slow and depends on PTR records that the owner of the connecting address controls.
When you set up an SMTP server, you need to concern yourself with mail relay and relay restrictions. If you don’t, you might find your mail server or even your domain blacklisted by other mail servers. Use the Access tab of the SMTP server’s properties to configure relay restrictions. Click Relay and then explicitly allow or exclude clients as you did when specifying connection properties.
Assuming that you’re only supporting outgoing mail for the local network, the best approach is to deny relay to all but those clients you explicitly allow. Select the option Only The List Below and then click Add to add the individual IP address, address range, or domain name of clients that will be allowed to send mail through the SMTP server. Note that connection control and relay restrictions are separate checks: connection control decides who may talk to the service at all, while relay restrictions decide who may send mail to domains the server doesn’t handle locally, and a client that passes the first test is still refused with a 550 "Unable to relay" response if it fails the second. The Relay Restrictions dialog box also has an option to let any client that authenticates successfully relay regardless of the list; if you enable it, make sure basic authentication requires TLS, because a sniffed or guessed password then becomes a relay permit. Finally, test the configuration from an address outside the list: connect to port 25, issue MAIL FROM with an outside address and RCPT TO with a recipient in a domain you don’t host, and confirm that the RCPT command is rejected.
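The relay decision and that outside-in test, as an added example that is not code from the article or from Microsoft. relay_allowed() models the check the SMTP service makes at RCPT TO: a recipient in a locally handled domain is always accepted, a recipient anywhere else only from an address on the relay list or (when that option is on) from an authenticated session. The server in the block is a minimal stand-in that applies the policy on a loopback port so the probe can run offline; the local domain (example.com), the relay list (192.168.1.0/24) and the probe’s addresses are assumptions for the example. OPEN_TO_ALL stands for the misconfiguration of choosing All Except The List Below with an empty list.

```python
"""Relay-restriction policy and an open-relay probe over a real SMTP exchange.

Added example; not code from the article or from Microsoft. LOCAL_DOMAINS,
LAN_ONLY and the probe's addresses are assumptions for the example.
"""
import ipaddress
import socket
import threading

LOCAL_DOMAINS = {"example.com"}      # assumed: the domain this server handles locally
LAN_ONLY = ["192.168.1.0/24"]        # assumed relay list: 'Only the list below'
OPEN_TO_ALL = ["0.0.0.0/0"]          # 'All except the list below' with an empty list


def relay_allowed(client_ip, recipient, allow_list=LAN_ONLY, authenticated=False,
                  auth_relay=False, local_domains=LOCAL_DOMAINS):
    """Return True if RCPT TO:<recipient> should be accepted from client_ip."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in local_domains:
        return True                                # local delivery is never relaying
    if authenticated and auth_relay:
        return True                                # 'allow all computers which authenticate'
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allow_list)


def _serve_one(conn, allow_list):
    """Answer one SMTP session; only the verbs the probe uses are implemented."""
    client_ip = conn.getpeername()[0]
    rfile = conn.makefile("rb")

    def reply(line):
        conn.sendall((line + "\r\n").encode("ascii"))

    reply("220 mail.example.com ESMTP service ready")
    for raw in rfile:
        verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply("250 mail.example.com Hello [%s]" % client_ip)
        elif verb == "MAIL":
            reply("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            if relay_allowed(client_ip, rcpt, allow_list):
                reply("250 2.1.5 %s" % rcpt)
            else:
                reply("550 5.7.1 Unable to relay for %s" % rcpt)   # the SMTP service's wording
        elif verb == "QUIT":
            reply("221 2.0.0 closing connection")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    rfile.close()
    conn.close()


def start_server(allow_list):
    """Listen on a free loopback port, serve a single session in the background, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        _serve_one(conn, allow_list)

    threading.Thread(target=run, daemon=True).start()
    return port


def probe_open_relay(host, port, sender="probe@attacker.test",
                     recipient="victim@elsewhere.test"):
    """Classic relay test: outside sender, outside recipient. Returns (is_open, transcript)."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")

        def read_reply():                          # consumes multi-line '250-...' replies
            while True:
                line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
                transcript.append("S: " + line)
                if len(line) < 4 or line[3] != "-":
                    return line

        def send(cmd):
            transcript.append("C: " + cmd)
            s.sendall((cmd + "\r\n").encode("ascii"))
            return read_reply()

        read_reply()                               # banner
        send("EHLO probe.attacker.test")
        send("MAIL FROM:<%s>" % sender)
        rcpt_reply = send("RCPT TO:<%s>" % recipient)
        send("QUIT")
    return rcpt_reply.startswith("250"), transcript


def is_open_relay(allow_list):
    """Stand up a server with the given relay list and probe it from 127.0.0.1."""
    port = start_server(allow_list)
    is_open, _ = probe_open_relay("127.0.0.1", port)
    return is_open


if __name__ == "__main__":
    for label, lst in (("LAN_ONLY", LAN_ONLY), ("OPEN_TO_ALL", OPEN_TO_ALL)):
        port = start_server(lst)
        is_open, transcript = probe_open_relay("127.0.0.1", port)
        print("%s -> %s" % (label, "OPEN RELAY" if is_open else "relay refused"))
        print("\n".join(transcript))
```

Against a real server, call probe_open_relay() with the server’s address from a host that is not on the relay list; a 250 to the RCPT command means anyone on the Internet can use the server to send mail.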
Setting message limits
You can use the Messages tab to set limits on outgoing messages and specify how the server should handle nondeliverable mail. The following options control message and connection limits:
- Limit Message Size - Sets a maximum size for messages the server will accept. The default is 2048 KB; increase this value if you need to send larger attachments.
- Limit Session Size - Sets the total amount of data that the server will accept during a session. The default value is 10240 KB (10 MB).
- Limit Number of Messages per Connection - Limits the number of messages that a client can send in a given session. Keeping this value relatively low can help prevent or reduce spamming and improve performance.
- Limit Number of Recipients per Message - Use this option to limit the number of recipients that the server will process in one operation for a given message. The service sends the maximum and then immediately opens another session to continue sending the message to the remaining recipients.
- Send Copy of Non-Delivery Report To - Specifies the e-mail address to which you want a copy of all nondelivery reports (NDRs) sent. Enter an e-mail address that you monitor regularly.
- Badmail Directory - The SMTP service places in this folder the messages that it can’t deliver. Check this folder periodically to review messages and clean out the folder.
Setting delivery options and restrictions
Use the Delivery tab to specify how the SMTP service should handle outgoing messages. The retry intervals define how often the SMTP service attempts to resend messages after a delivery problem occurs because of a network or recipient server problem.
The Delay Notification setting in the Outbound group specifies how long the service waits after a failed delivery attempt before it sends a delay notification to the sender. The Expiration Timeout setting in the Outbound group specifies how long the SMTP service will keep trying to deliver a message before it gives up and returns an NDR. The Delay Notification and Expiration Timeout settings in the Local group specify the same behaviors for local message delivery.
Configuring connections to remote servers
Click Outbound Security if you need to configure how the SMTP service authenticates to remote e-mail servers. You can leave the default setting of Anonymous Access selected if the server delivers directly to recipients’ mail servers on the Internet, which don’t require the sending server to authenticate. The only reason to use a different method is a known remote server, typically a smart host, that requires authentication or encryption. For these, choose Basic or Integrated Windows Authentication according to the remote server’s requirements, and then specify the user name and password. If you use basic authentication, also select the TLS Encryption option in the same dialog box, because the credentials otherwise cross the network in clear text.
Limiting outbound connections
Click Outbound Connections on the Delivery tab to open the Outbound Connections dialog box, and use it to set the following properties:
- Limit Number of Connections to - Sets the maximum number of concurrent outgoing connections.
- Time-Out - Sets the timeout period for each connection. The service drops the connection if the timeout period is reached.
- Limit Number of Connections per Domain to - Sets the maximum number of connections to a given remote domain. For example, if set to 100, the SMTP service would establish a maximum of 100 concurrent connections to techrepublic.com to deliver messages to that domain. This value should not be greater than the value of Limit Number Of Connections To.
- TCP Port - Specifies the TCP port the service should use to connect to the remote e-mail server(s). All of the remote servers must listen on the specified port, so you’ll usually change this only if you’re connecting to one or more well-known servers that use the same nonstandard port.
Setting advanced delivery options
Click Advanced on the Delivery tab to open the Advanced Delivery dialog box and set advanced options:
- Maximum Hop Count - Sets the maximum number of mail servers (not IP routers) a message can pass through before the service treats it as undeliverable; the service counts the Received headers already in the message. The default of 15 is enough for nearly any path and also stops a message looping forever between misconfigured servers, so you should need to raise it only if your mail legitimately passes through many internal mail servers before reaching the Internet.
- Masquerade Domain - The domain you specify here replaces the domain name that appears in the Mail From portion of the message header. This value doesn’t affect what the e-mail client sees as the From address. It applies to the first hop only.
- Fully-Qualified Domain Name (FQDN) - Specifies the host name the SMTP server announces in its HELO/EHLO greeting when delivering mail. By default, the SMTP service uses the FQDN taken from the computer’s properties, but you can specify a different name in this field to use instead. The name should resolve in DNS to the address the server sends from (and ideally that address should resolve back to the name), because many receiving servers reject mail from hosts whose greeting name doesn’t check out. If you also accept mail for a domain, that domain’s MX record should point at this name.
- Check DNS - Click this button to perform a DNS lookup on the FQDN specified for the SMTP server to validate the name.
- Smart Host - Use this option to route all outgoing mail to another e-mail server, which processes the messages for delivery. Enter the FQDN of the smart host or enter its IP address enclosed in square brackets, such as [192.168.1.10]. Including the brackets identifies the entry as an IP address and bypasses DNS lookup.
- Attempt Direct Delivery Before Sending to Smart Host - Select this option if you’re using a Smart Host and want your SMTP service to attempt to deliver the messages before forwarding them to the Smart Host. The SMTP service forwards the message to the Smart Host if it is unable to deliver the message itself.
- Perform Reverse DNS Lookup on Incoming Messages - Directs the SMTP service to look up the connecting client’s IP address in reverse DNS and compare the result with the host name the client gave in its HELO/EHLO command. If the names match, the Received header records the verified name; if they don’t, the service still accepts the message but notes in the Received header that the name could not be verified. This is useful evidence when tracing forged mail, but it costs a DNS query for every connection.
Configuring LDAP routing
The Lightweight Directory Access Protocol (LDAP) enables directory services to exchange information and clients to look up information in a directory. Use the LDAP Routing tab to set up your SMTP service to use LDAP queries against a remote LDAP server to resolve destination addresses. For example, assume you have an Exchange 2000 Server installed in your organization and you’re using the SMTP service to deliver messages that originate from your Web site to recipients on the Exchange Server. Configure your SMTP service to look up addresses in Active Directory to resolve the addresses of both senders and receivers. This allows the SMTP service to accomplish such tasks as resolving a distribution list address into individual destination addresses.
You can set the following options:
- Server - Specifies the name or address of the remote LDAP server. You don’t need to specify a server if you choose the Exchange LDAP Service schema type.
- Schema - Selects from this drop-down list the type of directory service hosted by the remote LDAP server. Choose Active Directory to connect to AD on a Windows 2000 or Microsoft .NET domain controller. Choose Site Server Membership Directory to query a Microsoft Site Server 3.0 (or Microsoft Commercial Internet System) membership directory. Choose Exchange LDAP Service to query the LDAP service of an Exchange Server 5.5 computer.
- Binding - Selects from this drop-down list the method the SMTP service uses to authenticate on the remote LDAP server.
- Domain - If you choose the Plain Text or Windows SSPI binding type, enter in this field the domain name of the domain in which the specified user account resides (see the next option). Plain Text sends the bind password across the network in clear text; prefer Windows SSPI, which doesn’t, whenever the LDAP server supports it.
- User Name - Specifies the user name to use to authenticate on the remote server. Use the distinguished name (DN) in the format cn=user,ou=users,o=company.
- Password - Provides the password for the account specified by the User Name field.
- Base - Specifies the container in the directory you want to begin the search.
Adding and configuring domains
IIS Setup creates a default domain using the FQDN of the computer hosting the SMTP service, which it obtains from the computer’s DNS settings. You can create additional domains for the SMTP service. The domain can be an alias to the local domain or can point to a remote domain. Incoming messages for the alias domain are delivered to the default domain’s drop folder. Incoming messages for a remote domain are forwarded to the remote domain through DNS resolution or a designated smart host.
To create a domain, open the IIS console and expand the Default SMTP Virtual Server branch. Right-click Domains and choose New | Domain. Specify the domain type (alias or remote) and follow the wizard’s prompts to create the domain.
Remote domains act differently from alias/local domains. You can configure a remote domain so that messages for that domain are routed to the appropriate smart host or are simply routed using DNS. This turns the SMTP server into a mail relay agent. You can also use a remote domain to block mail to a particular domain: create the remote domain and clear its relay option.
When you create a remote domain, you need to configure the connection between the SMTP service and the remote domain, including authentication and other settings. Double-click the newly created domain to open the properties for the domain and configure the following options:
- Allow Incoming Mail To Be Relayed To This Domain - Clear this option to prevent messages from being forwarded to the remote domain. Leave it cleared unless you mean the opposite: when it is selected, any client that can connect may relay mail to that domain, regardless of the virtual server’s relay restrictions.
- Send HELO Instead of EHLO - Select this option to force the SMTP service to use plain SMTP rather than ESMTP. You need it only for a remote server that doesn’t handle EHLO correctly.
- Outbound Security - Sets the authentication method required by the remote domain’s server.
- Use DNS To Route To This Domain - Select this option if you want the SMTP service to route mail for the remote domain using DNS lookups for the remote domain’s MX record(s).
- Forward All Mail To Smart Host - Select this option to forward the mail to a smart host, which will forward the mail to the remote domain.
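How these per-domain settings combine with the Advanced Delivery options described earlier (global smart host, bracketed IP literal, Attempt Direct Delivery Before Sending To Smart Host) is easier to see as code. The block below is an added example, not code from the article or from Microsoft: a matching remote domain entry takes precedence, its relay switch can refuse the recipient outright, a smart host written as [a.b.c.d] is used literally with no DNS lookup, and direct delivery falls back to the smart host only when no MX record is found. MX answers come from a dictionary constructed for the example, and the domain and host names are assumptions.

```python
"""Next-hop selection from the SMTP service's delivery settings.

Added example; not code from the article or from Microsoft. STUB_MX and
all domain/host names are constructed for the example.
"""
import ipaddress

STUB_MX = {                     # constructed stand-in for DNS MX answers
    "partner.test": ["mx1.partner.test", "mx2.partner.test"],
    "example.com": ["mail.example.com"],
}


def parse_smart_host(value):
    """'[192.168.1.10]' -> ('ip', '192.168.1.10'); 'relay.isp.test' -> ('name', 'relay.isp.test')."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        literal = value[1:-1]
        ipaddress.ip_address(literal)          # ValueError if the brackets don't hold an address
        return ("ip", literal)                 # brackets mean: use literally, skip DNS
    return ("name", value)


def resolve_mx(domain, mx_table=STUB_MX):
    """Return the MX hosts for a domain; an empty list means the lookup failed."""
    return list(mx_table.get(domain.lower(), []))


def route(recipient, remote_domains, smart_host=None, direct_first=False, mx_table=STUB_MX):
    """Decide the next hop for one recipient.

    remote_domains maps a domain name to its settings, {'allow_relay': bool,
    'smart_host': str or None}; a domain absent from the map falls back to the
    virtual server's global smart_host / direct_first settings.
    Returns ('dns', [hosts]), ('smarthost', ('ip'|'name', host)) or ('rejected', reason).
    """
    domain = recipient.rpartition("@")[2].lower()
    entry = remote_domains.get(domain)
    if entry is not None:
        if not entry.get("allow_relay", True):     # relay option cleared for this domain
            return ("rejected", "550 5.7.1 Unable to relay for %s" % recipient)
        if entry.get("smart_host"):                # 'Forward all mail to smart host'
            return ("smarthost", parse_smart_host(entry["smart_host"]))
        hosts = resolve_mx(domain, mx_table)       # 'Use DNS to route to this domain'
        return ("dns", hosts) if hosts else ("rejected", "no MX record for %s" % domain)
    # No per-domain entry: the global Advanced Delivery settings apply.
    hosts = resolve_mx(domain, mx_table) if (smart_host is None or direct_first) else []
    if hosts:
        return ("dns", hosts)
    if smart_host:
        return ("smarthost", parse_smart_host(smart_host))
    return ("rejected", "no MX record for %s" % domain)


if __name__ == "__main__":
    per_domain = {"blocked.test": {"allow_relay": False},
                  "partner.test": {"smart_host": "[10.0.0.5]"}}
    for rcpt in ("bob@partner.test", "bob@blocked.test", "bob@nowhere.test"):
        print(rcpt, "->", route(rcpt, per_domain, smart_host="relay.isp.test", direct_first=True))
```

The order of the checks is the point: a remote domain entry is consulted before the global smart host, so a smart host set on the virtual server does not apply to a domain that has its own entry, and Attempt Direct Delivery only changes behavior when the MX lookup fails.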
More on SMTP
If you would like to know more about SMTP and how it works, check out these excellent resources: