SMTP is the Internet standard for sending and receiving e-mail and is used in Exchange 2000 Server for Internet messaging. To optimize how SMTP works with Exchange 2000, you must understand how Exchange Server interacts with SMTP. Here’s how you can customize your SMTP implementation.
What a lot of people don’t realize is that the SMTP services aren’t really native to Exchange. Instead, SMTP is a native IIS component. Since Exchange piggybacks on top of IIS, Exchange is able to make use of the IIS SMTP services. Exchange does however, extend the SMTP stack as a way of offering additional functionality.
Exchange implements the SMTP services in the form of virtual servers, which allow you to host mail services for multiple organizations on a single server. You can access the SMTP services by opening the Exchange System Manager and navigating through the console tree to your organization | Administrative Groups | your administrative group | Servers | your server | Protocols | SMTP. If you expand the SMTP container, you will see any virtual SMTP servers that exist on the machine.
Even if you haven’t defined any virtual servers, there will always be the Default SMTP Virtual Server. If your Exchange Server only hosts mail for a single organization, it’s the Default SMTP Virtual Server that handles the SMTP services for that organization. You can create a new SMTP Virtual Server by right clicking on the SMTP container and selecting New | SMTP Virtual Server. However, since most organizations use only the Default SMTP Server, I will focus on showing you the options available for this virtual server. Any of the techniques that I’m going to show you can be applied to other SMTP virtual servers.
To configure the server’s SMTP settings, right click on the Default SMTP Virtual Server container and select Properties. When you do, Windows will display the Default SMTP Virtual Server Properties sheet.
The General tab
When the properties sheet appears, the General tab is initially selected (see Figure A).
|The General tab allows you to set the virtual server’s IP address, maximum number of connections, and logging options.|
The first thing that you’ll notice on the General tab is the IP Address drop-down list. The idea is that SMTP traffic sent from the virtual server will appear to come from this IP address. Microsoft has included this drop-down list because a server that contains multiple NICs will also contain multiple IP addresses. Likewise, it’s possible to assign multiple IP addresses to a single NIC. If multiple IP addresses are used on the Exchange Server, then it’s important to designate which address will handle SMTP traffic for this particular virtual SMTP server.
The next set of options on the General tab deals with the actual connections. There’s an option to limit the number of simultaneous connections and an option to set the connection time-out period. By default, the connection time-out period is set to 10 minutes. This setting will work fine for most environments. The default setting for the maximum number of connections is no limit. (Generally, you would want to limit the maximum number of simultaneous connections only if the server were having performance problems that were directly related to excessive SMTP requests.)
The final portion of the General tab is the logging section. By default, logging is disabled, and you should leave it disabled because SMTP logging can fill up your log files very quickly. Normally, you would enable SMTP logging only for diagnostic purposes or in extremely high-security environments. If you do choose to enable SMTP logging, you should use the W3C Extended Log File format. This particular type of logging is native to IIS and tends to provide the most useful logging information.
The Access tab
The next tab that you’ll encounter is the Access tab (see Figure B), which deals with SMTP security. The Access tab is divided into four sections: Access Control, Secure Communications, Connection Control, and Relay Restrictions.
|The Access tab contains settings related to SMTP security.|
As you can see in the figure, the Access Control section contains a single button marked Authentication. This button opens a screen that contains the various authentication options available for those sending SMTP mail through the virtual server. The types of supported authentication include:
- Anonymous Access
- Basic Authentication
- Integrated Windows Authentication
By default all three types of authentication are selected. At first, it might seem like a huge security risk to allow all three authentication types. However, each has its place. Remember, SMTP is used to send Internet mail. Anonymous Access is often used by applications to send e-mail based alerts.
Basic Authentication tends to be used a lot in environments that support OWA. If no one is using OWA, or accessing an Exchange mailbox from outside of the network, you can probably disable basic authentication.
Integrated Windows Authentication is the most secure authentication method. I have yet to see a situation in which it was appropriate to disable Integrated Windows Authentication.
The Secure Communications section allows you to link your SMTP virtual server with a certificate authority. Entire books have been written on this subject, but I will briefly explain how this works. If you click the Certificate button, Exchange will launch the Web Server Certificate Wizard. Click the Wizard’s Next button and you’ll see a screen that allows you to choose which method you want to use to assign a certificate to the mail server. You can create a new certificate, assign an existing certificate, or you can import a certificate from a key management backup file. For the purposes of this article, select the Assign An Existing Certificate option and click Next.
At this point, you will see a list of the certificates that have been issued to the server by a certificate authority. Select the certificate and click Next. You’ll see a summary of the certificate. If the summary looks good, click Next and Finish to assign the certificate to the SMTP virtual server.
The next section on the Access tab is the Connection Control section. You can access this section by clicking the Connection button. The Connection section is a security mechanism that allows you to control who can and who can’t use the SMTP virtual server for the purpose of sending Internet mail. By default, everyone is allowed to send SMTP mail (assuming they have either authenticated or anonymous access is allowed).
You can create an exclusion list of IP addresses that are not allowed to send SMTP mail. If you have higher security needs, you can change things around and provide a list of IP addresses that are allowed to send SMTP mail. If a computer’s IP address isn’t specifically included on this list, the computer will not be allowed to send SMTP mail through the virtual server.
The final section of the Access tab is Relay Restrictions, which you access by clicking the Relay button. Relay Restrictions controls who may relay SMTP mail. Like the Connection control, the Relay section contains an exclusion list that you can use to configure which users may or may not perform an SMTP relay.
An SMTP relay is a technique by which an SMTP message is passed through your server prior to being sent to its destination. A lot of security conscious people like to block mail relay, because relaying messages is a technique that’s commonly used by spammers. The idea is that if a spammer relays mail through your server, then the spam may appear to come from your server rather than from the spammer’s server. There are actually Web sites that contain lists of IP addresses of Exchange Servers that have mail relay enabled.
Before you panic and disable mail relay though, remember that there are legitimate reasons for leaving mail relay enabled. For example, if a user works offsite and connects to his or her Exchange mailbox via POP3 and SMTP, rather than using Outlook’s built in Exchange client, the user will usually be unable to send e-mail if mail relay is disabled. To put it simply, mail relay is a double-edged sword, and you must decide for yourself if the benefits outweigh the risks in your organization.
The Messages tab
The next portion of the SMTP Virtual Server Properties sheet is the Messages tab. The Messages tab contains options that are designed to allow you to place some threshold values on individual messages or sessions that will prevent them from draining your server of all its resources. For example, as you can see in Figure C, there are options that will allow you to specify a maximum size for an individual message or for an individual session. These limitations are disabled by default.
|The Messages tab allows you to set limits to messages and sessions.|
Beneath the size limitations is an option you can use to limit the number of messages per connection. The idea is that you can enhance Exchange’s performance by opening multiple connections should the number of messages exceed this value. The default value is 20, and is appropriate for most situations.
Next is an option to limit the number of recipients of a single message. The default value is 64,000. Depending on the size and nature of your organization, 64,000 might be way too high. If you have thousands of employees, or if you use Exchange to send out a newsletter to people who have subscribed to it through your Web site, then 64,000 recipients might be realistic.
However, for smaller organizations, there’s a really good chance that if a message is ever sent to 64,000 recipients, then the message is probably of a questionable nature. In such environments, you might consider setting this value much lower. You won’t see a performance gain by lowering the value, but doing so is good from a security standpoint.
The next section on the Messages tab deals with bad messages. You can use this section to control what happens when a message doesn’t reach its intended recipient. Options include a directory to store the message in, an e-mail address for the person that a non-delivery report should be sent to, and a forwarding address. In many organizations, the default settings are fine. However, I have seen organizations in which someone is designated to read over all bad mail to insure that messages make it to the customers and that the mail system isn’t being abused.
The Delivery tab
The final tab on the SMTP properties sheet is the Delivery tab, shown in Figure D. The Delivery tab tends to be one of the more complex tabs.
|The Delivery tab helps you control what happens to messages that are undeliverable.|
The main idea behind the Delivery tab is that, by its very nature, the Internet is not perfect. Routers, lines, and servers all go down from time to time. Therefore, if a message is undeliverable, it could be because of a bad e-mail address, but it could also be the result of a hardware failure somewhere on the Internet. Exchange knows this and consequently doesn’t give up after the first delivery failure. Exchange will actually keep trying to send the message until you tell it to stop. The Delivery tab is where you tell Exchange how often to retry sending the message and when to give up.
For outbound messages, Exchange tries a minimum of three times to resend the message. By default, these retries occur every 10 minutes. After that, Exchange tries every 15 minutes to resend the message for the next two days. After 12 hours, you’ll see a notification that the message has been delayed. After two days, the message is assumed to be undeliverable. However, the Delivery tab allows you to change all of these values. You can change the retry times for the first, second, and third retry attempts, the frequency of subsequent retry attempts, the expiration timeout, and the delay notification period.
The settings that I just explained apply to outbound messages. Exchange also uses SMTP to communicate between Exchange servers within your organization. You can also configure what happens when these inter-server communications fail. However, rather than being able to configure all of the retry intervals, you are able to configure only the delay notification and the expiration timeout.
You might have noticed in Figure D that there are three buttons at the bottom of the Delivery tab. The Outbound Security button is very similar to the Access tab. It allows you to configure the type of authentication required for outbound SMTP traffic. By default, anonymous access is selected, meaning that no authentication is required. This is fine for most organizations since the Access tab takes care of the first level of security.
Earlier, I showed you how you could limit the maximum number of messages per connection. If you click the Outbound Connections button, you can set the maximum number of connections. The default value is 1000. You can also use this dialog box to configure the maximum connections per domain, the time-out period for the connections, and the TCP port used for outbound connections.
Finally, you can click the Advanced button to configure the maximum hop count and the fully qualified domain name (FQDN). This section also allows you to specify a masquerade domain and a smart host, but this is hardly ever necessary.