IIS 6: The Complete Reference
IIS 6 offers many options and configurations for establishing SMTP security. These options relate to users performing administrative tasks for the SMTP service and clients accessing a given SMTP virtual server. Configuring these options may be performed using the Computer Manager MMC snap-in to obtain the Properties window for a given SMTP virtual server.
Security settings for performing administrative tasks may be configured using the settings on the Security tab for the Properties window. The settings that relate to clients accessing a given SMTP server are configurable under the Access tab. Refer to Chapter 2 for more information on secure communication found on the Access tab. The certificate wizard and setting key pairs and certificates tasks are the same as they are for the WWW service, and they are covered in Chapter 2 as well.
User Administrative Permissions
To enable configuration of an SMTP virtual server, permissions must be set for Windows users or groups on the host or other authenticating server that has a trusted relationship with the host server of the SMTP virtual server. The users or groups that must perform administrative tasks for the SMTP virtual server must be designated as an operator for the SMTP virtual server. By default, the administrators group, the Windows NT AUTHORITY\LOCAL SERVICE, and the Windows NT AUTHORITY\NETWORK SERVICE accounts are designated as operators for any given SMTP virtual server.
Here’s how to designate a user as an operator for a given SMTP virtual server:
- Open the Properties window for the SMTP virtual server in the Computer Manager MMC snap-in, and click the Security tab.
- You’ll see a list box that shows the administrators group and the users that are designated as operators. Below the list are an Add button and a Remove button. Click the Add button to open the Select Users Or Groups dialog box and select a user or group. The selected users or groups are added to the list of designated operators for the SMTP virtual server. Close the dialog by clicking OK.
- To remove a user or group from the list, first select the user or group and then click the Remove button. The administrators group cannot be removed. Click OK when you’re done.
Authenticating Incoming Connections
Clients connecting to the SMTP virtual server can be authenticated. You can configure authentication for clients sending incoming messages using the Access tab of the Properties window for an SMTP virtual server. To set the authentication for clients to be able to send messages using a given SMTP virtual server, open the Properties window, select the Access tab, and click the Authentication button found in the Access Control area. An Authentication window will open with the following settings:
- Anonymous Access: No credentials are required to authenticate and use the SMTP virtual server.
- Basic Authentication: The specified username and password are transmitted to the host server for authentication in clear text.
- Requires TLS Encryption: Clients connecting to this SMTP virtual server must use TLS encryption or they will not be allowed to access the server. This setting is enabled when Basic Authentication is selected.
- Default Domain: The domain name that is appended to the username during authentication when Basic Authentication is used. This setting is enabled when Basic Authentication is selected.
- Integrated Windows Authentication: Authentication is performed using a Windows cryptographic exchange that proves the client holds the password without transmitting the password itself to the host server.
The authentication protocols are not mutually exclusive selections, so one or more may be selected. If Basic Authentication is selected, the Requires TLS Encryption setting becomes enabled so that it, too, may be selected. The Default Domain setting also becomes enabled when Basic Authentication is selected so that when a user authenticates using Basic Authentication, the default domain name may be appended to the credential submitted. Anonymous Access is the default setting for authentication.
Restricting Based on IP Address or Domain Name
Computers that have a particular IP address or domain name may be restricted from using a given SMTP virtual server or exclusively allotted access to use a given SMTP virtual server. Here’s how to set connection restrictions:
- Open the Properties window, select the Access tab, and click the Connection button found in the Connection Control area.
- In the Connection window, two mutually exclusive option selectors are listed at the top, along with a list in the middle and Add and Remove buttons below the list. The two option selectors are Only The List Below and All Except The List Below. Select one option to refresh the list to show the IP addresses or domain names that apply to the given restriction.
- Click the Add button to open a window prompting for an IP address, a domain name, or a subnet that should be added to the list for the given restriction.
- Select an entry in the list and click the Remove button to remove the selected IP address or domain name.
- When the changes are complete, click OK to save the changes; otherwise, click Cancel and no changes are made in the SMTP virtual server’s configuration. By default, no restrictions are set for a given SMTP virtual server.
Restrictions for Relay from Virtual Servers
Connection restrictions may also be set for an SMTP virtual server for relaying messages. To set connection restrictions that pertain to relaying messages:
- Open the Properties window, select the Access tab, and click the Relay button found in the Relay Restrictions area.
- The Relay Restrictions window that opens is almost identical to the Connection window. Two mutually exclusive options are shown at the top of the window, and the list boxes function in about the same way as those in the Connection window.
Note: In this window, unlike the Connection window, a checkbox is labeled Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above. Checking this setting, which is checked by default, allows clients that authenticate according to the authentication settings to relay messages regardless of the IP or domain restrictions set.
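The connection-control, relay-restriction and authentication settings above combine into one access decision per client session, and the interaction between them (the two exclusive list modes, Requires TLS Encryption, and the authenticate-to-relay override) is where open relays and clear-text credentials come from. The following model of those decisions is an added example written for this chapter; it is not IIS code and does not read the IIS metabase. The class and function names, the bit values for the authentication methods, the sample server configuration and the TEST-NET addresses are all constructed for the example. It also adds an audit() check that flags the two misconfigurations a reviewer looks for first: a relay list in All Except mode with nothing in it (open relay) and Basic Authentication without Requires TLS Encryption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Authentication methods as bit flags so several may be enabled at once,
# mirroring the non-exclusive checkboxes in the Authentication window.
# Constructed constants for this example, not IIS metabase values.
ANONYMOUS, BASIC, INTEGRATED = 1, 2, 4


@dataclass
class RestrictionList:
    """One Connection or Relay list: 'Only The List Below' or 'All Except The List Below'."""
    only_list: bool = False                          # False = All Except; empty list = no restriction
    networks: List = field(default_factory=list)     # ip_network objects; a single host is a /32
    domains: List[str] = field(default_factory=list)  # lower-case domain suffixes

    def matches(self, ip: str, domain: Optional[str]) -> bool:
        addr = ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        if domain:
            d = domain.lower().rstrip(".")
            return any(d == s or d.endswith("." + s) for s in self.domains)
        return False

    def permits(self, ip: str, domain: Optional[str] = None) -> bool:
        hit = self.matches(ip, domain)
        return hit if self.only_list else not hit


def make_list(only_list: bool, cidrs=(), domains=()) -> RestrictionList:
    return RestrictionList(only_list, [ip_network(c) for c in cidrs], [d.lower() for d in domains])


@dataclass
class SmtpVirtualServer:
    auth_methods: int = ANONYMOUS                    # Anonymous Access is the IIS default
    require_tls_for_basic: bool = False              # "Requires TLS Encryption" checkbox
    connection: RestrictionList = field(default_factory=RestrictionList)  # no connection restriction
    relay: RestrictionList = field(default_factory=lambda: RestrictionList(only_list=True))  # constructed default
    relay_for_authenticated: bool = True             # "Allow All Computers Which Successfully Authenticate To Relay ..."


@dataclass
class Session:
    ip: str
    domain: Optional[str] = None    # reverse-resolved name of the client, if any
    tls: bool = False
    auth_method: int = 0            # 0 = client did not authenticate
    credentials_ok: bool = False


def may_connect(server: SmtpVirtualServer, s: Session) -> bool:
    """Connection Control: evaluated before anything else."""
    return server.connection.permits(s.ip, s.domain)


def is_authenticated(server: SmtpVirtualServer, s: Session) -> bool:
    """Credentials count only for a method the server enabled; Basic also needs TLS when required.
    Assumption of this model: Anonymous Access never counts as 'successfully authenticated'."""
    if s.auth_method == 0 or not s.credentials_ok or not server.auth_methods & s.auth_method:
        return False
    if s.auth_method == BASIC and server.require_tls_for_basic and not s.tls:
        return False
    return True


def may_submit(server: SmtpVirtualServer, s: Session) -> bool:
    """May the client deliver mail to this server at all (Access Control)?"""
    if not may_connect(server, s):
        return False
    return bool(server.auth_methods & ANONYMOUS) or is_authenticated(server, s)


def may_relay(server: SmtpVirtualServer, s: Session) -> bool:
    """Relay Restrictions list, then the authenticate-to-relay override."""
    if not may_submit(server, s):
        return False
    if server.relay.permits(s.ip, s.domain):
        return True
    return server.relay_for_authenticated and is_authenticated(server, s)


def audit(server: SmtpVirtualServer) -> List[str]:
    """Findings a defender wants before exposing the virtual server."""
    findings = []
    if not server.relay.only_list and not server.relay.networks and not server.relay.domains:
        findings.append("open relay: All Except an empty list lets every computer relay")
    if server.auth_methods & BASIC and not server.require_tls_for_basic:
        findings.append("Basic Authentication without Requires TLS Encryption: passwords cross the network in clear text")
    return findings


# Constructed sample configuration (TEST-NET ranges, not real hosts).
SAMPLE = SmtpVirtualServer(
    auth_methods=ANONYMOUS | BASIC,
    require_tls_for_basic=True,
    connection=make_list(only_list=False, cidrs=["203.0.113.0/24"]),           # block one range
    relay=make_list(only_list=True, cidrs=["192.0.2.0/24"], domains=["example.org"]),
    relay_for_authenticated=True,
)

if __name__ == "__main__":
    for sess in (Session("192.0.2.10"), Session("198.51.100.7"),
                 Session("198.51.100.7", tls=True, auth_method=BASIC, credentials_ok=True)):
        print(sess.ip, "connect:", may_connect(SAMPLE, sess), "relay:", may_relay(SAMPLE, sess))
    print("audit:", audit(SAMPLE))
```

Running the module prints the decision for an internal host, an outside anonymous client and an outside client that authenticated over TLS; only the first and last may relay. Note that with Requires TLS Encryption set, a client that presents correct Basic credentials on a plain connection is treated as unauthenticated, so the relay override does not apply to it either.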