Microsoft IIS 6.0 Administrator's Consultant

As you’ve seen in the previous chapter, there’s a lot to configuring and managing e-mail services for Internet, intranet, and extranet sites. Working with Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) isn’t as straightforward as working with Web or File Transfer Protocol (FTP) services—there’s a lot going on behind the scenes and a lot of configuration options to consider. With all the options available, don’t overlook the importance of securing connections and properly managing message delivery. Not only do these advanced configuration options ensure that the e-mail services work properly, but they also help safeguard the system.

Securing Incoming Connections

You can control incoming connections to SMTP virtual servers in several ways. You can do the following:

    • Grant or deny access by IP address, subnet, or domain

    • Require secure communications for incoming connections

    • Control which authentication methods incoming connections may use

    • Limit the number of simultaneous connections and set connection time-out values

Each of these tasks is discussed in the sections that follow.

Note

With SMTP, you can configure both incoming and outbound connection restrictions. To learn how to configure outbound connections, see the “Controlling Outgoing Connections” section of this chapter.

Securing Access by IP Address, Subnet, or Domain

By default, virtual servers are accessible to all IP addresses, which presents a security risk that might allow your messaging system to be misused. To control use of a virtual server, you might want to grant or deny access by IP address, subnet, or domain.

To grant or deny access to a virtual server by IP address, subnet, or domain, follow these steps:

  1. In the Internet Information Services (IIS) snap-in, right-click the SMTP virtual server you want to manage and then choose Properties.

  2. Click Connection in the Access tab. As shown in Figure 11-1, the Computers list shows the computers that currently have connection controls.

    Figure 11-1: You can control connections by IP address, subnet, or domain.

  3. To grant access to specific computers and deny access to all others, click Only The List Below.

  4. To deny access to specific computers and grant all others access, click All Except The List Below.

  5. Create the Access list. Click Add and then, in the Computer dialog box, specify Single Computer, Group Of Computers, or Domain. When you have specified the computer or group, click OK.

    • With a single computer, enter the IP address for the computer, such as 192.168.5.50.

    • With a group of computers, enter the subnet address, such as 192.168.10.0, and the subnet mask, such as 255.255.255.0.

    • With a domain name, enter the fully qualified domain name (FQDN), such as eng.domain.com.

      Caution

      When you grant or deny by domain, the SMTP service must perform a reverse Domain Name System (DNS) lookup on each connection to determine if the connection comes from the domain. These reverse lookups can severely affect the performance of the SMTP service, and this performance impact increases as the number of concurrent users and connections increases.

  6. If you want to remove an entry from the Access list, select the related entry in the Computers list and then click Remove.

  7. Click OK.
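To make the Only The List Below and All Except The List Below semantics concrete, here is an added Python model of the Access list (it is not code from the book or from the IIS SMTP service). It evaluates the example entries above, 192.168.5.50, 192.168.10.0 with mask 255.255.255.0, and eng.domain.com, and counts the reverse lookups that a domain entry forces; the PTR_TABLE resolver, the additional sample addresses, and the order in which entry types are checked are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the reverse DNS (PTR) lookup the SMTP service
# performs whenever a Domain entry is in the list. A dict is used instead
# of a live query so the example runs offline (assumption).
PTR_TABLE = {
    "192.168.5.50": "mail1.eng.domain.com",
    "172.16.0.3": "build.eng.domain.com",
    "10.0.0.7": "relay.other.example",
}


def reverse_lookup(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


@dataclass
class ConnectionControl:
    # only_listed=True  -> "Only The List Below"  (grant listed, deny the rest)
    # only_listed=False -> "All Except The List Below" (deny listed, grant the rest)
    only_listed: bool
    computers: List[str] = field(default_factory=list)              # Single Computer
    groups: List[Tuple[str, str]] = field(default_factory=list)     # (subnet, mask)
    domains: List[str] = field(default_factory=list)                # Domain (FQDN)
    lookups: int = 0   # reverse lookups performed, to show what domain entries cost

    def _listed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if ip in self.computers:
            return True
        for subnet, mask in self.groups:
            # ipaddress accepts the dotted mask form, e.g. 192.168.10.0/255.255.255.0
            if addr in ipaddress.ip_network(f"{subnet}/{mask}", strict=False):
                return True
        if self.domains:
            # Address entries are cheap; only fall back to the costly PTR query
            # when a domain entry exists and nothing else matched (assumed order).
            self.lookups += 1
            name = reverse_lookup(ip)
            if name and any(name == d or name.endswith("." + d) for d in self.domains):
                return True
        return False

    def allows(self, ip: str) -> bool:
        listed = self._listed(ip)
        return listed if self.only_listed else not listed
```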

Controlling Secure Communications for Incoming Connections

By default, mail clients pass connection information and message data through an insecure connection. If corporate security is a high priority, however, your information security team might require that mail clients connect over secure communication channels. You configure secure communications by completing the following steps:

  1. Create a certificate request for the SMTP virtual server for which you want to use secure communications. Each server that will be exchanging messages with other secure SMTP virtual servers must have a certificate.

  2. Submit the certificate request to a certificate authority (CA). The CA then issues you a certificate (usually for a fee).

  3. Install the certificate on the SMTP virtual server. Repeat steps 1 to 3 for each SMTP virtual server that needs to communicate over a secure channel.

  4. Configure the server to require secure communications on a per virtual server basis.

You can create, install, and enable a certificate for use on a virtual server by completing the following steps:

  1. In the IIS snap-in, right-click the SMTP virtual server on which you want to secure communications and then select Properties.

  2. In the Access tab, click Certificate. This starts the Web Server Certificate Wizard. Use the wizard to create a new certificate.

  3. Send the certificate request to your CA. When you receive the certificate back from the CA, access the Web Server Certificate Wizard from the virtual server’s Properties dialog box again. Now you’ll be able to process the pending request and install the certificate.

  4. When you’re finished installing the certificate, don’t close the Properties dialog box. Instead, click Communicate in the Access tab.

  5. In the Security dialog box, click Require Secure Channel, and then, if you’ve also configured 128-bit security, select Require 128-Bit Encryption.

  6. Click OK and then click OK again to save your settings.

Controlling Authentication for Incoming Connections

The SMTP service supports the following authentication modes:

    • Anonymous access

    • Basic authentication

    • Integrated Windows authentication

All three authentication methods are available for SMTP virtual servers. As necessary, you can enable or disable support for these authentication methods by performing the following steps:

  1. In the IIS snap-in, right-click the SMTP virtual server that you want to work with and then select Properties.

  2. On the Access tab, click Authentication. This displays the dialog box shown in Figure 11-2.

  3. You can now choose the acceptable authentication methods. Keep in mind that if you disable anonymous access, clients must authenticate themselves before they can submit messages for delivery, and you might need to reconfigure Web-based applications on your server so that they use authentication.

  4. If you enable basic authentication, you can set a default domain that should be used when no domain information is supplied during the logon process. Setting the default domain is useful when you want to ensure that clients authenticate properly.

    Figure 11-2: You can enable or disable authentication methods to meet your organization’s needs. With basic authentication it’s often helpful to set a default domain as well.

  5. With basic authentication, you can also require Transport Layer Security (TLS) encryption. With TLS encryption, clients must have smart cards or certificates installed to establish a secure connection to the server.

  6. Click OK and then click OK again to save your settings.

Restricting Incoming Connections and Setting Time-Out Values

You can control incoming connections to SMTP virtual servers in two key ways. You can set a limit on the number of simultaneous connections, and you can set a connection time-out value.

Normally, SMTP virtual servers accept an unlimited number of connections, and this is an optimal setting in most environments. However, when you’re trying to prevent a virtual server from becoming overloaded, you might want to limit the number of simultaneous connections. Once the limit is reached, no other clients are permitted to access the server. The clients must wait until the connection load on the server decreases.

The connection time-out value determines when idle connections are disconnected. Normally, connections time out after they’ve been idle for 10 minutes. In most situations, a 10-minute time-out is ideal. Still, there are times when you’ll want to increase the time-out value, and this primarily relates to clients that get disconnected when transferring large messages. If you discover that clients get disconnected during large message transfers, the time-out value is one area to examine.

You can modify connection limits and time-outs by completing the following steps:

  1. In the IIS snap-in, right-click the SMTP virtual server that you want to work with and then select Properties. This displays the Properties dialog box shown in Figure 11-3.

    Figure 11-3: Connection limits and time-outs can help reduce server load. They can also help to resolve connection problems.

  2. To set a connection limit, select Limit Number Of Connections To and then type the limit value. To remove connection limits, clear Limit Number Of Connections To.

  3. The Connection Time-Out field controls the connection time-out. Type the new time-out value in minutes. In most cases you’ll want to use a time-out value between 10 and 30 minutes.

  4. Click OK to save your settings.
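As an added illustration of the two settings above (not code from the book or from IIS), the following Python model applies a connection limit and an idle time-out the way the section describes them: once the limit is reached new clients are refused until an existing connection closes, and a connection that sends nothing for the time-out period is dropped, which is why a stalled large-message transfer survives a 30-minute time-out but not the 10-minute default. The minute-based clock, the client ids, and the stall scenario are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SmtpConnectionPolicy:
    # Limit Number Of Connections To (None = unlimited, the default) and
    # Connection Time-Out in minutes (default 10), as in the Properties dialog.
    max_connections: Optional[int] = None
    timeout_minutes: int = 10
    # client id -> minute of last activity on that connection (constructed clock)
    active: Dict[str, int] = field(default_factory=dict)

    def connect(self, client: str, now: int) -> bool:
        """Accept unless the limit is reached; refused clients must retry later."""
        if self.max_connections is not None and len(self.active) >= self.max_connections:
            return False
        self.active[client] = now
        return True

    def activity(self, client: str, now: int) -> None:
        """Any data on the connection (e.g. another chunk of a large message) resets the idle clock."""
        if client in self.active:
            self.active[client] = now

    def reap_idle(self, now: int) -> List[str]:
        """Drop connections idle for at least timeout_minutes; returns the dropped client ids."""
        dropped = [c for c, last in self.active.items() if now - last >= self.timeout_minutes]
        for c in dropped:
            del self.active[c]
        return sorted(dropped)


def large_transfer_survives(timeout_minutes: int, stall_minutes: int) -> bool:
    """Constructed scenario: a client starts a large message, stalls, then would resume.

    Returns True if the server's idle sweep during the stall leaves the session open.
    """
    pol = SmtpConnectionPolicy(timeout_minutes=timeout_minutes)
    pol.connect("bulk-sender", now=0)
    pol.activity("bulk-sender", now=2)       # first chunks of the message arrive
    pol.reap_idle(now=2 + stall_minutes)     # idle sweep runs while the client is stalled
    return "bulk-sender" in pol.active
```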
