Using a Windows SMTP Relay Server in a Perimeter Network


Many organizations use a stand-alone Windows 2000 or Windows Server 2003 SMTP server in a perimeter network as a mail relay server for incoming and outgoing Internet mail. In this configuration, your Exchange organization is in an internal domain behind the firewall and the SMTP server is in a separate domain in a perimeter network. Internal Exchange bridgehead servers route outgoing mail through a connector to the SMTP relay server, which assumes responsibility for DNS resolution and mail delivery. Similarly, you can configure the SMTP relay server to accept incoming Internet mail and route it internally.

The following figure illustrates this topology.

Figure: Windows Server 2003 relay server in a perimeter network

Advantages to using an SMTP relay server in a perimeter network include:

  • Limited Internet exposure   The internal network protects your Exchange servers that contain your user information and other configuration data.

  • Additional security   You can install virus-scanning software to scan incoming mail before it reaches your internal network.

Basic Configuration

The basic configuration consists of the following:

  • Windows Server 2003 SMTP relay server

    The SMTP relay server is configured with a default public domain. It is also configured to relay messages only for the SMTP mail domains within the Exchange organization—it does not relay messages to other domains. For detailed steps that describe how to configure the SMTP relay server, see "To configure a Windows Server 2003 server as a relay server or smart host" later in this section.

  • DNS Server

    • Your external DNS server is configured with an MX record for your domain that resolves to the IP address of your SMTP relay server.

    • All Exchange servers point to your internal DNS server.

  • Exchange bridgehead server

    The Exchange bridgehead server is connected to the Internet through the firewall on port 25.

  • SMTP virtual server

    The SMTP virtual server is configured to send and receive Internet mail with the following default settings:

    • Listens on the server's IP address on port 25 (the standard SMTP port).

    • Allow anonymous access. You must allow anonymous access to your SMTP virtual server on your Exchange bridgehead because Internet SMTP servers that send mail to this domain will not expect to authenticate.

    • Does not relay mail.

  • SMTP connector

    • The SMTP virtual server hosts the connector.

    • The connector is configured with an address space of * (asterisk) to force all outgoing mail to use the Exchange bridgehead server.

    • The connector is configured to use the SMTP relay server as a smart host to relay mail.

    • All other settings remain at their default values.

  • Other Exchange member servers

    • Member servers do not have a direct connection to the Internet.

    • All member servers use the default SMTP virtual server with its default settings.

  • Firewall

    • The firewall is configured according to your organizational guidelines and vendor specifications.

    Note

    A complete discussion about firewall configuration is outside the scope of this guide. There are many ways that you can configure a firewall to work with an SMTP relay server. You can allow either the firewall or the SMTP relay server to perform network address translation (between internal and external addresses). For the purposes of this guide, mail flow through the firewall is treated as if it were transparent.
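The relay restriction described above (accept mail for the organization's own SMTP domains from anyone, accept mail for any other domain only from the internal bridgehead, refuse everything else) is the property that keeps the perimeter server from becoming an open relay. The following Python model is an added example, not configuration or code from this guide or from the Windows SMTP service; the domain names, network ranges, host names and addresses in it are constructed. It walks three SMTP sessions through a small server-side state machine so the accept and reject replies at each step can be inspected.

```python
"""Relay policy of a perimeter SMTP relay, modelled as an SMTP command exchange.

Added example; it is not configuration from the Exchange guide. Every domain,
network and address below is constructed for the illustration.
"""
import ipaddress

# Constructed values: the Exchange organization's accepted SMTP domains and the
# internal network from which the Exchange bridgehead connects to the relay.
EXCHANGE_DOMAINS = {"example.com", "corp.example.com"}
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")


class RelayPolicy:
    """Inbound: any client may send to an Exchange domain.
    Outbound: only the internal network may send to other domains.
    Anything else is relay-denied."""

    def __init__(self, accepted_domains, internal_network):
        self.accepted_domains = {d.lower() for d in accepted_domains}
        self.internal_network = internal_network

    def rcpt_allowed(self, client_ip, rcpt_addr):
        domain = rcpt_addr.rpartition("@")[2].lower()
        if domain in self.accepted_domains:
            return True  # inbound Internet mail for the organization
        # outbound mail is relayed only for the internal bridgehead
        return ipaddress.ip_address(client_ip) in self.internal_network


def _extract_address(arg):
    # "FROM:<user@example.com>" -> "user@example.com"
    return arg.split(":", 1)[-1].strip().strip("<>")


class SmtpSession:
    """Minimal server side of HELO/EHLO, MAIL, RCPT, DATA and QUIT.
    handle() returns the reply line for one client command."""

    def __init__(self, policy, client_ip):
        self.policy = policy
        self.client_ip = client_ip
        self.greeted = False
        self.sender = None
        self.recipients = []

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return "250 relay.perimeter.example.net Hello"
        if not self.greeted:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = _extract_address(arg)
            self.recipients = []
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = _extract_address(arg)
            if not self.policy.rcpt_allowed(self.client_ip, rcpt):
                return "550 5.7.1 Unable to relay for " + rcpt
            self.recipients.append(rcpt)
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT command"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 2.0.0 Closing connection"
        return "500 5.5.1 Unrecognized command"


def run_exchange(client_ip, commands):
    """Feed client commands to a fresh session; return (command, reply) pairs."""
    session = SmtpSession(RelayPolicy(EXCHANGE_DOMAINS, INTERNAL_NETWORK), client_ip)
    return [(cmd, session.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    # Constructed sessions: an Internet sender delivering inbound mail, the
    # internal bridgehead sending outbound mail, and an Internet client that
    # tries to use the relay for a third-party domain.
    cases = [
        ("203.0.113.5", ["EHLO mx.sender.example", "MAIL FROM:<ann@sender.example>",
                         "RCPT TO:<bob@example.com>", "DATA"]),
        ("10.1.2.3", ["EHLO bridgehead.corp.example.com", "MAIL FROM:<bob@example.com>",
                      "RCPT TO:<ann@sender.example>", "DATA"]),
        ("203.0.113.5", ["EHLO spam.example", "MAIL FROM:<x@spam.example>",
                         "RCPT TO:<someone@other.example>", "QUIT"]),
    ]
    for ip, cmds in cases:
        print("client", ip)
        for cmd, reply in run_exchange(ip, cmds):
            print("  C:", cmd)
            print("  S:", reply)
```

The decision is made at RCPT time, before any message data is accepted, which is also where the Windows SMTP service applies its relay restrictions; a reject there costs the relay nothing beyond the command exchange.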

For detailed instructions, see How to Configure a Windows Server 2003 Server as a Relay Server or Smart Host.

For more information about how to configure a Windows server as a relay server or smart host, see Microsoft Knowledge Base article 293800, "XCON: How to Set Up Windows 2000 as a SMTP Relay Server or Smart Host."

Inbound Internet Mail

When using a relay server in a perimeter network, inbound Internet mail flows into the Exchange organization in the following manner:

  1. Incoming Internet mail flows through port 25 on the firewall.

  2. Mail is then sent to port 25 of the SMTP relay server in the perimeter network.

  3. The SMTP relay server routes the mail back through the firewall to the Exchange bridgehead server.

  4. The Exchange bridgehead server uses SMTP and internal routing to deliver mail to the Exchange server that hosts the user's mailbox.

Outbound Internet Mail

When using a relay server in a perimeter network, outbound Internet mail flows out of the Exchange organization in the following manner:

  1. An internal user submits a message to a remote user.

  2. The Exchange server on which the user's mailbox resides forwards mail to the SMTP connector on the Exchange bridgehead server.

  3. The SMTP connector relays the mail through the firewall to the SMTP relay server in the perimeter network.

  4. The SMTP relay server uses DNS to find the MX record and IP address of the remote user's SMTP server.

  5. The SMTP relay server sends mail back through the firewall to port 25 of the remote user's SMTP server.
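Step 4 of the outbound flow condenses a lookup the relay server performs for every remote domain. The following Python function is an added example, not code from this guide or from the Windows SMTP service, and the DNS data in it is a constructed answer set rather than a real zone. It goes slightly beyond the single case in the text: MX hosts are ordered by ascending preference (equal preferences in random order), a domain with no MX record falls back to its own A record (the implicit MX rule of RFC 5321, section 5.1), a "null MX" record of preference 0 and host "." (RFC 7505) is treated as "this domain accepts no mail", and MX hosts with no address record are skipped.

```python
"""Ordering delivery targets for outbound mail from a domain's MX records.

Added example, not part of the Exchange guide. MX_RECORDS and A_RECORDS are a
constructed stand-in for answers from the relay server's external resolver.
"""
import random

SMTP_PORT = 25

# Constructed zone data: domain -> list of (preference, mail_host).
MX_RECORDS = {
    "sender.example": [(20, "mx2.sender.example"), (10, "mx1.sender.example"),
                       (20, "mx3.sender.example"), (30, "mx-dead.sender.example")],
    "nomx.example": [],                 # no MX at all: implicit MX on the A record
    "nomail.example": [(0, ".")],       # null MX: domain accepts no mail
}
A_RECORDS = {
    "mx1.sender.example": "198.51.100.10",
    "mx2.sender.example": "198.51.100.11",
    "mx3.sender.example": "198.51.100.12",
    # mx-dead.sender.example deliberately has no A record
    "nomx.example": "198.51.100.20",
}


def delivery_targets(domain, mx_records=MX_RECORDS, a_records=A_RECORDS, rng=random):
    """Return [(host, ip, port), ...] in the order a relay should try them.

    An empty list means the domain is undeliverable (unknown, null MX, or no
    MX host has an address)."""
    domain = domain.lower().rstrip(".")
    if domain not in mx_records:
        return []
    records = mx_records[domain]

    # RFC 7505: a single MX of "0 ." declares that the domain takes no mail.
    if any(pref == 0 and host == "." for pref, host in records):
        return []

    # RFC 5321 5.1: with no MX records, treat the domain itself as the host.
    if not records:
        ip = a_records.get(domain)
        return [(domain, ip, SMTP_PORT)] if ip else []

    # Group by preference, shuffle within a group, then walk ascending.
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        for host in hosts:
            ip = a_records.get(host)
            if ip:  # a host that does not resolve is skipped, not retried
                ordered.append((host, ip, SMTP_PORT))
    return ordered


if __name__ == "__main__":
    for d in ("sender.example", "nomx.example", "nomail.example", "unknown.example"):
        print(d, "->", delivery_targets(d, rng=random.Random(0)))
```

Passing a seeded `random.Random` makes the equal-preference ordering reproducible, which is useful when testing the selection logic; a production relay would use the default module-level randomness so that load spreads across hosts of equal preference.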