Configuring SMTP routes

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to define the mail flow in your organization. The first step in creating the e-mail policy is to configure how Forefront TMG routes mail traffic to and from the internal Simple Mail Transfer Protocol (SMTP) servers in your organization. The Exchange Edge Transport server installed on your Forefront TMG server acts as a relay between your internal SMTP servers and those outside your organization, and applies the e-mail policy that you create to mail in transit.

In Forefront TMG, these mail routes are called SMTP routes. You must create at least two routes, as follows:

  • On the Internal_Mail_Servers route, you enter the IP addresses of your internal mail servers and the SMTP domains of your mail organization (what are known as accepted authoritative domains in Microsoft Exchange), and networks from which mail may be sent. This instructs Forefront TMG to accept and relay internal mail only from these authorized networks, IP addresses and domains.

  • On the External_Mail_Servers route, you define from which networks mail is allowed to enter the mail organization, select the mail routing method to use to send internal mail to external networks, and enter the publicly registered FQDN or IP address that external mail servers should use as the address for your mail organization.

Each SMTP route has an e-mail listener that responds to mail requests from permitted IP addresses and networks.

You can create these initial SMTP routes with the E-Mail Policy Wizard, and then create additional routes by using the Create SMTP Route Wizard.

This topic describes the procedures for:

  • Configuring the initial SMTP routes

  • Configuring additional SMTP routes

Prerequisites

In order to configure SMTP routes, you must install the Exchange Edge Transport server role and Forefront Protection 2010 for Exchange Server (FPES) on each Forefront TMG server in the array, as described in Installing prerequisites for e-mail protection.

Before you begin

To configure SMTP routes, you will need the following information about your internal SMTP mail organization:

  • The computer names and IP addresses of your internal SMTP servers

  • The accepted authoritative domains from which your mail organization accepts mail messages

  • The mail exchanger (MX) resource record registered in public DNS for this organization’s mail. Forefront TMG will respond to SMTP session initiation messages (HELO, EHLO) with this public domain name or IP address.

Configuring the initial SMTP routes

Warning

If you have already configured SMTP routes, running the E-Mail Policy Wizard deletes all existing settings. To modify the current settings, right-click the relevant route in the details pane of the E-Mail Policy tab and click Properties.

To configure the initial SMTP routes

  1. In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.

  2. In the Tasks tab, click Configure E-Mail Policy, and then follow the directions in the wizard.

  3. On the Internal Mail Server Configuration page, do the following:

    • Under Internal mail servers, click Add and type the computer name and IP address of your internal SMTP server (for example, mail.internal.contoso.com). Do this for each of your internal SMTP servers.

      Note

      If you are using a Microsoft Exchange messaging organization, type the computer name and IP address of the appropriate Hub Transport server.

    • Under Accepted authoritative domains, click Add and type the SMTP domain names or IP addresses from which your internal SMTP servers accept mail messages (for example, mailsrv.internal.contoso.com). Do this for each internal SMTP server.

  4. On the Internal E-Mail Listener Configuration page, under Networks, select the networks that Forefront TMG should listen to for mail requests from within your organization, which Forefront TMG will then relay to external SMTP servers. A typical selection is the Internal network.

    Note

    • If you are using network load balancing or otherwise want to specify the IP addresses from which Forefront TMG will respond to internal mail requests, click Select Addresses and select the appropriate option from the list.

    • The internal e-mail listener only accepts mail from the IP addresses of the internal SMTP servers you defined on the previous page of the wizard. This prevents a compromised client machine from sending mail directly to Forefront TMG in an attempt to circumvent the mail protections on the internal SMTP server.

  5. On the External E-Mail Listener Configuration page, do the following:

    • Select the networks on which Forefront TMG should listen for mail requests and relay them to your internal SMTP servers. A typical selection is the External network.

      Note

      • The IP address you enter here should match the one registered in DNS as the organization's MX record.

      • If you are using network load balancing or otherwise want to specify the IP addresses from which Forefront TMG will respond to external mail requests, click Select Addresses and select the appropriate option from the list.

    • Type the FQDN or IP address that the external listener will use to respond to mail requests from outside the corpnet (for example, mail.corp.contoso.com).

  6. On the E-Mail Policy Configuration page, click the mail protection features you want to enable.

  7. Click Finish.

    Note

    If this is the first time you are setting up SMTP routes, a dialog box opens asking if you want to enable system policy rules for e-mail policy. Click Yes.

  8. On the Apply Changes bar, click Apply.
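The external listener's FQDN and IP address are meant to agree with the MX record published in public DNS (steps 3 and 5 above, and the "Before you begin" list), because that name is what the listener answers HELO/EHLO with and that address is where remote servers connect. The following script is an added example, not Forefront TMG code, that checks a proposed listener configuration against DNS. The hostnames and addresses in SAMPLE_DNS are constructed; in a real run you would obtain the MX hosts from nslookup -type=MX <domain> and let the default resolver query the OS.

```python
"""
Consistency check for the External_Mail_Servers listener (added example,
not Forefront TMG code). The listener FQDN should be one of the domain's
MX hosts, and the listener IP address should be the address that FQDN
(and therefore the MX record) resolves to.
"""
import socket
from typing import Callable, Dict, List

# Constructed view of public DNS for the example (not real records).
SAMPLE_DNS: Dict[str, List[str]] = {
    "mail.corp.contoso.com": ["203.0.113.25"],
    "mail2.corp.contoso.com": ["203.0.113.26"],
}


def resolve_with_table(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Build an offline resolver over a constructed name -> addresses table."""
    def resolve(name: str) -> List[str]:
        return table.get(name.lower().rstrip("."), [])
    return resolve


def resolve_with_system(name: str) -> List[str]:
    """Default resolver: address lookup through the OS resolver (needs network)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 25)})
    except socket.gaierror:
        return []


def check_external_listener(listener_fqdn: str, listener_ip: str, mx_hosts: List[str],
                            resolve: Callable[[str], List[str]] = resolve_with_system) -> List[str]:
    """Return a list of findings; an empty list means the listener matches DNS."""
    findings = []
    fqdn = listener_fqdn.lower().rstrip(".")
    mx = [h.lower().rstrip(".") for h in mx_hosts]

    # The name the listener uses in HELO/EHLO should be a published MX host.
    if fqdn not in mx:
        findings.append(f"listener FQDN {fqdn} is not one of the published MX hosts {mx}")

    # The listener FQDN should resolve to the listener's own address.
    addrs = resolve(fqdn)
    if listener_ip not in addrs:
        findings.append(f"listener FQDN {fqdn} resolves to {addrs}, not to listener address {listener_ip}")

    # Remote servers connect to an MX host's address; the listener should be one of them.
    mx_addrs = {a for h in mx for a in resolve(h)}
    if listener_ip not in mx_addrs:
        findings.append(f"listener address {listener_ip} is not the address of any MX host")
    return findings


if __name__ == "__main__":
    offline = resolve_with_table(SAMPLE_DNS)
    mx_hosts = ["mail.corp.contoso.com", "mail2.corp.contoso.com"]
    for fqdn, ip in [("mail.corp.contoso.com", "203.0.113.25"),
                     ("mail.corp.contoso.com", "203.0.113.99"),
                     ("tmg.corp.contoso.com", "203.0.113.25")]:
        result = check_external_listener(fqdn, ip, mx_hosts, offline)
        print(fqdn, ip, "OK" if not result else result)
```

Run it with no arguments to see the three constructed cases; pass your own FQDN, address and MX host list with the default resolver to check a live configuration. Findings are returned rather than printed so the check can be embedded in a larger validation script.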

Configuring additional SMTP routes

After creating the initial SMTP routes by using the E-mail Policy Wizard, you can create additional SMTP routes as necessary by using the Create SMTP Route Wizard.

To configure an additional SMTP route

  1. In the Forefront TMG Management console, in the tree, click the E-Mail Policy node.

  2. In the Tasks tab, click Create SMTP Route Wizard, and then type a name for the new SMTP route.

  3. On the SMTP Route Type page, select whether this route is to a server on the Internal network or to an external server. Note the following:

    • For Internal mail servers, click Add and type the computer name and IP address of the appropriate internal SMTP server. For example, type mail.internal.contoso.com. You can add multiple internal SMTP servers.

    • For External mail servers, click According to FQDN or IP address, and type the fully qualified domain name (FQDN) or IP address to forward mail, or click Use domain name system (DNS) “MX” records to route mail automatically.

      Note

      • Forefront TMG uses this FQDN or IP address to route mail to the address spaces (that is, domain names) associated with the route.

      • To use DNS to route outbound mail, select this option. Forefront TMG uses DNS to locate the Mail Exchange (MX) record of the remote SMTP server. The MX record lists the IP address of the remote server, which Forefront TMG uses to deliver the mail. If you select this routing method, verify that your DNS server can successfully resolve names on the Internet.

  4. On the Domain Names page, click Add, and type either an accepted authoritative domain or the FQDN associated with this route.

    Note

    To add more than one FQDN, use a wildcard prefix to specify multiple FQDNs in one line (*.contoso.com).

  5. On the Internal E-Mail Listener Configuration page, do the following:

    • Select the networks on which Forefront TMG should listen for mail requests and relay them.

      Note

      If you selected Internal mail servers in step 3, you should select internal networks here. If you selected External mail servers, you should select the External network.

      Note

      If you are using network load balancing or otherwise want to specify the IP addresses from which Forefront TMG will respond to mail requests, click Select Addresses and select the appropriate option from the list.

    • Type the FQDN that the listener for this route will use to respond to mail requests (for example, mail.corp.contoso.com).

  6. Click Finish, and then on the Apply Changes bar, click Apply.

Note

The Create SMTP Route Wizard is not reentrant: after you create the route, you cannot edit it via the wizard. To edit the configuration, right-click the route in the details pane of the E-Mail Policy tab and click Properties.
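Two decisions run through both procedures above: a listener answers only hosts on its permitted networks (and, for the internal listener, only the internal SMTP servers you defined, so a compromised client cannot relay through Forefront TMG directly), and a message is delivered by the route whose domain list matches the recipient, where a wildcard prefix such as *.contoso.com covers several FQDNs. The following is an added example, not Forefront TMG or Exchange code, that models those two checks so you can reason about what a given route table will accept or refuse. The route names follow the page; the networks and addresses are constructed, and the assumption that *.contoso.com also covers the apex contoso.com is mine, since the page only shows the wildcard form.

```python
"""
Simplified model of SMTP route selection (added example, not Forefront
TMG code): each route has a listener that accepts sessions only from
permitted networks, an optional list of authorized sending servers, and
a list of address spaces (domains, optionally with a "*." prefix) it
delivers to. Routes are evaluated in order; list accepted-domain routes first.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class SmtpRoute:
    name: str
    listener_networks: List[object]   # networks whose hosts may open a session
    domains: List[str]                # "*" = any domain, "*.x" = x and subdomains
    next_hop: str                     # smart-host FQDN/IP, or "MX" for DNS routing
    # If non-empty, only these addresses may submit mail on this listener
    # (the internal SMTP servers entered in the wizard).
    authorized_senders: List[object] = field(default_factory=list)


def domain_matches(pattern: str, domain: str) -> bool:
    """Match a recipient domain against one address space entry.

    Assumption: "*.example" matches the apex and every subdomain.
    """
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return domain == suffix or domain.endswith("." + suffix)
    return pattern == domain


def select_route(routes: List[SmtpRoute], source_ip: str,
                 recipient_domain: str) -> Tuple[Optional[str], str]:
    """Return (route name, next hop) for a message, or (None, reason)."""
    src = ip_address(source_ip)
    for route in routes:
        if not any(src in net for net in route.listener_networks):
            continue  # this listener does not answer this source at all
        if route.authorized_senders and src not in route.authorized_senders:
            return None, f"{source_ip} is not an authorized internal SMTP server on {route.name}"
        if any(domain_matches(p, recipient_domain) for p in route.domains):
            return route.name, route.next_hop
    return None, f"relay denied: no route accepts mail for {recipient_domain} from {source_ip}"


# Constructed sample route table (addresses and networks are not real).
HUB_TRANSPORT = ip_address("10.0.0.25")   # the internal Hub Transport server
ROUTES = [
    # Inbound: anyone on the Internet may deliver to the accepted authoritative domains.
    SmtpRoute("External_Mail_Servers", [ip_network("0.0.0.0/0")],
              ["*.contoso.com"], next_hop=str(HUB_TRANSPORT)),
    # Outbound: only the Hub Transport server may submit mail for other domains.
    SmtpRoute("Internal_Mail_Servers", [ip_network("10.0.0.0/8")],
              ["*"], next_hop="MX", authorized_senders=[HUB_TRANSPORT]),
]


if __name__ == "__main__":
    for src, dom in [("203.0.113.5", "contoso.com"), ("10.0.0.25", "example.net"),
                     ("10.0.5.7", "example.net"), ("203.0.113.5", "example.net")]:
        print(f"{src:>13} -> {dom:<14} {select_route(ROUTES, src, dom)}")
```

The third and fourth sample messages are the ones worth watching: a workstation inside the Internal network is refused because it is not a defined internal SMTP server, and an external host trying to send to a foreign domain finds no route at all, which is the open-relay case the listener design is meant to close.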

Tasks

Installing prerequisites for e-mail protection

Concepts

Configuring protection from e-mail-based threats
Planning to protect against e-mail threats