How to Configure Access Controls and Authentication Methods

 

For SMTP virtual servers, you can specify what types of connections are accepted or denied, and you can require user authentication before mail delivery. If you support IMAP or POP clients that connect from the Internet, authentication methods are useful. However, on an SMTP virtual server that acts as an Internet gateway, you cannot require authentication if you want to receive mail from users on the Internet.

Before You Begin

Before you perform the procedure in this topic, read Connecting Exchange to the Internet.

The following permissions are required to perform this procedure:

  • Member of the local administrators group and a member of a group that has had the Exchange Administrators role applied at the administrative group level

Procedure

To configure access controls and authentication methods

  1. Right-click Default SMTP Virtual Server, and then click Properties.

  2. Click the Access tab, and then, under Access control, click Authentication to specify the ways in which users must be authenticated prior to sending mail to this server. The Authentication dialog box appears.

    The Authentication dialog box


  3. In Authentication, the following check boxes are available:

    • Anonymous access   Typically, you select this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers that are used for remote IMAP and POP users.

      Note

      If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers that are used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

    • Basic authentication   Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail messages, these clients authenticate to the server.

      Important

      If you select the Basic authentication (password is sent in clear text) check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

    • Requires TLS encryption   Use this check box if you have a digital certificate, which is common in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 or Windows Server 2003 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

    • Integrated Windows Authentication   This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes.

      Note

      By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.

  4. In <SMTP Virtual Server> Properties, on the Access tab, under Secure communication, click Certificate to configure a certificate (used for TLS encryption) that encrypts messages as they move from server to server. For more information about TLS encryption, see the Exchange online documentation.

  5. On the Access tab, under Connection control, click Connection to allow or deny access to the server based on IP address. If you are using multiple SMTP virtual servers, and you want to deny access to specific hosts, you must perform the following procedure for each virtual server:

    1. In Connection, click All except the list below for servers directly connected to the Internet.

    2. To list only those hosts from which you do not want to receive mail, click Add and then follow the instructions in the Computer dialog box. You can include any servers that you consider to be the source of spam.

    3. Click OK twice to apply the settings.
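To confirm what the check boxes in step 3 expose, you can inspect the EHLO reply your own virtual server returns. The following is an added example, not part of the original procedure or of Exchange: it parses a saved EHLO reply and flags the condition the Important note describes, a cleartext mechanism offered on a connection that is not protected by TLS. The function names and the sample replies are constructed for illustration.

```python
import re

# Mechanisms that send the password merely base64-encoded: the page's
# "Basic authentication (password is sent in clear text)" setting.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

def parse_ehlo(reply):
    """Map each ESMTP keyword in a raw EHLO reply to its parameter list."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # line 1 is the greeting
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            params = (m.group(2) or "").upper().split()
            features.setdefault(m.group(1).upper(), []).extend(params)
    return features

def audit(reply, tls_active=False):
    """Return findings for one EHLO reply; tls_active marks a post-STARTTLS capture."""
    features = parse_ehlo(reply)
    mechs = set(features.get("AUTH", []))
    findings = []
    if not tls_active and mechs & CLEARTEXT_MECHS:
        offered = ",".join(sorted(mechs & CLEARTEXT_MECHS))
        findings.append("cleartext-auth-without-tls:" + offered)
    if not tls_active and "STARTTLS" not in features:
        findings.append("starttls-not-advertised")
    if not mechs:
        findings.append("no-auth-advertised")     # server is anonymous-only
    return findings

# Constructed sample replies (not captured from a real server).
DEFAULT_SETTINGS = """\
250-mail.example.test Hello [192.0.2.10]
250-SIZE 5242880
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK
"""
TLS_AND_INTEGRATED = """\
250-mail.example.test Hello [192.0.2.10]
250-STARTTLS
250-AUTH NTLM
250 OK
"""

if __name__ == "__main__":
    for name, reply in [("default", DEFAULT_SETTINGS), ("tls", TLS_AND_INTEGRATED)]:
        print(name, audit(reply))
```

A "no-auth-advertised" finding is expected on an Internet gateway that accepts anonymous mail; on an internal or IMAP/POP-only virtual server it indicates that authentication is not being offered.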