Configuring SMTP Virtual Server Relay Restrictions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

IIS includes a full-featured SMTP virtual server that you can use to receive and relay e-mail messages to other SMTP servers on your network or to servers on the Internet. The relay function is useful for internal network clients that might have to forward mail to other SMTP servers, and it is useful for IIS programs that need access to an SMTP server to forward mail.

For a user or computer to relay e-mail messages through an SMTP virtual server, the following two conditions must be met:

  • The user or computer can access the SMTP virtual server.

  • The SMTP virtual server is configured to relay e-mail messages to other domains.

When an SMTP virtual server relays e-mail messages, it can forward mail that is addressed to any e-mail domain. With this feature, an SMTP virtual server can forward mail to any internal or external network SMTP server for which it can resolve an MX record. However, if the SMTP virtual server is accessible to Internet users, mail relay should not be enabled. With mail relay enabled, malicious users might forward e-mail to your SMTP virtual server, distributing unwanted messages to other computers and reducing the available bandwidth for your internal connection.

By default, the SMTP service blocks computers from relaying unwanted mail through the virtual server. To enable relay access through the SMTP virtual server, click Relay on the Access tab. By default, all computers are blocked except those that meet the authentication requirements that are designated in the Authentication box, which you can view by clicking Authentication on the Access tab.

You can also allow messages to be relayed to a specific remote domain. The domain setting overrides the SMTP virtual server setting. For more information about relaying messages to a remote domain, see Configuring Remote Domains.

If you enable mail relay on your SMTP virtual server, then you can specify the relay restrictions that are described in the following table.

| Option | Description |
| --- | --- |
| Only the list below | This option allows only the computers specified in the list to relay messages through the SMTP virtual server. |
| All except the list below | This option allows all computers, except the computers that are specified in the list, to relay messages through the SMTP virtual server. This option is set by default, along with the Allow all computers which successfully authenticate to relay, regardless of the list above option. |
| Add and Remove | Clicking these buttons allows you to grant or deny relay access by adding to or removing from the list of computers. |
| Allow all computers which successfully authenticate to relay, regardless of the list above | This option allows computers that meet authentication requirements set in the Authentication box to relay messages to the SMTP virtual server. This option is set by default. |
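The following added example (not Microsoft code, and not how IIS implements the check) is a simplified Python model of the relay options as the table describes them, useful for reviewing which clients a planned relay list would let through without authentication. The function names and sample addresses are assumptions made for the illustration, and Domain entries are not modeled because matching them depends on DNS lookups.

```python
import ipaddress

ONLY_LIST = "Only the list below"
ALL_EXCEPT = "All except the list below"

def to_network(entry):
    # Single computer: "192.0.2.10". Group of computers: (subnet, mask).
    if isinstance(entry, tuple):
        subnet, mask = entry
        return ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return ipaddress.ip_network(f"{entry}/32")

def may_relay(client_ip, mode, entries, allow_authenticated, authenticated):
    """Return True if the modeled settings would let this client relay."""
    if mode not in (ONLY_LIST, ALL_EXCEPT):
        raise ValueError(f"unknown relay mode: {mode!r}")
    # "Allow all computers which successfully authenticate to relay,
    # regardless of the list above" bypasses the computer list entirely.
    if allow_authenticated and authenticated:
        return True
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in to_network(e) for e in entries)
    return listed if mode == ONLY_LIST else not listed

def unauthenticated_relayers(mode, entries, probe_ips):
    """Probe addresses that could relay without authenticating at all."""
    return [ip for ip in probe_ips
            if may_relay(ip, mode, entries, False, False)]

# Constructed sample data (documentation address ranges, not real hosts).
RELAY_LIST = ["192.0.2.10", ("10.1.0.0", "255.255.0.0")]
PROBES = ["10.1.44.7", "192.0.2.10", "192.0.2.11", "203.0.113.50"]

if __name__ == "__main__":
    for mode in (ONLY_LIST, ALL_EXCEPT):
        print(mode, "->", unauthenticated_relayers(mode, RELAY_LIST, PROBES))
```

In this model, "All except the list below" with an empty list lets every client that can reach the server relay, which is the exposure the relay restrictions are meant to prevent on an Internet-facing server.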

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To add relay restrictions to an SMTP virtual server

  1. In IIS Manager, right-click the SMTP Virtual Server for which you want to add relay restrictions, and then click Properties.

  2. Click the Access tab, and then click Authentication.

  3. To enable the appropriate level of authentication for your server, select either (or both) the Basic authentication or the Integrated Windows Authentication check box, clear the Anonymous access check box, and then click OK.

    Note

    If you enable Anonymous access and do not enable Basic authentication and Integrated Windows authentication, then authentication is no longer enabled, which means that all users and computers can access the SMTP virtual server.

  4. On the Access tab, under Relay restrictions, click Relay.

  5. In the Relay Restrictions box, click Add, and then do the following to add a single computer, a group of computers, or a domain:

    • To add a single computer, click Single computer, type the IP address of the computer that you want to add, and then click OK.

    • To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group into the corresponding boxes, and then click OK.

    • To add a domain, click Domain, type the domain name that you want to add, and then click OK.

  6. To apply your configuration changes, click OK twice.

To remove relay restrictions from an SMTP virtual server

  1. In IIS Manager, right-click the SMTP virtual server for which you want to remove relay restrictions, and then click Properties.

  2. Click the Access tab, and then click Relay.

  3. In the Relay Restrictions box, select either the Only the list below or the All except the list below check box.

  4. If you want to add exceptions, click Add and then specify the computer, group of computers, or domain for which you want to retain relay restrictions.