Tuesday, April 26, 2011

IIS 7.5 installing a SMTP service & securing it

Often the applications we deploy have a requirement to send alerts or messages to end users via system generated e-mails. If you have a mail server, such as Microsoft Exchange, installed in the same environment this usually handles this functionality for you. However, if the application is a standalone application which will deployed into an environment where no e-mail services exist, you will either need to implement a mail server which might be overkill if you are just going to be sending alerts and system generated messages, or create an SMTP service on the application server.
A simple way to get this done is to install the SMTP server feature that is part of Windows Server 2008 R2 as well as every version of Windows Server before that. Once installed you would need to configure the SMTP service, test it and secure it. Below are the steps to follow:
Step 1 – Install the SMTP Service
Open Server Manager and go to ‘Add Features’ and Select ‘SMTP Server’. If you do not have IIS installed the server will prompt you to ‘Add Role Services and Features Required for SMTP Server’
Click ‘Next’ and the wizard will install the SMTP Server for you.
Step 2 – Set the SMTP Service to Automatic Start
By default Windows installs the service and sets it to manual start. If you restart the server at any time the SMTP service will not start automatically which will result in your application not being able to send any e-mail. Open the MMC Services Snap-In, Find the ‘Simple Mail Transfer Protocol (SMTP)’ Service and double-click it.
Set the ‘Start-Up Type’ to ‘Automatic’ Apply and close the window.
Step 3 – Open IIS 6.0 Manager
You will note on Windows Server 2008 (& R2) that it will install two IIS Managers. The SMTP server is managed through IIS 6.0 and not IIS 7.5.
Step 4 – Add a new Mail Domain
You now need to configure the mail domain. Expand the virtual folders on the left pane and then right-click on the centre pane. Select ‘New’ and ‘Domain…"’
Select the ‘Remote’ radio button and then click ‘Next’
Type your domain name in the text box provided and click on ‘Finish’. Do not add the @ symbol as per the example below.
Step 5 – Configure the New Domain
You now need to configure your new domain. Right-Click on the domain you have created and select ‘Properties’
Click on ‘Outbound Security’ and select your authentication type. In this example I am leaving the authentication to ‘Anonymous Access’ as I will lock down the server through limiting relay.
Click ‘Ok’ and close all the domain windows.
Step 6 – Configure the SMTP Server
You now need to configure the SMTP Virtual Server. Right-click on the Virtual Server in the left pane and select ‘Properties’
Select the ‘Access’ Tab and Click on ‘Authentication’
Your Authentication at this level must match the authentication set at the domain level as per Step 5. In this example Anonymous Access is our preferred method.
Click on ‘Ok’ which will take you back to the previous window. Now click on ‘Relay’
An ‘Open Relay’ is the greatest risk to your SMTP server as it could be used by SPAMMERS to send their malware and other unsolicited mail. We are going to restrict this server to only accept mail and relay it for the localhost on which the application resides.
Ensure the Radio Button which states ‘Only the list below’ is selected. Untick the box which states ‘Allow all computers that successfully authenticate to relay, regardless of the list above’. Click on ‘Add’ and in the window provided type in the IP address of your server. Once done click ‘OK’

Your ‘Relay Restrictions’ dialogue box should now look like the one below.
Click ‘Ok’. Your SMTP Server is now ready to send e-mail. You can click through the other configurations and change mail size limits and retry intervals etc. But by default the settings are good enough for this example.
Step 7 – Testing the SMTP Service
You can test the service using a Telnet session from the Command Line. Note that since Windows Server 2008 the Telnet Client is not part of the base install. You will need to install it using the ‘Add Features’ wizard as we did to install the SMTP Server in Step 1 above. If the server is situated behind a Firewall ensure that it will allow SMTP (TCP Port 25) outbound from your SMTP server.
Follow these steps as per http://support.microsoft.com/kb/153119
Open the Command Prompt and type ‘Telnet’ to start the Telnet client.
Type ‘set localecho’ hit enter and then type ‘open 25’ and hit Enter.
You will be presented with the SMTP Server Header as per the example below.
Now type ‘helo me’ note the single ‘l’ and hit Enter. The server will respond with Hello and the IP Address.
Now type ‘mail from:<yourname>@<yourdomain.com>’ and hit Enter. 
Now enter the address you want to send mail to by typing ‘rcpt to:<name>@<senddomain.com>.
Now type ‘Data’ and hit Enter.
Type ‘Subject:This is a test’ and hit Enter twice.
Type ‘Testing’ or anything else you want to send as body text and hit Enter.
type ‘.’ i.e. full stop and hit Enter.
Your mail should now be sent and should be received within standard e-mail timeframes.
Some notes:
Note that with Telnet if you mistype and delete or backspace a character to rectify, the client does not receive this and will respond with an error when you hit enter.
A telnet 250 response means all good.
Your test message may end up in ‘Junk Mail’ so check that folder if you have not received the mail within an acceptable time frame.
If you ever need to check the mail queue you can do this by opening Windows Explorer and navigating to C:\inetpub\mailroot\queue