Preparing to install GFI MailSecurity on an IIS mail relay server

In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP Service and World Wide Web service. You must also configure the machine as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the gateway machine. This section describes how you can configure your mail relay and install GFI MailSecurity.

About Windows 2000/2003 IIS SMTP & World Wide Web services

The SMTP service is part of IIS, which is part of Windows 2000/2003/XP. It is used as the message transfer agent of Microsoft Exchange Server 2000/2003, and has been designed to handle large amounts of mail traffic.

The World Wide Web service is also part of IIS. It uses the HTTP protocol to handle web client requests on a TCP/IP network.

The IIS SMTP service and World Wide Web service are included in every Windows 2000/2003/XP distribution.

Step 1: Verify installation of IIS SMTP and WWW services

GFI MailSecurity uses the Windows 2000/2003/XP IIS SMTP service as its SMTP server.

1. On the taskbar, click Start > Settings > Control Panel. Double-click Add/Remove Programs and then click Add/Remove Windows Components.

2. From the dialog on display, locate and click the Internet Information Services (IIS) component, then click Details.

3. Select the SMTP Service check box and World Wide Web Service check box. Click OK to start the installation of the selected services. Follow the onscreen instructions and wait until the installation completes.

Step 2: Specify mail relay server name and assign an IP

1. On the taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools and then double-click Internet Information Services.

2. Expand the server name node, right-click the Default SMTP Virtual Server node and then click Properties.

Screenshot 2 - Assign an IP address to the mail relay server

3. Assign an IP address to the SMTP relay server from the IP address list and then click OK.

Step 3: Configure the SMTP service to relay mail to your mail server

Now you must configure the SMTP service to relay inbound messages to your mail server.

Start by creating a local domain in IIS to route mail:

1. On the taskbar, click Start > Settings > Control Panel. Double-click Administrative Tools and then double-click Internet Information Services.

2. Expand the server name node then expand the Default SMTP Virtual Server and then click Domains. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.

3. Configure the domain for inbound message relaying as follows:

a) Right-click the Domains node, and then click New > Domain.

Screenshot 3 - SMTP Domain Wizard - Selecting domain type

b) Select Remote and then click Next.

c) Type the domain name in the Name box and then click Finish.

 

IMPORTANT NOTE ABOUT LOCAL DOMAINS

NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in IIS SMTP service, you must also add these domains to GFI MailSecurity because this does not detect newly added Local Domains automatically. You can add more/new Local Domains using the GFI MailSecurity configuration. For more information, refer to the ‘Adding local domains’ section in the General Settings chapter of this manual.

Configure the domain to relay email to your mail server:

1. Right-click the domain you just created and then click Properties. Select the Allow the Incoming Mail to be relayed to this domain check box.

2. In the Route domain dialog box, click Forward all email to smart host and type the IP address (in square brackets) of the server which will handle the emails addressed to this new domain. For example, [123.123.123.123]

NOTE: The square brackets are used to differentiate an IP address from a hostname (which does not require square brackets), i.e., the server detects an IP address from the square brackets.

3. Click OK.

 

Screenshot 4 - Configure the new domain

Step 4: Secure your mail relay server

In this step, you will set up your SMTP virtual server’s mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server (i.e., effectively limit the servers that can send email via this server).

1. Right-click the Default SMTP Virtual Server node and then click Properties.

2. In the properties dialog box, click the Access tab and then click Relay to open the Relay Restrictions dialog box.

Screenshot 5 - Relay Restrictions dialog

3. Click Only the list below and then click Add to specify the list of permitted computers.

Screenshot 6 - Specify machines which may relay email via virtual server

4. In the Computer dialog box, specify the IP of the mail server that will be forwarding the email to this virtual server and then click OK to add the entry to the list.

NOTE: You can specify the IP of a single computer, group of computers or a domain:

•	Single computer: Select this option to specify one particular host that will relay email via this server. If you want to look up the IP address of a specific host, click DNS Lookup.

•	Group of computers: Select this option to specify the base IP address for the computers that you want to relay.

•

Domain: Select this option to include all the computers of a specified domain. This means that the domain controller will openly relay emails via this server. Please note that this option adds processing overhead, and may reduce SMTP service performance because it includes reverse DNS Lookups to verify the domain name of all IP addresses that try to relay.

Step 5: Configure your mail server to relay email via the Gateway server

After you have configured the IIS SMTP service to send and receive email, you must configure your mail server to relay all email to the mail relay server:

 

If you have Microsoft Exchange Server 4/5/5.5:

1. Start the Microsoft Exchange Administrator and double-click on Internet Mail Service to open the properties configuration dialog box.

Screenshot 7 - The Microsoft Internet mail connector

2. Click the Connections tab and in the Message Delivery area click Forward all messages to host. Type the computer name or IP of the machine running GFI MailSecurity.

3. Click OK and restart the Microsoft Exchange Server from the services applet.

 

If you have Microsoft Exchange Server 2000/2003:

You will need to set up an SMTP connection that forwards all email to GFI MailSecurity:

1. Start the Exchange System Manager.

2. Right-click the Connectors Node, click New > SMTP Connector and then specify the connector name.

3. Click Forward all mail through this connector to the following smart host, type in the IP of the GFI MailSecurity server (the mail relay/Gateway server) and then click OK.

NOTE: Always enclose the IP address within square brackets [ ]. For example, [100.130.130.10].

4. Select the SMTP Server that must be associated to this SMTP Connector. Click the Address Space tab, and then click Add. Click SMTP and then click OK to accept the changes.

5. Click OK. All emails will now be forwarded to the GFI MailSecurity machine.

 

If you have Lotus Notes:

1. Double-click the Address Book in Lotus Notes.

2. Click on Server item to expand its sub-items.

3. Click Domains and then click Add Domains.

4. In the Basics section, click Foreign SMTP Domain from the Domain Type field and in the Messages Addressed to area, type “*” in the Internet Domain box.

5. Under the Should be routed to area, specify the IP of the machine running GFI MailSecurity in the Internet Host box.

6. Save the settings and restart the Lotus Notes server.

 

If you have an SMTP/POP3 mail server:

1. Start the configuration program of your mail server.

2. Search for the option to relay all outbound email via another mail server. This option will be called something like Forward all messages to host. Enter the computer name or IP of the machine running GFI MailSecurity.

3. Save the new settings and restart your mail server.

Step 6: The MX record of your domain must point to the mail relay server

NOTE: If your ISP manages the DNS server, ask this provider to update it for you.

Since the new mail relay server must receive all inbound email first, you must update the MX record of your domain to point to the IP of the new mail relay/Gateway server. Otherwise, email will continue to go to your mail server and by-pass GFI MailSecurity.

Verify the MX record of your DNS server as follows:

1. Open the command prompt, type nslookup and press Enter.

2. Type set type=mx and press Enter.

3. Type your mail domain and press Enter.

4. The MX record should return a single IP that must correspond to the IP of the machine running GFI MailSecurity.

Screenshot 8 - Checking the MX record of your domain

Step 7: Test your new mail relay server

Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly.

1. Test the IIS SMTP inbound connection of your mail relay server by sending an email from an external account to an internal user (you can use web-mail, for example MSN Hotmail, if you do not have an external account available). Verify that the email client received the email.

2. Test the IIS SMTP outbound connection of your mail relay server by sending an email to an external account from an email client. Verify that the external user received the email.

NOTE: Instead of using an email client, you can send email manually through Telnet. This will give you more troubleshooting information. For more information, refer to this Microsoft Knowledge Base article:

http://support.microsoft.com/support/kb/articles/Q153/1/19.asp

Step 8: Install GFI MailSecurity on the mail relay server

For information on how to install GFI MailSecurity, refer to the ‘Installing GFI MailSecurity’ section in this chapter.