GFI

Installing in SMTP gateway mode on a separate machine

To install GFI MailSecurity on a separate machine, the IIS SMTP service must be installed and running on that machine and configured as an SMTP relay to your mail server. This means that the MX record of your domain must point to the machine on which you will install GFI MailSecurity. This chapter describes how to install the mail relay. For more information, see: http://support.microsoft.com/support/kb/articles/Q293/8/00.ASP

Installing & configuring the IIS SMTP service

GFI MailSecurity uses the Windows 2000/2003 IIS SMTP service as its SMTP server. Because GFI MailSecurity works with this SMTP service, you need to configure this service as a mail relay server first.

About the Windows 2000/2003 IIS SMTP service

The SMTP service is part of IIS, which is part of Windows 2000/2003. It is used as the message transfer agent of Microsoft Exchange Server, and has been designed to handle large amounts of mail traffic. The Windows 2000/2003 IIS SMTP service is included in every Windows 2000/2003 distribution, including Windows 2000 Professional and XP.

To install & configure the IIS SMTP service as a mail relay server:

Step 1: Verify the Installation of the SMTP Service

In Control Panel, open Add/Remove Programs, click Add/Remove Windows Components. Click the Internet Information Services (IIS) component, click Details, and then verify that the SMTP Service check box is selected. If it is not selected, click to select it, click OK, and then follow the installation directions that are displayed.

Step 2: Specify mail relay server name and assign an IP
  1. Click Start, point to Programs, click Administrative Tools, and then click Internet Services Manager.
  2. Expand the tree under the server name, and then expand the Default SMTP Virtual Server. Right click and select 'Properties'. Assign an IP to it.
Step 3: Configure the SMTP Service to relay mail to your mail server

In this step, you configure the SMTP service to relay inbound messages to your mail server.

Note: During installation, GFI MailSecurity will perform this step for you automatically. GFI MailSecurity will ask for your local domain name, and create it as a remote domain. You will see the domain listed in the right pane. However, if you do this step manually, you can confirm that your relay server is working properly before running the GFI MailSecurity installation.

Creating a local domain in IIS to route mail
  1. Click Start, point to Programs, click Administrative Tools, and then click Internet Services Manager.
  2. Expand the tree under the server name, and then expand the Default SMTP Virtual Server. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.
  3. Configure the domain for inbound:
    1. Right-click the Domains icon, click New, and then click Domain.
    2. Click Remote, click Next, and then type the domain name in the Name box. Click Finish.

Configure the domain

IMPORTANT NOTE ABOUT LOCAL DOMAINS

Note: Upon installation, MailSecurity will import local domains from the IIS SMTP service. If you want additional local domains, you have to add these local domains in the MailSecurity configuration. For more information see 'Adding additional local domains' in the Advanced Topics chapter.

If you add additional local domains in the IIS SMTP service, they will not be automatically recognized until you enter them in the MailSecurity configuration. This allows you to set up remote smart hosts for particular domains that are not local.

Configure the domain to relay mail to your mail server:
  1. In the properties for the domain that you just created, click to select the Allow the Incoming Mail to be Relayed to this Domain check box.
  2. If this is being set up for an internal domain, you should specify the server that receives email for the domain name by the IP address in the Route domain dialog box.
  3. Click the forward all email to smart host option, and then type the IP address of the server that is responsible for email for that domain in square brackets. For example: [123.123.123.123]
    Note: Typing the IP address of the server in square brackets is necessary so that the server recognizes this is an IP address and not a host name.
  4. Click OK.

Relay options

Step 4: Secure your mail relay server.

In this step you will specify your mail server name, and any other mail servers that will send mail via this mail relay server. Effectively you will limit the servers that can send mail through this server:

  1. Open the properties of the Default SMTP Virtual Server.
  2. On the Access tab, click Relay.
  3. Click Only the list below, click Add, and then add the IP of your mail server that will be forwarding the mail to this server. You can specify a single computer, group of computers or a domain:
    1. Single computer: Specify one particular host that you want to relay off of this server. If you click the DNS Lookup button, you can lookup an IP address of a specific host.
    2. Group of computers: Specify a base IP address for the computers that you want to relay.
    3. Domain: Select all of the computers in a domain by domain name that will openly relay. This option adds processing overhead, and might reduce the SMTP service performance because it includes reverse DNS lookups on all IP addresses that try to relay to verify their domain name.
Step 5: Configure your mail server to relay mail via the mail relay server

After you have configured the IIS SMTP service to send and receive mail, you must configure your mail server to relay all mail to the mail relay server. To do this:

If you have Microsoft Exchange Server 4/5/5.5:

1. Start up Microsoft Exchange Administrator.

2. Go to the Internet Mail Service and double-click on it to configure its properties.

The Microsoft Internet mail connector

3. Go to the Connections tab.

4. In the Message Delivery section, select 'Forward all messages to host'. Enter the computer name or IP of the machine running GFI MailSecurity.

5. Click OK and restart Exchange server. This can be done from the services applet.

If you have Microsoft Exchange Server 2000/2003:

You will need to set up an SMTP connector that forwards all mail to GFI MailSecurity:

  1. Start up Exchange System Manager
  2. Right-click on the Connectors Node->New->SMTP Connector and create a new SMTP connector. You will be prompted for a name.
  3. Now select the option "Forward all mail through this connector to the following smart host", and type in the IP of the GFI MailSecurity server (the mail relay server) enclosed within square brackets [ ] (e.g.: [100.130.130.10]). Click OK to ADD.
  4. Select the SMTP Server that the SMTP Connector will be working on. Go to the Address Space tab, and click Add. Select SMTP and click OK.
  5. Click OK to exit. All mail will now be forwarded to the GFI MailSecurity machine.
If you have Lotus Notes:
  1. Double click on the Address Book button in Lotus Notes
  2. Click on the Server item to open its sub-items
  3. Click on Domains
  4. Click on Add Domains
  5. In the Basics section, select Foreign SMTP Domain from the Domain Type field.
  6. In the Messages Addressed to section type '*' in the Internet Domain field.
  7. In the Should be routed to section enter the IP number of the Mail Essentials machine in the Internet Host field
  8. Save the settings and restart the Lotus Notes server
If you have an SMTP/POP3 mail server:
  1. Start-up the configuration program of your mail server.
  2. Search for the option to relay all outbound mail via another mail server. This option will be called something like 'Forward all messages to host'. Enter the computer name or IP of the machine running GFI MailSecurity.
  3. If necessary, click OK and restart your mail server.
Step 6: Point the MX record of your domain to the mail relay server.

Since the new mail relay server must receive all inbound mail first, you must update the MX record of your domain to point to the IP of the new mail relay server. Otherwise mail will continue to go to your mail server and by-pass GFI MailSecurity.

If you run your own DNS server, you need to update this in your DNS server. If your ISP manages it for you, you need to ask your ISP to update the MX record for you. After you have done this, check that the MX record is correct using the following procedure.

Checking if the MX record for your domain is set correctly
  1. Open command prompt. Type nslookup
  2. Now type 'set type=mx'
  3. Enter your mail domain.
  4. The MX record should return a single IP. This IP must be the IP of the machine on which GFI MailSecurity is installed!

Checking the MX record of your domain
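
The check above can be automated by parsing the nslookup output and flagging every MX target that does not resolve to the relay, since any such record is a path by which inbound mail reaches the mail server without passing GFI MailSecurity. This is an added example, not part of the GFI manual; the function name `mx_bypass_paths`, the domain example.com and the 192.0.2.x addresses are assumptions, and the sample output is constructed.

```python
import re

# Constructed sample of Windows nslookup output after 'set type=mx'.
# example.com and the 192.0.2.x addresses are placeholders, not real hosts.
SAMPLE_OUTPUT = """\
Server:  dns1.example.com
Address:  192.0.2.53

example.com\tMX preference = 10, mail exchanger = relay.example.com
example.com\tMX preference = 20, mail exchanger = exchange.example.com
relay.example.com\tinternet address = 192.0.2.25
exchange.example.com\tinternet address = 192.0.2.10
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.MULTILINE)


def mx_bypass_paths(nslookup_output, relay_ip):
    """Return (preference, host, ip) for each MX target that is not relay_ip.

    An empty list means every MX leads to the relay. ip is None when the
    output carries no address for an exchanger, which needs a manual lookup.
    """
    addresses = {}
    for host, ip in A_RE.findall(nslookup_output):
        addresses.setdefault(host.lower().rstrip("."), set()).add(ip)
    mx = [(int(pref), host.lower().rstrip("."))
          for pref, host in MX_RE.findall(nslookup_output)]
    if not mx:
        raise ValueError("no MX records found in nslookup output")
    problems = []
    for pref, host in sorted(mx):
        for ip in sorted(addresses.get(host, {None}), key=str):
            if ip != relay_ip:
                problems.append((pref, host, ip))
    return problems


if __name__ == "__main__":
    for pref, host, ip in mx_bypass_paths(SAMPLE_OUTPUT, "192.0.2.25"):
        print("MX %d -> %s (%s) does not point at the relay" % (pref, host, ip))
```

In the constructed sample, the lower-priority MX that still points at the Exchange server is reported; senders can deliver to it directly, so it should be removed once the relay is in service.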
Step 7: Test your new mail relay server!

Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly.

1. Test IIS 5 SMTP inbound connection of your mail relay server by sending a mail from an external account to an internal user (you can use hotmail, if you don't have an external account available). Verify that the mail client received the email.

2. Test IIS 5 SMTP outbound connection of your mail relay server by sending a mail to an external account from a mail client. Verify that the external user received the email.

Note: Instead of using an email client, you can use Telnet and manually send an email. This will give you more troubleshooting information. Here is the link to the Microsoft KB article how to do it: http://support.microsoft.com/support/kb/articles/Q153/1/19.asp
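
The manual Telnet session can also be scripted to confirm both halves of the setup at once: that the relay accepts mail for your local domain (Step 3) and that it refuses to relay to a foreign domain for a host that is not in the relay list (Step 4). This is an added example, not part of the GFI manual; `probe_relay`, `assess` and the example addresses are assumptions, and the script stops before DATA so no message is delivered.

```python
import smtplib
import sys


def probe_relay(host, local_rcpt, foreign_rcpt, sender="probe@example.net",
                port=25, smtp_factory=smtplib.SMTP):
    """Issue MAIL FROM / RCPT TO for two recipients and return the reply codes.

    No DATA command is sent, so no message is delivered. Run it from a
    machine that is NOT in the relay list configured in Step 4.
    """
    codes = {}
    with smtp_factory(host, port, timeout=15) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for label, rcpt in (("local", local_rcpt), ("foreign", foreign_rcpt)):
            smtp.rset()               # start a fresh envelope for each probe
            smtp.mail(sender)
            codes[label] = smtp.rcpt(rcpt)[0]
    return codes


def assess(codes):
    """Turn reply codes into findings; an empty list means the relay behaves as intended."""
    findings = []
    if not 200 <= codes["local"] < 300:
        findings.append("inbound mail for the local domain is refused (%d): "
                        "check the remote domain and smart host from Step 3"
                        % codes["local"])
    if 200 <= codes["foreign"] < 300:
        findings.append("recipient in a foreign domain accepted (%d) from an "
                        "unlisted host: relay is open, tighten the Step 4 relay list"
                        % codes["foreign"])
    return findings


if __name__ == "__main__":
    # usage: probe.py RELAY_HOST user@your-domain someone@outside-domain
    result = probe_relay(sys.argv[1], sys.argv[2], sys.argv[3])
    for line in assess(result) or ["relay accepts local mail and refuses foreign relaying"]:
        print(line)
```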

Step 8: Running GFI MailSecurity set-up

Step 1: Run GFI MailSecurity set-up by double-clicking the file MailSecurity.exe on the SMTP relay machine. GFI MailSecurity will also prompt you to check for a later GFI MailSecurity version. We recommend you do this and always use the latest version.

Step 2: Confirm the License agreement.

Step 3: Enter your Name, company, and License key. If you are evaluating the product, leave the default 'Evaluation'. Click Next.

Step 4: Set-up will now ask you to specify the administrator email address. Enter the e-mail address of the Administrator.

Specifying the administrator email address

Step 5: Set-up will now ask you where you want GFI MailSecurity to be installed. GFI MailSecurity will need approximately 30 MB of free hard disk space. In addition to this, you must reserve approximately 200 MB for temporary files.

Step 6: Set-up will now ask you to specify your mail server IP & port and your local domain.

The local domain is the last part of your internal e-mail address, for example gfi.com. You can use the Test IP function to test whether the IP and port you specified are correct.

Is Active Directory installed?

Step 7a: This step only occurs if Active Directory is installed! If Active Directory is installed, set-up will ask you whether this server has access to all Network users in Active Directory. This step is relevant if you are installing GFI MailSecurity on a machine in the DMZ that is not part of the main domain, and therefore will not have all users listed in Active Directory. In this case you can select that GFI MailSecurity will not use Active Directory to retrieve users. Users will be based on SMTP e-mail addresses and not on Active Directory users. Users will be automatically added to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database)

Step 7b: This step only occurs if Active Directory is NOT installed! GFI MailSecurity will ask you what type of internal mail server you are running.

What mail server you are running

In this dialog you have 3 options:

  1. Microsoft Exchange Server 5.5. In this case, GFI MailSecurity will synchronize its users with the Exchange Server 5.5 user database. If you select this option, after installation the GFI MailSecurity User synchronization wizard will start and retrieve users from your Exchange 5.5 server. Note: Install Microsoft Exchange administrator on the machine running GFI MailSecurity!
  2. SMTP/POP3 server or Lotus Notes. In this case, GFI MailSecurity will automatically add users to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database)
  3. Microsoft Exchange Server 2000/2003. This option is identical to the SMTP/POP3 server or Lotus Notes option. If GFI MailSecurity is running on the DMZ, and does not have access to all network users in Active Directory, GFI MailSecurity will automatically add users to a database as e-mail flows through the GFI MailSecurity scan engine. (Each internal email address is automatically added to the database) Note: If GFI MailSecurity is running on the DMZ, and does not have access to Exchange 5.5, you can also select this option.

The set-up program will now copy all program files to the selected destination, and finish the installation by creating a GFI MailSecurity program group. Click Finish to finish setup.

The GFI MailSecurity services will now be started.

Step 8: You can check if GFI MailSecurity is running using the GFI MailSecurity monitor.

The GFI MailSecurity remote monitor

To monitor GFI MailSecurity: Click Start > Programs > GFI MailSecurity admin tools and select GFI MailSecurity monitor.




© 2009. All rights reserved. GFI Software