
Preparing to install GFI MailSecurity on a mail relay server

In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP service and World Wide Web service. The machine must also be configured as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the gateway machine. This section describes how you can configure your mail relay and install GFI MailSecurity. For more information, please visit http://support.microsoft.com/support/kb/articles/Q293/8/00.ASP.

Installing and configuring IIS SMTP & World Wide Web services

GFI MailSecurity uses the Windows 2000/2003/XP IIS SMTP service as its SMTP server. However, you must first configure this service as a mail relay server in order to enable GFI MailSecurity to scan all inbound and outbound emails before they reach your mail server.

About Windows 2000/2003 IIS SMTP & World Wide Web services

The SMTP service is part of IIS, which is part of Windows 2000/2003/XP. It is used as the message transfer agent of Microsoft Exchange Server, and has been designed to handle large amounts of mail traffic.

The World Wide Web service is also part of IIS. It uses the HTTP protocol to handle web client requests on a TCP/IP network.

The IIS SMTP service and World Wide Web service are included in every Windows 2000/2003/XP distribution.

To install and configure the IIS SMTP service as a mail relay server, you must:

Step 1: Verify the Installation of the SMTP and World Wide Web Services

1. Go to Start > Settings > Control Panel. Double-click on Add/Remove Programs and then click on Add/Remove Windows Components.

2. From the dialog on display, locate and click on the Internet Information Services (IIS) component; then click on the Details button.

3. Make sure that the SMTP Service and World Wide Web Service check-boxes are selected. If not, click on these check-boxes and click on the OK button. This should start the installation of the selected services. Follow the onscreen instructions and wait until the installation completes.

Screenshot 2 - Assign an IP address to the mail relay server

Step 2: Specify mail relay server name and assign an IP

1. Go to Start > Programs > Administrative Tools and click on Internet Information Services (IIS) Manager.

2. Expand the server name node. Right click on the Default SMTP Virtual Server node and select Properties.

3. Assign an IP address to the SMTP relay server and click on the Apply button to accept the changes and exit.

Step 3: Configure the SMTP service to relay mail to your mail server

Now you must configure the SMTP service to relay inbound messages to your mail server.

Start by creating a local domain in IIS to route mail:

1. Go to Start > Programs > Administrative Tools and click on Internet Information Services (IIS) Manager.

2. Expand the server name node, and then expand the Default SMTP Virtual Server. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.

3. Configure the domain for inbound message relaying as follows:

a) Right-click the Domains node and go to New > Domain.

Screenshot 3 - SMTP Domain Wizard - Selecting domain type

b) Select Remote and click on the Next button.

c) Type the domain name in the Name box and click on the Finish button.

IMPORTANT NOTE ABOUT LOCAL DOMAINS

NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in the IIS SMTP service, you must also add these domains to GFI MailSecurity, because GFI MailSecurity does not detect newly added Local Domains automatically. You can add more/new Local Domains using the GFI MailSecurity configuration. For more information, refer to the 'Adding local domains' section in the General Settings chapter of this manual.

Screenshot 4 - Configure the new domain

Configure the domain to relay email to your mail server:

1. Right click on the domain that you have just created and select Properties. Select the Allow the Incoming Mail to be relayed to this domain check-box.

2. In the Route domain dialog box, select the Forward all email to smart host option and specify the IP address (in square brackets) of the server which will handle the emails addressed to this new domain. E.g., [123.123.123.123]

NOTE: The square brackets are used to differentiate an IP address from a hostname (which does not require square brackets), i.e., the server detects an IP address from the square brackets.

3. Click on the OK button to save the entries and close the dialog.

Screenshot 5 - Relay Restrictions dialog

Step 4: Secure your mail relay server

In this step you will set up your SMTP virtual server's mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server (i.e., effectively limit the servers that can send email via this server).

1. Right click on Default SMTP Virtual Server and select Properties.

2. In the properties window, click on the Access tab and then click on the Relay button to open the relay restrictions dialog.

3. Click on the Only the list below option and then click on the Add button to specify the list of permitted computers.

Screenshot 6 - Specify machines which may relay email via virtual server

4. In the newly opened dialog, state the IP of the mail server that will be forwarding the email to this virtual server and click on the OK button to add the entry to the list.

NOTE: In this dialog you can specify the IP of a single computer, group of computers or a domain:

  • Single computer: Select this option to specify one particular host that will relay email via this server. You can look up the IP address of a specific host by clicking on the DNS Lookup button.
  • Group of computers: Select this option to specify the base IP address for the computers that you want to relay.
  • Domain: Select this option to include all the computers of a specified domain. This means that the domain controller will openly relay emails via this server. Please note that this option adds processing overhead, and may reduce SMTP service performance because it includes reverse DNS Lookups to verify the domain name of all IP addresses that try to relay.
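
How the remote domain from Step 3 and the relay list from Step 4 combine into an accept/deny decision is shown below. This is an added example, not code from GFI or IIS: the RelayPolicy class is a simplified, hypothetical model, the addresses and domain names are constructed, and the Domain option (reverse DNS) is left out.

```python
import ipaddress


class RelayPolicy:
    """Simplified model of the Step 3 and Step 4 settings (not IIS code)."""

    def __init__(self, relay_domains, permitted):
        # Remote domains with "Allow the Incoming Mail to be relayed to
        # this domain" selected.
        self.relay_domains = {d.lower() for d in relay_domains}
        # "Only the list below": a bare IP is a single computer; an
        # "address/mask" entry is a group of computers.
        self.permitted = [ipaddress.ip_network(p, strict=False)
                          for p in permitted]

    def decide(self, client_ip, recipient):
        """Return (accepted, reason) for one recipient from client_ip."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.relay_domains:
            return True, "inbound mail for a relayed domain"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.permitted):
            return True, "client is on the permitted relay list"
        return False, "relay denied"

    def audit(self, max_hosts=256):
        """Flag list entries wide enough to act as an open relay."""
        return [f"{net}: {net.num_addresses} addresses may relay"
                for net in self.permitted if net.num_addresses > max_hosts]


# Constructed values: example.com is the mail domain, 192.168.1.20 the
# internal mail server, 203.0.113.7 an arbitrary Internet host.
policy = RelayPolicy(["example.com"], ["192.168.1.20"])

if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.7", "user@example.com"),
                     ("203.0.113.7", "someone@other.test"),
                     ("192.168.1.20", "someone@other.test")]:
        print(ip, rcpt, policy.decide(ip, rcpt))
    print(RelayPolicy(["example.com"], ["0.0.0.0/0"]).audit())
```

The second case is the one the relay list exists for: an Internet host addressing a foreign domain must be refused, and a Group of computers entry that is too wide removes that protection.
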

Step 5: Configure your mail server to relay email via the Gateway server

After you have configured the IIS SMTP service to send and receive email, you must configure your mail server to relay all email to the mail relay server:

If you have Microsoft Exchange Server 4/5/5.5:

1. Launch Microsoft Exchange Administrator and double-click on Internet Mail Service to open the properties configuration dialog.

Screenshot 7 - The Microsoft Internet mail connector

2. Click on the Connections tab and, in the Message Delivery section, select Forward all messages to host. Enter the computer name or IP of the machine running GFI MailSecurity.

3. Click on the OK button and restart MS Exchange Server. This can be done from the services applet.

If you have Microsoft Exchange Server 2000/2003:

You will need to set up an SMTP connection that forwards all email to GFI MailSecurity:

1. Launch the Exchange System Manager.

2. Right-click on the Connectors Node, go to New > SMTP Connector and specify the connector name.

3. Select the Forward all mail through this connector to the following smart host option, type in the IP of the GFI MailSecurity server (the mail relay/Gateway server) and click on the OK button.

NOTE: Always enclose the IP address within square brackets [ ]. E.g., [100.130.130.10].

4. Select the SMTP Server that must be associated to this SMTP Connector. Click on the Address Space tab, and click on the Add button. Select SMTP and click on the OK button to accept the changes.

5. Click on the OK button to exit. All emails will now be forwarded to the GFI MailSecurity machine.

If you have Lotus Notes:

1. Double-click on the Address Book button in Lotus Notes.

2. Click on Server item to expand its sub-items.

3. Click on Domains and then click on Add Domains.

4. In the Basics section, select Foreign SMTP Domain from the Domain Type field and in the Messages Addressed to section, type "*" in the Internet Domain field.

5. In the Internet Host field of the Should be routed to section, specify the IP of the machine running GFI MailSecurity.

6. Save the settings and restart the Lotus Notes server.

If you have an SMTP/POP3 mail server:

1. Start up the configuration program of your mail server.

2. Search for the option to relay all outbound email via another mail server. This option will be called something like Forward all messages to host. Enter the computer name or IP of the machine running GFI MailSecurity.

3. If necessary, click on the OK button and restart your mail server.

Step 6: Point the MX record of your domain to the mail relay server

Because the new mail relay server must receive all inbound email first, you must update the MX record of your domain to point to the IP of the new mail relay/Gateway server. Otherwise email will continue to go to your mail server and bypass GFI MailSecurity.

Update the MX record of your DNS server as follows:

NOTE: If your ISP manages the DNS server, ask this provider to update it for you.

1. Open the command prompt and type in nslookup.

2. Now type set type=mx and enter your mail domain.

3. The MX record should return a single IP which must correspond to the IP of the machine running GFI MailSecurity!
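
The check in steps 1 to 3 can be automated by parsing the nslookup output. This is an added example, not part of the GFI manual: check_mx is a hypothetical helper, and the two nslookup outputs, host names and addresses are constructed samples in the layout Windows nslookup prints for MX queries.

```python
import re

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def check_mx(nslookup_output, gateway_ip):
    """Return a list of problems; empty means every MX is the gateway."""
    addresses = {}
    for host, ip in A_RE.findall(nslookup_output):
        addresses.setdefault(host.lower().rstrip("."), set()).add(ip)
    exchangers = MX_RE.findall(nslookup_output)
    problems = [] if exchangers else ["no MX record in output"]
    for pref, host in exchangers:
        ips = addresses.get(host.lower().rstrip("."), set())
        if not ips:
            problems.append(f"{host}: address not shown, resolve it separately")
        elif ips != {gateway_ip}:
            problems.append(
                f"{host} (preference {pref}) -> {', '.join(sorted(ips))}: "
                "mail delivered here bypasses the gateway")
    return problems


# Constructed sample: a single MX that resolves to the gateway.
GOOD = """\
Server:  dns.example.com
Address:  192.0.2.53

example.com     MX preference = 10, mail exchanger = gateway.example.com
gateway.example.com     internet address = 192.0.2.10
"""

# Constructed sample: a leftover second MX still points at the mail server.
BACKUP_MX = GOOD + """\
example.com     MX preference = 20, mail exchanger = mail.example.com
mail.example.com        internet address = 192.0.2.25
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BACKUP_MX", BACKUP_MX)):
        print(name, check_mx(text, "192.0.2.10") or "OK")
```
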

Screenshot 8 - Checking the MX record of your domain

Step 7: Test your new mail relay server

Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly.

1. Test the IIS 5 SMTP inbound connection of your mail relay server by sending an email from an external account to an internal user (you can use webmail, e.g. MSN Hotmail, if you don't have an external account available). Verify that the email client received the email.

2. Test the IIS 5 SMTP outbound connection of your mail relay server by sending an email to an external account from an email client. Verify that the external user received the email.

NOTE: Instead of using an email client, you can use Telnet to manually send an email. This will give you more troubleshooting information. For more information refer to this Microsoft knowledge base article:

http://support.microsoft.com/support/kb/articles/Q153/1/19.asp

Step 8: Install GFI MailSecurity on the mail relay server

For information on how to install GFI MailSecurity, refer to the 'Installing GFI MailSecurity' section in this chapter.


© 2008. All rights reserved. GFI Software