HOW TO: Prevent Mail Relay in the IIS 5.0 SMTP Server in Windows 2000

This step-by-step article describes how to prevent mail relays in the Internet Information Server (IIS) version 5.0 SMTP server. IIS 5.0 includes a full-featured SMTP server. You can use the IIS 5.0 SMTP server to receive and relay e-mail messages to other SMTP servers on your network or to servers on the Internet. The relay function is helpful for internal network clients that may need to forward mail to other SMTP servers and for IIS programs that need access to an SMTP server to forward mail.

When the IIS SMTP server relays e-mail messages, it may forward mail that is addressed to any e-mail domain. This feature allows the IIS SMTP server to forward mail to any internal or external network SMTP server for which is can resolve an MX record. However, if the IIS 5.0 SMTP server is accessible to Internet users, mail relay is undesirable because unscrupulous users can forward mail to your SMTP server to distribute unsolicited commercial e-mail to large numbers of computers. This can have an very adverse impact on available bandwidth for your internal connection, and cause your mail server to be placed on "black hole" lists of open mail relays.

For a user or computer to relay e-mail messages through an IIS 5.0 SMTP server, the following two conditions must be met:

• The user or computer must be able to access the IIS 5.0 SMTP server.
• The IIS 5.0 SMTP server must be configured to relay e-mail messages to other domains.

Preventing the IIS 5.0 SMTP Server from Relaying E-mail Messages

1. Start Internet Services Manager from the Administrative Tools menu.
2. In the Internet Information Services console, right-click the Default SMTP Server node, and then click Properties.
3. Click the Access tab, and then click Authentication.
4. If you click to select the Anonymous access check box and do not select any of the other checkboxes, all users and computers will be able to access the IIS SMTP server. This effectively disables authentication. If you click to select either or both the Basic Authentication or the Windows security package check boxes and do not click to select the Anonymous access check box, authentication will be required before access is granted to the IIS 5.0 SMTP server. In this case, if the user or computer does not successfully authenticate, the user or computer cannot send mail to the server. Select either or both of these options, click to clear the Anonymous access check box, and then click OK.
5. Click Relay.
6. You have several available options in the Relay Restriction dialog box. The default option is Only the list below. Note that there are no entries in the default configuration. By default, the Allow all computers which successfully authenticate to relay, regardless of the list above option is enabled. This allows users and computers that can authenticate with the server to relay through the server. Note that if you allow only anonymous access, the server will not be able to authenticate users or computers.
7. Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box. Click Cancel if you do not want to make a change.
8. In the Relay Restrictions dialog box, click OK.
9. In the Default SMTP Virtual Server Properties dialog box, click Apply, and then click OK.

Troubleshooting

The default IIS 5.0 SMTP server configuration does not allow unauthenticated users to relay through the server. The information in this article should help you to evaluate whether the IIS 5.0 server configuration has changed in a way that does allow it relay messages that are sent by unintended hosts.