How To Prevent Mail Relay in the IIS SMTP Virtual Server in Windows Server 2003


This step-by-step article describes how to prevent mail relays for an Internet Information Services (IIS) Simple Mail Transport Protocol (SMTP) virtual server.

IIS in Windows Server 2003 includes a full-featured SMTP virtual server that you can use to receive and relay e-mail messages to other SMTP servers on your network or to servers on the Internet. The relay function is useful for internal network clients that may have to forward mail to other SMTP servers and for IIS programs that need access to an SMTP server to forward mail.

When the SMTP virtual server relays e-mail messages, it may forward mail that is addressed to any e-mail domain. With this feature, the SMTP virtual server can forward mail to any internal or external network SMTP server for which is can resolve an MX record. However, if the SMTP virtual server is accessible to Internet users, mail relay is not good because unscrupulous users can forward mail to your SMTP virtual server and as a result, distribute unsolicited commercial e-mail to large numbers of computers. This can have a very adverse impact on available bandwidth for your internal connection, and cause your mail server to be placed on "black hole" lists of open mail relays.

For a user or computer to relay e-mail messages through an SMTP virtual server, the following two conditions must be met:
  • The user or computer must be able to access the SMTP virtual server.
  • The SMTP virtual server must be configured to relay e-mail messages to other domains.

How to Prevent the IIS SMTP Virtual Server from Relaying E-mail Messages

  1. Start Internet Information Services Manager or open the Internet Information Services (IIS) snap-in.
  2. Expand Server_name, where Server_name is the name of the server, right-click Default SMTP Virtual Server, and then click Properties.
  3. Click the Access tab, and then under Access control, click Authentication.
  4. Click to select either or both the Basic authentication and the Integrated Windows authentication check boxes, click to clear the Anonymous access check box (if it is selected), and then click OK.

    By doing so, authentication is required before access is granted to the SMTP virtual server. In this case, if the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

    NOTE: If you click to select the Anonymous accesscheck box and do not click to select the Basic authenticationand the Integrated Windows authentication check boxes, all users and computers are able to access the SMTP virtual server.

    This disables authentication.
  5. Under Relay restrictions, click Relay.
  6. Note the options that are available in the Relay Restrictions dialog box. By default, the Only the list belowoption is selected and this list is empty. Additionally, the Allow all computers which successfully authenticate to relay, regardless of the list above option is selected. With this feature, users and computers that can authenticate with the server can relay through the server. All computers are blocked except those that meet the authentication requirements that you configured earlier in the Authentication dialog box of the Access tab.

    Note that if you allow only anonymous access, the server does not authenticate users or computers.
  7. Click Add, and then do one of the following to add a single computer, group of computers, or a domain:
    • Click Single computer.
      Type the IP address of the computer that you want in the IP Address box, and then click OK.
    • Click Group of computers.
      Type the subnet address and the Subnet mask of the group into the corresponding boxes, and then click OK.
    • Click Domain.
      Type the domain name that you want in the Name box, and then click OK.
    • If you do not want to add a computer, group or computers, or a domain, click Cancel.
  8. Click OK, and then click OK.


By default, Microsoft SMTP Service blocks computers from relaying e-mail that you do not want through the SMTP virtual server. The information in this article helps you to evaluate whether the configuration of your SMTP virtual server has changed in a way that allows it relay messages that are sent by unintended hosts.


For additional information about how to configure a remote SMTP mail relay server, click the following article number to view the article in the Microsoft Knowledge Base:
324272 HOW TO: Configure a Remote Domain for an Internet Information Services (IIS) SMTP Mail Relay Server in Windows Server 2003