Basic question on securing smtp

I am a beginner with Windows 2003 server (standard) and I use my Windows
2003 server computer as both a pop3 server and an smtp server (built-in IIS
smtp server). However, the problem I am having is that people sending
e-mail to my server's host domain are not able to send the e-mail if the
smtp "anonymous" authentication option is not enabled. However, I can't
enable this because this will allow anyone (including people sending spam)
to access my server and use it to send their e-mail via my smtp IIS server.
The question becomes, is it possible to have both SMTP and POP3 services
enabled on one computer without enabling anonymous authentication in the
smtp options?

Bill

The answer to your question is that you need to restrict relaying
You are right, you still need anonymous authentication enabled to allow other internet mail servers to send email to your local domain ie "(E-Mail Removed)". What you don't want them to go and do is then get your server to on-send it to another domain ie "(E-Mail Removed)". This process is called relaying and a quick search on the Microsoft Support site should show lots of information on the various ways to restrict relaying
The safest way to restrict relaying is to lock it down to only computers with IP Addresses from your internal network. To do this
1. Open IIS Manage
2. Right click on "Default SMTP Virtual Server" and choose properties
3. Click on the "Access" ta
4. Press the "Relay" button
5. Choose "Only the list below" and add your Internal IP Address range to the list
6. As an additional security measure I would suggest unticking the box "Allow all computers which sucessfully authenticate to relay, regardless of the list above" because I am finding persistent spammers are now trying to guess credentials of your users in order to spam through your server

As another extra security setting, I also disable Basic Authentication and Integrated Windows Authentication on the security tab

By default Windows 2003 server should pretty much have all of these settings set correctly for you due to Microsoft's big push for "Secure by Default", but I always double check

Sincerely
Elizabeth

"Bill" <(E-Mail Removed)> wrote in message
news:4ladnTCTJtTKJzvd3cwC-(E-Mail Removed)...
> I am a beginner with Windows 2003 server (standard) and I use my Windows
> 2003 server computer as both a pop3 server and an smtp server (built-in
IIS
> smtp server). However, the problem I am having is that people sending
> e-mail to my server's host domain are not able to send the e-mail if the
> smtp "anonymous" authentication option is not enabled. However, I can't

In thier mail client (Outlook Express?) they must specifically tell the
software that the SMTP Service requires authentication and supply
credentials or tell it to use the same credentials as the POP3 Service. If
you don't do this, the only thing that works is anonymous.

I don't like the "approve by source IP#" to be very suitable if the clients
travel or connect from different locations or from different providers
because you'd have such a huge list of IP# Ranges that there wouldn't be any
point in doing it in the first place.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com