Simple SMTP relay on Windows

You can install an SMTP server using the built-in tools in every version of Windows Server. Inside an organization, such an SMTP server can act as a mail relay that accepts and forwards SMTP messages from various devices (for example, senders, scanners, access-control devices, etc.) and applications (web applications, SQL Reporting Services, SharePoint) that need to send mail through an SMTP server. The relay can forward messages to a full Exchange server or to public Internet mail services such as Gmail, Mail.ru, Office 365, etc. (it is not always worth deploying a full internal mail infrastructure based on Microsoft Exchange Server or other mail services).

In this article we show how to install, configure and test an SMTP server on Windows Server 2012 R2, 2016 and 2019 that will function as a mail relay. Such an SMTP server does not store mail and has no mailboxes; it can only send or forward mail.

Contents:

  • Installing the SMTP service on Windows Server 2016/2012 R2
  • Configuring the SMTP server on Windows Server
  • Autostarting the SMTPSVC service
  • Testing the SMTP server on Windows Server

Installing the SMTP service on Windows Server 2016/2012 R2

The SMTP server is one of the Windows Server features that can be installed through Server Manager. Open the Server Manager Dashboard console (servermanager.exe), go to Add roles and features, and at the feature selection step tick the SMTP Server checkbox. Managing the SMTP service requires the management consoles that ship with the Web Server IIS role (you will be prompted to install IIS Management Tools).

Leave all the proposed options of the Web Server (IIS) role as they are and start the installation.

You can also install the SMTP server feature with a single PowerShell command:

Install-WindowsFeature smtp-server

After the components are installed, a system reboot may be required.

Configuring the SMTP server on Windows Server

The SMTP server is managed through the Internet Information Services (IIS) Manager 6 console. You can open it from Server Manager: Tools -> Internet Information Services (IIS) 6.0 Manager, or with the inetmgr6.exe command.

In IIS 6 Manager, expand the branch with the server name, right-click SMTP Virtual Server and open its properties.

On the General tab, if necessary, select the IP address on which the SMTP server should respond (if the server has several IP addresses) and turn on Enable logging (so that information about all received messages is saved).

Then go to the Access tab.

Click the Authentication button here and make sure that anonymous access (Anonymous access) is allowed.

Go back to the Access tab and click the Connection button. Here you can specify the IP addresses of the devices that are allowed to send mail through our SMTP relay. Select the Only the list below option and enter the list of IP addresses, not forgetting the server itself (127.0.0.1).

Configure the list of allowed IPs in the Relay settings in the same way (click the corresponding button). This section specifies which IP addresses (or subnets) may relay mail through your SMTP server.

Note. As a rule, you should always enable this option, at least restricting the served devices to a range of IP addresses. Otherwise your SMTP server can be used by spammers and other attackers as an open relay for mass mailings.

Go to the Messages tab. Here you specify the email address to which copies of all NDR reports are sent (Send copy of Non-Delivery Report to:). You can also set limits on the maximum message size (Limit message size KB) and the number of recipients (Limit number of recipients per message).

Go to the Delivery tab:

Then click the Outbound Security button. Here you specify how to authenticate to the mail server to which your SMTP server will relay all mail. For example, if all mail is sent to the Gmail mail server and forwarded to recipients from there, select the Basic authentication type and enter the user name and password of the Gmail mailbox (sending through Gmail's SMTP servers must be allowed in the Google account settings).

Then click the Advanced button.

Here you specify the FQDN of your SMTP server. Click the Check DNS button to verify that the DNS record is correct.

If the server must forward mail to an external SMTP server, enter its name in the Smart host field (for example smtp.gmail.com or smtp.office365.com).

Some external mail servers accept mail only over a secure SMTP connection using TLS Encryption (TCP port 587 is used). This is configured under Delivery -> Outbound Security and Outbound Connections. Consult your mail provider's documentation.

Save the SMTP server settings and restart your virtual SMTP server to apply the changes.

Note.

  1. DNS settings are critical to the operation of the mail system. If your SMTP server cannot correctly resolve the DNS names of the domains it is trying to send mail to, delivery will fail.
  2. If your server will itself send mail to other domains, it is important that a correct PTR record exists for your address so that reverse DNS lookups resolve. The PTR record for the public IP address must point to the FQDN. Otherwise most external SMTP servers will not accept mail from you, treating your server as a spam source.

Autostarting the SMTPSVC service

All that remains is to configure the SMTP server service to start automatically. The quickest way is from the PowerShell command line:

set-service smtpsvc -StartupType Automatic

Start the service:

start-service smtpsvc

Check that the SMTPSVC service is running:

get-service smtpsvc

Status   Name     DisplayName
------   ----     -----------
Running  smtpsvc  Simple Mail Transfer Protocol (SMTP)

Testing the SMTP server on Windows Server

The last thing left to do is to check that the SMTP server works. The easiest way is to create a text file smtp-test-email.txt on the desktop and copy the following text into it, replacing the sender and recipient with your own.

From: sender@example.com
To: recipient@example.com
Subject: Email test

This is the test email

Copy smtp-test-email.txt to the C:\inetpub\mailroot\Pickup directory. The SMTP server watches this directory for new files; when it finds one, it reads the contents and tries to send a message with that subject and text to the recipient given in the To: field.

Check the recipient's mailbox; the message should arrive there.

Tip. You can also test the SMTP server from the telnet command line, a VBS script or PowerShell:

Send-MailMessage -SMTPServer localhost -To recipient@example.com -From sender@example.com -Subject "Email test" -Body "This is the test email sent via PowerShell"

If you have enabled Basic Authentication for all your SMTP clients (instead of anonymous authentication), you can send a message with SMTP authentication via telnet as follows.

Also make sure that TCP port 25 on your SMTP server is not blocked for remote connections (by the local firewall, antivirus or a network firewall). The easiest way is to check from a Windows computer whose IP address has been added to the allowed list. You can check port availability with the Test-NetConnection cmdlet:

Test-NetConnection smtpsrv1.name.local -Port 25

If port 25 is blocked, check the settings of Windows Firewall, the antivirus and hardware firewalls.

So, you have configured your own SMTP mail relay on Windows Server 2016/2012 R2 and tested sending mail through it.


This tutorial will show how to make Windows SMTP Server relay mail through Gmail or any other mail server. This is useful if your server is located on a network with a dynamic IP address.

I had this issue when monitoring software needed to send notification mails but had no option for authenticating to the SMTP server. I installed Windows SMTP server but all my mails were blocked by the spam filters. The solution was to relay all mails through a mail server.

If you are sending a small number of mails this is a good solution, but if your system sends a lot of mail you can be blocked by Gmail’s limits. In this case use your own mail server.

Install Windows SMTP Server

Open the Windows Server 2008 Server Manager and under Features, select Add Features.

Check the box next to SMTP Server and click Next.

If you don’t have the IIS 6 Management Console installed, Windows 2008 will install the missing roles the SMTP Server needs: just click the Add Required Role Services button, and click Next on the previous screen.

The wizard will now install IIS 6 Management Compatibility, the IIS 6 Management Console and the SMTP Server. Press Install.

The installation will begin; it can take several minutes to finish.

When the wizard reports Installation succeeded, the installation of the Windows SMTP Server is complete. Press Close and we can start the configuration.

Configure Windows SMTP Relay

Open Internet Information Services (IIS) 6.0 Manager, right click SMTP Virtual server, select Properties, select the Access tab and click Relay.

Here you can add the list of servers that will send mail through this server. Click Add to add all the servers you need, and click OK.

Select the Delivery tab and click Outbound Security…

Select Basic Authentication, enter your Gmail account (your full address, e.g. yourname@gmail.com), enter your Gmail password, check TLS encryption and press OK.

Select the Delivery tab and click Outbound connections…

Set TCP port to 587 and click OK.

Select the Delivery tab and click Advanced…

Enter the Fully-qualified domain name: this should be what you want this SMTP server to be called. If your server name is SMTP and your domain is YOURDOMAIN.COM then the entry should be smtp.yourdomain.com
Enter smtp.gmail.com as the Smart host and click OK.

Now you can configure your servers to use smtp.yourdomain.com as SMTP server and it will relay the mails through your Gmail account.

One final note: Don’t forget to set the Simple Mail Transfer Protocol (SMTP) service to start automatically. Start your Services console, right click Simple Mail Transfer Protocol (SMTP), select Properties and change Startup type: Automatic


You need to have Gmail Account or create one at: http://www.gmail.com
Enable the Gmail account for POP3 in Gmail, you can follow the instructions on how to do this here: http://mail.google.com/support/bin/answer.py?answer=13273&cbid=wl8yzeug2lob&src=cb&lev=topic



Sending email is crucial for any organization, but configuring SMTP servers and relay can be tricky. This guide explores Windows Server 2022’s built-in capabilities for optimizing email architecture and deliverability. Learn to enable SMTP relay and TLS encryption, troubleshoot issues, utilize virtualization for scalability, and follow best practices for performance and redundancy. Master email on Windows Server 2022!

Overview of SMTP and Email Relay

Sending and receiving email is an essential part of business operations and personal communication in the digital age. But how exactly are emails able to traverse the internet and land in our inboxes? The answer lies in SMTP, or Simple Mail Transfer Protocol.
SMTP is a set of communication guidelines that allows mail servers to transmit emails across the internet. It establishes a standardized way for servers to negotiate the transfer of email messages, directing them to their final destinations. When you hit send on an email from your local device, your email client connects to your outgoing SMTP server, which then communicates with the recipient’s incoming SMTP server through a chain of relay hops, eventually depositing the email in their inbox.

Here’s a simple example:

  1. You compose an email in Microsoft Outlook on your laptop.
  2. Outlook connects to your company’s SMTP server (like smtp.yourcompany.com) using port 25 or 587.
  3. Your SMTP server verifies your identity and access.
  4. It establishes a connection with the recipient’s SMTP server and transfers the email message.
  5. The receiving SMTP server accepts and stores the message for the recipient.
  6. The recipient can now access the email in their inbox.

SMTP handles the routing, transport, and delivery details that occur behind the scenes, providing a standardized protocol so any mail server can communicate with any other mail server. This interoperability is key for global email transmission.

Of course, reality is more complex than this linear example. There are often multiple hops between the originating SMTP server and the final destination, involving intermediary servers that relay messages closer to the recipient’s server. This is where email relay enters the picture.

Email relay occurs when one mail server receives an email from another server and forwards it towards its ultimate destination instead of actually delivering it. Relaying through intermediate mail servers on the open internet is normal and expected.

But sometimes businesses will configure dedicated SMTP relay servers on their private network perimeter to control the flow of outgoing email more securely. By funneling all outbound mail through your owned relay machine, you can implement protections like spam filters, antivirus scans, and authentication requirements before allowing messages out to public servers.

A properly configured SMTP relay server provides key benefits:

  • Centralized control over external email delivery for security and policy enforcement
  • Reduced risk of blacklisting if spam originates from specific internal hosts
  • Flexibility to support different internal mail systems and email domains
  • Scalability to handle large volumes of outgoing email traffic
  • Resiliency through redundancy, load balancing, and failover capabilities

Whether you want your public-facing SMTP server to act as a relay or deploy a dedicated relay machine internally, careful configuration is required for proper mail routing and delivery. Protocols, authentication, encryption, and allowed-IP relay restrictions must be defined based on your infrastructure.

Microsoft Windows Server provides robust built-in capabilities for enabling an SMTP relay using Internet Information Services (IIS). Alternatives like hMailServer also exist if you need a standalone third-party relay solution. With the right setup, an SMTP relay can provide a critical intermediate stage in your email transmission process to enhance security, efficiency, and deliverability.

We’ll explore the technical specifics of configuring SMTP servers and relay options using Windows Server later in this article. First, let’s look at how to find your current email settings. Understanding your existing server details provides the foundation.

Checking Your Email Server Settings on Network Solutions

Before making any changes to your SMTP configuration, it’s important to understand your current email server settings within Network Solutions. This will show you the existing ports, servers, and encryption enabled on your account so you can determine if any modifications are needed.
Logging into your Network Solutions control panel is easy. Just go to networksolutions.com and click Sign In at the top right. Enter your username and password when prompted.

Once you’re logged in, click on the “Manage” button for your domain and select the “Email” tab. This will display your email account settings.

Under “Connection Details”, you’ll see various parameters defined:

  • Incoming mail server (IMAP) – The hostname of the IMAP server for retrieving incoming messages
  • Incoming mail server port – The port used by IMAP, usually 143 or 993 (SSL)
  • Outgoing mail server (SMTP) – The hostname of the SMTP server for sending outgoing messages
  • Outgoing mail server port – The port used by SMTP, usually 25, 587 (TLS) or 465 (SSL)
  • Requires sign-in – Whether authentication is needed to send mail through this SMTP server

It’s critical to identify both your IMAP and SMTP servers, as they may use different hostnames. IMAP handles retrieving email while SMTP deals with sending.

Next, check the encryption configured under “Advanced Settings”:

  • None – No encryption, insecure transmission of credentials and emails
  • SSL/TLS – Secure Sockets Layer and Transport Layer Security protocols for encrypted connections
  • STARTTLS – Opportunistic TLS, upgrades connection to use TLS encryption after establishing a cleartext connection

TLS (sometimes listed as STARTTLS) is recommended for secure transmissions without compatibility issues. Avoid using None if possible.

Additionally, toggle “Use SMTP Authentication” to On to enable sending username and password credentials when connecting to SMTP for added security.

Make note of each of these current settings from your Network Solutions control panel. This will allow you to determine if your Windows SMTP server needs to be reconfigured to match.

For example, if your Network Solutions outgoing SMTP server uses smtp.yourdomain.com on port 465 with SSL encryption, you would need to set the same server, port, and TLS/SSL parameters when configuring the new Windows SMTP server.

If the settings differ, it could lead to authentication errors, insecure connections, or emails being rejected or blocked. Syncing the configurations avoids these types of issues.

Sometimes, the existing settings may not be ideal and you’ll actually want to adjust your Windows SMTP environment to improve security or deliverability. Common changes include:

  • Enabling TLS encryption by specifying port 587 if currently set to None
  • Requiring authentication if not already mandatory
  • Adding allowed IPs instead of open relay access
  • Directing relay through a dedicated internal SMTP server rather than using Network Solutions’ SMTP

In these cases, update your Network Solutions SMTP settings after configuring Windows to match its improved security parameters going forward.

Carefully analyzing your current server details on Network Solutions empowers you to configure optimal aligned settings on Windows Server for sending emails securely and reliably. Don’t skip this important step!

Setting up an SMTP Server on Windows Server 2022

Windows Server 2022 includes robust built-in SMTP server capabilities through Internet Information Services (IIS). With the proper configuration, you can use it to send outgoing emails securely following industry best practices.
Let’s walk through considerations for installation, basic setup steps, allowing relay permissions, and securing connections with TLS encryption when deploying an SMTP server on Windows Server 2022.

Installing the SMTP Server Role

The first step is installing the SMTP Server role and required dependencies. You can use either the graphical Server Manager dashboard or PowerShell commands.

When installing on Server Core, you must use PowerShell since the GUI isn’t available. Here are the PowerShell commands to run elevated:

Install-WindowsFeature -Name SMTP-Server -IncludeManagementTools

This will install the SMTP Server role along with associated management tools for configuration.

If using Server Manager instead, navigate to Dashboard > Add Roles and Features to launch the wizard. Select Role-based or feature-based installation and click Next.

On the server selection screen, choose your desired server and click Next. Then on the server roles screen, expand the Application Server category and check the box for SMTP Server.

The wizard will automatically include required features like Web Server (IIS) if they aren’t already installed. Click Next until you reach the confirmation page and then Install to finish.

Basic SMTP Server Configuration

Once installation completes, some basic configuration is required before you can start sending emails. Open the IIS 6 Management Console located at:

Start > Administrative Tools > Internet Information Services (IIS) Manager

Right-click the SMTP Virtual Server node and select Properties. Go to the Access tab and click Authentication. Check the Basic Authentication box to enable encrypted credentials when sending emails.

Next, go back to the Properties window and click Advanced under Delivery. Set the Fully Qualified Domain Name (FQDN) field to a hostname like smtp.contoso.com.

You may also want to define smart hosts like your Office 365 endpoint if funneling email through them. Finish by restarting the SMTP service for changes to take effect.

Enabling Relaying from Allowed IPs

By default, the Windows SMTP server won’t allow arbitrary hosts to relay mail through it. You need to explicitly configure IP-based relay permissions.

Navigate back to the Access tab under SMTP Virtual Server Properties. Click the Relay button and choose Add to specify IP addresses that may relay outbound mail through this server.

For example, you may want to allow the IP ranges or subnets for your internal company network. Just be sure not to leave it completely open to the public internet!
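One way to confirm that the relay list behaves as intended, as an added example (not code from the original article): the function below opens an SMTP session, asks to relay to an external recipient, and stops after RCPT TO, so no message is ever submitted. The function names, the placeholder addresses and the verdict strings are assumptions of this example; smtp.contoso.com is the sample host name used above.

```powershell
# Added example: ask a relay how it treats a relay request coming from THIS host.
# The dialogue stops after RCPT TO and is reset, so no message is submitted.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply can span several lines: "250-..." continues, "250 ..." ends it.
    $lines = @()
    while ($true) {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }                     # peer closed the connection
        $lines += $line
        if ($line.Length -lt 4 -or $line[3] -ne '-') { break }
    }
    $code = 0                                              # 0 means "no reply received"
    if ($lines.Count -gt 0 -and $lines[-1].Length -ge 3) {
        [void][int]::TryParse($lines[-1].Substring(0, 3), [ref]$code)
    }
    [pscustomobject]@{ Code = $code; Text = ($lines -join ' | ') }
}

function Test-SmtpRelayPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'relay-check@example.com',               # placeholder sender
        [string]$ExternalRecipient = 'postmaster@example.net',   # placeholder: a domain the relay does not host
        [int]$TimeoutMs = 10000
    )
    $result = [ordered]@{ Server = $Server; Port = $Port; Stage = 'connect'; Code = 0; Verdict = 'Unreachable'; Reply = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) { throw 'connect timed out' }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $dialogue = @(
            @{ Stage = 'banner';    Send = $null },
            @{ Stage = 'EHLO';      Send = "EHLO $env:COMPUTERNAME" },
            @{ Stage = 'MAIL FROM'; Send = "MAIL FROM:<$From>" },
            @{ Stage = 'RCPT TO';   Send = "RCPT TO:<$ExternalRecipient>" }
        )
        foreach ($step in $dialogue) {
            if ($step.Send) { $writer.WriteLine($step.Send) }
            $reply = Read-SmtpReply $reader
            $result.Stage = $step.Stage
            $result.Code  = $reply.Code
            $result.Reply = $reply.Text
            if ($reply.Code -lt 200 -or $reply.Code -ge 300) { break }   # stop at the first refusal
        }

        if ($result.Code -eq 0)                                  { $result.Verdict = "ClosedAt:$($result.Stage)" }
        elseif ($result.Stage -ne 'RCPT TO')                     { $result.Verdict = "RefusedAt:$($result.Stage)" }
        elseif ($result.Code -ge 200 -and $result.Code -lt 300)  { $result.Verdict = 'RelayAccepted' }
        elseif ($result.Code -ge 500)                            { $result.Verdict = 'RelayDenied' }
        else                                                     { $result.Verdict = 'TemporaryFailure' }

        if ($result.Code -ne 0) {
            # Abandon the transaction cleanly; DATA is never sent.
            $writer.WriteLine('RSET')
            [void](Read-SmtpReply $reader)
            $writer.WriteLine('QUIT')
        }
    }
    catch {
        $result.Verdict = "ErrorAt:$($result.Stage)"
        $result.Reply   = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# From a host that is NOT on the relay list, any verdict other than RelayAccepted
# means the restriction holds. From a listed host, RelayAccepted is expected.
Test-SmtpRelayPolicy -Server 'smtp.contoso.com'
```

Running it once from a listed host and once from an unlisted one gives both sides of the check; a plain port test only shows that the listener is reachable.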

Securing Connections with TLS Encryption

To encrypt the connection between your SMTP server and sending/receiving mail servers using TLS, first request and install a valid SSL certificate on the host. You can use an internal PKI or public CA like Digicert.

Import the certificate .PFX file into the local computer’s Personal certificate store. Then in IIS Manager, go to the SMTP Virtual Server Properties > Delivery tab. Click Outbound Security and choose TLS Encryption.

This ensures all message contents and client credentials are protected in transit over the network. Verify the Access tab shows the proper certificate expiration date for additional confirmation.

With that, your core Windows Server 2022 SMTP server setup is complete! Proper configuration helps ensure your email communications remain secure and reliable. Let’s move on to configuring an SMTP relay next if needed.

In some scenarios, configuring a dedicated SMTP relay server can provide advantages over routing email directly from your internal mail server to external domains. Let’s explore reasons to use a relay, options for implementation on Windows Server 2022, and steps to set it up.

When to Use an SMTP Relay

Adding an intermediary SMTP relay server provides benefits:

  • Centralized outgoing email delivery and security policies
  • Reduced risk of blacklisting if spam originates on internal hosts
  • Support for diverse internal email environments and domains
  • Scalability to handle large volumes of outbound mail
  • Redundancy and uptime through failover capabilities

You may want to utilize an on-premise SMTP relay if you have:

  • Compliance or security requirements to control internet mail flow
  • Numerous internal mail systems needing internet delivery
  • Problems with blacklisting of dynamic internal IP ranges
  • Need for high scalability and redundancy behind a static IP

Using your primary SMTP server directly for external delivery can cause issues. A dedicated relay system offers flexibility.

Options for SMTP Relay Setup

You have two primary options for deploying an SMTP relay on Windows Server:

1. IIS SMTP Relay

Internet Information Services (IIS) has built-in relay functionality through SMTP virtual servers. This lets you quickly enable Windows as an SMTP relay.

2. Third-Party SMTP Relay Software

Alternatively, dedicated relay software like hMailServer offers an on-premise solution. This provides a standalone application purely for relay duties.

Factors like existing infrastructure, cost, complexity, and feature requirements dictate the best choice. Let’s walk through both in more detail.

Configuring an IIS SMTP Relay

If leveraging Windows IIS, first ensure you’ve installed the SMTP Server role and dependent features like Web Server (IIS).

Open IIS Manager and right-click to create a new SMTP Virtual Server. Give it an internal domain name and specify TCP port 25 for insecure or 587 for TLS-encrypted connections.

Next, define your smart host in the virtual server properties under Delivery > Advanced. Enter the hostname like smtp.office365.com with port 25 or 587.

You’ll also need to import a valid public SSL certificate or internal PKI certificate to enable TLS encryption.

Finally, allow the IP range of internal hosts that will relay outbound through this server under the Access tab. Test connectivity from a client to confirm proper relaying functionality.

Using Third-Party SMTP Relay Software

If opting for dedicated relay software, hMailServer is a popular Windows platform option. After installing, you need to:

  • Add your internal domains to relay permissions
  • Set destination smart hosts like your email provider
  • Choose inbound listening ports
  • Configure authentication and TLS encryption
  • Test relay functionality

This keeps SMTP duties separate from your Exchange or other mail systems.

Comparing Solutions

Factors like cost, complexity, features, and resource usage help determine the best SMTP relay approach:

  • IIS is built-in with Windows Server, reducing extra software costs
  • Third-party software may provide more granular control and role separation
  • IIS relies on Windows server resources while apps have lower overhead
  • Third-party options include antispam, antivirus, and metrics capabilities

Evaluate your needs and environment to decide which strategy is the right fit.

A properly configured SMTP relay enhances the security, scalability, and resiliency of your email architecture on Windows Server 2022.

Testing and Troubleshooting Your SMTP Configuration

Once you finish setting up your Windows Server SMTP environment, testing and troubleshooting are critical next steps. This confirms everything is working and helps resolve common errors if issues arise.
Let’s explore useful techniques for validation and debugging your server’s SMTP functionality.

Confirming Basic SMTP Functionality

Start by performing basic connectivity testing from the server itself or a client. Open a command prompt and use the telnet command like:

telnet smtp.yourdomain.com 25

This checks that you can reach the SMTP port and exchange basics like:

EHLO yourdomain.com
MAIL FROM: sender@yourdomain.com
RCPT TO: recipient@example.com
DATA
From: sender@yourdomain.com
To: recipient@example.com
Subject: Test email

This is a test body.
.

Verify you can connect, initiate a test message, enter the content, and terminate properly with a period on its own line. If successful, further testing from clients is recommended.

Sending Test Emails via Telnet

Use the same telnet approach to transmit test messages completely through your SMTP server to external accounts. Leverage a telnet client from a Windows desktop for more robust testing.

Try enveloping the test email content with header/body separators:

HEADER
From: sender@yourdomain.com
To: recipient@example.com
Subject: SMTP test

BODY
This is a test email sent via the telnet client.
.

Check whether your external recipient receives the message with the proper content intact. Be sure to authenticate if your SMTP server requires it.

Using the Pickup Directory

Servers running SMTP have a local pickup directory, usually C:\inetpub\mailroot\Pickup. Pasting a .eml file with email content into this folder will automatically submit it for processing and delivery.

Construct a test .eml file and drop it into the pickup folder, then verify successful delivery. The file gets deleted once picked up.

Checking Log Files

Enable logging under SMTP Virtual Server properties in IIS Manager. Then monitor the C:\Windows\System32\LogFiles\SMTP logs.

Look for connection entries from clients and delivery status codes. Error messages here provide insight during troubleshooting.
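A sketch of that log review, as an added example (not code from the original article): it reads W3C-format log lines, takes the column layout from the `#Fields:` directive, and summarises RCPT commands per client IP against the relay allowlist. The function names, the CIDR list, the internal domain and the sample records are constructed for illustration, and the field names are assumed to be the usual W3C extended ones (c-ip, cs-method, cs-uri-query, sc-status).

```powershell
# Added example: summarise RCPT commands per client IP from an SMTP service log.
# IPv4 only. The sample records at the bottom are constructed for illustration.

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if ($null -eq $bits) { $bits = 32 }
    $toNumber = {
        param($ip)
        [double]$n = 0
        foreach ($octet in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $n = $n * 256 + $octet }
        $n
    }
    # Two addresses share a /bits network when they fall into the same block of 2^(32-bits).
    $blockSize = [Math]::Pow(2, 32 - [int]$bits)
    [Math]::Floor((& $toNumber $Address) / $blockSize) -eq [Math]::Floor((& $toNumber $net) / $blockSize)
}

function ConvertFrom-SmtpW3cLog {
    param([string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The directive names the columns of every record that follows it.
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l) -or $fields.Count -eq 0) { continue }
        $values = $l.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed record
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

function Get-SmtpRelaySummary {
    param([object[]]$Record, [string[]]$AllowedCidr, [string[]]$InternalDomain = @())
    $Record | Where-Object { $_.'cs-method' -eq 'RCPT' } | Group-Object -Property 'c-ip' | ForEach-Object {
        $ip = $_.Name
        $accepted = @($_.Group | Where-Object { $_.'sc-status' -match '^2\d\d$' })
        $rejected = @($_.Group | Where-Object { $_.'sc-status' -match '^5\d\d$' })
        # Accepted recipients outside our own domains, i.e. mail that was relayed onward.
        $external = @($accepted | Where-Object {
            $_.'cs-uri-query' -match '@([^>\s]+)>' -and $InternalDomain -notcontains $Matches[1]
        })
        $listed = @($AllowedCidr | Where-Object { Test-IPv4InCidr $ip $_ }).Count -gt 0

        $finding = 'OK'
        if (-not $listed -and $accepted.Count -gt 0) { $finding = 'UNLISTED CLIENT ACCEPTED' }
        elseif (-not $listed)                         { $finding = 'Unlisted client, rejected' }

        [pscustomobject]@{
            ClientIP         = $ip
            Listed           = $listed
            Accepted         = $accepted.Count
            Rejected         = $rejected.Count
            ExternalAccepted = $external.Count
            Finding          = $finding
        }
    }
}

# Constructed sample log; real logs carry more columns, which the parser picks up from #Fields.
$sampleLog = @'
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2024-01-15 08:00:01 10.0.0.21 scanner01 10.0.0.5 25 EHLO +scanner01 250
2024-01-15 08:00:01 10.0.0.21 scanner01 10.0.0.5 25 MAIL +FROM:<scanner@corp.example> 250
2024-01-15 08:00:02 10.0.0.21 scanner01 10.0.0.5 25 RCPT +TO:<alice@corp.example> 250
2024-01-15 08:05:40 10.0.0.34 app01 10.0.0.5 25 RCPT +TO:<customer@partner.example> 250
2024-01-15 09:14:10 203.0.113.50 host.invalid 10.0.0.5 25 RCPT +TO:<a@other.example> 550
2024-01-15 09:14:11 203.0.113.50 host.invalid 10.0.0.5 25 RCPT +TO:<b@other.example> 550
2024-01-15 10:30:00 192.168.50.7 kiosk 10.0.0.5 25 RCPT +TO:<c@other.example> 250
'@ -split '\r?\n'

$records = ConvertFrom-SmtpW3cLog -Line $sampleLog
Get-SmtpRelaySummary -Record $records -AllowedCidr '10.0.0.0/24', '127.0.0.1/32' -InternalDomain 'corp.example' |
    Sort-Object Listed | Format-Table -AutoSize
```

To review real data, pass the output of `Get-Content` on the server's log files as `-Line`, and use the same ranges that are entered in the Relay list as `-AllowedCidr`.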

Common SMTP Issues and Resolutions

If you encounter problems, try these fixes:

TLS/SSL Encryption Errors

  • Validate the certificate was issued properly and imported correctly.
  • Double check TLS is enabled on both client and server.
  • Use TCP port 587 or 465 instead of 25 to force encryption.

Authentication Failures

  • Confirm allowed IPs or relay permissions are configured correctly.
  • Ensure client is providing proper domain, username, and password.
  • Try alternating between basic auth, integrated auth, or no authentication.

Timeouts and Access Denied

  • Check firewalls for blocked TCP ports between client and server.
  • Validate client IP has been added to relay access list if required.
  • Test telnet connectivity on port 25 or 587 to isolate issues.

Network Solutions Specific Troubleshooting

If experiencing problems connecting to Network Solutions for delivery:

  • Verify SMTP server hostname and ports match their setup requirements.
  • Try toggling between SSL, TLS, and no encryption based on their capabilities.
  • Ensure any blacklisted IP ranges are allowed in their filters.
  • Check that your reverse DNS records match SMTP server names.

Proper testing and debugging helps get your Windows Server SMTP environment humming along smoothly. Don’t hesitate to engage Microsoft support if issues persist.

Best Practices for Optimized Windows Server Email

Properly configuring SMTP and implementing email relay capabilities provide the foundation for sending outbound mail from Windows Server. However, more advanced architectural practices can take your environment to the next level.
Let’s explore key recommendations for enhancing security, deliverability, resilience, and performance of your email solution through industry best practices.

Recommended Architectural Principles

When designing a Windows Server email architecture, keep these principles in mind:

Redundancy – Employ multiple SMTP servers behind a load balancer to remove single points of failure. Distribute services across nodes.

Separation of Concerns – Isolate SMTP duties on dedicated servers instead of mixing with other apps on the same host. Separate internal vs external traffic.

Compartmentalization – Segment SMTP servers into their own secured network zone with tight firewall policies restricting access.

Monitoring – Track SMTP server health metrics, logging, and security events centrally to detect issues proactively.

Diversification – Spread delivery across multiple reputable email service providers to avoid reliance on a single vendor.

Automation – Script installation and configuration using tools like PowerShell DSC for consistency and efficiency.

Thoughtfully applying these principles enhances reliability, security, and performance.

Leveraging Virtualization

Running SMTP servers on virtual machines rather than physical hardware provides advantages:

  • Easy Scalability – Spin up additional SMTP VMs quickly to handle increased loads.
  • High Availability – Use failover clustering across hosts to minimize downtime.
  • Resilient Delivery – Distribute redundant SMTP VMs across data centers for geographic diversity.
  • Efficient Infrastructure – Consolidate multiple servers onto powerful virtualized hosts, optimizing resources.

Properly configuring Hyper-V (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or VMware provides a scalable, resilient platform for SMTP services.

Maintaining Email Deliverability

To ensure reliable delivery of outbound messages, focus on:

  • Warming Up IPs – Gradually increase volumes on new IPs to build reputation over time.
  • Monitoring Blacklists – Check major DNSBLs regularly and remediate if listed.
  • Managing Bounces – Detect and handle bounces gracefully, identifying persistent issues.
  • Controlling Outbound Spam – Implement outbound spam filters to protect sending reputation.
  • Enforcing Authentication – Require SMTP authentication from clients to reduce anonymous abuse.
  • Checking DNS Records – Validate proper PTR, SPF, and DKIM entries are published.

Proactively maintaining your email deliverability helps bolster your domain’s reputation and ensures customers reliably receive your messages.

Following SMTP email best practices on Windows Server sets your infrastructure up for scalability, security, resilience, and deliverability down the road. Your architecture choices and operational processes make a difference!

Key Takeaways for Configuring SMTP Servers and Email Relay on Windows Server 2022

Setting up and optimizing SMTP email capabilities on Windows Server involves several key steps and best practices:

  • Audit current email settings on Network Solutions to determine correct ports, servers, and encryption protocols needed.
  • Install the SMTP Server role and IIS dependencies to enable built-in Windows email functionality.
  • Configure basic SMTP parameters like relay permissions, authentication, and TLS encryption for security.
  • Evaluate the potential advantages of deploying a dedicated SMTP relay server for flexibility.
  • Use IIS Manager to set up a relay or leverage a third-party SMTP software solution.
  • Follow a methodical testing and troubleshooting approach to identify and correct any issues.
  • Design a redundant, segregated architecture using virtualization for scalability and failover protection.
  • Maintain email deliverability through warmup techniques, monitoring, and spam controls.

Carefully optimizing your Windows Server environment for stable, secure SMTP operations ensures your organization can exchange emails reliably. Utilizing industry best practices for performance, availability, and deliverability is key.

The steps and recommendations covered provide a blueprint for configuring robust SMTP servers and relays on Windows Server 2022 tailored to your infrastructure needs. With a properly designed email environment, your communications won’t be left out in the cold!

Here are some frequently asked questions related to configuring SMTP servers and email relay on Windows Server 2022:

Frequently Asked Questions

Q: What are the benefits of using Windows Server for SMTP?

A: Windows Server offers robust native SMTP capabilities through IIS without needing third-party software. It provides centralized management using role-based administration and PowerShell automation. Built-in functionality like SMTP relay, TLS encryption, and authentication simplifies configuration.

Q: When should I use an SMTP relay server?

A: Consider deploying a dedicated SMTP relay if you need to funnel mail through a single gateway for security, have problems with host blacklisting, utilize multiple internal mail systems, or require high volume capacity and redundancy.

Q: How do I enable SMTP relay in Windows Server?

A: Use the IIS Manager console to configure an SMTP Virtual Server, define a smart host target, and specify client IP addresses allowed to relay under the Access tab. Import any required TLS/SSL certificates.

Q: What are some common SMTP issues?

A: Typical problems include SMTP connection timeouts, protocol mismatches, TLS encryption errors, authentication failures, and access denied messages. Check firewalls, permissions, certificates, and protocols to resolve.

Q: How can I validate my SMTP configuration?

A: Perform basic SMTP port testing with telnet. Transmit test messages with sample headers and body content. Utilize the pickup directory and inspect protocol logs. Check for successful external delivery.

Q: What are some best practices for enterprise SMTP?

A: Recommended practices include redundancy, separation of concerns, compartmentalization, virtualization for HA and DR, automation, blacklisting prevention, bounce management, outbound spam filtering, and authentication.

Q: What should I check on Network Solutions when troubleshooting?

A: Audit SMTP server hostname, ports, encryption settings, and any blacklisting of your IP addresses on Network Solutions. Confirm TLS and authentication align between servers.

Q: What benefits does virtualizing SMTP provide?

A: Virtualization enables easy scalability, redundancy and uptime through failover clustering, resource optimization, and flexible network architecture.

Let us know if you have any other common SMTP questions we should add to help IT administrators!

The Why

There are several reasons you might need to create a mail relay on your Windows server. The most common is that you have network devices that need to send email but do not support the encryption and authentication protocols required by your email provider. Google Apps, for example, requires that any device sending through the smtp.gmail.com server supports either SSL or TLS. Some older devices don’t, and it seems a little excessive to replace a multi-thousand-pound device for something so trivial. For sending to internal users on Google Mail it’s possible to simply use the aspmx.l.google.com MX server, but this isn’t a terribly scalable solution and won’t work in a lot of cases.

The What

The simple solution, as the title hints, is to set up a mail relay server. This will be configured to accept email from inside your network, either anonymously or with basic authentication, over an unencrypted connection and to then send the email onwards via your mail provider’s server, connecting using whichever protocols they require.

The How

The first step is to install the SMTP server service. IIS 7 improves over IIS 6 in many ways, however it does not include any form of SMTP service (FTP was also not offered at release but was shipped with 7.5 and as an out-of-band update for 7.0). This means we need to use the IIS 6 SMTP service. This can be installed from Server Manager’s Add Roles and Features; it’s listed as “SMTP Server” in the “Features” section. Selecting it for install will trigger a popup to prompt for dependency install:

install-smtp-service

It can also be installed using the PowerShell Add-WindowsFeature cmdlet, deprecated in 2012 and replaced by the almost-identical Install-WindowsFeature cmdlet:

Add-Windowsfeature SMTP-Server

Notice one of the dependencies installed is “IIS 6 Management Tools”. This should give a hint as to how we’ll be managing and configuring this. Open up the “Internet Information Services (IIS) 6.0 Management” administrative tool (%windir%\system32\inetsrv\InetMgr6.exe):

IIS-6-manager

Expand the server and right-click –> Properties on the “SMTP Virtual Server #1” to open the properties window for the SMTP server – this window will be familiar to anyone who’s worked with SMTP in IIS 6:

SMTP-Virtual-server-properties

I won’t go into too much detail except for the relevant settings; most of this property dialog is described in some detail elsewhere. The sections important to us are:

  • Access: This tab defines how our devices will be allowed to connect to this server and what restrictions will be applied to protocols and content allowed.
  • Delivery: This tab defines how the server sends messages onwards; this is where we’ll configure Google’s SMTP server and the authentication required for it.

Access

There are two obvious ways to restrict who’s allowed to send email through this server. The first is by IP address: if we only allow access to the SMTP server from the IP address assigned to the scanner, then no-one else should be able to use it (unless they specifically configure their device to use the address in question). The second is by user: we can create a user account for the scanner and configure it to authenticate against the SMTP relay using basic authentication. I’m going to opt for the latter as it’s a more flexible solution; it will work for additional devices without reconfiguration, it allows me to use dynamic IPs for my scanners and it’s not vulnerable to clients simply changing their IP address.

First we’ll need to create a user in Active Directory (or Local Users and Groups if a domain isn’t being used). I’ll leave this as an exercise for the reader. Then we’ll need to go to the “Access” tab on the SMTP Server Properties and click “Authentication”. We’ll disable Anonymous access and enable “Basic Authentication”. Windows will warn that this will result in passwords being sent over the network in plain text – this is unavoidable in this context and to be frank if there are rogue users running protocol analyzers on your network I’d leave the scanner setup for another day…

basic-authentication

While we’re here, click on “Relay” and check that the box labeled “Allow all computers which successfully authenticate to relay…” is ticked.

This has configured the server to allow basic authentication for SMTP connections and to relay mail for any authenticated connection but hasn’t actually granted access to our user. This can be done on the Security tab – I imagine to have got this far you’re familiar with that process.

add-user

Delivery

On the “Delivery” tab, there are three buttons at the bottom – we’ll need to configure settings in all three of these.

delivery-options

I’d start, counter-intuitively, with the “Advanced” button:
Here we’ll need to enter into the “Smart host” box the FQDN of the server we want to send through – in this example Google’s smtp.gmail.com server, but this could equally be an Office 365 or ISP-provided email server. Leave everything else on its default settings (although for completeness you may wish to change the “Fully-qualified domain name” to match the reverse DNS entry for the IP address the connections will go out through), and make sure the “Attempt direct delivery….” box isn’t checked.

Next, the Outbound Security window. We’ll need to enter here details of an account that is authorized to send through the server configured on the “Advanced Delivery” page – I’d recommend setting up an account specifically for this purpose with your email provider. You’ll also need to tick the “TLS encryption” checkbox, or we’ll be trying to authenticate in-the-plain against the provider’s server putting us right back to square one!

Almost done. Chances are your mail provider’s server isn’t listening for TLS connections on port 25. In the case of the smtp.gmail.com server we’re using, TLS is expected to use port 587. We can configure IIS to send to this port on the “Outbound Connections” page – simply replace 25 with the port required by your provider:

Conclusion

That should be you ready to go. We’ve created a new SMTP virtual server and configured it to:

  • Listen for connections on an internal IP address
  • Accept authentication provided in basic (plain-text) format by the scanner/device
  • Accept emails once the device is authenticated
  • Connect to the mail provider’s SMTP servers using TLS encryption
  • Forward the emails to the mail provider’s server for onward delivery.

If you can’t get this working, please leave a comment below and we’ll see if we can get you working!

Our requirement is to set up an SMTP relay on a Windows machine that will send notification emails to one or more customers through the Office 365 connector. This Windows machine, acting as an application server, will send notifications for application errors and job failures. An SMTP relay is mostly used for sending outgoing mail.

Prerequisites:

  1. You have an Office 365 license
  2. The public domain is set up and ready to use
  3. Mail server records have been added to the DNS hosting server
  4. The SMTP server needs a public IP or else internet access via a proxy
  5. Outgoing traffic on port 25 should be open
  6. An email account to test email functionality

High-level steps:

A. Setup connector
B. SMTP server setup in Windows
C. Test outgoing mail via SMTP and Application server

A. Setup Connector

1. First, I will obtain a static public IP for the SMTP relay server.

2. Log in to the domain registrar website where you added your mail-related records

3. Go to the domain setting of your domain

4. Modify the value of the SPF record as shown below. I have added the static public IP of the SMTP server. This addition keeps your outgoing mail from going into customers’ spam mailboxes.

v=spf1 ip4:1.186.10.10 include:spf.protection.outlook.com -all

Important note: In the TXT record value, use the public IP through which the server reaches the Internet: the server’s own IP, or the proxy or firewall IP.

5. Log in to the M365 admin center and expand all options; you will find the Exchange admin center there. Click on it and a new window will open.

6. Go to Mail Flow -> connector

7. Create a new connector.

o365 connector

8. Provide metadata

Connector Details

9. Authentication to send mail.

Allowed specific IP to send a mail

10. Review the summary page and create the connector.
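
An added example, not part of the original article: a PowerShell check for an SPF value like the one in step 4, run before the record is published. It flags mechanism names that SPF does not define (receivers treat such a record as a permanent error), confirms that the relay's public IP falls inside an ip4 range, and checks for a closing -all. The function names and both sample records are constructed for illustration.

```powershell
# Added example (not from the original article). Sample records are constructed.
function ConvertTo-Ip4Number([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "not an IPv4 address: $Address" }
    # Bytes are in network order; a double holds a 32-bit value exactly.
    return [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + $b[3]
}

function Test-Ip4InCidr([string]$Address, [string]$Cidr) {
    $net, $len = $Cidr -split '/', 2
    if ($null -eq $len) { $len = 32 }
    if ([int]$len -lt 0 -or [int]$len -gt 32) { throw "bad prefix length: $len" }
    $size = [math]::Pow(2, 32 - [int]$len)          # addresses per block
    $a = [math]::Floor((ConvertTo-Ip4Number $Address) / $size)
    $n = [math]::Floor((ConvertTo-Ip4Number $net) / $size)
    return $a -eq $n
}

function Test-SpfRecord {
    param([string]$Record, [string]$RelayIp)
    $known = 'all', 'include', 'a', 'mx', 'ptr', 'ip4', 'ip6', 'exists'
    $issues = @(); $covered = $false; $allTerm = $null
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { $issues += 'record must start with v=spf1' }
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        if ($term -match '^(redirect|exp)=') { continue }   # modifiers, not mechanisms
        $m = [regex]::Match($term, '^([+\-~?]?)([A-Za-z0-9]+)(?:[:/](.*))?$')
        if (-not $m.Success) { $issues += "unparseable term '$term'"; continue }
        $name = $m.Groups[2].Value.ToLower()
        $arg = $m.Groups[3].Value
        if ($known -notcontains $name) {
            $issues += "unknown mechanism '$name' in '$term' (evaluates to permerror)"
            continue
        }
        if ($name -eq 'ip4') {
            try { if (Test-Ip4InCidr $RelayIp $arg) { $covered = $true } }
            catch { $issues += "bad ip4 argument in '$term'" }
        }
        if ($name -eq 'all') { $allTerm = $m.Groups[1].Value + 'all' }
    }
    if (-not $covered) { $issues += "relay IP $RelayIp is not covered by any ip4 mechanism" }
    if ($allTerm -ne '-all') { $issues += "no hard-fail '-all' term" }
    [pscustomobject]@{
        Record = $Record; RelayCovered = $covered; Issues = $issues
        Usable = ($issues.Count -eq 0)
    }
}

# Constructed samples: a mistyped mechanism name (ipv4), then the well-formed record.
$samples = 'v=spf1 ipv4:1.186.10.10 include:spf.protection.outlook.com -all',
           'v=spf1 ip4:1.186.10.10 include:spf.protection.outlook.com -all'
$samples | ForEach-Object { Test-SpfRecord -Record $_ -RelayIp '1.186.10.10' } | Format-List
```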

B. SMTP server setup in Windows

1. Spin up a Windows machine with Server 2016

2. Install SMTP server and Telnet Client. Telnet client will help in SMTP port testing.

Add SMTP features

3. Open Server Manager –> Tools –> IIS 6.0 Manager

4. Right-click on the SMTP server and open Properties. Under the General tab, click Advanced and set port 25 if it is not already set. Keep the remaining settings as they are.

General setting under SMTP

5. Under the Access tab, click Connection and keep the “all except the list below” option

Connection Tab

6. Next, click Relay on the Access tab and keep the “all except the list below” option. You can also limit relay to specific servers.

Relay Restriction

7. Keep the message tab as it is

8. Under the Delivery tab, keep anonymous access under Outbound Security. You can also use basic authentication with the credentials of a user who has the Send As right.

Outbound Security

9. Under the Delivery tab, make no change in Outbound Connections; click Advanced and set the smart host to the MX record value (available from the Office 365 admin)

Smart Host Setting

10. Before starting testing, it is good practice to restart the SMTP service through the console.

Stop/Start SMTP service

C. Test outgoing mail via SMTP and Application server.

C.1 Testing From SMTP Relay Server

1. Download an SMTP client from the internet. Installing it requires .NET Framework 3.5.

2. After installing it, open it

3. Enter localhost, the port, From, To, Subject and Body, then click Send

SMTP Client Tool for Testing

4. Check whether mail with the subject Test mail 5 is received.

Test mailbox

C.2. Testing from Application machine

1. Download an SMTP client from the internet. Installing it requires .NET Framework 3.5.

2. After installing it, open it

3. Add either SMTP relay server public IP or public A record, then the port number

4. Further add value in From, To, Subject and Body

SMTP Client on Application Server

5. Check whether mail with the subject Client mail 1 is received.

Test mailbox

This is how we can set up an SMTP relay on a Windows machine and test it in a simple way.
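
A scripted counterpart to the GUI tests in section C and to the authenticated-relay setup described earlier, as an added example that is not part of the original articles. It speaks SMTP to the relay without credentials, records which AUTH mechanisms and STARTTLS are advertised, and reports whether an unauthenticated client may relay to an outside recipient. The host name and addresses are placeholders, and no DATA command is sent, so nothing is queued.

```powershell
# Added example (not from the original articles). Server and addresses are placeholders.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # A reply may span several lines: "250-..." continues, "250 ..." ends it.
    $lines = @()
    do { $line = $Reader.ReadLine(); $lines += $line } while ($null -ne $line -and $line -match '^\d{3}-')
    return ,$lines     # leading comma keeps a one-line reply as an array
}

function Test-SmtpRelayPolicy {
    param(
        [string]$Server = 'relay.example.internal',   # placeholder relay host
        [int]$Port = 25,
        [string]$From = 'probe@example.com',          # placeholder sender
        [string]$To = 'probe@example.net'             # placeholder external recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000                   # fail instead of hanging
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $null = Read-SmtpReply $reader                # 220 banner
        $writer.WriteLine("EHLO $env:COMPUTERNAME")
        $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$From>")
        $mail = Read-SmtpReply $reader
        $rcpt = @('(not sent)')
        if ($mail[-1] -match '^250') {
            $writer.WriteLine("RCPT TO:<$To>")
            $rcpt = Read-SmtpReply $reader
        }
        $writer.WriteLine('RSET'); $null = Read-SmtpReply $reader   # abandon the transaction
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Server          = "${Server}:$Port"
            AuthMechanisms  = @($ehlo -match '^250[- ]AUTH[ =]') -replace '^250[- ]AUTH[ =]', ''
            StartTlsOffered = [bool]($ehlo -match '^250[- ]STARTTLS')
            AnonymousRelay  = [bool]($rcpt[-1] -match '^250')
            MailFromReply   = $mail[-1]
            RcptReply       = $rcpt[-1]
        }
    }
    finally { $client.Close() }
}

Test-SmtpRelayPolicy | Format-List
```

Run it from a host that should not be allowed to relay: AnonymousRelay should come back False there, and an AUTH line with StartTlsOffered False means client passwords cross the network unencrypted.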
