5.2 Installing On An IIS Mail Relay Server: 5 Pre-Install Actions
5.2 Installing on an IIS mail relay server

In order to install GFI MailSecurity on a mail relay/gateway machine, it must be running the IIS SMTP service and World Wide Web service. You must also configure the machine as an SMTP relay to your mail server. This means that the MX record of your domain must be pointing to the gateway machine. This section describes how to configure your mail relay to install GFI MailSecurity.

5.2.1 Step 1: Install the IIS SMTP service

If the IIS SMTP service is not installed, install it on the mail relay server as described in the following sub-sections.

Windows Server 2003

1. Navigate to Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components.
2. Select Internet Information Services (IIS) and click Details.
3. Select the SMTP Service option and click OK.
4. Click Next to finalize your configuration.

Windows Server 2008

Enabling IIS SMTP service

1. Launch the Windows Server Manager.
2. Navigate to the Features node and select Add Features.
3. From the Add Features Wizard, select the SMTP Server checkbox.
NOTE: The SMTP Server feature might require the installation of additional role services and features. Click Add Required Role Services to proceed with installation.
4. In the following screens, click Next to configure any required role services and features, and click Install to start the installation.
5. Click Close to finalize the configuration.

5.2.2 Step 2: Specify mail relay server name and IP address

1. From Control Panel, open Administrative Tools and launch Internet Information Services.
2. Expand the server name node, right-click the Default SMTP Virtual Server node and click Properties.

Screenshot 3 - Assign an IP address to the mail relay server

3. Key in the IP address of the SMTP relay server in the IP address list and click OK.

5.2.3 Step 3: Configure the SMTP service to relay mail to your mail server

Now you must configure the SMTP service to relay inbound messages to your mail server. Start by creating a local domain in IIS to route mail:

1. From Control Panel, open Administrative Tools and launch Internet Information Services.
2. Expand the server name node and navigate to Default SMTP Virtual Server > Domains. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.
3. Configure the domain for inbound message relaying as follows:
a) Right-click the Domains node and click New Domain.

Screenshot 4 - SMTP Domain Wizard - Selecting domain type

b) Select Remote and then click Next.
c) Type the domain name in the Name box and then click Finish.

NOTE: Upon installation, GFI MailSecurity will import Local Domains from the IIS SMTP service. If you add additional Local Domains in the IIS SMTP service, you must also add these domains to GFI MailSecurity, because GFI MailSecurity does not detect newly added Local Domains automatically. You can add more Local Domains using the GFI MailSecurity configuration. For more information, refer to the Adding Local Domains section in the GFI MailSecurity Administration & Configuration manual.

5.2.4 Step 4: Configure the domain to relay email to your mail server

1. Right-click the domain you just created and then click Properties. Select the Allow the Incoming Mail to be relayed to this domain check box.

Screenshot 5 - Configure the new domain

2. In the Route domain dialog box, click Forward all email to smart host and type the IP address (in square brackets) of the server which will handle the emails addressed to this new domain. For example, [123.123.123.123]
NOTE: The square brackets are used to differentiate an IP address from a hostname (which does not require square brackets).
3. Click OK.

5.2.5 Step 5: Secure your mail relay server

In this step, you will set up your SMTP virtual server's mail Relay Restrictions. This means that you must specify which machines may relay email through this virtual server (effectively limiting the servers that can send email via this server).

1. Right-click the Default SMTP Virtual Server node and then click Properties.
2. In the properties dialog box, click the Access tab and then click Relay to open the Relay Restrictions dialog box.

Screenshot 6 - Relay Restrictions dialog

3. Click Only the list below and then click Add to specify the list of permitted computers.

Screenshot 7 - Specify machines which may relay email via virtual server

4. In the Computer dialog box, specify the IP of the mail server that will be forwarding the email to this virtual server. You can specify the IP of a single computer, group of computers or a domain:
- Single computer: Select this option to specify one particular host that will relay email via this server. If you want to look up the IP address of a specific host, click DNS Lookup.
- Group of computers: Select this option to specify the base IP address for the computers that you want to relay.
- Domain: Select this option to include all the computers of a specified domain. This means that the domain controller will openly relay emails via this server. Note that this option adds processing overhead and may reduce SMTP service performance because it includes reverse DNS lookups to verify the domain name of all IP addresses that try to relay.
Click OK to add the entry to the list.

5.2.6 Step 6: Configure your mail server to relay email via the Gateway server

After you have configured the IIS SMTP service to send and receive email, you must configure your mail server to relay all email to the mail relay server:

Microsoft Exchange Server 4/5/5.5

1. Start the Microsoft Exchange Administrator and double-click on Internet Mail Service to open the properties configuration dialog box.

Screenshot 8 - The Microsoft Internet mail connector

2. Click the Connections tab and in the Message Delivery area click Forward all messages to host. Type the computer name or IP of the machine running GFI MailSecurity.
3. Click OK and restart the Microsoft Exchange Server from the services applet.

Microsoft Exchange Server 2000/2003

You will need to set up an SMTP connection that forwards all email to GFI MailSecurity:

1. Start the Exchange System Manager.
2. Right-click the Connectors node, click New SMTP Connector and then specify the connector name.
3. Click Forward all mail through this connector to the following smart host, type in the IP of the GFI MailSecurity server (the mail relay/Gateway server) and then click OK.
NOTE: Always enclose the IP address within square brackets [ ]. For example, [100.130.130.10].
4. Select the SMTP Server that must be associated to this SMTP Connector. Click the Address Space tab, and then click Add. Click SMTP and then click OK to accept the changes.
5. Click OK. All emails will now be forwarded to the GFI MailSecurity machine.

Lotus Notes

1. Double-click the Address Book in Lotus Notes.
2. Click the Server item to expand its sub-items.
3. Click Domains and then click Add Domains.
4. In the Basics section, click Foreign SMTP Domain from the Domain Type field and in the Messages Addressed to area, type * in the Internet Domain box.
5. Under the Should be routed to area, specify the IP of the machine running GFI MailSecurity in the Internet Host box.
6. Save the settings and restart the Lotus Notes server.

SMTP/POP3 mail server

1. Start the configuration program of your mail server.
2. Search for the option to relay all outbound email via another mail server. This option will be called something similar to Forward all messages to host. Enter the computer name or IP of the machine running GFI MailSecurity.
3. Save the new settings and restart your mail server.

5.2.7 Step 7: Modify the MX record of your domain to point to the mail relay server

NOTE: If your ISP manages the DNS server, ask your provider to update it for you.

Since the new mail relay server must receive all inbound email first, you must update the MX record of your domain to point to the IP of the new mail relay/Gateway server. Otherwise, email will continue to go to your mail server and bypass GFI MailSecurity.

Verify the MX record of your DNS server as follows:

1. Open the command prompt, type nslookup and press Enter.
2. Type set type=mx and press Enter.
3. Type your mail domain and press Enter.
4. The MX record should return a single IP that must correspond to the IP of the machine running GFI MailSecurity.
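
The check in item 4 can be automated over saved nslookup output. The following is an added example, not part of the GFI manual; the domain, host names and IP addresses are constructed placeholders, and the gateway IP passed to mx_bypasses is an assumption you replace with your own.

```python
import re

# Constructed nslookup output (after "set type=mx") for a placeholder domain.
# The second MX still points at the internal mail server, not the gateway.
SAMPLE_NSLOOKUP = """\
Non-authoritative answer:
example.com\tMX preference = 10, mail exchanger = relay.example.com
example.com\tMX preference = 20, mail exchanger = mail.example.com

relay.example.com\tinternet address = 203.0.113.10
mail.example.com\tinternet address = 203.0.113.25
"""

MX_RE = re.compile(r"(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
A_RE = re.compile(r"(\S+)\s+internet address = (\S+)$")


def parse_mx(output):
    """Return [(preference, exchanger, [ip, ...]), ...] sorted by preference."""
    addrs, records = {}, []
    for line in map(str.strip, output.splitlines()):
        if m := A_RE.match(line):
            addrs.setdefault(m[1].lower().rstrip("."), []).append(m[2])
        elif m := MX_RE.match(line):
            records.append((int(m[2]), m[3].lower().rstrip(".")))
    return sorted((pref, name, addrs.get(name, [])) for pref, name in records)


def mx_bypasses(output, gateway_ip):
    """List MX hosts that do not resolve to the gateway IP alone.

    Each entry is a delivery path that skips the mail relay.
    """
    problems = []
    for pref, name, ips in parse_mx(output):
        if not ips:
            problems.append((pref, name, "no address in answer"))
        elif set(ips) != {gateway_ip}:
            problems.append((pref, name, "resolves to " + ", ".join(ips)))
    return problems


if __name__ == "__main__":
    # 203.0.113.10 stands in for the gateway's public IP (assumption).
    for pref, name, why in mx_bypasses(SAMPLE_NSLOOKUP, "203.0.113.10"):
        print(f"MX {pref} {name}: {why}")
```

A lower-priority MX that still resolves to the mail server is reported even when the primary MX is correct, because senders may deliver to any listed exchanger.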

Screenshot 9 - Checking the MX record of your domain

5.2.8 Step 8: Test your new mail relay server

Before you proceed to install GFI MailSecurity, verify that your new mail relay server is working correctly.

1. Test the IIS SMTP inbound connection of your mail relay server by sending an email from an external account to an internal user. Verify that the email client receives the email.
2. Test the IIS SMTP outbound connection of your mail relay server by sending an email to an external account from an internal email client. Verify that the external user receives the email.

NOTE: Instead of using an email client, you can send email manually through Telnet. This will give you more troubleshooting information. For more information, refer to:
http://support.microsoft.com/support/kb/articles/Q153/1/19.asp
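
A scripted version of the manual SMTP test, which also confirms that the Relay Restrictions from Step 5 took effect. This is an added example, not part of the GFI manual; the function names, verdict labels and all addresses are assumptions made for illustration.

```python
import smtplib


def classify(local_code, external_code):
    """Interpret the two RCPT TO reply codes seen from an unlisted host."""
    if not 200 <= local_code < 300:
        return "inbound-broken"  # relay refuses mail for its own domain
    if 200 <= external_code < 300:
        return "open-relay"      # relay accepts mail for a foreign domain
    return "restricted"          # expected result after Step 5


def probe_relay(host, sender, local_rcpt, external_rcpt,
                port=25, helo_name="probe.invalid", timeout=10):
    """Ask the relay whether it would accept each recipient.

    Only envelope commands are sent (no DATA), so no message is queued.
    Run it from a machine that is NOT in the Relay Restrictions list.
    """
    codes = {}
    with smtplib.SMTP(host, port, local_hostname=helo_name,
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for label, rcpt in (("local", local_rcpt), ("external", external_rcpt)):
            smtp.mail(sender)
            codes[label] = smtp.rcpt(rcpt)[0]  # (code, message) -> code
            smtp.rset()                        # drop the envelope again
    return classify(codes["local"], codes["external"]), codes


if __name__ == "__main__":
    # Constructed reply codes: local recipient accepted, foreign one refused.
    print(classify(250, 550))
    # Against your own relay (placeholder values, replace before use):
    # probe_relay("203.0.113.10", "probe@example.net",
    #             "user@example.com", "probe@example.net")
```

Some servers accept every recipient at RCPT TO and reject later, so treat "restricted" as confirmation of the recipient-stage check only and keep the end-to-end tests above.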