Setup and Configure SMTP Server on Windows Server 2012

The steps to setup and configure an SMTP Server or mail relay on Windows Server 2012 are very similar to those for Windows Server 2008 except for a few differences. Confusion has arisen due to GUI changes in Server 2012, which has led me to create this post to help anyone that requires explicit step-by-step instructions.

Note: The exact steps for installing SMTP Server on Windows Server 2008 can be found in this previous post of mine.

Installing the SMTP feature

1. Click on the Server Manager icon in the bottom left-hand corner to load the Server Manager Dashboard:

Alternatively, click on the PowerShell icon to its right and enter servermanager.exe at the prompt to load the Server Manager Dashboard:

PS C:\Users\Admin> servermanager.exe

2. When the Server Manager Dashboard loads, click on Add roles and features in the center pane as highlighted below:

The Add Roles and Features Wizard will load, click Next to go past the initial Before You Begin Page:

3. In the Installation Type section, select Role-based or feature-based installation and click Next:

4. In the Server Selection section, select your server (in my example below, my server is called 2012), then click Next to proceed:

5. In the Server Roles section select Web Server (IIS) as highlighted below and click Next:

Doing so will initiate a prompt to install the required IIS Management Console. Ensure you check the Include management tools (if applicable) box per the below and click Add Features to proceed:

6. In the Features section, select the SMTP Server feature then click Install to proceed:

You will be prompted to install the services and features required by the SMTP Server. Ensure you check the Include management tools (if applicable) box per the below and click Add Features to proceed:

7. You will now be presented with the Web Server Role (IIS) section. Click Next to proceed:

In the Role Services section, scroll down and under Management Tools select the services to match those checked in screenshot below then click Next to proceed:

8. The Confirmation section will show all the role and feature configuration options you previously selected:

Click Install to start the installation:

The installation should complete shortly. You may need to reboot your server to fully complete the installation.

Configuring the SMTP Server

The next step is to configure SMTP. To do so we will need to open Internet Information Services (IIS) 6.0 Manager. Click on the Server Manager icon per step 1 to load the Server Manager Dashboard. Then click Tools and then click on Internet Information Services (IIS) 6.0 Manager to load IIS 6.0 Manager:

9. In IIS 6 Manager, expand the server name, in my example below it is 2012, then right-click on SMTP Server and select Properties:

10. In the General tab, unless you want the SMTP Server to use a specific IP address, leave the settings as they are so that the IP address is set to (All Unassigned):

11. To proceed, click on the Access tab:

12. Click on the Authentication button and ensure Anonymous access is checked and then click OK:

13. Once back in the Access tab, click on the Connection button. Select Only the list below and then click Add. Enter 127.0.0.1 as the IP address and then click OK:

The Connection setting controls which computers can connect to the SMTP server and send mail. Granting access only to localhost (127.0.0.1) means that only the server itself can connect to the SMTP server. This is a security requirement. Click OK to return to the Access tab and then click on the Relay button. Enter 127.0.0.1 as the IP address and then click OK:

The Relay section determines which computers can relay mail through this SMTP server. Granting relay permissions only to the localhost IP address (127.0.0.1) means that only the server itself can relay mail. This prevents the SMTP server from becoming an open relay that other computers on the internet could use to send unsolicited spam email, which could lead to the SMTP server being blacklisted.
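To confirm that the Connection and Relay restrictions behave as described, the PowerShell function below (an added example, not part of the original post) runs a minimal SMTP dialogue against the server: it connects, sends EHLO, MAIL FROM and RCPT TO for an address on a domain this server does not host, and reports whether that recipient was accepted. Run it once on the server itself, where localhost is expected to be allowed, and once from another machine on your network, which should be turned away. The server name, sender address and recipient address are placeholders.

```powershell
# Added example (not from the original post): exercise the SMTP Connection and
# Relay restrictions with a short, hand-driven SMTP dialogue over TCP port 25.
# Defaults are placeholders; adjust them to your own environment.
function Test-SmtpRelay {
    param(
        [string]$Server = 'localhost',
        [int]$Port = 25,
        [string]$From = 'blog@yourdomain.com',
        [string]$To = 'someone@example.org'   # a domain this server does NOT host
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port) }
    catch { return "Connection refused or blocked: $($_.Exception.Message)" }

    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Reads one complete SMTP reply: continuation lines look like "250-..." and
    # the final line of the reply looks like "250 ...".
    $readReply = {
        do { $line = $reader.ReadLine() }
        while ($null -ne $line -and $line.Length -ge 4 -and $line[3] -eq '-')
        return $line
    }

    try {
        $banner = & $readReply
        if ($null -eq $banner -or -not $banner.StartsWith('220')) {
            # A client outside the Connection list is turned away before any command.
            return "Connection not accepted by the SMTP service: $banner"
        }
        $writer.WriteLine('EHLO relaytest.local');  $null = & $readReply
        $writer.WriteLine("MAIL FROM:<$From>");     $null = & $readReply
        $writer.WriteLine("RCPT TO:<$To>");         $rcpt = & $readReply
        $writer.WriteLine('RSET');                  $null = & $readReply
        $writer.WriteLine('QUIT')                   # nothing is actually sent
        if ($rcpt.StartsWith('250')) { return "RELAY ALLOWED for $To ($rcpt)" }
        return "Relay denied for $To ($rcpt)"
    } catch {
        return "SMTP dialogue failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# On the server itself this should report RELAY ALLOWED (localhost is listed);
# from any other machine it should report that the connection was not accepted.
Test-SmtpRelay -Server 'localhost'
```

A reply to RCPT TO beginning with 250 means the server would relay for that client, which is the intended result only for localhost. If the Connection list were ever widened but the Relay list were not, the RCPT TO from the extra host would instead be refused with a 5xx reply (the IIS SMTP service typically answers 550 5.7.1 Unable to relay), which is the behaviour that keeps the server from being an open relay.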

14. Next, go to the Messages tab. Here you can enter an email address where copies of non-delivery reports are sent to. You can also configure the location of the Badmail directory; however, the default setting should suffice:

15. Next, go to the Delivery tab:

16. Click on the Outbound Security button and ensure Anonymous access is selected. As the only host that can connect to and relay mail through the SMTP server is localhost, this security setting is fine:

17. Click OK to return to the Delivery tab and then click on Outbound Connections. Leave the defaults as they are:

18. Click OK to return to the Delivery tab and then click on Outbound Connections, then click on the Advanced button:

Here you will need to enter the fully-qualified domain name of the SMTP server. This will be the host name or A record that has been created in your DNS zone file. This is straightforward to do, but you will have to confirm how to do it with the party that manages DNS for your domain. I have entered mail.vsysad.com as this is fully-qualified. If you click on the Check DNS button you can confirm whether your chosen name resolves successfully. In my case it does, as I see the following:

19. Click OK and then OK again to exit the SMTP Virtual Server Properties. You can also perform this test by running nslookup to confirm the existence of the host name as well as confirming the IP address it resolves to – which should be the IP address of your server:

You can also run the nslookup command from PowerShell:

Please note that DNS is crucial to successful email delivery. If your SMTP server cannot resolve the domains it is trying to send messages to then it will fail. Ensure that the DNS servers you have configured are able to resolve DNS queries successfully. From the above screenshot you can see that the DNS server I have configured, cachens2.dfw1.rackspace.com, was able to successfully resolve my SMTP server’s hostname, mail.vsysad.com. This is one of Rackspace’s many DNS servers and I am 100% confident it works fine.

The reason I am highlighting this is that if your SMTP Server sits within a corporate network it will likely use an internal DNS server. Often these are only configured to resolve internal namespaces, so resolving external hostnames may fail. Also, firewall rules may block your SMTP Server from querying any DNS servers, so please check and ensure DNS queries are resolved successfully and, if not, make sure it gets fixed before going on to the testing phase below.

Another very important point about DNS is that you must ensure that you have a PTR record for reverse DNS lookups configured. The PTR record allows your SMTP Server’s public IP address to be resolved back to your hostname. Some of the major email providers perform reverse DNS lookups of mail servers connecting to them as a security measure to check their credibility or reputation. Your web host should have a control panel that allows you to configure reverse DNS if you have a dedicated public IP address. Not having a PTR record will not guarantee email delivery failure, but it will very likely delay email delivery and at worst may result in your messages being blocked and your host being blacklisted. I highly recommend you configure a PTR record for your server.

Follow the instructions in this post which shows you how to verify correct DNS configuration using the SMTPDIAG tool.
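The forward lookup of the server's FQDN, the matching PTR record and the MX resolution needed for outbound delivery can all be checked together with Resolve-DnsName, which ships with Windows Server 2012 and later. The function below is an added example and not part of the original post; the host name and recipient domain are placeholders for your own values.

```powershell
# Added example (not from the original post): check the three DNS prerequisites
# for outbound mail with Resolve-DnsName (Windows Server 2012+ / PowerShell 3+).
function Test-SmtpDns {
    param(
        [string]$HostName = 'mail.yourdomain.com',   # the FQDN entered under Advanced
        [string]$RecipientDomain = 'gmail.com'       # a domain you intend to send to
    )
    $result = New-Object PSObject -Property @{
        HostName         = $HostName
        ARecord          = $null
        PtrRecord        = $null
        ForwardConfirmed = $false    # PTR name matches the FQDN (what providers check)
        RecipientMx      = @()
    }
    try {
        # 1. Forward lookup: the FQDN must resolve to the server's public IP.
        $a = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $result.ARecord = $a.IPAddress

        # 2. Reverse lookup: passing the IP address makes Resolve-DnsName query the PTR.
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop |
               Where-Object { $_.Type -eq 'PTR' } | Select-Object -First 1
        $result.PtrRecord = $ptr.NameHost
        $result.ForwardConfirmed = ($ptr.NameHost.TrimEnd('.') -ieq $HostName)

        # 3. Outbound delivery depends on resolving MX records for recipient domains.
        $result.RecipientMx = Resolve-DnsName -Name $RecipientDomain -Type MX -ErrorAction Stop |
                              Where-Object { $_.Type -eq 'MX' } |
                              Sort-Object Preference |
                              Select-Object -ExpandProperty NameExchange
    } catch {
        # Any failure here (NXDOMAIN, unreachable resolver, blocked port 53) will
        # also make the SMTP service's own lookups fail.
        Write-Warning "DNS lookup failed: $($_.Exception.Message)"
    }
    return $result
}

Test-SmtpDns -HostName 'mail.yourdomain.com' -RecipientDomain 'gmail.com' | Format-List
```

ForwardConfirmed is the value to watch: an A record that resolves but a PTR record that points at a different name (or does not exist) is exactly the condition that makes some providers delay or reject mail from the server.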

20. The last configuration step will be to set the SMTP Service to Automatic so that it automatically starts when the server boots up. Open up the PowerShell console and run the command below to enable this setting:

PS C:\Users\Admin> set-service smtpsvc -StartupType Automatic

Then run the command below to confirm that the service is actually running:

PS C:\Users\Admin> get-service smtpsvc

Status   Name               DisplayName
------   ----               -----------
Running  smtpsvc            Simple Mail Transfer Protocol (SMTP)

If the SMTP Service is not running the command will return a status of Stopped. If that is the case then run the command below to start it:

PS C:\Users\Admin> start-service smtpsvc

We are now ready to test the configuration.

Testing the SMTP Server

The next step is to verify that the SMTP server is able to send email successfully. To do this follow the steps below:

21. Create a text file on your desktop called email.txt and paste the following into it, remembering to change the email address information to reflect your own details:

From: blog@yourdomain.com
To: email@yourdomain.com
Subject: Email test

This is the test body of the email

.

22. Save the changes to email.txt and then copy the file to C:\inetpub\mailroot\Pickup. The SMTP server monitors this folder and when it detects the email.txt file, it will read the contents and send the email to the address in the To: section. This should happen almost immediately.
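The same Pickup-folder test can be scripted so that it also tells you where the message went afterwards. The function below is an added example rather than the post's own procedure: it writes the message with ASCII encoding and CRLF line endings, moves it into Pickup, waits for the service to collect it, and then reports whether new files appeared in the Queue or Badmail folders. It assumes the default mailroot layout (C:\inetpub\mailroot with Pickup, Queue and Badmail subfolders) and the sender and recipient addresses are placeholders.

```powershell
# Added example (not from the original post): drop a test message into the Pickup
# folder and report whether the SMTP service collected, queued or rejected it.
function Send-PickupTest {
    param(
        [string]$From = 'blog@yourdomain.com',
        [string]$To = 'email@yourdomain.com',
        [string]$MailRoot = 'C:\inetpub\mailroot',
        [int]$TimeoutSeconds = 30
    )
    $pickup  = Join-Path $MailRoot 'Pickup'
    $queue   = Join-Path $MailRoot 'Queue'     # messages awaiting delivery attempts
    $badmail = Join-Path $MailRoot 'Badmail'   # messages the service gave up on

    # Remember how many files each folder held before the test.
    $before = @{}
    foreach ($dir in $queue, $badmail) { $before[$dir] = @(Get-ChildItem $dir).Count }

    # A Pickup file is plain message text: headers, one blank line, then the body.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $lines = @(
        "From: $From",
        "To: $To",
        "Subject: Pickup test $stamp",
        "",
        "This is the test body of the email (pickup test $stamp)."
    )

    # Write the file elsewhere first, then move it, so the service never sees a
    # half-written file in Pickup.
    $tmp = Join-Path $env:TEMP "pickuptest-$stamp.txt"
    [System.IO.File]::WriteAllText($tmp, ($lines -join "`r`n") + "`r`n",
                                   [System.Text.Encoding]::ASCII)
    $file = Join-Path $pickup (Split-Path $tmp -Leaf)
    Move-Item $tmp $file

    # The service removes the file from Pickup as soon as it has read it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Test-Path $file) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Milliseconds 500 }
    if (Test-Path $file) { return "Not collected after $TimeoutSeconds s: is smtpsvc running?" }

    Start-Sleep -Seconds 2   # give the service a moment to route the message
    $queued = @(Get-ChildItem $queue).Count   - $before[$queue]
    $failed = @(Get-ChildItem $badmail).Count - $before[$badmail]
    if ($failed -gt 0) { return "Collected, but $failed file(s) landed in $badmail" }
    if ($queued -gt 0) { return "Collected and still queued ($queued file(s) in $queue): check DNS and outbound port 25" }
    return "Collected and handed off for delivery; check the $To mailbox"
}

Send-PickupTest -From 'blog@yourdomain.com' -To 'email@yourdomain.com'
```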

23. Check the email address the email was sent to and it should arrive shortly – the email was sent to my Gmail account:

A much easier, alternative way of doing this is to use PowerShell. To do so, launch the console and simply run the command below, ensuring that you complete the sending and receiving email addresses plus the subject and body text:

PS C:\Users\admin> Send-MailMessage -SMTPServer localhost -To xxxxx@gmail.com -From blog@vsysad.com -Subject "This is a test email" -Body "Hi Japinator, this is a test email sent via PowerShell"

The above command sent an email to my Gmail account, a screenshot of the email generated is below:

You can save the above command in a file with a .ps1 (PowerShell) file extension and run it whenever you need to test sending/routing of mail.

Apparently there’s more than one way to skin a cat. There’s also another way to test your mail relay server. You can use an email web form application which is similar to a contact us page on a website which allows you to post some feedback, which then uses an SMTP Server to deliver the messages to specific email contacts such as info@yourdomain.com that monitor this information. See this post to learn how to do this using an ASP.NET 4.0 C# email web form application.

That’s all there is to it! Now you have a fully functioning SMTP server that can successfully send emails. Many of the companies that I have worked with use this method to send emails generated by their web applications.

If emails are not being successfully delivered you may notice that messages are building up in specific SMTP folders. Visit this post to understand the purpose of each SMTP folder and how to approach issues when messages are queuing up in those folders.

References:
How to test outbound mail flow with a file in the Pickup folder
IIS SMTP Folder Structure and how SMTP service works

Install and configure FTP Over SSL (FTPS) in IIS 7.5

This guide will show you how to install FTP Server in IIS 7.5 and also how to configure FTP Over SSL (FTPS).

FTP Over SSL (FTPS) allows FTP sessions to be encrypted. It is vitally important to secure FTP traffic as usernames and passwords are, by default, sent in plain text across the network when an FTP client is establishing a connection with the server.

Note: In this guide I am assuming that your server environment is Windows Server 2008 R2 and that you have IIS 7.5 already installed but not the FTP Server. I am also assuming that you want to add FTP publishing to an existing site – in the example below this will be the Default Web Site.

Installing the FTP Server

In Server 2008 R2 the FTP Server is a module that can be found under the Web Server role. To install it do the following:

1. Click Start > Run and then enter servermanager.msc in the Open dialogue box then click OK to load Server Manager:

C:\>servermanager.msc

2. Click on Roles in the left pane and the Roles section will appear in the right pane. Locate the Web Server (IIS) section and then click on Add Role Services:

3. In the Select Role Services section, scroll down to the bottom and check FTP Server, FTP Service & FTP Extensibility, then click Next and then Install:

4. Once the installation completes click Close. To install FTP Server, FTP Service & FTP Extensibility via the command line run the following:

C:\>CMD /C PKGMGR.EXE /iu:IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility

Configuring the FTP Server

5. Click Start > Run and then enter inetmgr in the dialogue box then click OK to load Internet Information Services (IIS) Manager.

6. Once IIS Manager is open select Default Web Site and then click on Add FTP Publishing under the Actions pane as highlighted below:

7. In the Bindings and SSL Settings section configure the settings per the screenshot below and click Next:

Note: If you want your FTP site to use a specific IP address, select it from the drop-down menu, otherwise leave the default setting which binds all FTP traffic to the site you are creating.

8. In the next section configure per the screenshot below. Under Authentication ensure that only Basic is checked. Under Authorization, ensure that your FTP user account is set under the Specified Users box, then click Finish:

At this point basic FTP publishing has been enabled on the Default Web Site.

9. Next, click on the Server object and then in the right pane double-click on the FTP Firewall Support icon:

10. I am configuring FTP connections to use Passive Transfers and the Data Channel Port Range will be set to 0-0 and the External IP Address of Firewall should be left blank (per below):

Note: The firewall in this environment is the built-in Windows software firewall. As it provides Stateful Packet Inspection (SPI) we do not need to state a port range for passive transfers, as the firewall will detect which ports are dynamically required and allow the data transfers to go through. For more information about configuring firewalls for FTP see this link.

11. Next, click on the Default Web Site and then in the right pane double-click on the FTP Firewall Support icon. When this loads up input the FTP site’s public IP address and then click on Apply under the Actions pane on the right-hand side:

11. Within IIS Manager, click on the server object and in the centre pane open Server Certificates:

12. Then click on Create Self-Signed Certificate in the Actions pane in the right hand side:

13. Type a name for the certificate, I used FTP Site Certificate but any descriptive name will suffice, then click on OK:

14. You will now see the created certificate in the list:

15. Click on the server object again and open FTP SSL Settings:

16. Under SSL Certificate select the certificate we created earlier. Under SSL Policy select Custom and then click on the Advanced button:

17. Under Control Channel select Require only for credentials and under Data Channel select Require and then click on OK:

18. Now click on the Default Web Site and then open FTP SSL Settings and ensure you configure the same settings as at the server level, as performed in steps 15 – 17. Failing to configure the FTP SSL Settings at BOTH the SERVER and SITE levels will result in FTP connection errors per the below:

Response: 534 Local policy on server does not allow TLS secure connections.
Error: Critical error
Error: Could not connect to server
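Steps 15 to 18 can also be applied from the command line, which makes it easy to guarantee that the server level and the site level carry identical settings. The script below is an added example (not from the original post) that uses appcmd.exe to set the certificate, the control-channel policy and the data-channel policy both under siteDefaults and under the Default Web Site, then reads the configuration back. It assumes the certificate was created with the friendly name FTP Site Certificate as in step 13.

```powershell
# Added example (not from the original post): apply the FTP SSL policy at the
# server (siteDefaults) and site levels with appcmd.exe, so the
# "534 Local policy on server does not allow TLS secure connections" error
# cannot come from a mismatch between the two.
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$siteName = 'Default Web Site'

# Find the thumbprint of the self-signed certificate created in step 13.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'FTP Site Certificate' } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate 'FTP Site Certificate' not found in LocalMachine\My" }

# The same three attributes of the <ssl> element at both levels.
$ssl = @{
    'serverCertHash'       = $cert.Thumbprint
    'controlChannelPolicy' = 'SslRequireCredentialsOnly'   # "Require only for credentials"
    'dataChannelPolicy'    = 'SslRequire'                   # "Require"
}

foreach ($scope in 'siteDefaults', "[name='$siteName']") {
    foreach ($key in $ssl.Keys) {
        & $appcmd set config -section:system.applicationHost/sites `
            "/$($scope).ftpServer.security.ssl.$($key):$($ssl[$key])" /commit:apphost
        if ($LASTEXITCODE -ne 0) { throw "appcmd failed setting $key for $scope" }
    }
}

# Show the resulting <ssl ...> elements for the defaults and for the site.
& $appcmd list config -section:system.applicationHost/sites | Select-String '<ssl '
```

The values SslRequireCredentialsOnly and SslRequire correspond to the Require only for credentials and Require choices in the Advanced SSL Policy dialog; the read-back at the end should show both <ssl> elements with the same serverCertHash and policies.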

19. Click on the Default Web Site and then click on Bindings in the Actions pane:

20. In the Site Bindings section click on the Add Button:

21. In the Add Site Binding section select the Type as ftp, leave the IP Address box as All Unassigned and then enter the hostname for the FTP Site and then click on OK:

22. Confirm that you can see the new FTP Site binding and then click Close:

23. While still in the Default Web Site context select Advanced Settings in the Actions pane to view the FTP Site’s home directory – it will be the physical path for the Default Web Site:

24. You will need to configure the ftp_user account to have write permissions to C:\inetpub\wwwroot in order for you to be able to upload files to this directory. NTFS permissions should be configured per below:

25. As mentioned earlier, my environment uses the Windows software firewall. The rules that need to be enabled to allow FTP and FTPs communication are:

Inbound Rules
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-In)

Outbound Rules
N/A – because the default setting for public traffic is that outbound connections that do not match a rule are allowed.
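On Server 2008 R2 the NetSecurity PowerShell cmdlets are not available, so the three inbound rules can be enabled and then checked with netsh instead. This snippet is an added example, not part of the original post; the rule names are the ones listed above.

```powershell
# Added example (not from the original post): enable the three built-in inbound
# FTP rules by name and print the Enabled state netsh reports for each.
$rules = @(
    'FTP Server (FTP Traffic-In)',
    'FTP Server Passive (FTP Passive Traffic-In)',
    'FTP Server Secure (FTP SSL Traffic-In)'
)

foreach ($rule in $rules) {
    $out = netsh advfirewall firewall set rule name="$rule" new enable=yes
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not enable '$rule': $out"
        continue
    }
    # Read the rule back; the output contains an "Enabled: Yes/No" line.
    $state = netsh advfirewall firewall show rule name="$rule" |
             Select-String '^Enabled:' | Select-Object -First 1
    '{0,-45} {1}' -f $rule, (("$state" -replace '\s+', ' ').Trim())
}
```

Each line of output should end with Enabled: Yes. No outbound rule is needed, for the reason given above: outbound connections that match no rule are allowed by default.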

Connecting to the FTP Site

26. The only thing left to do is test the connection from your FTP client. Using FileZilla, you will need the connection information below, changing only the Host, User and Password fields according to your specific settings:

Host: ftp.vsysad.com
Protocol: FTP – File Transfer Protocol
Encryption: Require explicit FTP over TLS
Logon Type: Normal
User: ftp.vsysad.com|ftp_user
Password: **********

In FileZilla, I added a site called vSysad and then added the relevant connection info above:

Note: The user field must be VirtualHostName|User to allow successful authentication. The virtual host name is a requirement and the FTP Server is expecting that string, if it doesn’t see it then you will see the following error:

Status: Connecting to ftp.vsysad.com…
Status: Connection established, waiting for welcome message…
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS…
Status: Verifying certificate…
Command: USER ftp_user
Status: TLS/SSL connection established.
Response: 530 Valid hostname is expected.
Error: Could not connect to server

27. Once you have input the relevant connection info for the FTP Site, click Connect and assuming that the connection is successful you will see a pop-up box displaying an unknown certificate which we created earlier:

28. Check the box Always trust certificate in future sessions and hit OK. After which you will be connected to the home directory:
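For a scripted connection test that does not depend on FileZilla, the function below (an added example, not part of the original post) uses the .NET FtpWebRequest class with EnableSsl set, logs on with the VirtualHostName|User format and lists the home directory. Because the server presents a self-signed certificate, the function pins that certificate's thumbprint instead of trusting any certificate. Host name, user, password and thumbprint are placeholders for your own values.

```powershell
# Added example (not from the original post): explicit FTP over TLS logon test
# that pins the server's self-signed certificate by thumbprint.
function Test-FtpsLogin {
    param(
        [string]$HostName = 'ftp.yourdomain.com',
        [string]$User = 'ftp_user',
        [string]$Password,
        [string]$ExpectedThumbprint   # Thumbprint shown for the cert in step 14
    )
    # Accept only the certificate created in step 13; any other certificate
    # (a typo in the host name, a different server) fails validation.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
        param($sender, $cert, $chain, $errors)
        $cert.GetCertHashString() -eq $ExpectedThumbprint
    }.GetNewClosure()

    try {
        $req = [System.Net.FtpWebRequest]::Create("ftp://$HostName/")
        $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
        $req.EnableSsl   = $true     # sends AUTH TLS before the credentials
        $req.UsePassive  = $true     # matches the passive firewall settings above
        $req.Credentials = New-Object System.Net.NetworkCredential("$HostName|$User", $Password)

        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $listing = $reader.ReadToEnd()
        $reader.Close(); $resp.Close()
        return "Logged in over TLS. Home directory listing:`r`n$listing"
    } catch {
        # .NET exceptions arrive wrapped; dig out the WebException, whose Response
        # carries the server's reply (e.g. "530 Valid hostname is expected.").
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return "Server refused logon: $($ex.Response.StatusDescription.Trim())" }
        return "Connection failed: $($_.Exception.Message)"
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    }
}

Test-FtpsLogin -HostName 'ftp.yourdomain.com' -User 'ftp_user' `
               -Password 'CHANGE-ME' -ExpectedThumbprint 'PASTE-THUMBPRINT-HERE'
```

Leaving the VirtualHostName| prefix off the user name reproduces the 530 Valid hostname is expected error shown above, and a wrong thumbprint fails at the TLS handshake rather than at logon, which is the point of pinning: the password is never sent to a server that could not prove it holds the expected certificate.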

And that’s all. Happy FTPing over SSL!

References:
Using FTP Virtual Host Names in IIS 7
Configuring FTP 7.5 with Host Header and SSL
Setup FTPS on IIS 7.5 Using Host Headers Tutorial
Local policy on server does not allow TLS secure connections
Configuring FTP Firewall Settings in IIS 7
Using FTP Over SSL in IIS 7