Overview
MailEssentials can be installed in two ways: either directly on the Microsoft® Exchange server, or on an email gateway (relay/perimeter) server.
When MailEssentials is installed on the email gateway, spam and email malware are filtered before reaching the mail server, which can be an on-premise Exchange server or a hosted email environment such as Office 365 (O365). Refer to this linked article for more details on the advantages/disadvantages of this deployment scenario.
This article describes the procedure to correctly install GFI MailEssentials on a gateway server for filtering emails before they are processed by the mail server which can be on-premise or a hosted email service such as O365.
Prerequisites
Before installing GFI MailEssentials on an email gateway, ensure that there is reliable connectivity between the gateway server and your email server whether it is hosted internally within the same local network, or on a cloud service.
You will also need to update the MX record for the domain to point to the IP address of the gateway server. If the DNS server is managed by your ISP, ask your ISP to update the MX record to ensure that incoming emails are relayed through the gateway server.
Solution
Deploying MailEssentials on the email gateway enables you to reduce unnecessary email traffic by using your Active Directory resources at the gateway server level to drop connections for non-existent email recipients in incoming email. This helps counter spamming techniques such as Directory Harvesting attacks thereby stopping spam and malware from arriving at your email server, whether it is an on-premise Exchange server or a hosted email environment such as Office 365.
- Important: When installing GFI MailEssentials on a DMZ, the recommendation is to use LDAP lookups to get the list of email users (required for user-based configuration/rules) from your SMTP server. This is because Active Directory on the DMZ will usually NOT include all the email recipients.
The high-level steps to install MailEssentials on an email gateway are:
These steps are detailed below:
Pre-install Actions
When MailEssentials is installed on the gateway server, it uses the IIS SMTP service as its SMTP server. The IIS SMTP service must therefore be configured to act as a mail relay server by following these steps:
Step 1: Enable IIS SMTP Service
Step 2: Create SMTP domain(s) for email relaying
Step 3: Enable email relaying to your mail server
Step 4: Secure your SMTP email-relay server
Step 5: Enable your mail server to route emails via GFI MailEssentials
Step 6: Update your domain MX record to point to mail relay server
Step 7: Test your new mail relay server
Step 1: Enable IIS SMTP Service
- Launch Windows Server Manager.
- Navigate to the Features node and select Add Features.
- From the Add Features Wizard select SMTP Server.
- Note: The SMTP Server feature might require the installation of additional role services and features. Click Add Required Role Services to proceed with the installation.
- In the following screens click Next to configure any required role services and features, and click Install to start the installation.
- Click Close to finalize the configuration.
Step 2: Create SMTP domain(s) for email relaying
- Go to Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
- In the left pane, expand the respective server node. Right-click Default SMTP Virtual Server and select Properties.
- Select the IP address currently assigned to your SMTP server and click OK
- Expand Default SMTP Virtual Server node.
- Right-click Domains and select New > Domain.
- Select Remote and click Next.
- Specify the organization domain name (for example, test.gfi.com) and click Finish.
Step 3: Enable email relaying to a Smart Host
A Smart Host can be any on-premise SMTP email server (e.g. Microsoft Exchange), or a hosted SMTP service such as Office 365.
- Right-click on the new domain (e.g. test.gfi.com) and select Properties.
- Select Allow the Incoming mail to be relayed to this domain.
- Select Forward all mail to smart host and specify the IP address of the on-premise server managing emails for this domain. The IP address must be enclosed in square brackets, for example, [123.123.123.123], to exclude it from all DNS lookup attempts.
- Note: If instead the emails are being relayed to a hosted SMTP service, select the Use DNS to route to this domain option.
- Click OK to finalize your configuration.
Step 4: Secure the SMTP email-relay server
If unsecured, the mail relay server can be exploited and used as an open relay for spam. To avoid this, it is recommended to specifically define which mail servers can route emails through this mail relay server (i.e. allow only specific servers to use this email relaying setup) by following these steps:
- Go to Start > Control Panel > Administrative Tools
- Click on Internet Information Services (IIS) Manager
- In the left pane, expand the respective server node. Right-click on Default SMTP Virtual Server and select Properties
- Click on the Access tab and select Relay
- Select the Only the list below option and click Add
- Specify IP(s) of the mail server(s) that are allowed to route emails through this mail relay server
- Single computer - i.e. Authorize one specific machine to relay email through this server. Use the DNS Lookup button to lookup an IP address for a specific host.
- Group of computers - i.e. Authorize specific computer(s) to relay emails through this server.
- Domain - Allow all computers in a specific domain to relay emails through this server.
- Note: The Domain option adds a processing overhead that can degrade SMTP service performance. This is due to the reverse DNS lookup processes triggered on all IP addresses (within that domain) that try to route emails through this relay server.
Step 5: Enable your mail server to route emails via GFI MailEssentials
Configure your mail server to route all inbound and outbound email through MailEssentials. In the configuration program of your mail server, use the option to relay all outbound emails via another mail server (this option is usually called something similar to Forward all messages to host). Enter the computer name or IP of the gateway machine running MailEssentials.
The specific steps to achieve this if using MS Exchange are:
- Launch Exchange System Manager
- Right-click the Connectors node and select New > SMTP Connector
- Select the Forward all mail through this connector to the following smart host option, and specify the IP of your mail relay server within square brackets (i.e. the IP of the machine on which GFI MailEssentials is installed) e.g. [123.123.1.123]
- Click Add and select the virtual SMTP Server (i.e. the email relay server on which GFI MailEssentials is running)
- Click on the Address Space tab then click Add
- Select SMTP and click OK
- Click OK to finalize the configuration. All emails will now be forwarded to the GFI MailEssentials server.
Routing emails destined for Office 365 mailboxes via MailEssentials email gateway is achieved by following the steps provided in this external article on Step-by-step configuration instructions for SMTP relay.
Step 6: Update the domain MX record to point to mail relay server
Update the MX record of the domain to point to the IP address of the new mail relay server. If the DNS server is managed by your ISP, ask your ISP to update the MX record for you.
Note: If the MX record is not updated, all emails will be routed directly to your email server thereby bypassing MailEssentials anti-spam and anti-malware filters.
Verify that the MX record has been successfully updated using the following steps:
- Click Start > Run and type: cmd to launch the Windows Command Prompt.
- From the command prompt type in: nslookup
- Type in: set type=mx
- Specify your mail domain name
The MX record should return the IP addresses of the mail relay servers.
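The same MX check can be scripted so that every MX entry is followed to its IP addresses and compared with the gateway. This is an added example, not part of the GFI documentation; it assumes a machine with the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later), and the gateway address and the function name Test-MxPointsToGateway are placeholders.

```powershell
# Added example. Placeholders (assumptions): set these for your environment.
$Domain    = 'test.gfi.com'     # mail domain (example name used in this article)
$GatewayIp = '203.0.113.10'     # public IP of the MailEssentials gateway

function Test-MxPointsToGateway {
    param([string]$Domain, [string[]]$GatewayIp)

    # All MX records for the domain, most preferred first.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' } |
          Sort-Object Preference

    foreach ($record in $mx) {
        # Follow each mail exchanger to its A records.
        $ips = (Resolve-DnsName -Name $record.NameExchange -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        $other = @($ips | Where-Object { $_ -notin $GatewayIp })

        [pscustomobject]@{
            Preference = $record.Preference
            Exchanger  = $record.NameExchange
            Addresses  = $ips -join ', '
            # True when the exchanger does not resolve, or resolves to a host
            # other than the gateway (mail sent there is not filtered).
            NotGateway = ($other.Count -gt 0) -or (-not $ips)
        }
    }
}

Test-MxPointsToGateway -Domain $Domain -GatewayIp $GatewayIp | Format-Table -AutoSize
```

Any row with NotGateway set to True is an MX entry that delivers mail to a host other than the gateway, including lower-priority backup entries.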
Step 7: Test the new mail relay server
Before proceeding to install MailEssentials, verify that the new mail relay server is working correctly by performing the following:
Test IIS SMTP inbound connection
- Send an email from an ‘external’ account (e.g. from a Gmail account) to an internal email address.
- Ensure that the intended recipient received the test email in the respective email client.
Test IIS SMTP outbound connection
- Send an email from an ‘internal’ email account to an external account (e.g. to a Gmail account).
- Ensure that the intended recipient/external user received the test email.
Note: Telnet can also be used to manually send the test email and obtain more troubleshooting information.
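The manual Telnet test can be scripted, and the same SMTP dialogue also confirms the relay restriction from Step 4. This is an added example, not part of the GFI documentation; the addresses and the function name Get-SmtpRcptReply are placeholders, and it is meant to be run from a machine that is not on the relay allow list.

```powershell
# Added example. Placeholders (assumptions): set these for your environment.
$Gateway  = '203.0.113.10'          # gateway running the IIS SMTP service
$Internal = 'user@test.gfi.com'     # recipient in a domain created in Step 2
$External = 'someone@example.net'   # recipient in a domain you do not host

function Get-SmtpRcptReply {
    param([string]$Server, [string]$Recipient, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        # Read one reply; continuation lines of a multi-line reply have '-' after the code.
        $readReply = {
            do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
            $line
        }
        $null = & $readReply                               # 220 greeting
        foreach ($cmd in 'EHLO relaytest.invalid', 'MAIL FROM:<probe@relaytest.invalid>') {
            $writer.WriteLine($cmd)
            $null = & $readReply
        }
        $writer.WriteLine("RCPT TO:<$Recipient>")
        $reply = & $readReply
        $writer.WriteLine('QUIT')                          # stop before DATA: no message is sent
        return $reply
    }
    finally { $client.Close() }
}

$hosted  = Get-SmtpRcptReply -Server $Gateway -Recipient $Internal
$foreign = Get-SmtpRcptReply -Server $Gateway -Recipient $External
"Hosted domain  : $hosted"     # expected: a 250 reply
"Foreign domain : $foreign"    # expected: a 5xx refusal
if ($foreign -match '^2') {
    Write-Warning 'Foreign-domain recipient accepted: the Step 4 relay restriction is not effective for this host.'
}
```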
Running the Installation Wizard
- Log on to the Gateway Server machine using administrator credentials
- Double click mailessentials.exe to launch the installation wizard
- Select the preferred install language and click Next
- Select whether to check for newer versions/builds of GFI MailEssentials and click Next
- Read the licensing agreement. To proceed with the installation select I accept the license agreement and click Next
- Click Next to install into the default location or click Browse to change the desired path
- Specify user details and enter the license key. Click Next to continue
- Specify the Administrator email address where notifications are to be sent
- Specify whether MailEssentials will get the list of email users from Active Directory or SMTP server. Click Next to continue.
- If Microsoft Message Queuing Services (MSMQ) is not installed then a dialog prompt will open. Select Yes to install MSMQ. Click Next to continue.
- Click Finish to finalize your installation. On completion, setup will:
- Prompt to restart the SMTP service. Failing to restart the SMTP service will negatively affect anti-spam filtering and email flow.
- Check whether the Microsoft XML engine is installed. This is automatically installed if not found on UK/US English OS. For other OS languages, this has to be manually downloaded and installed. Microsoft XML engine can be downloaded from MSXML 4.0 Service Pack 2 (Microsoft XML Core Services).
- For new installations, setup will automatically launch the Post-Installation Wizard.
Post-Install Actions
For new installations, setup automatically launches the Post-Installation Wizard. For upgrades, the wizard is launched from the command prompt by navigating to the GFI MailEssentials installation folder and running the command: e2k7wiz.exe clean
- Click Next on the welcome page
- In the DNS Server dialog, select:
- Use the same DNS server used by this server - Select this option to use the same DNS server that is used by the operating system where GFI MailEssentials is installed.
- Use an alternate DNS server - Select this option to specify a custom DNS server IP address.
- Click Test DNS Server to test the connection with the specified DNS server. If the test is unsuccessful, specify another DNS server. Click Next to continue.
- In the Internet Connectivity Settings dialog, specify how the server where GFI MailEssentials is installed connects to the internet. If the server connects through a proxy server, click Configure proxy server... and specify proxy settings. Click Next to continue.
- In the Inbound email domains dialog specify all the domains to filter for spam. Any local domains that are not specified in this list will not be filtered for spam. Click Next to continue.
- Note: When adding domains, select Obtain domain’s MX records and include in perimeter servers list to retrieve the domain’s MX records and automatically add them to the perimeter SMTP servers list (configured in the next step).
- In the SMTP Servers dialog, specify how the server receives external emails. If emails are routed through other servers before they are forwarded to the GFI MailEssentials server, add the IP address of the other servers in the list. For more information about perimeter SMTP servers refer to Configuring Perimeter SMTP Servers
- When using the hosted email security products GFI MAX MailProtection or GFI MAX MailEdge, enable the checkbox Emails are also filtered by….
- Click Next to continue.
- In the Default anti-spam action dialog, select the default action to be taken when emails are detected as spam. Click Next to continue.
- Click Finish to finalize the installation.
The installation is now complete and MailEssentials is set to filter emails for spam and malware before delivery to the email server.