Configure Exchange Server to talk to the Internet

The Internet is so pervasive that you might have trouble remembering what life was like before everyone had email, Web browsers, and instant messaging. By using SMTP to send and accept mail across the Internet, Microsoft Exchange Server can help you hop on the bandwagon. To provide client access, you can use the POP3 and IMAP4 protocols, which are Internet standards, or Microsoft Outlook or Outlook Web Access (OWA). But first, you need to set up Exchange Server's Internet Mail Service (IMS).

The IMS and DNS Resource Records
To get the IMS up and running, the first item on the agenda is to get mail flowing between your servers and other servers on the Internet. SMTP is the common language of Internet mail; Exchange Server 5.5 implements SMTP in the IMS, whereas Exchange 2000 Server uses (and extends) the Microsoft IIS 5.0 SMTP protocol stack that is part of Windows 2000. In either case, you need to complete some basic requirements before you can start swapping mail.

To begin, you need to understand how your servers discern where mail needs to go. When you send mail to me at acme.com, your mail client delivers the message to your mail server, which must then figure out how to get the mail to me. The mail server can easily use DNS to turn a domain name such as acme.com into an IP address, but knowing the IP address associated with the domain isn't particularly useful in a mail-exchange situation. Your mail server needs to know the address of a specific machine that accepts incoming mail for the domain. The answer lies in DNS resource records.

DNS MX records. Each DNS MX record is associated with a particular DNS domain, such as acme.com or microsoft.com. Each record names a mail server (by host name, not by IP address) that accepts mail for the domain; if multiple servers handle mail for one domain, each server has its own MX record. When you send me mail, your mail server performs a DNS query for the MX records for acme.com; the answer indicates that mail for acme.com needs to go to mail.acme.com. Your mail server then resolves mail.acme.com to an IP address, contacts my mail server, and delivers the message, which eventually lands in my inbox.

Each DNS MX record also contains a preference field. This preference lets you specify multiple destinations for incoming mail. When a mail server queries DNS for a domain's MX records, it receives all of them and tries the server named in the record with the lowest preference value first. If delivery to that server fails, the sending server then tries the server in the record with the next-lowest preference, and so on. You can also use preferences for load balancing. If several MX records for your domain name different mail servers and have equal preferences, sending servers choose among those records at random (and most DNS servers also rotate the order in which they return them), so incoming mail is spread across the servers. Microsoft provides a good example: If you use Nslookup to query DNS for the MX records associated with microsoft.com, you'll see that several records exist, each with an equal preference, and repeated queries return them in varying order. To set a preference value, use any DNS management tool to edit the MX record's preference field.

If you want the outside world to be able to send mail to your Exchange Server system, you need a DNS MX record pointing to that server. This rule applies whether you maintain your DNS server or whether another provider maintains it. Without an MX record, sending servers can only fall back to an A record for the bare domain name, which rarely points at your mail server, so in practice the outside world's servers won't know how to get mail to your server.

A and PTR records. Your Exchange Server machine also needs A and PTR records in the public DNS. An MX record names a host, not an address, so after an outside server retrieves your MX records it needs the A record for the host that each MX record names in order to obtain the IP address it will connect to. The PTR record ties an IP address back to a DNS name, so that if you have an IP address (e.g., 207.46.130.149), you can turn it into a name (e.g., www.microsoft.com). You want to have PTR records for your Exchange Server machines because many SMTP servers use reverse name resolution: when a connection arrives, the receiving server looks up the PTR record for the sending IP address, and often checks that the resulting name resolves back to the same address. This check does not prove who the sender is, but many organizations treat a missing or mismatched PTR record as the mark of a misconfigured or rogue sender and might reject your mail if you don't have PTR records. (For more information about DNS resource records, see Richard Reich, "DNS Strategies," October 1995.)
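The following worked example, added here rather than taken from the original article, shows the two processes the paragraphs above describe: how a sending mail server turns a recipient domain into an ordered list of delivery targets (MX preference first, random order among equal preferences, A lookup for each named host, and the fallback to the domain's own A record when no MX exists), and the reverse-DNS check a receiving server makes on a connecting IP. All DNS data is a constructed, in-memory zone using hypothetical names and documentation addresses; no network queries are made.

```python
"""Added example (not from the original article): MX delivery ordering and
the PTR/reverse-DNS check, run against a constructed in-memory DNS zone."""
import random
from collections import defaultdict

# Constructed sample zone: hypothetical host names, RFC 5737 documentation addresses.
ZONE = {
    "MX": {
        "acme.com": [(10, "mail.acme.com"), (20, "backup.acme.com")],
        "bigcorp.example": [(10, "mx1.bigcorp.example"),
                            (10, "mx2.bigcorp.example"),
                            (10, "mx3.bigcorp.example")],
        "nomx.example": [],
    },
    "A": {
        "mail.acme.com": "192.0.2.25",
        "backup.acme.com": "192.0.2.26",
        "mx1.bigcorp.example": "198.51.100.1",
        "mx2.bigcorp.example": "198.51.100.2",
        "mx3.bigcorp.example": "198.51.100.3",
        "nomx.example": "203.0.113.5",
        "other.example": "203.0.113.9",
    },
    "PTR": {
        "192.0.2.25": "mail.acme.com",
        "203.0.113.9": "wrong-name.example",   # PTR that does not match the forward lookup
        # 192.0.2.26 deliberately has no PTR record
    },
}


def delivery_order(domain, zone=ZONE, rng=random):
    """Return [(host, ip), ...] in the order a sending MTA should try them.

    MX records name hosts, not addresses, so each target is resolved with an
    A lookup afterwards. Lower preference values come first; records that
    share a preference are shuffled, which is the load balancing the article
    describes. A domain with no MX records falls back to its own A record."""
    mx = zone["MX"].get(domain, [])
    if not mx:
        ip = zone["A"].get(domain)
        return [(domain, ip)] if ip else []
    by_pref = defaultdict(list)
    for pref, host in mx:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend((h, zone["A"].get(h)) for h in hosts)
    # Drop MX targets that have no A record: they cannot be connected to.
    return [(h, ip) for h, ip in ordered if ip is not None]


def reverse_check(client_ip, zone=ZONE):
    """The check many receiving servers make on a connecting IP address.

    "ok"       - PTR exists and its name resolves (A) back to the same IP
    "mismatch" - PTR exists but points at a name that does not resolve back
    "no-ptr"   - no PTR record at all
    Servers that enforce this reject or defer mail from the last two cases."""
    name = zone["PTR"].get(client_ip)
    if name is None:
        return "no-ptr"
    return "ok" if zone["A"].get(name) == client_ip else "mismatch"


if __name__ == "__main__":
    print(delivery_order("acme.com"))
    print(delivery_order("bigcorp.example", rng=random.Random(1)))
    print(delivery_order("nomx.example"))
    for ip in ("192.0.2.25", "192.0.2.26", "203.0.113.9"):
        print(ip, reverse_check(ip))
```

Run it and note that the three equal-preference hosts for bigcorp.example come back in a different order on each run unless you pass a seeded random generator, while acme.com always lists mail.acme.com before backup.acme.com.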

One final IMS prerequisite involves DNS. You must configure your intended IMS server as a DNS client that points at a resolver able to answer queries for Internet names, so that the IMS server can look up the MX and A records of the domains it delivers to and get answers to those queries.

Choosing the IMS Server
The second item on the agenda is to decide whether to install the IMS on an existing Exchange Server machine or on a separate machine. (If you decide to build a brand-new IMS server, you'll need to install Exchange Server 5.5 and join the existing organization and the site you want to host the IMS in before you can proceed with the IMS installation.) Although both choices have advantages, I prefer to put the IMS on a separate server; doing so

  • Shifts CPU, network, and I/O load away from the servers that hold your mailboxes.
  • Means that you can fix a downed IMS server at your leisure, without affecting mailboxes. (If the IMS crashes and it's on your Exchange Server machine, it might take the Information Store—IS—with it.)
  • Helps you avoid a noticeable effect on your users if mail bombs, mail loops, or unsolicited commercial email (UCE) floods inundate the IMS machine.
  • Prevents effect on mail access when you move, reconfigure, or restart the IMS.

Installing the IMS
After you set your DNS MX, A, and PTR records and decide on a server, installing the IMS is straightforward. Open Microsoft Exchange Administrator, and select File, New, Other, Internet Mail Service to start the Internet Mail Wizard. The wizard prompts you to enter the most crucial IMS configuration settings. The first several pages simply remind you to make the DNS changes (i.e., add resource records) that I described above.

Pick a server, any server. Now the wizard gets down to the nitty-gritty: You select a server on which to install the IMS. That server can reside anywhere in your site, a useful feature because you don't need to be at a server's console to install the IMS on that server. Choose the appropriate server, and select whether you want to permit the IMS to use Dial-Up Networking (DUN) to establish its Internet connection.

Instant relay. Next, the wizard prompts you to select whether to enable relaying. Normal delivery occurs when a server accepts a message addressed to a recipient in its own address space. Relaying occurs when a server accepts a message addressed to a recipient address that isn't in that server's address space and passes it on to another server. You need relaying if you want to support POP3 or IMAP4 clients, which submit their outgoing mail through your server, but a server that relays for anyone who connects is an open relay: UCE senders will find it and use it to launder their traffic, and other sites will start refusing mail from you. If you enable relaying, restrict it to clients that authenticate or to your own IP address ranges (the IMS's Routing properties let you impose these restrictions after installation) rather than leaving it open to the world. (For information about resisting such attacks, see Douglas Toombs, "Junk Email," August 1998.)

Where's the mail? Next, the wizard prompts you to select how the IMS will deliver outbound mail. You have two choices. Route all mail through a single host tells the IMS to send all outgoing mail through one server (sometimes called a smarthost). Use DNS to send mail tells the IMS to look up the DNS MX record for each recipient's domain and connect directly to the recipient's SMTP server. Most sites that use dial-up Internet connections, as well as many sites that use permanent Internet connections, use smarthosts at their ISPs. Doing so lets you hand the mail off to the smarthost in one connection and spares your server the DNS lookups, retry queues, and bandwidth it would need to deliver to every destination itself. However, if your ISP doesn't offer a smarthost, or if your IMS server is the smarthost for other IMS servers, you'll need to choose Use DNS to send mail.
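To make the two wizard decisions above concrete, here is an added example (written for this page, not code from the article or from Exchange Server) of the decision an SMTP server makes for each RCPT TO address under the relaying setting, and of the outbound routing choice between a smarthost and direct DNS delivery. The local domains, client addresses, and smarthost name are constructed for the example; the policy class stands in for the relay restrictions a real server would read from its configuration.

```python
"""Added example (not from the original article): the accept/relay/reject
decision for one RCPT TO address, and the smarthost-versus-DNS routing choice."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Domains this server holds mailboxes for (constructed).
LOCAL_DOMAINS = {"acme.com", "sales.acme.com"}


@dataclass
class RelayPolicy:
    """Who may relay through this server to non-local recipients."""
    open_relay: bool = False        # unrestricted "enable relaying": anyone may relay
    authenticated_ok: bool = True   # POP3/IMAP4 clients that log in may relay
    trusted_nets: tuple = ()        # address ranges (e.g. the internal LAN) that may relay


@dataclass
class Client:
    ip: str
    authenticated: bool = False


def rcpt_decision(recipient, client, policy):
    """Return (SMTP reply code, action) for one RCPT TO address.

    (250, "local")  - recipient is in our address space: normal delivery.
    (250, "relay")  - not ours, but this client is permitted to relay.
    (550, "reject") - not ours and relaying is not permitted for this client;
                      this answer is what keeps the server from being an open relay."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "local"
    if policy.open_relay:
        return 250, "relay"
    if policy.authenticated_ok and client.authenticated:
        return 250, "relay"
    addr = ip_address(client.ip)
    if any(addr in ip_network(net) for net in policy.trusted_nets):
        return 250, "relay"
    return 550, "reject"


def next_hop(domain, smarthost=None):
    """Outbound routing. With a smarthost configured, every message goes there
    ("Route all mail through a single host"); otherwise the server must look up
    the recipient domain's MX records itself ("Use DNS to send mail")."""
    if smarthost:
        return ("smarthost", smarthost)
    return ("mx-lookup", domain)


if __name__ == "__main__":
    lan = RelayPolicy(trusted_nets=("10.0.0.0/8",))
    print(rcpt_decision("bob@acme.com", Client("203.0.113.7"), lan))
    print(rcpt_decision("x@elsewhere.example", Client("203.0.113.7"), lan))
    print(rcpt_decision("x@elsewhere.example", Client("203.0.113.7", authenticated=True), lan))
    print(rcpt_decision("x@elsewhere.example", Client("10.1.2.3"), lan))
    print(rcpt_decision("x@elsewhere.example", Client("203.0.113.7"), RelayPolicy(open_relay=True)))
    print(next_hop("elsewhere.example", smarthost="smtp.isp.example"))
    print(next_hop("elsewhere.example"))
```

The fourth and fifth calls show the difference that matters: with the restricted policy an unauthenticated Internet client asking to relay gets 550, while with open_relay set the same request is accepted, which is exactly the configuration UCE senders scan for.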

Then, the wizard asks you to designate the address space and to control site addressing. The address spaces that you designate control which recipient domains Exchange Server will route out through this IMS; the wildcard default (*) sends mail for every external domain through it.

Site addressing governs the format the IMS uses for the email addresses it adds to each mail-enabled object. The IMS will use the address format you specify to generate the right portion of SMTP addresses; the default is @site.org.com, in which site is the name of your Exchange site and org is the name of your Exchange organization. If your domain name changes later, you can go to the Site Addressing tab on the Site Addressing Properties page to edit the address format. You can access this page from the site configuration container in Exchange Administrator. When you change a site address in this manner, Exchange Administrator offers to update all existing mailboxes with the new address.

Housekeeping. The remaining wizard screens ask for housekeeping details. First, you must tell the IMS which mailbox to use for the Internet-standard postmaster account; Exchange Server lets you designate any mailbox as a postmaster. The standards that define SMTP mail require every mail domain to accept mail addressed to postmaster, so name this mailbox postmaster so that other administrators know whom to contact.

By default, the IMS will send nondelivery reports (NDRs) to the Administrator account. The wizard offers an option to change that default.

You must also give the wizard the password for the site services account. The wizard will find the service account name in the Exchange Server directory, but you must supply the correct password or the IMS won't start.

Finally, the wizard shows you a summary of your changes. After you click Finish, the wizard installs and starts the IMS; at that point, the wizard reminds you to run the Exchange Performance Optimizer—always a good idea after you make any change to a system's hardware or software configuration.

Beyond the Basics
Following these instructions will give you a basic, functional IMS installation. However, you can do quite a bit more tuning. For a definitive resource about how to tame the IMS, see Simpler-Webb's Exchange and SMTP FAQ (http://www.swinc.com/resource/exch_smtp.htm), Microsoft's Web site (http://www.microsoft.com/exchange/techinfo/insideims.htm), or the Windows 2000 Magazine network (http://www.win2000mag.net/channels/exchange/).
Following these instructions will give you a basic, functional IMS installation. However, you can do quite a bit more tuning. For a definitive resource about how to tame the IMS, see Simpler-Webb's Exchange and SMTP FAQ (http://www .swinc.com/resource/exch_smtp.htm), Microsoft's Web site (http://www.microsoft .com/exchange/techinfo/insideims.htm), or the Windows 2000 Magazine network (http://www.win2000mag.net/channels/ exchange/).