Using Windows Server's “hidden" SMTP server to email anonymously … and safely
In “Automating PowerShell Reports, Part 1," I introduced one of my favorite PowerShell cmdlets,
send-mailmessage. It's a flexible tool that's essentially a command-line SMTP client, allowing you to send Internet email from the command line. I introduced it because I'll soon be showing you how to use Active Directory’s (AD's) cmdlets to create AD reports, schedule your servers to run those reports in the middle of the night, and automatically email you those reports. But you won't be able do all that unless you enlist the aid of a great power tool, Windows Server's SMTP Server module.
Suppose you have a routine that runs every night at 3 a.m., generating a report called C:\reports\today.html, and you want that report automatically emailed to you at the email account admin@bigfirm.com. As I demonstrated last month, that command might look like
Try running that from a PowerShell command prompt, and it'll probably fail because well-run email servers don't send mail except from authenticated users, which means (in practice) that every time you run send-mailmessage, PowerShell is going to ask you for credentials.
Unfortunately, you won't be around to provide those credentials, because the routine is running in the background at 3 a.m. on some server. What to do? My suggestion is that you don't Google this question; many pages direct you to download and install a random free SMTP server that might or might not be securable. The Internet definitely doesn't need another "open relay," an email server just waiting for some spammer to use it to blight several million mailboxes with junk, and who would want to live with that kind of karma anyway?
Instead, install the SMTP Server service that has shipped with Windows Server for ages, and then configure it so that it doesn't need authentication—but also isn't an open relay. The SMTP Server service used to be a marquee feature of IIS through IIS 6.0, and it has always been a favorite of mine because it's flexible, easy to configure, and programmable. You can actually build things such as spam filters quite easily with VBScript! With Windows Server 2008 and IIS 7.0, however, Microsoft quietly and inexplicably removed it. (Was the reason to boost Exchange Server sales? That's a scary thought!) The company did, however, include the old IIS 6.0 (Windows Server 2003) SMTP module, although installing it from the IIS 7.0 administrative GUI has always eluded me.
That's a different import-module than the one you normally use, but it loads a few cmdlets that let you turn server roles and features on and off. (Get-windowsfeature lets you see what's available and what's currently enabled, and remove-windowsfeature lets you disable roles, role services, and features.)
Now that you have the SMTP server installed, you can secure it from the old Server 2003 IIS Manager. Click Start, All Programs, Administrative Tools, Internet Information Services (IIS) 6.0 Manager to bring that up.
In the resulting IIS Manager window, you'll see an icon of a server with your server's name and (local computer) next to it, with a plus sign alongside it. Click that plus sign, and you'll see an icon that looks like a brownish envelope with speed lines emanating from it. The icon is labeled [SMTP Virtual Server #1].
Right-click that, and choose Properties to access the multi-tabbed [SMTP Virtual Server #1] Properties page. Click the Access tab.
On that tab's page, click Relay to reveal the Relay Restrictions dialog box.
In the Relay Restrictions dialog box, clear the check box labeled Allow all computers which successfully authenticate to relay, regardless of the list above. In that same dialog box, ensure that the Only the list below radio button is clicked (it's the default, so it should already be), and then tell the server to accept requests only from local processes by clicking Add to raise a dialog labeled Computer.
Under Add one of the following to the list, click the Single computer radio button. In the IP address field, fill in 127.0.0.1.
Click OK to close the dialog box, close the Relay Restrictions dialog box, and close the [SMTP Virtual Server #1] Properties dialog box.
I'm hoping that, if I haven't yet demonstrated why I like the command line for administration, this bit of configuration makes the point! Now you can safely run a
send-mailmessage command on that server, being sure to specify -
smtpserver localhost, and you won't be asked to authenticate. Now we're ready to get that report rolling, and we'll do that next month.
