Scenario
- An older custom SMTP service only accepts unencrypted SMTP connections and does not support TLS.
- A solution is required to receive emails over TLS using IIS SMTP Service and relay them to the custom SMTP service without encryption.
- The goal must be achieved on a single virtual machine.

Environment Setup
Install two network interfaces on a single Windows Server with the following IP addresses:
- Network Interface 1: 10.11.11.11 (physical NIC)
- Network Interface 2: 10.22.22.22 (Description: Microsoft KM-TEST Loopback Adapter)

Task Plan
- Configure an SMTP service bound to 10.11.11.11 with a certificate to accept incoming emails over TLS.
- After receiving emails, relay them unencrypted to the custom SMTP service bound to 10.22.22.22, which only accepts non-TLS SMTP connections.

Issues
- IIS SMTP Service by default binds to 0.0.0.0:25. Even if an IP address is specified in the Virtual Server settings, it still binds to 0.0.0.0:25, preventing the custom SMTP service from binding to TCP port 25.
- The custom SMTP service by default binds to 0.0.0.0:25 and does not provide any configuration option to bind to a specific IP.

Explanation
Although IIS SMTP is configured to use IP 10.11.11.11, inetinfo.exe still shows it listening on 0.0.0.0:25. This is typically caused by the Socket Pooling mechanism in IIS 6 SMTP.
Even if a specific IP is selected in the SMTP Virtual Server interface, if Socket Pooling is not disabled, inetinfo.exe will bind to all interfaces using the wildcard address.

Solution
- Disable Socket Pooling in IIS SMTP so that it only binds to the specified IP.
- Ensure the SMTP Virtual Server IP is set to 10.11.11.11:
  → Open IIS 6.0 Manager → SMTP Virtual Server #1 (if multiple virtual servers exist, note its metabase ID, usually 1).
  → Right-click Properties → General → IP address, select 10.11.11.11.
- Disable Socket Pooling using adsutil.vbs (important step):
  → Open Command Prompt as Administrator and run:
    cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set /SmtpSvc/1/DisableSocketPooling true
  → Here, 1 is the metabase ID.
  → If multiple SMTP virtual servers exist, set DisableSocketPooling=true for each and ensure their IP addresses do not overlap.
- Verify the setting:
    cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs get /SmtpSvc/1/DisableSocketPooling
- Service startup order: start the custom SMTP service first, then start IIS SMTP Service (set to Automatic - Delayed Start). The custom service must take the wildcard 0.0.0.0:25 binding before IIS SMTP adds its more specific 10.11.11.11:25 listener; started the other way round, the custom service would find port 25 already taken on the address it needs.
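After both services have been restarted, the binding layout is easy to get wrong silently (Socket Pooling still active, or the services started in the wrong order), so it is worth checking from the command line rather than trusting the IIS Manager dialog. The following PowerShell script is added here as an example and is not part of the original post. It assumes the metabase ID 1 and the adsutil.vbs path given above, that inetinfo.exe is the IIS SMTP process as the post states, and the IP plan above (IIS SMTP on 10.11.11.11:25, the custom service on the wildcard 0.0.0.0:25). It reads DisableSocketPooling back from the metabase, lists every TCP port 25 listener with its owning process via netstat, and warns on the two failure modes described in the post.

```powershell
# Added verification script, not from the original post.
# Assumes: metabase ID 1 and the adsutil.vbs path from the post, inetinfo.exe as the
# IIS SMTP process, and the IP plan from the post (IIS SMTP on 10.11.11.11:25,
# the custom SMTP service on 0.0.0.0:25). Run in an elevated PowerShell after
# both services have been (re)started.
param(
    [string]$IisSmtpIp  = '10.11.11.11',
    [int]   $MetabaseId = 1
)

$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

# 1. Read DisableSocketPooling back from the metabase. adsutil prints the value
#    as text, so a simple match on "True" is enough for a pass/fail decision.
$raw = (cscript //nologo $adsutil get "/SmtpSvc/$MetabaseId/DisableSocketPooling" 2>&1) -join "`n"
if ($raw -match '(?i)\bTrue\b') {
    Write-Host "DisableSocketPooling is True for /SmtpSvc/$MetabaseId"
} else {
    Write-Warning "DisableSocketPooling is not True for /SmtpSvc/$MetabaseId :`n$raw"
}

# 2. List every TCP listener on port 25 together with the owning process.
#    netstat -ano is used instead of Get-NetTCPConnection so the check also
#    works on older servers that still ship the IIS 6 SMTP service.
$listeners = netstat -ano -p TCP | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):25\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $ownerPid = [int]$Matches[2]   # $pid itself is a read-only automatic variable
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name     = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        [pscustomobject]@{ Address = $Matches[1]; PID = $ownerPid; Process = $name }
    }
}
$listeners | Format-Table -AutoSize | Out-String | Write-Host

# 3. inetinfo must own the specific IP and must not own the wildcard address.
$inetAddrs = @($listeners | Where-Object { $_.Process -eq 'inetinfo' } |
               Select-Object -ExpandProperty Address)
if ($inetAddrs -contains '0.0.0.0') {
    Write-Warning 'inetinfo.exe still listens on 0.0.0.0:25 - Socket Pooling is still in effect or the SMTP service has not been restarted.'
} elseif ($inetAddrs -contains $IisSmtpIp) {
    Write-Host "inetinfo.exe listens on ${IisSmtpIp}:25 only, as intended."
} else {
    Write-Warning 'inetinfo.exe is not listening on port 25; check that the SMTP virtual server is started.'
}

# 4. The custom service can only bind 0.0.0.0:25, so that socket must exist and
#    must not belong to inetinfo.
$wildcardOwners = @($listeners | Where-Object { $_.Address -eq '0.0.0.0' } |
                    Select-Object -ExpandProperty Process)
if ($wildcardOwners.Count -eq 0) {
    Write-Warning 'Nothing listens on 0.0.0.0:25 - the custom SMTP service may not be running, or it started after IIS SMTP and failed to bind.'
} else {
    Write-Host "0.0.0.0:25 is held by: $($wildcardOwners -join ', ')"
}
```

Save it under any name (for example Check-SmtpBinding.ps1, a hypothetical file name) and run it once after each reboot until the startup order is confirmed stable. The delayed start mentioned in the post can be set with `sc.exe config SMTPSVC start= delayed-auto`, assuming SMTPSVC is the service name of the IIS SMTP Service on the host.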