Answer
Installing on an email gateway or relay/perimeter server
GFI MailEssentials can be installed:
- On a perimeter server (e.g. in a DMZ)
- As a mail relay server between the perimeter (gateway) SMTP server and the recipients’ inboxes.
Both setups enable you to reduce unnecessary email traffic by using your Active Directory resources (at a perimeter/gateway server level) to drop connections for non-existent email recipients in incoming email. This helps counter spamming techniques such as Directory Harvest Attacks (a brute force type of attack used by spammers to find valid/existent e-mail addresses at a domain). This structure stops the majority of Spam from arriving at your Microsoft Exchange server.
Upgrades from earlier versions
If you are currently using a previous version of GFI MailEssentials (versions 9, 10, 11, 12 and 14), you can upgrade your current installation while retaining all your existing configuration settings.
Important notes
- Upgrades cannot be undone i.e. you cannot downgrade to an earlier version once you have installed the latest version.
- On upgrading an existing installation, licensing reverts to the trial version and a new, fully purchased license key for GFI MailEssentials 2010 is required. For more information on new license keys, refer to: http://customers.gfi.com.
- You cannot change the installation path during GFI MailEssentials upgrades.
- When upgrading from GFI MailEssentials 9, the current Bayesian weights file will be upgraded to the new format used in GFI MailEssentials 10 or later. The new format is more compact and uses less memory. NO DATA WILL BE LOST.
Upgrade procedure
- Launch GFI MailEssentials installation on the server where your earlier version of GFI MailEssentials is installed.
- Click Yes to start the upgrade process and follow the on-screen instructions. For assistance refer to the New installations section below.
New installations
Important notes
- During installation, GFI MailEssentials restarts Microsoft Exchange Server services. This is required to allow GFI MailEssentials components to be registered and started.
- Before starting installation, close any running Windows applications.
- When installing GFI MailEssentials on a DMZ, we recommend you use LDAP lookups to get the list of email users (required for user-based configuration/rules e.g. disclaimers) from your SMTP server. The AD of a DMZ usually will NOT include all the network users (email recipients).
Pre-install actions
GFI MailEssentials uses the IIS SMTP service as its SMTP Server and therefore the IIS SMTP service must be configured to act as a mail relay server. This is achieved as follows:
Step 1: Enable IIS SMTP Service
Windows Server 2003
- Go to Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
- Select Internet Information Services (IIS) and click Details
- Select the SMTP Service option and click OK
- Click Next to finalize your configuration
Windows Server 2008
- Launch the Windows Server Manager
- Navigate to the Features node and select Add Features
- From the Add Features Wizard select the SMTP Server checkbox
- NOTE: The SMTP Server feature might require the installation of additional role services and features. Click Add Required Role Services to proceed with installation.
- In the following screens click Next to configure any required role services and features, and click Install to start the installation
- Click Close to finalize the configuration
Step 2: Create SMTP domain(s) for email relaying
- Go to Start > Control Panel > Administrative Tools
- Click on Internet Information Services (IIS) Manager
- In the left pane, expand the respective server node. Right click on Default SMTP Virtual Server and select Properties
- Select the IP address currently assigned to your SMTP server and click OK
- Expand the Default SMTP Virtual Server node
- Right click Domains and select New > Domain
- Select the Remote option and click Next
- Specify domain name (e.g. test.gfi.com) and click Finish
Step 3: Enable email relaying to the Microsoft Exchange server:
- Right click on the new domain (e.g. test.gfi.com) and select Properties
- Select the Allow the Incoming Mail to be Relayed to this Domain checkbox
- Select the Forward all mail to smart host option and specify the IP address of the server managing emails in this domain. The IP address must be enclosed in square brackets, e.g. [123.123.123.123], so that it is excluded from all DNS lookup attempts
- Click OK to finalize the configuration
Step 4: Secure the SMTP email-relay server
If unsecured, the mail relay server can be exploited and used as an open relay for spam. To prevent this, it is recommended to specifically define which mail servers can route emails through this mail relay server (i.e. allow only specific servers to use this email relaying setup). To achieve this:
- Go to Start > Control Panel > Administrative Tools
- Click on Internet Information Services (IIS) Manager
- In the left pane, expand the respective server node. Right click on Default SMTP Virtual Server and select Properties
- Click on the Access tab and select Relay
- Select the Only the list below option and click Add
- Specify IP(s) of the mail server(s) that are allowed to route emails through this mail relay server:
  - Single computer - i.e. Authorize one specific machine to relay email through this server. Use the DNS Lookup button to lookup an IP address for a specific host.
  - Group of computers - i.e. Authorize specific computer(s) to relay emails through this server.
  - Domain - Allow all computers in a specific domain to relay emails through this server.
NOTE: The Domain option adds a processing overhead that can degrade SMTP service performance. This is due to the reverse DNS lookup processes triggered on all IP addresses (within that domain) that try to route emails through this relay server.
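One way to confirm the relay restriction configured in Step 4, as an added example that is not part of the original article or of GFI's tooling: run it against your own relay from a machine that is not on the relay list. The probe addresses are placeholder assumptions, and the dialogue stops after RCPT TO, so no message is sent.

```python
import smtplib

# Placeholder probe addresses (assumptions): both domains must be ones the
# relay is NOT configured to accept or forward mail for.
PROBE_FROM = "relay-check@example.org"
PROBE_TO = "relay-check@example.net"


def classify(mail_code, rcpt_code):
    """Turn the MAIL FROM and RCPT TO reply codes into a verdict."""
    if mail_code // 100 != 2:
        return "sender-refused"      # rejected before a recipient was named
    if rcpt_code // 100 == 2:
        return "relay-accepted"      # foreign recipient accepted from this host
    if rcpt_code // 100 == 5:
        return "relay-denied"        # e.g. 550 5.7.1 Unable to relay
    return "inconclusive"            # 4xx temporary failure: repeat the check later


def probe(host, port=25, timeout=10):
    """Run HELO/EHLO, MAIL FROM and RCPT TO against your own relay, then RSET.

    Run it from a machine that is not in the 'Only the list below' relay
    list. No DATA command is issued, so no message is queued.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        mail_code, _ = smtp.mail(PROBE_FROM)
        rcpt_code = smtp.rcpt(PROBE_TO)[0] if mail_code // 100 == 2 else 0
        smtp.rset()
        return classify(mail_code, rcpt_code)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A result of relay-denied from an unlisted host is the expected outcome; relay-accepted from such a host means the relay list needs to be tightened.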
Step 5: Enable the Microsoft Exchange Server to route emails via mail relay server/GFI MailEssentials
Forwarding email to GFI MailEssentials machine
- Launch Exchange System Manager
- Right click the Connectors node and select New > SMTP Connector
- Select the Forward all mail through this connector to the following smart host option, and specify the IP of your mail relay server within square brackets (i.e. the IP of the machine on which GFI MailEssentials is installed) e.g. [123.123.1.123]
- Click Add and select the virtual SMTP Server (i.e. the email relay server on which GFI MailEssentials is running)
- Click on the Address Space tab then click Add
- Select SMTP and click OK
- Click OK to finalize the configuration. All emails will now be forwarded to the GFI MailEssentials server.
Step 6: Update the domain MX record to point to mail relay server
Update the MX record of the domain to point to the IP of the new mail relay server. If the DNS server is managed by your ISP, ask your ISP to update the MX record for you. If the MX record is not updated, all emails will be routed directly to your email server and will bypass the GFI MailEssentials anti-spam filters. Verify that the MX record has been successfully updated.
To verify whether the MX record is updated do as follows:
- Click Start > Run and type: cmd
- From the command prompt type in: nslookup
- Type in: set type=mx
- Specify your mail domain name
The MX record should return the IP addresses of the mail relay servers.
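The check above can be automated by parsing the nslookup output; this is an added example, not part of the original article. It goes slightly beyond the manual step by auditing every MX record, because a leftover lower-priority record that still points at the mail server also bypasses the filter. The sample output, host names and addresses are constructed placeholders, and the Windows nslookup output format is assumed.

```python
import re

# Constructed sample of Windows nslookup output after "set type=mx";
# names and addresses are placeholders, not values from the article.
SAMPLE = """\
Non-authoritative answer:
example.com\tMX preference = 10, mail exchanger = relay.example.com
example.com\tMX preference = 20, mail exchanger = exchange.example.com

relay.example.com\tinternet address = 192.0.2.25
exchange.example.com\tinternet address = 192.0.2.80
"""

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)", re.M)


def audit_mx(output, relay_ips):
    """Return (preference, host, ips) for each MX that is not confirmed
    to resolve only to the mail relay server addresses in relay_ips."""
    addrs = {}
    for host, ip in A_RE.findall(output):
        addrs.setdefault(host.lower().rstrip("."), set()).add(ip)
    mx = [(int(p), h.lower().rstrip(".")) for p, h in MX_RE.findall(output)]
    if not mx:
        raise ValueError("no MX records found in nslookup output")
    bypass = []
    for pref, host in sorted(mx):
        ips = addrs.get(host, set())
        # An MX with no address in the output is reported as well,
        # because it cannot be confirmed to be the relay.
        if not ips or not ips <= set(relay_ips):
            bypass.append((pref, host, sorted(ips)))
    return bypass


if __name__ == "__main__":
    for pref, host, ips in audit_mx(SAMPLE, {"192.0.2.25"}):
        print(f"MX {pref} {host} {ips} does not point at the mail relay")
```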
Step 7: Test the new mail relay server
Before proceeding to install GFI MailEssentials, verify that the new mail relay server is working correctly by performing the following:
Test IIS SMTP inbound connection via test email
- Send an email from an external account (e.g. Gmail) to an internal email address/user
- Ensure that the intended recipient received the test email in the respective email client
Test IIS SMTP outbound connection via test email
- Send an email from an internal email account to an external account (e.g. Gmail)
- Ensure that the intended recipient/external user received the test email
NOTE: Telnet can also be used to manually send the test email and obtain more troubleshooting information. For more information refer to: http://support.microsoft.com/support/kb/articles/Q153/1/19.asp
Installation procedure
- Log on to the Microsoft Exchange Server machine using administrator credentials
- Double click mailessentials2010.exe (32-bit install) or mailessentials2010_x64.exe (64-bit install) accordingly
- Select the preferred install language and click Next
- Select whether to check for newer versions/builds of GFI MailEssentials and click Next
- Read the licensing agreement. To proceed with the installation select I accept the license agreement and click Next
- Click Next to install into the default location or click Browse to change path
- Specify user details and enter license key. Click Next to continue
- Specify the email address where notifications (e.g. failed anti spam filters, spam digests) are to be sent
- Specify whether GFI MailEssentials will get the list of email users (required for user-based configuration/rules e.g. disclaimers) from Active Directory or SMTP server. Click Next to continue.
- If Microsoft Message Queuing Services (MSMQ) is not installed then the dialog in the above screenshot will open. Select Yes to install MSMQ. Click Next to continue.
- Click Finish to finalize your installation. On completion, setup will:
  - Prompt to restart the SMTP service.
    IMPORTANT: Failing to restart the SMTP service will negatively affect anti spam filtering and email flow.
  - Check whether Microsoft XML engine is installed. This is automatically installed if not found on UK/US English OS. For other OS languages, this has to be manually downloaded and installed. Microsoft XML engine can be downloaded from: http://www.microsoft.com/downloads/details.aspx?FamilyId=3144B72B-B4F2-46DA-B4B6-C5D7485F2B42&displaylang=en
- For new installations, setup will launch the Post-Installation Wizard.
Post-Installation Wizard
- Click Next in the welcome page
- In the DNS Server dialog, select:
  - Use the same DNS server used by this server - Select this option to use the same DNS server that is used by the operating system where GFI MailEssentials is installed.
  - Use an alternate DNS server - Select this option to specify a custom DNS server IP address.
- Click Test DNS Server to test connection with the specified DNS server. If test is unsuccessful, specify another DNS server. Click Next to continue.
- In the Internet Connectivity Settings dialog, specify how the server where GFI MailEssentials is installed connects to the internet. If the server connects through a proxy server, click Configure proxy server... and specify proxy settings. Click Next to continue.
- In the Inbound email domains dialog specify all the domains to filter for spam. Any local domains that are not specified in this list will not be filtered for spam. Click Next to continue.
- NOTE: When adding domains, select Obtain domain’s MX records and include in perimeter servers list to retrieve the domain’s MX records and automatically add them to the perimeter SMTP servers list (configured in the next step).
- In the SMTP Servers dialog, specify how the server receives external emails. If emails are routed through other servers before they are forwarded to the GFI MailEssentials server, add the IP address of the other servers in the list. For more information about perimeter SMTP servers refer to:
When using hosted email security products GFI MAX MailProtection or GFI MAX MailEdge, enable checkbox Emails are also filtered by…. For more information refer to:
http://www.gfi.com/support/products/gfi-mailessentials/KBID003180
Click Next to continue.
- In the Default anti-spam action dialog, select the default action to be taken when emails are detected as spam. Click Next to continue.
- Click Finish to finalize the installation.
Priyanka Bhotika