Configure incoming e-mail settings (Windows SharePoint Services)
Applies To: Windows SharePoint Services 3.0
Topic Last Modified: 2009-06-24
In this article:
Install and configure the SMTP service
Configure Active Directory
Configure permissions to the e-mail drop folder
Configure DNS Manager
Configure attachments from Outlook 2003
Configure incoming e-mail settings
Configure incoming e-mail on SharePoint sites
Are attachments missing from e-mail messages that are sent to a SharePoint document library?
Use this procedure to configure the incoming e-mail settings for Windows SharePoint Services 3.0. The features of Windows SharePoint Services 3.0 that use incoming e-mail are not available until these settings are configured.
Before you configure incoming e-mail settings in Windows SharePoint Services 3.0, confirm that:
- You have read the topic Plan incoming e-mail (Windows SharePoint Services).
- One or more servers in your server farm are running the Internet Information Services (IIS) Simple Mail Transfer Protocol (SMTP) service, or you know the name of another server that is running the SMTP service. This server must be configured to accept relayed e-mail from the mail server for the domain.
- One or more servers in your server farm are running the Microsoft SharePoint Directory Management Service, or you know the name of another server that is running the SharePoint Directory Management Web Service.
- The application pool account for the SharePoint Central Administration Web site has the Create, delete, and manage user accounts right to the container in the Active Directory directory service.
- The application pool account for Central Administration, the logon account for the Windows SharePoint Services Timer service, and the application pool accounts for your Web applications have the correct permissions to the e-mail drop folder.
- The domain controller running Active Directory has a Mail Exchanger (MX) entry in DNS Manager for the mail server that you plan to use for incoming e-mail.
Note
All of these configuration steps are described in detail in the following sections.
Install and configure the SMTP service
Incoming e-mail for Windows SharePoint Services 3.0 uses the SMTP service. The SMTP service can be either installed on one or more servers in the farm, or administrators can provide an e-mail drop folder for e-mail forwarded from the service on another server. The drop folder option is not recommended because administrators of the other server can affect the availability of incoming e-mail by changing the configuration of SMTP, and because this requires the additional step of configuring permissions to the e-mail drop folder.
If a drop folder is not used, the SMTP service must be installed on each server that is used to receive and process incoming e-mail. Typically, this includes every front-end Web server in the farm.
Start the Windows SharePoint Services Web Application service
Each server that is running the SMTP service must also be running the Windows SharePoint Services Web Application service. These servers are called front-end Web servers. In many cases, this service will have already been configured.
Important
Membership in the Administrators group of the Central Administration site is required to complete this procedure.
Start the Windows SharePoint Services Web Application service
On the top navigation bar, click Operations.
On the Operations page, in the Topology and Services section, click Services on server.
On the Services on Server page, find Windows SharePoint Services Web Application in the list of services, and click Start.
Install the SMTP service
The SMTP service is a component of IIS. It must be installed on every front-end Web server in the farm that you want to configure for incoming e-mail.
Important
Membership in the Administrators group on the local computer is required to complete this procedure.
Install the SMTP service
In Control Panel, click Add or Remove Programs.
In Add or Remove Programs, click Add/Remove Windows Components.
In the Windows Components Wizard, in the Components box, click Application Server, and then click the Details button.
In the Application Server dialog box, in the Subcomponents of Application Server box, click Internet Information Services (IIS), and then click the Details button.
In the Internet Information Services (IIS) dialog box, select the SMTP Service check box.
Click OK to return to the Application Server dialog box.
Click OK to return to the main page of the Windows Components Wizard.
Click Next.
When Windows has finished installing the SMTP service, on the Completing the Windows Components Wizard page, click Finish.
Configure the SMTP service
After installing the SMTP service, you must configure the service to accept relayed e-mail from the mail server for the domain.
You can decide to accept relayed e-mail from all servers except those you specifically exclude. Alternatively, you can block e-mail from all servers except those you specifically include. You can include servers individually, or in groups by subnet or domain.
Important
Membership in the Administrators group on the local computer is required to complete this procedure.
Configure the SMTP service
Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In IIS Manager, expand the server name that contains the SMTP server that you want to configure.
Right-click the SMTP virtual server that you want to configure, and then click Properties.
On the Access tab, under Access control, click Authentication.
In the Authentication dialog box, under Select acceptable authentication methods for this resource, verify that Anonymous access is selected.
Click OK.
On the Access tab, under Relay restrictions, click Relay.
To enable relaying from any server, under Select which computer may relay through this virtual server, select All except the list below.
To accept relaying from one or more specific servers, follow these steps:
Under Select which computer may relay through this virtual server, select Only the list below.
Click Add, and then add servers one at a time by IP address, or in groups by using a subnet or domain.
Click OK to close the Computer dialog box.
Click OK to close the Relay Restrictions dialog box.
Click OK to close the Properties dialog box.
Add an SMTP connector in Exchange Server
In some scenarios, mail from Microsoft Exchange Server computers might not be automatically relayed to the Windows SharePoint Services 3.0 servers that are running the SMTP service. In these scenarios, administrators of Exchange mail servers can add an SMTP connector so that all mail sent to the Windows SharePoint Services 3.0 domain uses the Windows SharePoint Services 3.0 servers that are running the SMTP service.
For more information about SMTP connectors, see the Help documentation for Exchange Server.
Configure Active Directory
Incoming e-mail uses the Microsoft SharePoint Directory Management Service to connect SharePoint sites to the directory services used by your organization. If you enable the Microsoft SharePoint Directory Management Service, users can create and manage distribution groups from SharePoint sites. SharePoint lists that use e-mail can then be found in directory services, such as the Address Book. You must also select which distribution group requests from SharePoint lists require approval. The Microsoft SharePoint Directory Management Service can be installed on a server in the farm, or you can use a remote Microsoft SharePoint Directory Management Service.
To use the Microsoft SharePoint Directory Management Service on a farm or server, you must configure the Central Administration application pool identity account to have the Create, delete, and manage user accounts right to the container that you specify in Active Directory. The preferred way to do this is by delegating the right to the Central Administration application pool identity account. An Active Directory administrator must set up the organizational unit (OU) and delegate the Create, delete, and manage user accounts right to the container. The advantage of using the Microsoft SharePoint Directory Management Service on a remote farm is that you do not have to delegate rights to the organizational unit for multiple farm service accounts.
If the application pool account for Central Administration is different from the application pool account for the Web application of the list or site that is enabled for e-mail, you must use the application pool account for the Web application when completing the following procedures. You must then delegate additional rights to the Central Administration application pool account.
The following procedures are performed on a domain controller that runs Microsoft Windows Server 2003 SP1 (with DNS Manager) and Microsoft Exchange Server 2003 SP1. In some deployments, these applications might run on multiple servers in the same domain.
Important
Membership in the Domain Administrators group or delegated authority for domain administration is required to complete this procedure.
Create an organizational unit in Active Directory
Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
In Active Directory Users and Computers, right-click the folder for the second-level domain that contains your server farm, point to New, and then click Organizational Unit.
Type the name of the organizational unit, and then click OK.
After creating the organizational unit, we recommend that you delegate the Create, delete, and manage user accounts right to the container.
Important
Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Delegate right to the application pool account
In Active Directory Users and Computers, find the organizational unit that you just created.
Right-click the organizational unit, and then click Delegate control.
On the Welcome page of the Delegation of Control Wizard, click Next.
On the Users and Groups page, click Add, and then type the name of the application pool identity account that the Web application uses.
In the Select Users, Computers, and Groups dialog box, click OK.
On the Users or Groups page of the Delegation of Control Wizard, click Next.
On the Tasks to Delegate page of the Delegation of Control Wizard, select the Create, delete, and manage user accounts check box, and then click Next.
On the last page of the Delegation of Control Wizard, click Finish to exit the wizard.
If you must add permissions for the application pool identity account directly, complete the following procedure.
Important
Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Add permissions for the application pool account
In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
Right-click the organizational unit that you just created, and then click Properties.
In the Properties dialog box, click the Security tab, and then click Advanced.
Click Add, and then type the name of the application pool identity account for the Web application.
Click OK.
In the Permission Entries section, double-click the application pool identity account.
In the Permissions section, under Allow, select the Modify permissions check box.
Click OK to close the Permissions dialog box.
Click OK to close the Properties dialog box.
Click OK to close the Active Directory Users and Computers plug-in.
If you decide instead to use the remote Microsoft SharePoint Directory Management Service, you must know the URL for the Web service. This URL is typically in the following format: http://server:adminport/_vti_bin/SharePointEmailWS.asmx.
Configure Active Directory under atypical circumstances
If you are using the Directory Management Service and the Central Administration application pool uses a different account from the Web application for the list or site on which you want to enable incoming e-mail, you must delegate additional rights to the Central Administration application pool account. If you do not delegate these rights, then you cannot enable incoming e-mail for the list or site.
Note
Before you delegate the following rights to the Central Administration application pool account for the organizational unit, you must delegate rights to the application pool account for the Web application. The procedures for delegating those rights are explained in the previous section.
Administrators must delegate full control of the organizational unit to the Central Administration application pool account. After this delegation is complete, administrators can enable incoming e-mail.
To delegate full control of the organizational unit to the Central Administration application pool account
Important
Membership in the Domain Administrators group or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Delegate full control of the organizational unit to the Central Administration application pool account
Right-click the organizational unit, and then click Delegate control.
In the Delegation of Control wizard, click Next.
Click Add, and then type the name of the application pool account for Central Administration.
Click OK.
Click Next.
On the Tasks to Delegate page of the Delegation of Control wizard, select Create a custom task to delegate, and then click Next.
Select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
In the Permissions section, select Create all Child Objects and Delete all Child Objects.
Click Next.
On the last page of the Delegation of Control wizard, click Finish to exit the wizard.
Delegating full control of the organizational unit to the Central Administration application pool account enables administrators to enable e-mail for a list. Administrators cannot disable e-mail for the list or document library after delegating full control because the Central Administration account tries to delete the contact from the entire organizational unit rather than deleting the contact from the list.
To add the Delete Subtree permission for the Central Administration application pool account
To enable administrators to disable incoming e-mail on a list, you must add the Delete Subtree permission for the Central Administration application pool account.
Important
Membership in the Account Operators group, Domain Administrators group, or the Enterprise Administrators group in Active Directory, or delegated authority for administration, is required to complete this procedure.
Add the Delete Subtree permission for the Central Administration application pool account
In Active Directory Users and Computers, click the View menu, and then click Advanced Features.
Right-click the organizational unit and then click Properties.
In the Properties dialog box, click the Security tab, and then click Advanced.
In the Permission Entries section, double-click the Central Administration application pool account.
In the Permissions section, under Allow, select Delete Subtree.
Click OK to close the Permissions dialog box.
Click OK to close the Properties dialog box.
Click OK to close the Active Directory Users and Computers plug-in.
After adding the permission, you must restart Internet Information Services (IIS) for the farm.
For more information about Active Directory, see the Help documentation for Active Directory.
Configure permissions to the e-mail drop folder
When incoming e-mail settings are set to advanced mode, you must ensure that certain accounts have the correct permissions to the e-mail drop folder.
Configure e-mail drop folder permissions for the logon account for the Windows SharePoint Services Timer service
Ensure that the logon account for the Windows SharePoint Services Timer service has the Modify permission on the e-mail drop folder. If the logon account for the service does not have the Modify permission, e-mail enabled document libraries will receive duplicate e-mail messages.
Important
Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.
Configure e-mail drop folder permissions
In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
On the Security tab, under the Group or user names box, click the Add button.
In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the logon account for the Windows SharePoint Services Timer service, and then click OK.
Note
This account is listed on the Log On tab of the Properties dialog box for the service in the Services console.
In the Permissions for User or Group box, next to Modify, select the Allow check box.
Click OK.
Configure e-mail drop folder permissions for the application pool account for a Web application
If your deployment uses different application pool accounts for Central Administration and one or more Web applications for front-end Web servers, each application account must have permissions to the e-mail drop folder. If the application pool account for the Web application does not have the required permissions, e-mail will not be delivered to document libraries on that Web application.
In most cases, when you configure incoming e-mail settings and select an e-mail drop folder, permissions are added for two worker process groups:
- WSS_Admin_WPG, which includes the application pool account for Central Administration and the logon account for the Windows SharePoint Services Timer service, has Full Control permission.
- WSS_WPG, which includes the application pool accounts for Web applications, has Read & Execute, List Folder Contents, and Read permissions.
In some cases, these groups might not be configured automatically for the e-mail drop folder. For example, if Central Administration is running as the Network Service account, the groups or accounts needed for incoming e-mail will not be added when the e-mail drop folder is created. It is a good idea to check whether these groups have been added automatically to the e-mail drop folder. If the groups have not been added automatically, you can add them or add the specific accounts that are required.
Important
Membership in the Administrators group on the local computer that contains the e-mail drop folder is required to complete this procedure.
Configure e-mail drop folder permissions
In Windows Explorer, right-click the drop folder, click Properties, and then click the Security tab.
On the Security tab, under the Group or user names box, click the Add button.
In the Select Users, Computers, or Groups dialog box, in the Enter objects to select box, type the name of the worker process group or application pool account for the Web application, and then click OK.
Note
This account is listed on the Identity tab of the Properties dialog box for the application pool in IIS.
In the Permissions for User or Group box, next to Modify, select the Allow check box.
Click OK.
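The check recommended above (whether the worker process groups and the Timer service account actually hold their permissions on the drop folder) can be scripted. This is an added example, not part of the original article; the default path and the account name `EXAMPLE\svc-sptimer` are assumptions to replace with your own values.

```powershell
# Added example: read-only check of the drop folder ACL, changes nothing.
# Only direct Allow entries are evaluated. Rights an account receives through
# group membership, and any Deny entries, must be reviewed separately.
function Test-DropFolderAcl {
    param(
        # Assumption: the IIS SMTP default drop directory; pass your own path.
        [string]$DropFolder = 'C:\Inetpub\mailroot\Drop',
        # Hypothetical name for the Timer service logon account.
        [string]$TimerAccount = 'EXAMPLE\svc-sptimer'
    )

    if (-not (Test-Path -Path $DropFolder -PathType Container)) {
        throw "Drop folder not found: $DropFolder"
    }

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Minimum rights per principal, as stated in the article.
    $expected = @(
        @{ Name = 'WSS_Admin_WPG'; Rights = $fsr::FullControl },
        @{ Name = 'WSS_WPG';       Rights = $fsr::ReadAndExecute },
        @{ Name = $TimerAccount;   Rights = $fsr::Modify }
    )

    # Keep Allow entries that apply to the folder itself (skip inherit-only).
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $aces = @((Get-Acl -Path $DropFolder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.PropagationFlags -band $inheritOnly) -eq 0)
    })

    foreach ($e in $expected) {
        # A principal's rights may be split across several entries, so merge them.
        $granted = 0
        foreach ($ace in $aces) {
            $id = $ace.IdentityReference.Value
            # Local groups appear as MACHINE\WSS_WPG, so also compare the leaf name.
            if ($id -eq $e.Name -or $id.Split('\')[-1] -eq $e.Name) {
                $granted = $granted -bor [int]$ace.FileSystemRights
            }
        }
        $need = [int]$e.Rights
        [pscustomobject]@{
            Principal = $e.Name
            Required  = $e.Rights
            Granted   = [Enum]::ToObject($fsr, $granted)
            Ok        = (($granted -band $need) -eq $need)
        }
    }
}

# Usage (constructed values):
# Test-DropFolderAcl -DropFolder 'D:\MailDrop' -TimerAccount 'EXAMPLE\svc-sptimer' |
#     Format-Table -AutoSize
```

A row with `Ok = False` for the Timer account is expected when that account receives its rights only through WSS_Admin_WPG; confirm the group membership before changing the ACL.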
Configure DNS Manager
Incoming mail requires a Mail Exchanger (MX) resource record to be added in DNS Manager for the host or subdomain running Windows SharePoint Services 3.0. This is distinct from any existing MX records in the domain.
Important
Membership in the Administrators group on the local computer is required to complete this procedure.
Add a Mail Exchanger (MX) resource record for the subdomain
In DNS Manager, select the forward lookup zone for the domain that contains the subdomain for Windows SharePoint Services 3.0.
Right-click the zone and then click New Mail Exchanger.
In the Host or domain text box, type the host or subdomain name for Windows SharePoint Services 3.0.
In the Fully qualified domain name (FQDN) of mail server text box, type the fully qualified domain name for the server that is running Windows SharePoint Services 3.0. This is typically in the format subdomain.domain.com.
Click OK.
Configure attachments from Outlook 2003
Attachments to messages sent from Microsoft Outlook 2003 must be encoded in UUEncode or Binhex format to appear separately in e-mail enabled document libraries. Attachments from Outlook 2003 that use different encoding will not be listed, but e-mail messages that contain attachments will be listed.
Configure incoming e-mail settings
Before you can enable incoming e-mail on the server that is running Windows SharePoint Services 3.0, you must have configured the SMTP service on front-end Web servers in the farm and the Active Directory and DNS Manager on the domain controller, or you must know the name of other servers that are running these services.
This procedure configures the settings that are used for incoming e-mail. You can also configure options for safe e-mail servers and the incoming e-mail display address.
Important
Membership in the Administrators group of the Central Administration site is required to complete this procedure.
Configure incoming e-mail settings
On the top navigation bar, click Operations.
On the Operations page, in the Topology and Services section, click Incoming e-mail settings.
If you want to enable sites on this server to receive e-mail, on the Incoming E-mail Settings page, in the Enable Incoming E-Mail section, click Yes.
Select either the Automatic or the Advanced settings mode.
If you select Advanced, you can specify a drop folder instead of using an SMTP server.
If you want to connect to the Microsoft SharePoint Directory Management Service, in the Directory Management Service section, click Yes.
In the Active Directory container where new distribution groups and contacts will be created box, type the name of the container in the format OU=ContainerName, DC=domain, DC=com, where ContainerName is the name of the organizational unit in Active Directory, domain is the second-level domain, and com is the top-level domain.
Note
The Central Administration application pool account must be delegated the Create, delete, and manage user accounts task for the container. Access is configured in the properties for the organizational unit in Active Directory.
In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager.
To accept only messages from authenticated users, click Yes for Accept messages from authenticated users only. Otherwise, click No.
To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
Under Distribution group request approval settings, select the actions that will require approval. Actions include the following:
- Create new distribution group
- Change distribution group e-mail address
- Change distribution group title and description
- Delete distribution group
If you want to use a remote SharePoint Directory Management Web Service, select Use remote.
In the Directory Management Service URL box, type the URL of the Microsoft SharePoint Directory Management Service that you want to use.
In the SMTP mail server for incoming mail box, type the name of the SMTP mail server. The server name must match the fully qualified domain name in the MX entry for the mail server in DNS Manager on the domain server.
To accept messages from authenticated users only, click Yes for Accept messages from authenticated users only. Otherwise, click No.
To allow creation of distribution groups from SharePoint sites, click Yes for Allow creation of distribution groups from SharePoint sites. Otherwise, click No.
If you do not want to use the Microsoft SharePoint Directory Management Service, click No.
In the Incoming E-Mail Server Display Address section, type a display name for the e-mail server (for example, mail.fabrikam.com) in the E-mail server display address box.
Tip
You can specify the e-mail server address that is displayed when users create an incoming e-mail address for a list or group. Use this setting together with the Microsoft SharePoint Directory Management Service to provide an e-mail server address that is more user-friendly.
In the Safe E-Mail Servers section, select one of the following options:
- Accept mail from all e-mail servers
- Accept mail from these safe e-mail servers. If you select this option, type the IP addresses (one per line) of the e-mail servers that you want to specify as safe in the corresponding box.
In the E-mail Drop Folder section, in the E-mail drop folder box, type the name of the folder in which Microsoft Windows SharePoint Services polls for incoming e-mail from the SMTP service.
This option is available only if you selected advanced mode.
Click OK.
Configuring incoming e-mail on SharePoint sites
After configuring incoming e-mail settings, site administrators can configure e-mail enabled lists and document libraries. For more information about e-mail enabled document libraries, see Enable and configure e-mail support for a list or library (https://go.microsoft.com/fwlink/?LinkId=120164&clcid=0x409).
Contact addresses created for these document libraries appear automatically in Active Directory Users and Computers under the organizational unit for Windows SharePoint Services 3.0, and must be managed by the administrator of Active Directory. The Active Directory administrator can add more e-mail addresses for each contact. For more information about how to manage contacts in Active Directory, see the Help documentation for Active Directory.
Alternatively, the Exchange Server can be configured by adding a new Exchange Server Global recipient policy to automatically add external addresses that use the second-level domain name and not the subdomain or host for Windows SharePoint Services 3.0. For more information about how to manage Exchange Server, see the Help documentation for Exchange Server.
Are attachments missing from e-mail messages that are sent to a SharePoint document library?
If attachments are missing from e-mail messages that are sent to a Windows SharePoint Services 3.0 document library, it might be because you have associated the document library with an e-mail address. When you do this, Directory Management Service may not add the following two attributes:
- internetEncoding = 1310720
- mAPIRecipient = false
You must use Active Directory Service Interfaces (ADSI) to manually add these two missing attributes.
Note
On the Windows Server 2003 product CD, ADSI Edit is included in Windows Support Tools. To install Support Tools for Windows Server 2003, use the Suptools.msi program that is located in the Support\Tools folder. To install Support Tools for Microsoft Windows 2000 Server, use the Setup.exe program that is located in the Support\Tools folder.
Add attributes by using the ADSI tool
Click Start, and then click Run.
In the Run dialog box, type Adsiedit.msc, and then click OK.
In the ADSI Edit window, expand ADSI Edit, expand Domain [DomainName], expand DC=DomainName, DC=com, and then expand CN=Users.
Right-click the user name to which you want to add the missing attributes, and then click Properties.
In the Properties dialog box, double-click internetEncoding on the Attribute Editor tab.
In the Integer Attribute Editor dialog box, type 1310720 in the Value box, and then click OK.
In the Properties dialog box, double-click mAPIRecipient on the Attribute Editor tab.
In the Boolean Attribute Editor dialog box, click False, and then click OK twice.
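To find which objects need the ADSI Edit procedure above, the directory can be queried for entries that lack the two attribute values. This is an added example, not part of the original article; it searches contact objects because the article states that library addresses are created as contacts in the organizational unit, and the distinguished name in the usage comment is a constructed placeholder.

```powershell
# Added example: read-only audit, makes no changes to the directory.
function Find-ContactMissingMailAttribute {
    param(
        # Use the container configured on the Incoming E-Mail Settings page.
        [Parameter(Mandatory = $true)]
        [string]$SearchBase
    )

    # Match contacts where either attribute is absent or holds another value.
    # 1310720 and FALSE are the values given in the article.
    $filter = '(&(objectClass=contact)' +
              '(|(!(internetEncoding=1310720))(!(mAPIRecipient=FALSE))))'

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500   # page through large containers instead of truncating
    foreach ($name in 'distinguishedName', 'mail', 'internetEncoding', 'mAPIRecipient') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # A property that is not set comes back as an empty collection.
            $mail = $r.Properties['mail']
            $enc  = $r.Properties['internetencoding']
            $mapi = $r.Properties['mapirecipient']
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                Mail              = if ($mail.Count) { [string]$mail[0] } else { $null }
                InternetEncoding  = if ($enc.Count)  { $enc[0] }  else { '<not set>' }
                MapiRecipient     = if ($mapi.Count) { $mapi[0] } else { '<not set>' }
            }
        }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

# Usage (constructed distinguished name):
# Find-ContactMissingMailAttribute -SearchBase 'OU=SharePointContacts,DC=example,DC=com' |
#     Format-Table -AutoSize
```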