samprav

asked on

Enabling Mail server access Behind PIX

Hello All

I have an ADSL line with a fixed IP address and we have a domain name XXXX.com. I have hosted an Exchange mail server behind a PIX 515E firewall. This mail server is collecting the mail from the domain.

Everything is working fine and I am also able to send and receive mail from my LAN users to the internet and vice versa. The problem I started facing is when my users want to check their mail while they are on the move outside. They want to check their email with Outlook Express as the mail client, with the incoming and outgoing server configured as "XXXX.com".

They are able to ping the domain from outside, which resolves to the global IP address we have. I can even receive mail in Outlook (when I am on the move), but when I try to send mail to an outside user (if I send mail to an internal user it works fine, which means there is something I need to check on the PIX, I believe) I get an error message which says that relaying is denied through the SMTP server.

What configuration do I need to check on the PIX to enable sending mail from outside to external users?

Can somebody help?

Regards

Samir.
ASKER CERTIFIED SOLUTION
Marakush

This solution is only available to members.

Les Moore
>relaying is denied through the SMTP server
This is the key. There is nothing wrong with your PIX config if you can send/receive email to the world.
This is a function of the Exchange server. It is set up to only accept mail from inside LAN IPs.

You might want to cross-post this question in the Exchange server Topic Area.
Hi samprav,

Firstly, you will need to allow port 25 to be forwarded on to your Exchange server.  From the above, it sounds like you've done that.

By default, Exchange is configured not to allow SMTP relay (and a jolly good thing it is too).  You need to change that, BUT you must make sure that you require authentication from the clients when you do that.

Otherwise your server will become an open relay, and that's a bad thing.

There's an article at http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm that explains how to PREVENT SMTP relay.
You allow it by following much the same instructions. To summarise it:

Start Exchange System Manager.

Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to ALLOW mail relay, and then expand the Protocols node.

Expand the SMTP node, right-click the virtual SMTP server on which you want to ALLOW mail relay, and then click Properties.

Click the Access tab, and then click Authentication.

Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.

If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000 SMTP server. This setting disables inbound authentication. **************  THIS IS IMPORTANT **************

If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

Click Relay.

In the Relay Restriction dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

Click Cancel if you do not want to make any changes.

In the Relay Restrictions dialog box, click OK.

Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.


You will then need to ensure that all of your clients outside the network use SMTP authentication when connecting to the server.
You can find out how to do this at http://support.microsoft.com/?kbid=310884

Does that help?

If you are running Exchange and using Exchange Mailboxes, Outlook Express is not your answer as it is a POP3 client.  Configuring that would download the mail to their PC and while you can have it remain on the server, any sent mail, etc., will not be updated nor would you be able to utilize the extra functionality that Exchange offers.

Have you tried OWA???  Just enable Port 80 on your firewall and Protocol 47 (GRE) and shoot it to the IP of the Mail server.    Your clients can logon at http:\\xxx.domain\exchange and get their mail from anywhere on the Internet.

The issue you are having now is your Exchange server sees these outside clients as trying to relay mail.  scampgb does a good job of how to configure this area.

Good Luck
Steve
sriwi

Read this article, it will help you configure your exchange properly:

http://www.msexchange.org/tutorials/MF005.html


When you are on the move and using Outlook, if you are connecting to your company through VPN and Exchange, you shouldn't have that problem. If you use the POP3 service, then what is the SMTP server that you are using? It should be using the ISP SMTP server that you are connecting to (which looks like the problem that you have at the moment).

And also, what is the default sender profile on your laptop?

cheers

samprav

ASKER

Thanks for the support.

I disabled fixup protocol smtp 25 and now it's working fine. But how can I have the Mail Guard feature enabled along with SMTP relaying? Because Mail Guard can add more security for my network.

regards

Samir.
samprav,

Sorry... That's the only workaround I know about with Exchange and the PIX. Maybe post this under security with the original message, my message and your last comment. Someone else might have another workaround for you.

Marakush
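
The relay decision discussed across this thread, as an added example (a simplified model written for this page, not code from any poster, from Exchange or from the PIX). The domain, addresses, relay list and all function names are constructed; the assumption that the PIX SMTP fixup (Mail Guard) passes only the basic SMTP commands, so a client's AUTH never reaches the server, is not stated in the thread.

```python
"""Simplified model of the SMTP relay decision described in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"xxxx.com"}                 # constructed: domain hosted on the server
RELAY_LIST = [ip_network("192.168.1.0/24")]  # constructed: "Only the list below" entries
# Assumption: with "fixup protocol smtp 25" on, only these commands are passed
# through to the server, so EHLO and AUTH are never seen by Exchange.
MAILGUARD_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass
class Session:
    client_ip: str
    recipient: str
    has_credentials: bool     # mail client is set up for SMTP authentication
    fixup_smtp: bool = False  # PIX SMTP fixup (Mail Guard) enabled


def can_authenticate(s: Session, anonymous_only: bool) -> bool:
    """AUTH works only if the server offers it and the command gets through."""
    if anonymous_only or not s.has_credentials:
        return False
    return not s.fixup_smtp or "AUTH" in MAILGUARD_COMMANDS


def decide(s: Session, anonymous_only: bool = False,
           allow_authenticated_relay: bool = True) -> str:
    """Return the server's verdict for one message from one client."""
    domain = s.recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept: local delivery"  # mail for a hosted mailbox is not relaying
    if any(ip_address(s.client_ip) in net for net in RELAY_LIST):
        return "accept: relay, client on relay list"
    if allow_authenticated_relay and can_authenticate(s, anonymous_only):
        return "accept: relay, authenticated"
    return "reject: relaying denied"


if __name__ == "__main__":
    roaming = "203.0.113.9"  # constructed outside address (documentation range)
    for sess in (Session(roaming, "user@xxxx.com", False),
                 Session(roaming, "friend@example.org", False),
                 Session(roaming, "friend@example.org", True),
                 Session(roaming, "friend@example.org", True, fixup_smtp=True)):
        print(sess, "->", decide(sess))
```

The second case is the asker's original symptom (internal recipients work, external ones are refused), and the fourth shows why authenticated relay and the SMTP fixup conflict under the stated assumption.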