habanagold asked:

SMTP Relay Issues on Exchange 2003 for POP mail clients

Previously I was working with Windows 2003 SMTP mail service and could not get the relay restrictions from external clients to work. (See https://www.experts-exchange.com/questions/21909393/550-5-7-1-Unable-to-relay-error-on-Windows-2003-Server.html)

I now have Exchange 2003 Server running in my test domain and ran into the same exact problem with external clients unable to authenticate for outgoing mail. With a POP3 client set up outside of the network, I would receive an error 550 5.7.1 unable to relay for user@domain.com unless I was sending to someone within my domain.

I have checked the settings on the Exchange server and ensured that the box is checked for allowing "..all computers which successfully authenticate to relay, regardless of the list above" under the Exchange 2003 MMC snap-in for SERVERS|PROTOCOLS|SMTP|DEFAULT SMTP VIRTUAL SERVER|ACCESS. However, this did not resolve the issue until I checked the box "Allow messages to be relayed to these domains" under CONNECTORS|INTERNET MAIL SMTP CONNECTOR (Server)|ADDRESS SPACE.

When I did this, I received the following warning:

"This option is only visible for SMTP connectors. Use this option to allow incoming messages to be relayed through the SMTP connector to the domains whose address spaces are listed on this tab. The default is to block relays, except from those users and computers that are able to authenticate. If your SMTP virtual server is on the Internet, you should leave relaying disabled in order to prevent your server from being used to propagate unsolicited commercial e-mail."

Why can't the POP mail clients relay with the first option? Why do I have to enable the second option on the SMTP connector? Is this right?

I have limitations on my external clients on accessing the Exchange Server. OWA via https works fine, but they have been used to using the Full Outlook client with our existing e-mail provider via POP Mail. I am trying to move us away from the outsourcing of our e-mail with as little client impact as possible which is why I am messing with the POP mail configuration.

I am concerned about opening the server up for unsolicited relay by enabling the option under the SMTP connector. Please advise.

Sembee

If you have the option set on the SMTP Connector about allowing relaying to the domains, and the domain in the list is * then you are an open relay. Change the setting NOW. Otherwise you will be blacklisted and have a lot bigger problems to deal with when the server is found. You may also get kicked off the internet connection by your ISP.

POP3 should be the last protocol used for remote Exchange access. The order of preference is

RPC over HTTPS
OWA
IMAP
POP3

When you configure the clients to authenticate when sending email, what format do you use for the username?

username
domain\username
username@domain

something else?

Simon.

habanagold (ASKER)

O.K. I have turned that off and I suspected as much but my relay problem goes away. However, with this off the problem is back again. External POP clients receive the "550 5.7.1 unable to relay for user@domain.com".

I have used the credentials as username@domain.com, domain\username and when I run the Outlook test it works fine. However, when I try to send mail to someone in another domain, I get the error.

I posted my previous thread on this issue because I ran into the same problem trying to set up Windows 2003 Server mail service. The answer I got on this was that it was unsupported or not designed to function that way. I was told that if I went to Exchange, this would no longer be a problem.

I can't use RPC/HTTP because my production domain is still on W2K SP4 DC's. I wasted time trying to get this to work until I found that out. We don't have the money to upgrade which is why I am trying to get these other services to work.

What is stopping the clients from successfully authenticating to the Exchange Server with POP mail?

The relay probably will return if you turn off that option because you are an open relay - no authentication required. Anyone and their dog can relay off your server. If you worked for me and had set that option you would be looking for another job right now.

The authentication settings don't matter when you are sending to a user on the same domain because you are not relaying. Exchange will accept email for its own domain on an anonymous connection because that is how email is sent around the internet.

I have just read the thread that you posted in the question above. Some of what was posted I agreed with and some I did not. You can bounce email off the Windows SMTP service; you need to create accounts in Windows to use for authentication. I have the SMTP service installed on my web site's dedicated server so that I have a server on the internet that I can bounce email off.

When you are setting up the client you must specify authentication credentials. You cannot simply enable the option to authenticate and use the same credentials as POP3. The credentials are in a different format.

Ensure that on the SMTP virtual server in Exchange that anonymous and basic authentication are set.
Ensure that the option about authenticated relaying is set and you haven't set the server to allow relaying from an IP address.

You can actually test this from a telnet prompt. However it isn't pretty because SMTP authentication uses BASE64.
However this guide shows you what you need to do if you want to test it.
http://www.computerperformance.co.uk/exchange2003/exchange2003_SMTP_Auth_Login.htm

Simon.
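
The AUTH LOGIN telnet test mentioned above, as an added example that is not part of the original thread: it reads the EHLO reply to see whether LOGIN is advertised (a server that does not offer the requested mechanism answers AUTH with a 504 reply), decodes the Base64 `334` prompts, and produces the lines to type. The EHLO replies, host name and credentials are constructed sample values.

```python
import base64

# Constructed sample EHLO replies (not captured from a real server).
EHLO_BASIC_ON = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE\r\n"
                 "250-AUTH GSSAPI NTLM LOGIN\r\n250-AUTH=LOGIN\r\n250 OK")
EHLO_BASIC_OFF = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE\r\n"
                  "250-AUTH GSSAPI NTLM\r\n250 OK")

def auth_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        keyword = line[4:].strip()  # drop the "250-" / "250 " prefix
        # Both "AUTH LOGIN" and the legacy "AUTH=LOGIN" forms are seen.
        if (line.startswith("250") and keyword[:4].upper() == "AUTH"
                and keyword[4:5] in ("", " ", "=")):
            mechs.update(m.upper() for m in keyword[4:].replace("=", " ").split())
    return mechs

def b64(text):
    """Base64-encode one AUTH LOGIN answer (username or password)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def decode_challenge(reply):
    """Decode a '334 <base64>' prompt such as 'Username:' or 'Password:'."""
    code, _, payload = reply.strip().partition(" ")
    if code != "334":
        raise ValueError("not an AUTH challenge: %r" % reply)
    return base64.b64decode(payload).decode("ascii")

def auth_login_lines(ehlo_reply, username, password):
    """Lines to type after EHLO; refuse if the server does not offer LOGIN."""
    offered = auth_mechanisms(ehlo_reply)
    if "LOGIN" not in offered:
        raise LookupError("LOGIN not advertised (offered: %s)" % sorted(offered))
    return ["AUTH LOGIN", b64(username), b64(password)]

if __name__ == "__main__":
    print(decode_challenge("334 VXNlcm5hbWU6"))  # first server prompt
    # Placeholder credentials; try each username format the client might send.
    for line in auth_login_lines(EHLO_BASIC_ON, "EXAMPLE\\testuser", "not-a-real-password"):
        print(line)
```
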
Your suggestions are not very clear so I am doing the best that I can to determine what you mean. According to the point ratings, you seem to be very knowledgeable about this area but I must confess you are probably not a people person. The comment regarding me "looking for another job" was way out of line and uncalled for. In fact it insulted me and I do not wish to have any more help from you unless you preface it with an apology. If you can't do that, I don't want your condescending help.
I am familiar with using telnet to connect and test SMTP. However, in this case, when I type in the verb "auth login" I get the error "504 5.7.4 Unrecognized authentication type". Anyone else care to help?

You turned your server into an open relay. Do you have any idea how serious that is?

Your company could have found itself without any email, no internet access and blacklisted making your email service unusable. Open relays are not acceptable by most ISPs because they are abused by spammers. In case you haven't noticed, the world is in a war against spam. Anyone who has had to deal with a full scale spam onslaught has very little sympathy for anyone who makes changes to their server that causes the spam problems to increase.

If you didn't like my remark, then I apologise. However it was made to make you aware of how serious I consider making a server an open relay.

This is a highly technical topic area. As such, as experts we expect the people posting in the topic area to have some degree of technical knowledge.

This is not a how-to web site and is unsuitable for that task as we cannot post screenshots. Very often you will be pointed at parts of Exchange or articles elsewhere that provide information on setting up parts of Exchange.

Also be aware that I am not sat in front of your server, have no idea on your technical knowledge or experience. Therefore I do not know what you are doing or what you have done to date. As experts we have to take a guess.
If something isn't clear to you then you have to post exactly what is not clear, otherwise we do not know.

Simon.
ASKER CERTIFIED SOLUTION
Sembee

This solution is only available to members.

Possible correction!

I ran into this problem as well.

The above Accepted Solution almost fixed it!  I changed one element and everything works now.

From above, "...Access tab, click on the relay button. It should be set to "Only the list below" and the list below should be blank."

Access tab, Relay button; the list should be blank, but the radio button that worked for us was "All except the list below", rather than "Only the list below".

If Relay is set for "Only the list below", and the list is left blank--NO email gets through as the list has nothing.

Congratulations, you've just made yourself an open relay again.
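
A simplified model of the relay settings discussed in this thread, as an added example that is not part of the original posts and not Exchange's own logic: it shows which combinations let an anonymous outside sender relay to an external domain. The field names, IP addresses and domains are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class RelayConfig:
    local_domains: set                       # domains the server accepts mail for
    list_mode: str = "only"                  # "only" = Only the list below,
                                             # "all_except" = All except the list below
    ip_list: list = field(default_factory=list)   # relay list on the Access tab
    allow_authenticated: bool = True         # "...successfully authenticate to relay"
    # Connector address spaces with "Allow messages to be relayed to these
    # domains" ticked; "*" means every domain.
    connector_relay_domains: set = field(default_factory=set)

def accepts(cfg, client_ip, authenticated, rcpt):
    """Would the server accept RCPT TO:<rcpt> from this client?"""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.local_domains:
        return True                          # local delivery is not relaying
    if authenticated and cfg.allow_authenticated:
        return True                          # authenticated relay
    if "*" in cfg.connector_relay_domains or domain in cfg.connector_relay_domains:
        return True                          # connector relays for anyone
    listed = any(ip_address(client_ip) in ip_network(net) for net in cfg.ip_list)
    return listed if cfg.list_mode == "only" else not listed

def is_open_relay(cfg):
    """True if an anonymous, unlisted sender can reach an external domain."""
    return accepts(cfg, "203.0.113.9", False, "someone@external.example")

if __name__ == "__main__":
    safe = RelayConfig(local_domains={"domain.com"})
    cases = {
        "Only the list below, blank list": safe,
        "All except the list below, blank list":
            RelayConfig(local_domains={"domain.com"}, list_mode="all_except"),
        "Connector relays to *":
            RelayConfig(local_domains={"domain.com"}, connector_relay_domains={"*"}),
    }
    for name, cfg in cases.items():
        print("%-40s open relay: %s" % (name, is_open_relay(cfg)))
```
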