Solved

Mail not Relaying for registered users

Posted on 2001-08-26
752 Views
Last Modified: 2008-03-10
Prior Question
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=exchangesvr&qid=20132374

Our environment

Mail Server
OS: NT 4.0
SP: SP 5
Mail: Exchange Server 5.5
SP: SP 3

Firewall
OS: NT 4.0
FW: Checkpoint Firewall-1

The Exchange Server sits on the inside LAN and has a NAT address, which is a legal IP on the Internet side.

The Problem

On the Exchange server we stopped mail spamming long back and have stopped email relay for all except those belonging to our ISP (omantel.net.om), our two internal domains (mbpetroleum.co.om and petrogas.com.om) and mail for our .com site (mbpetroleum.com).

When a user @mbpetroleum.co.om connects to the SMTP service of the Exchange server and needs to send mail to anyone other than those mentioned above, the user gets a "mail relay not possible" error 551.


My thoughts
When a user is connected from the Internet and authenticated [simply the POP password], the user should be able to send mail to anyone on the Internet. What happens is that the mail is simply rejected and dropped.


The issue needs to be resolved as our staff are getting very mobile and this has become a pain for them as well as for me.
0
Question by:johnpjohn
23 Comments
 
LVL 55

Expert Comment

by:andyalder
ID: 6432096
The POP3 authentication is totally separate from the authentication needed for SMTP relaying (under the relaying options of the Internet Mail Service).

Telnet to your server and type EHLO; you will notice:

250-mailserver.myfirm.co.uk Hello
250-XEXCH50
250-HELP
250-ETRN
250-DSN
250-SIZE 0
250-AUTH LOGIN
250 AUTH=LOGIN        

Now telnet from outside the firewall and see if you get AUTH LOGIN and AUTH=LOGIN as options. If not, the SMTP client has no way to authenticate to the (E)SMTP server. The firewall knows to pass POP3 authentication through to the server but does not understand ESMTP auth. One option is to disable the SMTP service on the firewall and enable a generic/transparent proxy on port 25 instead. Not sure if Firewall-1 allows this.

Another option is to set the client's SMTP server to be the ISP's server rather than your own; I've had to do that a few times in the past. (The POP3 server stays as your Exchange box.)

The final option is to buy the Firewall-1 VPN software so the clients tunnel into the LAN from the Internet; then they can use any protocol they want, so even Outlook/MAPI and NetBIOS shares.

I see your MX record has changed and is now your ISP's server, will they be prepared to relay for your clients?
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6432181
Andy, could you telnet from your end to 212.72.7.150 and just check.

What we have done at our end is as follows:

1. Disabled the firewall security rule for SMTP; the only rule in regards to SMTP mail is for the CVP scanner
2. At the IMS, set "authenticate" on the Connections page
3. On the Routing page, added the "authenticate by user" option

0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6432199
I just checked my MX records; they still point to my servers.
Our ISP's address is 206.49.101.6
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6432298
I looked up the MX of mbpetroleum.com rather than .co.om. Will telnet from home in about 4 hours as the firewall at work won't let me out on port 25.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6432332
Andy, I had tried sending mails from Hotmail to the server and they have still not arrived, nor is there an NDR.

Reckon you could send me mail from work to john@mbpetroleum.co.om

0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433178
220 Unauthorized Access Prohibited
EHLO
500 Unknown command
helo
250 Hello
mail from:<editedout@hotmail.com>
250 <editedout@hotmail.c... Sender ok
rcpt to:<andya@edited.co.uk>
554 Mailbox unavailable.

The problem is still the firewall processing the mail with a service rather than as a transparent proxy. Exchange is not giving the 554 error; it's Firewall-1 translating Exchange's "not logged in" message, and you can't log in as it does not understand EHLO. It seems to accept incoming mail OK for your domain though.

I think you are going to have to get your ISP's mail server to act as outbound relay for the POP3 clients; generally they are happy to do this as they normally have their RADIUS logs to tell them whether the client should be relayed for or not.
                       
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433287
Andy, our ISP will not relay, and again their service for the same is not reliable. We tried hosting our website outside in the USA, but the same issue: those guys just decided that today we are stopping authenticated mail relay.

Andy, got your mail now, sent at 28 Aug 2001 15:32:14 +0100

So my SMTP is back to what it was earlier.

Now I will shut down the firewall rule and set the IMC connections to those who authenticate, and the routing page also to the same.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433334
I have removed my firewall rule completely.
What has also been stopped is CVP scanning (firewall virus scan) with it for the time being.

The rules set are as follows: Connections tab - users who authenticate; similarly in the Routing Restrictions tab under the Routing tab, set it to those who authenticate.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433377
Telnet on port 25 now fails completely. Since you disabled SMTP on the firewall, have you created a generic proxy for that port which forwards to Exchange? Set up a port forwarding rule for SMTP as if it were a special protocol that Firewall-1 does not understand.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433401
OK, creating it now, so I know what the issue was.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433407
Why the mail was getting delayed in delivery to our server here: it was because of the generic rule.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433449
The firewall is now correct but Exchange is wrong:

220 mbsv02.mbpetroleum.co.om ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready
helo
250 OK
mail from:<xxxxxxxx@hotmail.com>
505 Authentication required

It's set up to require authentication for all incoming mail under delivery restrictions rather than requiring authentication for relay.

I need to see "505 Authentication required" after I do RCPT TO:<user@notyourdomain.com> rather than before.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433469

I think this would be the rule set up in the Routing Restrictions tab under the Routing tab. Let me uncheck it and let's give it a try.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433522
Nope, same result; I presume you stopped and started the IMS. I would delete the IMS and create another one; I think the firewall is still playing a part as I would expect more from HELO. I had not read http://support.microsoft.com/support/kb/articles/Q255/6/95.ASP until now; let me check tomorrow.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433544
Andy, I changed the setting as follows:
removed the connections part of authentication, and now I get error 550 relaying is prohibited
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433643
Looking good:

220 mbsv02.mbpetroleum.co.om ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready
ehlo
250-mbsv02.mbpetroleum.co.om Hello [m365-mp1-cvx1b.rdg.ntl.com]
250-XEXCH50
250-HELP
250-ETRN
250-DSN
250-SIZE 0
250-AUTH LOGIN
250 AUTH=LOGIN
auth login
334 VXNlcm5hbWU6


Now it's up to Outlook Express to respond to the password challenge; I doubt I can do it in my head.

mail from:<me@hotmail.com>
501 garbled Base64 data
mail from:me@hotmail.com>
553 malformed address: me@hotmail.com>

** wish I coold spell proper...**


mail from:<andy@hotmail.com>
250 OK - mail from <andy@hotmail.com>
rcpt to:<john@mbpetroleum.com>
550 Relaying is prohibited
rcpt to:<john@mbpetroleum.co.om>
250 OK - Recipient <john@mbpetroleum.co.om>
DATA
354 Send data.  End with CRLF.CRLF
                   
Yeah, no relay without auth and inbound is OK for main domain name. But you need to add your other domains as inbound.
0
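Two checks run through this thread: andyalder's first comment (does the EHLO reply reaching the client still advertise AUTH LOGIN, or has the firewall's SMTP service stripped it?) and his later transcripts (the relay decision must be made at RCPT TO, with 250 for the server's own domains and 550 for anyone else unless the session authenticated; a 505 at MAIL FROM means inbound mail is being refused too). The following Python is an added example, not code from the thread, from Exchange or from Firewall-1. It parses an EHLO reply for advertised SASL mechanisms and models the relay policy the thread converges on, including the AUTH LOGIN base64 exchange and the "501 garbled Base64 data" reply seen when a MAIL FROM is typed while a challenge is outstanding. The EHLO texts, the server name `mail.example.test` and the credential `john`/`s3cret` are constructed for the example; the domain names are the ones discussed in the thread.

```python
import base64


def b64(text):
    """Base64-encode a string the way an AUTH LOGIN client or server does."""
    return base64.b64encode(text.encode()).decode()


# Constructed EHLO replies (placeholder server name): one as seen from the LAN,
# one as a protocol-aware firewall might pass it on with the AUTH lines removed.
EHLO_INSIDE = """250-mail.example.test Hello
250-XEXCH50
250-HELP
250-ETRN
250-DSN
250-SIZE 0
250-AUTH LOGIN
250 AUTH=LOGIN"""

EHLO_VIA_FIREWALL = """250-mail.example.test Hello
250-HELP
250 SIZE 0"""


def ehlo_auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms a multi-line 250 EHLO reply advertises.

    Accepts both the RFC 2554 'AUTH LOGIN' keyword and the older 'AUTH=LOGIN'
    form Exchange 5.5 emits alongside it. An empty set means a client has no
    way to authenticate, which is what the thread saw through the firewall.
    """
    mechanisms = set()
    for line in ehlo_reply.splitlines():
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword = line[4:].strip().upper()
        if keyword.startswith("AUTH ") or keyword.startswith("AUTH="):
            mechanisms.update(keyword[5:].split())
    return mechanisms


class RelayPolicy:
    """Model of the relay behaviour the thread converges on.

    MAIL FROM is accepted without authentication, because inbound mail for the
    server's own domains must work from any host. The relay decision happens at
    RCPT TO: a local recipient domain is always accepted; any other domain is
    accepted only after a successful AUTH LOGIN. Reply texts mirror the thread.
    """

    def __init__(self, local_domains, credentials):
        self.local_domains = {d.lower() for d in local_domains}
        self.credentials = credentials   # {username: password}, constructed
        self.authenticated = False
        self.awaiting = None             # None, "user" or "pass" mid-AUTH
        self.auth_user = None
        self.sender = None

    def command(self, line):
        """Process one client line and return the server reply."""
        if self.awaiting is not None:
            return self._auth_step(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if arg.strip().upper() != "LOGIN":
                return "504 Unrecognized authentication type"
            self.awaiting = "user"
            return "334 " + b64("Username:")
        if verb == "MAIL":
            addr = self._address(arg)
            if addr is None:
                return "553 malformed address: " + arg.partition(":")[2].strip()
            self.sender = addr
            return "250 OK - mail from <%s>" % addr
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            addr = self._address(arg)
            if addr is None:
                return "553 malformed address: " + arg.partition(":")[2].strip()
            domain = addr.rpartition("@")[2].lower()
            # The relay check: local domain or authenticated session, else refuse.
            if domain in self.local_domains or self.authenticated:
                return "250 OK - Recipient <%s>" % addr
            return "550 Relaying is prohibited"
        return "500 Unknown command"

    def _auth_step(self, line):
        # Anything sent while a challenge is outstanding is read as a base64
        # response; a MAIL FROM typed here is why the thread saw 501.
        try:
            value = base64.b64decode(line.strip(), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            self.awaiting = None
            return "501 garbled Base64 data"
        if self.awaiting == "user":
            self.auth_user, self.awaiting = value, "pass"
            return "334 " + b64("Password:")
        self.awaiting = None
        if self.credentials.get(self.auth_user) == value:
            self.authenticated = True
            return "235 Authentication successful"
        return "535 Authentication failed"

    @staticmethod
    def _address(arg):
        # Expect 'FROM:<user@domain>' or 'TO:<user@domain>'; reject unbalanced brackets.
        rest = arg.partition(":")[2].strip()
        if rest.startswith("<") and rest.endswith(">") and "@" in rest:
            return rest[1:-1]
        return None


def run_session(policy, lines):
    """Feed client lines to a policy and return (command, reply) pairs."""
    return [(line, policy.command(line)) for line in lines]


if __name__ == "__main__":
    print("AUTH inside:", ehlo_auth_mechanisms(EHLO_INSIDE),
          "via firewall:", ehlo_auth_mechanisms(EHLO_VIA_FIREWALL))
    policy = RelayPolicy(["mbpetroleum.co.om", "petrogas.com.om"], {"john": "s3cret"})
    for cmd, reply in run_session(policy, ["mail from:<andy@hotmail.com>",
                                           "rcpt to:<john@mbpetroleum.com>",
                                           "rcpt to:<john@mbpetroleum.co.om>"]):
        print(cmd, "->", reply)
```

Run against a real server, the same sequence (EHLO, then MAIL FROM an outside address and RCPT TO an outside address without authenticating) is the self-check for an open relay: the correct answer is 550 at the RCPT stage, not 505 at MAIL FROM and not 250. Note that `mbpetroleum.com` is deliberately not in the local list, which reproduces the 550 johnpjohn saw for that domain.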
 
LVL 3

Author Comment

by:johnpjohn
ID: 6433672
Andy, I have added two domains as inbound, that is petrogas.com.om and mbpetroleum.co.om, but the .com is hosted elsewhere; it is these people who I want relay for.
0
 
LVL 55

Expert Comment

by:andyalder
ID: 6433824
You will have to set petrogas.com on Exchange as another inbound domain and create users so that you can relay for it like all your other domains. But the public MX record for petrogas.com would point to another server, so you would not get their inbound mail from their customers; they override with a hosts file or whatever. The only problem would be between users in your office and petrogas.com, for which you would have to set up a special delivery method.
0
 
LVL 55

Accepted Solution

by:
andyalder earned 300 total points
ID: 6437575
Ignore my last comment; I was confused as to what you wanted to do.

If their POP3 mailboxes are homed on another server then do not create local mailboxes for them. Also make sure petrogas.com is *not* listed as inbound under the routing tab. Create NT user accounts/passwords for them (they could all use the same account if you want). Then on their Outlook Express, etc. client set the POP3 server/username/password to what the other server wants and set their SMTP server/username/password to your server.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6447124
Andy, will sum up this evening and credit you for the help.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6459448
Andy, just for your info:

Created the following rule on the firewall (Checkpoint):

Opened one generic port for SMTP, then added another SMTP rule with forwarding to the CVP scanner.

The rest completed as per your instructions.


0
 
LVL 55

Expert Comment

by:andyalder
ID: 6467431
Yeah, waiting 6 months so far for a course on Firewall-1; sticking to Sidewinder for now. At least the s/w can replace the ' in an email address with something that Exchange 2000 can cope with, but it is still not easy to relay for web-based POP3 clients.

Thanks for the points, but I think EE will be "tits up" before the end of the month. Serious stuff about this in Experts Input, CS and the Lounge today.
0
 
LVL 3

Author Comment

by:johnpjohn
ID: 6470122
Please explain.
0
