• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 790

Mail not Relaying for registered users

Prior Question
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=exchangesvr&qid=20132374

Our environment

Mail Server
  OS:   NT 4.0, SP 5
  Mail: Exchange Server 5.5, SP 3

Firewall
  OS:   NT 4.0
  FW:   Checkpoint Firewall-1

The Exchange Server sits on the inside LAN and has a NAT address which is a legal IP on the Internet side.

The Problem

On the Exchange server we stopped mail spamming long back and have stopped email relay for all
except those belonging to our ISP (omantel.net.om), our two internal domains (mbpetroleum.co.om and
petrogas.com.om) and mail for our .com site (mbpetroleum.com).

When a user @mbpetroleum.co.om connects to the SMTP service of the Exchange server and needs
to send mail to any person other than those mentioned above,
the user gets a "mail relay not possible" error 551.


My thoughts
When a user is connected from the Internet and authenticated [simply POP password], the user should
be able to send mail to anyone on the Internet. What happens is the mail is simply rejected and dropped.


The issue needs to be resolved as our staff are getting very mobile and this has become a pain for them
as well as for me.
Asked by: John P John
1 Solution
 
Handy Holder (Saggar makers bottom knocker) commented:
The POP3 authentication is totally separate from the authentication needed for SMTP relaying (under the relaying options of the Internet Mail Service).

Telnet to your server and type EHLO, you will notice

250-mailserver.myfirm.co.uk Hello
250-XEXCH50
250-HELP
250-ETRN
250-DSN
250-SIZE 0
250-AUTH LOGIN
250 AUTH=LOGIN        

Now telnet from outside the firewall and see if you get AUTH LOGIN and AUTH=LOGIN as options. If not, the SMTP client has no way to authenticate to the (E)SMTP server. The firewall knows to pass POP3 authentication through to the server but does not understand ESMTP AUTH. One option is to disable the SMTP service on the firewall and enable a generic/transparent proxy on port 25 instead. Not sure if Firewall-1 allows this.

Another option is to set the client's SMTP server to be the ISP's server rather than your own; I've had to do that a few times in the past. (The POP3 server stays as your Exchange box.)

The final option is to buy the Firewall-1 VPN software so the clients tunnel into the LAN from the Internet, and then they can use any protocol they want, even Outlook/MAPI and NetBIOS shares.

I see your MX record has changed and is now your ISP's server; will they be prepared to relay for your clients?

John P John (Advisor ICT, Author) commented:
Andy, could you telnet from your end to 212.72.7.150 and just check?

What we have done at our end is as follows:

1. Disabled the firewall security rule for SMTP; the only rule regarding SMTP mail is for the CVP scanner.
2. At the IMS, have put the "authenticate" option on the Connections page.
3. On the Routing page, added the "authenticate by user" option.

John P John (Advisor ICT, Author) commented:
I just checked my MX records; they still point to my servers.
Our ISP's address is 206.49.101.6.
 
Handy Holder (Saggar makers bottom knocker) commented:
I looked up the MX of mbpetroleum.com rather than .co.om. Will telnet from home in about 4 hours as the firewall at work won't let me out on port 25.

John P John (Advisor ICT, Author) commented:
Andy, I had tried sending mails from Hotmail to the server and they have still not arrived, nor is there an NDR.

Reckon you could send me mail from work at john@mbpetroleum.co.om?

Handy Holder (Saggar makers bottom knocker) commented:
220 Unauthorized Access Prohibited
EHLO
500 Unknown command
helo
250 Hello
mail from:<editedout@hotmail.com>
250 <editedout@hotmail.c... Sender ok
rcpt to:<andya@edited.co.uk>
554 Mailbox unavailable.

The problem is still the firewall processing the mail with a service rather than as a transparent proxy. Exchange is not giving the 554 error; it's Firewall-1 translating Exchange's "not logged in" message, and you can't log in as it does not understand EHLO. It seems to accept incoming mail OK for your domain though.

I think you are going to have to get your ISP's mail server to act as an outbound relay for the POP3 clients; generally they are happy to do this as they normally have their RADIUS logs to tell them whether the client should be relayed for or not.

John P John (Advisor ICT, Author) commented:
Andy, our ISP will not relay, and again their service for the same is not reliable. We tried hosting our website outside in the USA but had the same issue: those guys just decided that today we are stopping authenticated mail relay.

Andy, got your mail now, sent at 28 Aug 2001 15:32:14 +0100,

so my SMTP is back to what it was earlier.

Now I will shut down the firewall rule and set the IMC Connections to those who authenticate, and the Routing page also to the same.

John P John (Advisor ICT, Author) commented:
I have removed my firewall rule completely.
What has also been stopped is CVP scanning (the firewall virus scan) for the time being.

The rules are set as follows: Connections tab - users who authenticate; similarly in the Routing Restrictions tab under the Routing tab, set it to those who authenticate.

Handy Holder (Saggar makers bottom knocker) commented:
Telnet on port 25 now fails completely. Since you disabled SMTP on the firewall, have you created a generic proxy for that port which forwards to Exchange? Set up a port forwarding rule for SMTP as if it was a special protocol that Firewall-1 does not understand.

John P John (Advisor ICT, Author) commented:
OK, creating it now, so now I know what the issue was.

John P John (Advisor ICT, Author) commented:
The reason the mail was getting delayed in delivery to our server here: it was because of the generic rule.

Handy Holder (Saggar makers bottom knocker) commented:
The firewall is now correct but Exchange is wrong:

220 mbsv02.mbpetroleum.co.om ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready
helo
250 OK
mail from:<xxxxxxxx@hotmail.com>
505 Authentication required

It's set up to require authentication for all incoming mail under delivery restrictions rather than to require authentication for relay.

I need to see "505 Authentication required" after I do RCPT TO:<user@notyourdomain.com> rather than before.

John P John (Advisor ICT, Author) commented:
I think this would be the rule set up in the Routing Restrictions tab under the Routing tab. Let me uncheck it and let's give it a try.

Handy Holder (Saggar makers bottom knocker) commented:
Nope, same result; I presume you stopped and started the IMS. I would delete the IMS and create another one; I think the firewall is still playing a part as I would expect more from HELO. I had not read http://support.microsoft.com/support/kb/articles/Q255/6/95.ASP until now; let me check tomorrow.

John P John (Advisor ICT, Author) commented:
Andy, I changed the setting as follows:
removed the Connections part of authentication, and now I get error 550 Relaying is prohibited.

Handy Holder (Saggar makers bottom knocker) commented:
Looking good:

220 mbsv02.mbpetroleum.co.om ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready
ehlo
250-mbsv02.mbpetroleum.co.om Hello [m365-mp1-cvx1b.rdg.ntl.com]
250-XEXCH50
250-HELP
250-ETRN
250-DSN
250-SIZE 0
250-AUTH LOGIN
250 AUTH=LOGIN
auth login
334 VXNlcm5hbWU6


Now it's up to Outlook Express to respond to the password challenge; I doubt I can do it in my head.

mail from:<me@hotmail.com>
501 garbled Base64 data
mail from:me@hotmail.com>
553 malformed address: me@hotmail.com>

** wish I could spell properly... **


mail from:<andy@hotmail.com>
250 OK - mail from <andy@hotmail.com>
rcpt to:<john@mbpetroleum.com>
550 Relaying is prohibited
rcpt to:<john@mbpetroleum.co.om>
250 OK - Recipient <john@mbpetroleum.co.om>
DATA
354 Send data.  End with CRLF.CRLF

Yeah, no relay without auth, and inbound is OK for the main domain name. But you need to add your other domains as inbound.
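The three telnet sessions in this thread (EHLO refused and 554 at RCPT TO behind the Firewall-1 SMTP security server; 505 at MAIL FROM with authentication required on the Connections tab; 550 at RCPT TO for an outside recipient once only relaying requires AUTH) are the whole diagnostic. The Python below is an added example, not code from the thread or from either participant: it rebuilds those three servers as constructed reply tables, runs the same EHLO / MAIL FROM / RCPT TO probe against each to classify them, checks that a local recipient is still accepted without AUTH, and decodes the "334 VXNlcm5hbWU6" challenge and the base64 replies a client would type. The hostname probe.example.net, the recipient someone@example.net and the fourth "open relay" table are assumptions for comparison; the thread never showed an open relay. Replacing FakeServer with a thin wrapper that writes cmd + CRLF to a socket and reads one reply turns it into a live check.

```python
"""Offline SMTP AUTH/relay probe built from the transcripts in this thread (added
example, not part of the original posts). Server replies are constructed from those
transcripts; anything marked 'assumed' is not in the thread."""
import base64
import re

LOCAL_DOMAIN = "mbpetroleum.co.om"     # inbound domain named in the thread
EXTERNAL_RCPT = "someone@example.net"  # assumed address outside every local domain


class FakeServer:
    """Stand-in for a telnet session to port 25: the first matching command prefix wins."""

    def __init__(self, replies):
        self.replies = [(prefix.upper(), reply) for prefix, reply in replies]

    def send(self, cmd):
        for prefix, reply in self.replies:
            if cmd.upper().startswith(prefix):
                return reply
        return "500 Unknown command"


def code(reply):
    return int(reply[:3])


def ehlo_capabilities(reply):
    """Parse a multi-line 250 EHLO reply into {keyword: parameters}; line 0 is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)\s*(.*)", line)
        if m:
            caps[m.group(1).upper()] = m.group(2).upper()
    return caps


def offers_auth_login(caps):
    """Accept both the RFC 2554 'AUTH LOGIN' line and the older 'AUTH=LOGIN' form."""
    return "LOGIN" in caps.get("AUTH", "").split() or "AUTH=LOGIN" in caps


def decode_challenge(b64):
    """'334 VXNlcm5hbWU6' in the thread is base64 for 'Username:'."""
    return base64.b64decode(b64).decode()


def auth_login_responses(username, password):
    """The two base64 lines a client types after the Username:/Password: challenges."""
    return [base64.b64encode(s.encode()).decode() for s in (username, password)]


def probe(server, external_rcpt=EXTERNAL_RCPT):
    """Classify a server by which command is refused, as the thread does by hand."""
    result = {"esmtp": False, "auth_login": False, "verdict": ""}
    reply = server.send("EHLO probe.example.net")
    if code(reply) == 250:
        result["esmtp"] = True
        result["auth_login"] = offers_auth_login(ehlo_capabilities(reply))
    elif code(server.send("HELO probe.example.net")) != 250:  # pre-ESMTP fallback
        result["verdict"] = "no SMTP service answering"
        return result
    reply = server.send(f"MAIL FROM:<probe@{external_rcpt.split('@')[1]}>")
    if code(reply) in (505, 530):  # 505 as seen in the thread, 530 per RFC 4954
        result["verdict"] = "auth demanded at MAIL FROM: delivery restriction, inbound mail is refused"
        return result
    if code(reply) != 250:
        result["verdict"] = "sender refused: " + reply
        return result
    reply = server.send(f"RCPT TO:<{external_rcpt}>")
    server.send("QUIT")
    if code(reply) == 250:
        result["verdict"] = "OPEN RELAY: external recipient accepted without AUTH"
    elif not result["esmtp"]:
        result["verdict"] = "relay refused and EHLO rejected: a proxy strips ESMTP, so clients cannot AUTH"
    elif result["auth_login"]:
        result["verdict"] = "relay refused, AUTH LOGIN offered: correct"
    else:
        result["verdict"] = "relay refused but no AUTH mechanism advertised"
    return result


def accepts_inbound(server, local_domain=LOCAL_DOMAIN):
    """Inbound check from the last transcript: a local recipient must get 250 without AUTH."""
    server.send("HELO probe.example.net")
    server.send("MAIL FROM:<probe@example.net>")
    return code(server.send(f"RCPT TO:<postmaster@{local_domain}>")) == 250


EHLO_OK = ("250-mbsv02.mbpetroleum.co.om Hello [probe.example.net]\n250-XEXCH50\n250-HELP\n"
           "250-ETRN\n250-DSN\n250-SIZE 0\n250-AUTH LOGIN\n250 AUTH=LOGIN")
# 1. Firewall-1 SMTP security server in front of Exchange (first transcript)
FIREWALL_PROXY = FakeServer([("EHLO", "500 Unknown command"), ("HELO", "250 Hello"),
                             ("MAIL FROM", "250 Sender ok"), ("RCPT TO", "554 Mailbox unavailable.")])
# 2. IMS demanding auth on the Connections tab (second transcript; EHLO reply assumed)
DELIVERY_RESTRICTED = FakeServer([("EHLO", EHLO_OK), ("MAIL FROM", "505 Authentication required")])
# 3. Final working setup (third transcript)
RELAY_RESTRICTED = FakeServer([("EHLO", EHLO_OK), ("MAIL FROM", "250 OK"),
                               ("RCPT TO:<" + EXTERNAL_RCPT, "550 Relaying is prohibited"),
                               ("RCPT TO", "250 OK - Recipient"), ("QUIT", "221 Closing")])
# 4. Constructed open relay for comparison (not seen in the thread)
OPEN_RELAY = FakeServer([("EHLO", EHLO_OK), ("MAIL FROM", "250 OK"), ("RCPT TO", "250 OK")])

if __name__ == "__main__":
    for name, srv in [("firewall proxy", FIREWALL_PROXY), ("delivery restricted", DELIVERY_RESTRICTED),
                      ("relay restricted", RELAY_RESTRICTED), ("open relay", OPEN_RELAY)]:
        print(f"{name:20} {probe(srv)['verdict']}  inbound={accepts_inbound(srv)}")
    print("AUTH LOGIN lines for john/secret:", auth_login_responses("john", "secret"))
```

The order of the checks matters: a 5xx at MAIL FROM before any recipient is named means the server is refusing mail, not refusing relay, which is why the second configuration also lost inbound mail from Hotmail. Only a 250 at MAIL FROM followed by 550 for an outside recipient and 250 for a local one, with AUTH LOGIN in the EHLO reply, is the state mobile POP3 users need.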
 
John P John (Advisor ICT, Author) commented:
Andy, I have added two domains as inbound, that is petrogas.com.om and mbpetroleum.co.om, but the .com is hosted elsewhere; it is these people I want to relay for.

Handy Holder (Saggar makers bottom knocker) commented:
You will have to set petrogas.com on Exchange as another inbound domain and create users so that you can relay for it like all your other domains. But the public MX record for petrogas.com would point to another server, so you would not get their inbound mail from their customers; they override with a hosts file or whatever. The only problem would be between users in your office and petrogas.com, for which you would have to set up a special delivery method.

Handy Holder (Saggar makers bottom knocker) commented:
Ignore my last comment; I was confused as to what you wanted to do.

If their POP3 mailboxes are homed on another server then do not create local mailboxes for them. Also make sure petrogas.com is *not* listed as inbound under the Routing tab. Create NT user accounts/passwords for them (they could all use the same account if you want). Then on their Outlook Express, etc. client, set the POP3 server/username/password to what the other server wants and set their SMTP server/username/password to your server.

John P John (Advisor ICT, Author) commented:
Andy, will sum up this evening and credit you for the help.

John P John (Advisor ICT, Author) commented:
Andy, just for your info:

Created the following rule on the Checkpoint firewall:

opened one generic port for SMTP, then added another SMTP with forwarding to the CVP scanner.

The rest as per your instructions is completed.

Handy Holder (Saggar makers bottom knocker) commented:
Yeah, waiting 6 months so far for a course on Firewall-1; sticking to Sidewinder for now. At least s/w can replace the ' in an email address with something that Exchange 2000 can cope with, but it is still not easy to relay for web-based POP3 clients.

Thanks for the points, but I think EE will be "tits up" before the end of the month. Serious stuff about this in Experts Input, CS and Lounge today.

John P John (Advisor ICT, Author) commented:
Please explain.