How to authenticate a POP3/SMTP internet user?

mxalex
I have a closed relay at my Exchange 2K server. "Inside" my office everything is OK, but when I try to connect from "outside" the office (internet dialup) I'm only able to receive my email and send email to @my-domain.com, but I'm not able to send to @others-domain.com.

I'm using Outlook 2000, and I already had activated the "LOG ON USING SPA" setting and the SMTP username and password in my Outgoing server settings.

What can I do?

This same question is asked at: http://www.exchangeadmin.com/Articles/Index.cfm?ArticleID=25131
Top Expert 2014

Commented:
A good possibility if you can send using outlook express SMTP via your server when internal but not when external is that the ISP you are using when you dialup is blocking SMTP to any but their own servers in an attempt to stop spam. You can verify this by telnetting to the public IP address of your mailserver from the dialup on port 25, type ehlo and see if you get a list which includes the AUTH verb. Or it could be your firewall blocking authentication.

Easy way to get around the problem is to set Outlook's SMTP server to be the ISP's SMTP relay rather than your own relay. If you give us your domain name we can telnet to your mail server and check for you.
What exactly did you do to close the relay? E2K is a closed relay out of the box. If you go into the Properties of your virtual SMTP server, go to the Access tab and click the Relay button. Is the box beside "Allow all computer which successfully authenticate to relay..." checked?

Author

Commented:
Using the telnet with ehlo command:

220 SMTP/cmap ready_____________________________________________________________
__________________________________________
ehlo
500 5.3.3 Unrecognized command
EHLO
500 5.3.3 Unrecognized command

what's wrong?

I'm using a university LAN connection (T1) and a dial-up internet connection at home; the same error appears in both.



Author

Commented:
The box beside "Allow all computer which successfully authenticate to relay..." is checked.
Top Expert 2014

Commented:
There is a stateful or proxy firewall in between the client and Exchange that is blocking the EHLO command, so HELO is used by the client instead. Without EHLO the client can't send AUTH, so you have to change settings on the firewall, not Exchange.

Author

Commented:
The firewall on my side (Exchange server) is disabled, I mean the server is in a DMZ zone, so all the TCP and UDP ports are open... I know that it's very dangerous, however this is only for testing and solving this problem.

Top Expert 2014
Commented:
It's not down to which ports are open, or you'd be complaining you are not receiving or sending normally, so those are OK; it is only port 25 TCP. Assuming that when you substitute HELO for EHLO you get a reply, then the firewall is processing port 25 data and stripping EHLO out, since there could conceivably be a vulnerability to a very old mailserver behind it by allowing this verb through.

What firewall is it? Or what domain, so I can check.

Author

Commented:
www.atieng.com [209.194.168.213]

Author

Commented:
Using telnet in my server local mode:

220 home.aticdj.atieng.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329
ready at  Fri, 22 Nov 2002 12:49:39 -0700
ehlo
250-home.aticdj.atieng.com Hello [10.0.0.1]
250-TURN
250-ATRN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK

appears to be right... why, using telnet over the internet, does the header show:

220 SMTP/cmap ready_____________________________________________________________
__________________________________________

????
Top Expert 2014

Commented:
It is PIX ver4.? with mailguard turned on. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b2ecb.shtml#part1

You have to turn mailguard off by listing the config and noting either the "mailhost x.x.x.x" or "fixup protocol smtp 25" in the config, entering config mode and typing the same thing preceded with NO. It will then behave in transparent mode and EHLO will work.
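
The check suggested earlier in the thread (connect, send EHLO, look for the AUTH verb) can be run over saved telnet output. This is an added example, not part of the original thread: the function names are hypothetical, the two sample transcripts are abridged from the sessions posted above, and it also reports whether STARTTLS is advertised alongside AUTH.

```python
import re

# One server reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(transcript):
    """Group server lines into (code, [texts]); client input and wrapped text are skipped."""
    replies, texts = [], []
    for line in transcript.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue
        texts.append(m.group(3))
        if m.group(2) == " ":              # final line of this reply
            replies.append((int(m.group(1)), texts))
            texts = []
    return replies

def diagnose(transcript):
    """Summarise what a client sees after connecting and sending EHLO."""
    replies = parse_replies(transcript)
    out = {"esmtp_banner": False, "ehlo_accepted": False, "auth": [], "starttls": False}
    if replies and replies[0][0] == 220:
        out["esmtp_banner"] = "ESMTP" in replies[0][1][0].upper()
    for code, texts in replies[1:]:
        if code != 250:
            continue
        out["ehlo_accepted"] = True
        for ext in texts[1:]:              # texts[0] is the greeting line
            words = re.split(r"[ =]+", ext.strip().upper())
            if words[0] == "AUTH":
                out["auth"] = words[1:]
            elif words[0] == "STARTTLS":
                out["starttls"] = True
    if not out["ehlo_accepted"]:
        out["verdict"] = "EHLO refused: client cannot send AUTH on this path"
    elif not out["auth"]:
        out["verdict"] = "ESMTP reachable, but AUTH is not offered"
    else:
        out["verdict"] = "AUTH offered: authenticated relay is possible"
    return out

# Sample input abridged from the thread (underscore run and extension list shortened).
VIA_FIREWALL = "220 SMTP/cmap ready____\nehlo\n500 5.3.3 Unrecognized command\n"
DIRECT = ("220 home.aticdj.atieng.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329\n"
          "ehlo\n250-home.aticdj.atieng.com Hello [10.0.0.1]\n250-SIZE\n"
          "250-X-EXPS GSSAPI NTLM\n250-AUTH GSSAPI NTLM\n250 OK\n")
```

Comparing `diagnose(VIA_FIREWALL)` with `diagnose(DIRECT)` shows the difference between the two paths to the same server: a rewritten banner and a refused EHLO on one, the full extension list with AUTH on the other.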

Top Expert 2014

Commented:
Also you have to stop using that refresh button on your browser; there is a link on the page that says "reload this question" that stops duplicate comments.

Author

Commented:
OK, I have no access to the firewall settings, it must be at my ISP's site; however, I changed my SMTP TCP port 25 to 26, and now the header shows:

220 home.aticdj.atieng.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329
ready at  Fri, 22 Nov 2002 13:30:11 -0700

and using the ehlo command:

ehlo
250-home.aticdj.atieng.com Hello [200.34.111.77]
250-TURN
250-ATRN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK


Now I see the AUTH command. I already changed the SMTP port in my Outlook from 25 to the new 26, but the problem remains.

Author

Commented:
Could it be a problem changing the default SMTP TCP port to 26, or adding it?

Author

Commented:
I changed my SMTP TCP/IP port from 25 to 26. With the Cisco firewall I got a "220 SMTP/cmap" ready message in place of the "220 home.aticdj.atieng.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready" header. After changing this, the header shows and the server accepts the EHLO command to authenticate my users.

Thank you!
Top Expert 2014

Commented:
Cool workaround, I haven't tested running both on a different port. And of course with e2k you can still get public email in on the normal port 25 by having 2 virtual servers.
