MelvinSE

asked on

Exchange 5.5 Server not seen by Outlook Internet Mail clients

I just set up a new server (replacing an old one) with Windows 2000 Server and Exchange 5.5.  Previously, the original server was set up to allow client relaying.  We had a spam issue (open relay) and had to close the relay and set up a message firewall (CMS Praetor, I recommend it) and installed it on the same machine as Exchange.  Since Praetor doesn't allow relaying of any kind, we bought a new server (since the first one was old anyway) to use as the new mail server while the old one became the stand-alone message firewall.  All SMTP traffic flows into the message firewall machine, then to the new Exchange server.  Outgoing messages go the other way, obviously.  Here's the fun part...

I'm setting up remote clients to connect right to the NEW server via POP3.  The new server has its own public IP (it's hidden) and the router is configured to allow POP3 requests through.  Clients can get their mail.  Everything's great with that part.  Problem is, and you probably saw this coming, clients can't see the SMTP server (Outlook times out and says "The SMTP server you provided is not available, please enter the proper mail server address").

The IP addresses in Outlook for both incoming and outgoing are set to the public IP of the NEW server.  Since the router is only set to allow POP3 packets through to the new server, I'm assuming that's why it wasn't responding.  Here's what I'm fuzzy on.  My company's DNS record still points to the old server, which is correct in order to use the message firewall.  If I open up the router to allow SMTP packets through to the NEW server, I'm afraid that after some time I'll have the same spam problem we once had, since essentially the new server would now be open to SMTP packets from anyone with the public IP.  If I set the router to allow SMTP packets through to the new server, will that let Outlook clients on the internet see the server and relay?  AND, will that be a problem in the future like it once was?

Sorry for the novel, but there's a lot of history with this situation and I wanted to explain it as best I could.
dstoker509

Have you considered using OWA for Exchange 5.5 instead of POP3? See http://support.microsoft.com/default.aspx?scid=kb;en-us;259240

These are POP clients coming in from the Internet, right?  I'm also assuming that Praetor has port 25 exposed to the Internet.  You could just point to Praetor, but then it's going to tell you that you cannot relay.  I don't know Praetor, but it might support authenticated SMTP.  Exchange does, but I haven't run 5.5 in about a year so I can't be 100 percent sure that it supports it, but I'm pretty sure it does.  If Praetor does not, then you'll want to expose port 25 to your Exchange server and only relay for authenticated users.  I would never expose any port on an internal, non-perimeter server to the Internet.

I would not, however, recommend that.  I would recommend that users who POP in use their ISP's SMTP server.  That's the correct way to do this.

OneHump

ASKER

I have considered OWA, but from what I've heard and read, its features are very limited.  The employees who require access from the Internet would like to use Outlook so they have all the features they normally have in the office.  Can't say I blame them.
OneHump,

That's my fear.  Praetor is getting all the SMTP traffic on port 25 right now.  The POP3 port to that server is disabled.  The new server is only getting POP3 packets right now.  Here's what I don't understand...

The way the system is set up, Exchange is now sending all OUTBOUND SMTP messages to the Praetor server, which checks them and sends them on their way.  If a client on the Internet is authenticated on the Exchange server (i.e. "logged in"), don't they now use Exchange just as someone would who was connected in the office?  By that I mean that when a user SENDS a message, Exchange should treat it as an internal SMTP message (since the client is authenticated and connected to Exchange and the company domain) and send it to the Praetor machine as usual, which forwards it out.  That's what I don't get.  I'm not sure what I'm trying to do is really "relaying"; I just want internet users to connect to the server via the internet.
Outlook is also limited when you use POP3.  Have you looked at IMAP4 instead?
IMAP is indeed better but also limited.  All you really get with IMAP that you don't get with POP, in terms of content, is folders.  No calendars or tasks or meeting requests.  OWA 5.5 is really difficult to use.  OWA doesn't start getting good until E2K.

"If a client on the Internet is authenticated on the Exchange server (i.e. "logged in"), don't they now use Exchange just as someone would who was connected in the office?  "

In your case, the answer to this is no.  When you are using a standards-based protocol like POP, you are not considered "logged on" to the server in an Exchange sense.  You use the POP protocol to connect and download your email and then disconnect.  When email is being sent, a different protocol, SMTP, is used to connect.  If you want to authenticate for delivery, you need to use SMTP authentication, something Outlook Express supports.  You also need to configure the relay settings on your IMC to relay for authenticated clients.

What you are thinking of is when MAPI Outlook clients connect.  They use RPC to both send and receive email and are considered authenticated.  When you use POP, it's a different ballgame.  In reality, your Exchange server is really no different from a Sendmail server when using POP.

OneHump

Thanks for the explanation.  This is very helpful.

So, my question now is...
a) I'm sure that I've configured the clients for SMTP authentication (On the Servers page of the connection properties, it has a checkbox for requiring authentication on the outbound server) and Outlook still asks for a "proper SMTP server address" because it "can't find" the one I set it for (which it DID find using POP3).  Is there something I'm missing to get SMTP authentication to work under full versions of Outlook (97, 2000, XP, etc.)?

Or...
b) Can I set up an RPC connection through the firewall for Internet clients?  I've been reading up on a situation like that (opening up port 135 and statically mapping the higher ports - 5001, 5002, etc.) and was wondering if that may be the answer.  I think OWA is out of the question.

As an aside, would a VPN solve all this?  Or is an RPC connection considered a VPN?  This is the one area of Exchange I've never worked in before, so thanks for all your patience.
ASKER CERTIFIED SOLUTION
OneHump

I guess it's time to look into setting up a VPN.  I'm sure I'll have questions along the way, but as far as this question, you've helped a lot.  Thanks.

Just let us know.  

OneHump