Exchange 5.5 Server not seen by Outlook Internet Mail clients

I just set up a new server (replacing an old one) with Windows 2000 Server and Exchange 5.5.  Previously, the original server was set up to allow client relaying.  We had a spam issue (open relay) and had to close the relay and set up a message firewall (CMS Praetor, I recommend it) and installed it on the same machine as Exchange.  Since Praetor doesn't allow relaying of any kind, we bought a new server (since the first one was old anyway) to use as the new mail server while the old one became the stand-alone message firewall.  All SMTP traffic flows into the message firewall machine, then to the new Exchange server.  Outgoing messages go the other way, obviously.  Here's the fun part...

I'm setting up remote clients to connect right to the NEW server via POP3.  The new server has its own public IP (it's hidden) and the router is configured to allow POP3 requests through.  Clients can get their mail.  Everything's great with that part.  Problem is, and you probably saw this coming, clients can't see the SMTP server (Outlook times out and says "The SMTP server you provided is not available, please enter the proper mail server address").

The IP addresses in Outlook for both incoming and outgoing are set to the public IP of the NEW server.  Since the router is only set to allow POP3 packets through to the new server, I'm assuming that's why it wasn't responding.  Here's what I'm fuzzy on.  My company's DNS record still points to the old server, which is correct in order to use the message firewall.  If I open up the router to allow SMTP packets through to the NEW server, I'm afraid that after some time I'll have the same spam problem we once had, since essentially the new server would now be open to SMTP packets from anyone with the public IP.  If I set the router to allow SMTP packets through to the new server, will that let Outlook clients on the internet see the server and relay?  AND, will that be a problem in the future like it once was?

Sorry for the novel, but there's a lot of history with this situation and I wanted to explain it as best I could.
Asked by MelvinSE
1 Solution
dstoker509 commented:
Have you considered using OWA for Exchange 5.5 instead of POP3? See http://support.microsoft.com/default.aspx?scid=kb;en-us;259240

OneHump commented:
These are POP clients coming in from the Internet, right?  I'm also assuming that Praetor has port 25 exposed to the Internet.  You could just point to Praetor, but then it's going to tell you that you cannot relay.  I don't know Praetor, but it might support authenticated SMTP.  Exchange does, but I haven't run 5.5 in about a year so I can't be 100 percent sure that it supports it, but I'm pretty sure it does.  If Praetor does not, then you'll want to expose port 25 to your Exchange server and only relay for authenticated users.  I would never expose any port on an internal, non-perimeter, server to the Internet.

I would not, however, recommend that.  I would recommend that users who POP in use their ISP's SMTP server.  That's the correct way to do this.

OneHump
MelvinSE (Author) commented:
I have considered OWA, but from what I've heard and read, its features are very limited.  The employees who require access from the Internet would like to use Outlook so they have all the features they normally have in the office.  Can't say I blame them.
MelvinSE (Author) commented:
OneHump,

That's my fear.  Praetor is getting all the SMTP traffic on port 25 right now.  The POP3 port to that server is disabled.  The new server is only getting POP3 packets right now.  Here's what I don't understand...

The way the system is set up, Exchange is now sending all OUTBOUND SMTP messages to the Praetor server, which checks them and sends them on their way.  If a client on the Internet is authenticated on the Exchange server (i.e. "logged in"), don't they now use Exchange just as someone would who was connected in the office?  By that I mean that when a user SENDS a message, Exchange should treat it as an internal SMTP message (since the client is authenticated and connected to Exchange and the company domain) and send it to the Praetor machine as usual, which forwards it out.  That's what I don't get.  I'm not sure what I'm trying to do is really "relaying"; I just want internet users to connect to the server via the internet.
dstoker509 commented:
Outlook is also limited when you use POP3.  Have you looked at IMAP4 instead?
OneHump commented:
IMAP is indeed better but also limited.  All you really get with IMAP that you don't get with POP, in terms of content, is folders.  No calendars or tasks or meeting requests.  OWA 5.5 is really difficult to use.  OWA doesn't start getting good until E2K.

"If a client on the Internet is authenticated on the Exchange server (i.e. "logged in"), don't they now use Exchange just as someone would who was connected in the office?  "

In your case, the answer to this is no.  When you are using a standards based protocol like POP, you are not considered "logged on" to the server in an Exchange sense.  You use the POP protocol to connect and download your email and then disconnect.  When email is being sent, a different protocol, SMTP, is used to connect.  If you want to authenticate for delivery, you need to use SMTP authentication; something Outlook Express supports.  You also need to configure the relay settings on your IMC to relay for authenticated clients.

What you are thinking of is when MAPI Outlook clients connect.  They use RPC to both send and receive email and are considered authenticated.  When you use POP, it's a different ballgame.  In reality, your Exchange server is really no different than a Sendmail server when using POP.

OneHump

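OneHump's point that a POP3 login and an SMTP connection are two unrelated sessions is easiest to see in the relay decision an IMC makes per recipient. The following is an added toy model, not from the thread and not Exchange's own logic: each RCPT TO is accepted for a locally hosted domain, relayed only if this SMTP session itself authenticated (or if the server is left as an open relay, the misconfiguration that caused the original spam problem), and refused otherwise. Domain names and credentials are constructed.

```python
LOCAL_DOMAINS = {"example.com"}  # constructed: domains this IMC delivers for locally
USERS = {"alice": "s3cret"}      # constructed credentials for the toy AUTH step


class SmtpSession:
    """One inbound SMTP connection to the IMC (toy model).

    Nothing from a POP3 login carries over: every SmtpSession starts
    unauthenticated, so a POP-only client sends like any anonymous host.
    """

    def __init__(self, open_relay=False):
        self.open_relay = open_relay      # True reproduces the old open-relay setup
        self.authenticated = False

    def command(self, line):
        """Process one client command and return the SMTP reply code."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            # Toy 'AUTH user:password' form; real SMTP AUTH uses SASL mechanisms.
            user, _, pwd = arg.partition(":")
            self.authenticated = USERS.get(user) == pwd
            return 235 if self.authenticated else 535
        if verb == "MAIL":
            return 250
        if verb == "RCPT":
            return self._rcpt(arg)
        return 500  # anything else is unrecognised in this model

    def _rcpt(self, arg):
        """Relay decision for an argument of the form 'TO:<user@domain>'."""
        domain = arg.rsplit("@", 1)[-1].strip("<>").lower()
        if domain in LOCAL_DOMAINS:
            return 250  # inbound mail for a hosted domain is ordinary delivery
        if self.open_relay or self.authenticated:
            return 250  # relay: anyone (open relay) or an authenticated client
        return 550      # relaying denied for anonymous Internet clients


def send_attempt(rcpts, authenticated=False, open_relay=False):
    """Replay a short session and return the reply code per recipient."""
    s = SmtpSession(open_relay)
    if authenticated:
        s.command("AUTH alice:s3cret")
    s.command("MAIL FROM:<alice@example.com>")
    return [s.command(f"RCPT TO:<{r}>") for r in rcpts]
```

With the same two recipients, an anonymous client gets 250 for the hosted domain and 550 for the outside one, while an authenticated client (or an open relay) gets 250 for both.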
MelvinSE (Author) commented:
Thanks for the explanation.  This is very helpful.

So, my question now is...
a) I'm sure that I've configured the clients for SMTP authentication (On the Servers page of the connection properties, it has a checkbox for requiring authentication on the outbound server) and Outlook still asks for a "proper SMTP server address" because it "can't find" the one I set it for (which it DID find using POP3).  Is there something I'm missing to get SMTP authentication to work under full versions of Outlook (97, 2000, XP, etc.)?

Or...
b) Can I set up an RPC connection through the firewall for Internet clients?  I've been reading up on a situation like that (opening up port 135 and statically mapping the higher ports - 5001, 5002, etc.) and was wondering if that may be the answer.  I think OWA is out of the question.

As an aside, would a VPN solve all this?  Or is an RPC connection considered a VPN?  This is the one area of Exchange I've never worked in before, so thanks for all your patience.
OneHump commented:
a)  "Full versions" of Outlook run differently.  I wouldn't use Outlook 97/98 so let's talk about versions starting with 2000.  There are two modes; Enterprise and Internet Email Only (IMO).  IMO functions a lot like Outlook Express.  It supports standards based protocols like POP, IMAP, SMTP and LDAP.  It does not support MAPI.  The Enterprise install supports MAPI by default and can support some standards based protocols by setting up an extra service.  It's not a very clean way to do things, but people do it and it does bring flexibility to the application.

What you need to do is configure your client to use any SMTP server, preferably the user's ISP's SMTP server, to deliver email.  They need access to port 25 on that server.  I suggest Outlook Express as a better alternative to Outlook for standard protocols.  It does not, however, have Calendar, Tasks, etc.

b)  I wouldn't do that.  It's a security problem.  I do agree that OWA is not a great solution with 5.5.

VPN would absolutely solve this.  With VPN, you could allow MAPI and be done with POP/IMAP/SMTP.  RPC is not VPN.  To put it simply, RPC makes the client computer think it's getting information from the local machine.  It's a protocol that can run within a VPN and can run over a TCP/IP connection as well.  If you did run it over a VPN, the VPN would run over a TCP connection as would RPC, but the RPC communication would be tunneled inside the VPN.

Keep asking questions if you have them.

OneHump
MelvinSE (Author) commented:
I guess it's time to look into setting up a VPN.  I'm sure I'll have questions along the way, but as far as this question, you've helped a lot.  Thanks.

OneHump commented:
Just let us know.  

OneHump