Solved

Cannot Receive Mail without SMTP Anonymous Authentication but want to Secure SMTP EXG 2003

Posted on 2004-09-05
4,740 Views
Last Modified: 2012-08-13
Here's the dilemma--every time I take off anonymous access for the one SMTP virtual server I have in order to try and get some security, my organisation cannot receive mail from the outside world (sending appears fine). The goal is to require SMTP authentication and SSL but, obviously, still receive mail from the outside world. Any idea how this might be done? A second SMTP virtual server perhaps?
Question by:jbreg
12 Comments
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987159
Without SMTP anonymous access checked you won't be able to receive mail from the outside world. What this anonymous access means is that it allows any external server to mutually authenticate with your server. If you remove this then the external server will not be able to mutually authenticate, so they can't send mail. Trust this clarifies.

Shahnaz
 

Author Comment

by:jbreg
ID: 11987321
Yes, but how do I protect myself from unauthorised use of my SMTP server? Specifically, what I want to do is to be able to set up clients using POP3, etc., that REQUIRE SMTP authentication using the same credentials as required for POP3...?

Jay
 
LVL 20

Assisted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11987458
In Authentication,
Anonymous access: Usually, you would use this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers.
Note: If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

Requires TLS encryption: Use this check box if you have a digital certificate, typically in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

Integrated Windows Authentication: This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes. Note: By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate using the most common methods.


FOR PREVENTING RELAY:

By default, the default SMTP virtual server allows only authenticated users to relay e-mail. This is the preferred setting because it prevents unauthorized users from using your Exchange server to send e-mail to external domains. The most secure relay configuration requires authentication for anyone connecting from the Internet and attempting to relay.

Bridgehead servers that are connected to the Internet and that accept Internet mail must generally accept anonymous connections; however, by default, these bridgehead servers do not allow anonymous relaying. Enabling anonymous relaying is strongly discouraged. If you allow anonymous relaying, other users can use your server to send unsolicited commercial e-mail. Subsequently, this would cause other Internet servers to blacklist your server.

To verify relay restrictions on an SMTP virtual server
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. In Default SMTP Virtual Server Properties, click the Access tab.
5. Under Relay restrictions, click Relay to verify relay restrictions. The Relay Restrictions dialog box displays.
6. In Relay Restrictions, verify the following settings:

i) Verify that the Only the list below button is selected. To list only those hosts you want to allow to relay mail, click Add, and then follow the instructions. If you click All except the list below, your server may appear to be a server that is a source of unsolicited e-mail on the Internet.

ii) Verify that the Allow all computers which successfully authenticate to relay, regardless of list above check box is selected. This setting allows you to deny access to all users who do not authenticate. Any remote POP and IMAP users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.

Hope this clears it up for you.
 

Author Comment

by:jbreg
ID: 11987488
"For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers."

This *seems* to suggest that I ought to have more than one SMTP virtual server. At the moment I do not--just one. Here is what I want to do with my exchange org:

1) Send and receive email from internal clients using exchange (and remote exchange users)
2) Allow clients to connect via POP3 over SSL and SMTP over SSL (Remote users). It is this class of users I am particularly concerned about requiring SMTP authentication for outgoing mail. I have the SSL part sorted, but currently the server does not seem to require authentication on SMTP, which is a problem.

Jay
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987519
If you just have one server then you have to enable anonymous access on the server, because that is your gateway to the internet.

Shahnaz
 
LVL 20

Expert Comment

by:ikm7176
ID: 11987831
You need to have another dedicated SMTP server for your POP3 and SMTP clients. Removing Anonymous access on the Internet Gateway server will stop all your e-mails.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.
 

Author Comment

by:jbreg
ID: 11989399
OK, so I have to create another SMTP virtual server? Do I have to bind a second IP to the server for this purpose?

Jay
 
LVL 20

Accepted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11989561
Yes, you should bind a second IP address to your SMTP virtual server.
The second virtual SMTP server cannot listen on the same IP address as the first virtual SMTP server. If you choose to run both an authenticating and a non-authenticating SMTP relay on the same computer, you must bind at least two IP addresses to the external interface of the server. If you choose to create only an authenticating SMTP relay, you do not need to create the second virtual SMTP server, which is not a solution for gateway servers.

The following links may give you a good idea:

http://www.tacteam.net/isaserverorg/exchangekit/2003securepop3/2003securepop3.htm
http://www.tacteam.net/isaserverorg/exchangekit/2003secureauthsmtprelay/2003secureauthsmtprelay.htm

How about installing another Windows 2003 machine and configuring secure SMTP for the clients. Just a thought though!

Cheers!
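As an added illustration (not code from the thread or from Microsoft), the following Python model captures the two points the answers above make: the RCPT TO decision an SMTP virtual server takes under its Access-tab settings (Anonymous access, Requires TLS encryption, the "Only the list below" relay list and "Allow all computers which successfully authenticate to relay"), and the accepted solution's requirement that a gateway and a client-submission virtual server be bound to different IP addresses. It also shows why mail accepted for a local domain is delivery rather than relay, which is the outcome the author reports at the end of the thread. All server names, IP addresses, domains and the outcome strings are constructed for the example; the real Exchange reply codes are not reproduced.

```python
"""Added example (not from the thread): a model of the RCPT TO decision an
Exchange 2003 SMTP virtual server makes under the Access-tab settings the
answers describe, and of why a gateway and a client-submission virtual server
need separate IP bindings.  All names, addresses and domains are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    name: str
    bind_ip: str                          # one IP per virtual server (accepted solution)
    local_domains: frozenset              # domains this organisation accepts mail for
    allow_anonymous: bool                 # "Anonymous access" check box
    require_tls: bool                     # "Requires TLS encryption" check box
    relay_hosts: frozenset = frozenset()  # "Only the list below" relay list
    relay_if_authenticated: bool = True   # "Allow all computers which successfully authenticate to relay"


@dataclass(frozen=True)
class Session:
    client_ip: str
    authenticated: bool
    tls: bool
    rcpt_domain: str


# Constructed configuration: an Internet gateway and a dedicated submission server.
GATEWAY = VirtualServer("Default SMTP Virtual Server", "203.0.113.10",
                        frozenset({"example.org"}),
                        allow_anonymous=True, require_tls=False)
SUBMISSION = VirtualServer("Client Submission", "203.0.113.11",
                           frozenset({"example.org"}),
                           allow_anonymous=False, require_tls=True)


def check_rcpt(vs, s):
    """Outcome for one RCPT TO: 'deliver', 'relay', or a rejection reason."""
    if vs.require_tls and not s.tls:
        return "reject: TLS required"
    if not vs.allow_anonymous and not s.authenticated:
        return "reject: authentication required"
    if s.rcpt_domain.lower() in vs.local_domains:
        # Mail for a local domain is inbound delivery, not relay: an anonymous
        # sender reaching a local mailbox does not make the server an open relay.
        return "deliver"
    # The recipient is external, so accepting it would be relaying.
    if s.authenticated and vs.relay_if_authenticated:
        return "relay"
    if s.client_ip in vs.relay_hosts:
        return "relay"
    return "reject: relaying denied"


def validate_bindings(servers):
    """Return IPs bound by more than one virtual server: the conflict the
    accepted solution warns about (two servers cannot share port 25 on one IP)."""
    seen = {}
    for vs in servers:
        seen.setdefault(vs.bind_ip, []).append(vs.name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


def server_for(servers, dest_ip):
    """Pick the virtual server a client reaches by connecting to dest_ip."""
    for vs in servers:
        if vs.bind_ip == dest_ip:
            return vs
    return None


def run_scenarios():
    """Evaluate constructed sessions mirroring the thread against both servers."""
    servers = (GATEWAY, SUBMISSION)
    cases = {
        # an Internet MTA delivering inbound mail to the gateway
        "inbound": (GATEWAY.bind_ip, Session("198.51.100.5", False, False, "example.org")),
        # the same MTA trying to use the gateway as an open relay
        "anon_relay": (GATEWAY.bind_ip, Session("198.51.100.5", False, False, "example.net")),
        # a remote POP3 user sending out through the submission server
        "pop_user": (SUBMISSION.bind_ip, Session("192.0.2.44", True, True, "example.net")),
        # the same user without STARTTLS
        "pop_no_tls": (SUBMISSION.bind_ip, Session("192.0.2.44", True, False, "example.net")),
        # an unauthenticated client reaching the submission server
        "anon_submit": (SUBMISSION.bind_ip, Session("192.0.2.44", False, True, "example.org")),
    }
    return {name: check_rcpt(server_for(servers, ip), s) for name, (ip, s) in cases.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} -> {outcome}")
    print("binding conflicts:", validate_bindings((GATEWAY, SUBMISSION)))
```

Running the script shows the gateway delivering inbound mail while refusing an anonymous relay attempt, and the submission server refusing anything that is not both TLS-protected and authenticated; `validate_bindings` returns an empty dict for the two-IP layout and flags the conflict if both servers are given the same address.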
 

Author Comment

by:jbreg
ID: 12007718
Ok, this may sound like a stupid question, but how do I ensure that the first SMTP (default) connector, which is used by external people to send mail to us, cannot be used to relay mail to others except people in my domain(s)? I believe I have all the settings correct (have checked other EE, etc. articles) and yet running a check on http://www.abuse.net/relay.html shows the final relay test to permit open relay, and it does indeed send an email that I receive on an external acct. Is it appropriate to have a * in relay to these domains in Internet Mail Connector?

Jay
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008545
Follow the link below. Though it applies to SBS2003, it equally applies to Exchange 2003.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324958
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008576
 

Author Comment

by:jbreg
ID: 12011088
Thanks! Actually what had happened is that I only assumed the open relay test was able to relay--in fact the message got sent to my internal address, not an external address, thus it was not really relayed at all (as confirmed by telnetting in).
