Solved

Cannot Receive Mail without SMTP Anonymous Authentication but want to Secure SMTP EXG 2003

Posted on 2004-09-05
Last Modified: 2012-08-13
Here's the dilemma--every time I take off anonymous access for the one SMTP virtual server I have in order to try and get some security, my organisation cannot receive mail from the outside world (sending appears fine). The goal is to require SMTP authentication and SSL but, obviously, still receive mail from the outside world. Any idea how this might be done? A second SMTP virtual server perhaps?
Question by:jbreg
12 Comments
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987159
Without SMTP anonymous access checked you won't be able to receive mail from the outside world. What this anonymous setting means is that it allows any external server to mutually authenticate with your server. If you remove this then the external server will not be able to mutually authenticate, so they can't send mail. Trust this clarifies.

Shahnaz
 

Author Comment

by:jbreg
ID: 11987321
Yes, but how do I protect myself from unauthorised use of my SMTP server? Specifically, what I want to do is to be able to set up clients using POP3, etc. that REQUIRE SMTP authentication using the same credentials as required for POP3...?

Jay
 
LVL 20

Assisted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11987458
In Authentication:
Anonymous access: Usually, you would use this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers.
Note: If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

Requires TLS encryption: Use this check box if you have a digital certificate, typically in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

Integrated Windows Authentication: This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes. Note: By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate using the most common methods.


FOR PREVENTING RELAY:

By default, the default SMTP virtual server allows only authenticated users to relay e-mail. This is the preferred setting because it prevents unauthorized users from using your Exchange server to send e-mail to external domains. The most secure relay configuration requires authentication for anyone connecting from the Internet and attempting to relay.

bridgehead servers that are connected to the Internet and that accept Internet mail must generally accept anonymous connections; however, by default, these bridgehead servers do not allow anonymous relaying. Enabling anonymous relaying is strongly discouraged. If you allow anonymous relaying, other users can use your server to send unsolicited commercial e-mail. Subsequently, this would cause other Internet servers to blacklist your server.

To verify relay restrictions on an SMTP virtual server
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. In Default SMTP Virtual Server Properties, click the Access tab.
5. Under Relay restrictions, click Relay to verify relay restrictions. The Relay Restrictions dialog box displays.
6. In Relay Restrictions, verify the following settings:

i) Verify that the Only the list below button is selected. To list only those hosts you want to allow to relay mail, click Add, and then follow the instructions. If you click All except the list below, your server may appear to be a server that is a source of unsolicited e-mail on the Internet.

ii) Verify that the Allow all computers which successfully authenticate to relay, regardless of list above check box is selected. This setting allows you to deny access to all users who do not authenticate. Any remote POP and IMAP users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.

Hope this is clear for you.
 

Author Comment

by:jbreg
ID: 11987488
"For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers."

This *seems* to suggest that I ought to have more than one SMTP virtual server. At the moment I do not--just one. Here is what I want to do with my exchange org:

1) Send and receive email from internal clients using exchange (and remote exchange users)
2) Allow clients to connect via POP3 over SSL and SMTP over SSL (Remote users). It is this class of users I am particularly concerned about requiring SMTP authentication for outgoing mail. I have the SSL part sorted, but currently the server does not seem to require authentication on SMTP, which is a problem.

Jay
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987519
If you just have one server then you have to enable anonymous access on the server, because that is your gateway to the Internet.

Shahnaz
 
LVL 20

Expert Comment

by:ikm7176
ID: 11987831
you need to have another dedicated SMTP server for your POP3 and SMTP clients. Removing Anonymous access on the Internet Gateway server will stop all your e-mails.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.
 

Author Comment

by:jbreg
ID: 11989399
OK, so I have to create another SMTP virtual server? Do I have to bind a second IP to the server for this purpose?

Jay
 
LVL 20

Accepted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11989561
Yes, you should bind a second IP address to your SMTP virtual server.
The second virtual SMTP server cannot listen on the same IP address as the first virtual SMTP server. If you choose to run both an authenticating and non-authenticating SMTP relay on the same computer, you must bind at least two IP addresses to the external interface of the server. If you choose to create only an authenticating SMTP relay, you do not need to create the second virtual SMTP server, which is not a solution for gateway servers.

The following links may give you a good idea:

http://www.tacteam.net/isaserverorg/exchangekit/2003securepop3/2003securepop3.htm
http://www.tacteam.net/isaserverorg/exchangekit/2003secureauthsmtprelay/2003secureauthsmtprelay.htm

How about installing another Windows 2003 machine and configuring secure SMTP for the clients? Just a thought though!

Cheers!
 

Author Comment

by:jbreg
ID: 12007718
OK, this may sound like a stupid question, but how do I ensure that the first SMTP (default) connector, which is used by external people to send mail to us, cannot be used to relay mail to others except people in my domain(s)? I believe I have all the settings correct (have checked other EE, etc. articles) and yet running a check on http://www.abuse.net/relay.html shows the final relay test to permit open relay, and it does indeed send an email that I receive on an external acct. Is it appropriate to have a * in "relay to these domains" in the Internet Mail Connector?

Jay
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008545
Follow the link below; though it applies to SBS 2003, it equally applies to Exchange 2003.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324958
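The relay test jbreg ran against the gateway virtual server, and the relay-restriction and authentication settings ikm7176 lists earlier in the thread, can both be checked from the wire rather than from the dialog boxes. The script below is an added example and is not part of this thread or of the Microsoft KB article; it sends the same probe sequence an external relay tester does (EHLO, a null-sender MAIL FROM, RCPT TO a foreign domain, RCPT TO a local domain, then the same after AUTH) and reports what the listener allowed. So that it runs offline it bundles a scripted stand-in for an Exchange 2003 SMTP virtual server; the host name mail.example.org, the accepted domain example.org, the user jay/secret and the recipient addresses are all constructed, and the stand-in is not Exchange. Run against a real listener, only `probe()` is needed.

```python
"""Added example: probe an SMTP listener for relay and authentication posture.

The FakeVirtualServer class is a constructed stand-in so the script runs
offline; point probe() at a real Exchange 2003 SMTP virtual server instead.
"""
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"example.org"}   # constructed: the domains this server accepts mail for
USERS = {"jay": "secret"}         # constructed: a remote POP3/SMTP user's Basic auth creds


class FakeVirtualServer(socketserver.StreamRequestHandler):
    """Minimal ESMTP state machine standing in for an SMTP virtual server.

    require_auth=False behaves like the Internet gateway virtual server in the
    thread: anonymous access on, local domains accepted, relay only after AUTH.
    require_auth=True behaves like a dedicated client virtual server that
    refuses every unauthenticated recipient (and so cannot take Internet mail).
    Both advertise Basic (PLAIN/LOGIN) auth on plaintext with no STARTTLS, the
    weak setting the thread warns about.
    """

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        authed = False
        self.reply("220 mail.example.org ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-mail.example.org")
                self.reply("250-AUTH LOGIN PLAIN")      # offered without TLS
                self.reply("250 OK")
            elif verb == "AUTH":
                mech, _, b64 = arg.partition(" ")
                parts = base64.b64decode(b64).split(b"\0") if mech.upper() == "PLAIN" else []
                if len(parts) == 3 and USERS.get(parts[1].decode()) == parts[2].decode():
                    authed = True
                    self.reply("235 2.7.0 Authentication successful")
                else:
                    self.reply("535 5.7.8 Authentication credentials invalid")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.reply("250 OK")
            elif verb == "RCPT":
                domain = arg.split(":", 1)[1].strip("<> ").rpartition("@")[2].lower()
                if authed:
                    self.reply("250 2.1.5 OK")              # authenticated relay allowed
                elif self.server.require_auth:
                    self.reply("530 5.7.1 Client was not authenticated")
                elif domain in LOCAL_DOMAINS:
                    self.reply("250 2.1.5 OK")              # inbound Internet mail
                else:
                    self.reply("550 5.7.1 Unable to relay")  # relay restriction
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 5.5.1 Command not implemented")


def start_fake_server(require_auth=False):
    """Start the stand-in on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeVirtualServer)
    srv.require_auth = require_auth
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, local_rcpt, external_rcpt, creds=None):
    """Run the relay test against a plaintext SMTP port and return the findings.

    local_rcpt is an address in one of the server's own domains, external_rcpt
    one in a foreign domain. creds=(user, password) additionally checks that an
    authenticated session is allowed to relay.
    """
    r = {}
    with smtplib.SMTP(host, port, local_hostname="relaytest.example", timeout=10) as s:
        s.ehlo()
        r["auth_mechs"] = s.esmtp_features.get("auth", "").split()
        r["starttls_offered"] = s.has_extn("starttls")
        # AUTH advertised on the unencrypted EHLO means Basic auth passwords can
        # cross the wire in clear text, whatever a well-behaved client does.
        r["cleartext_auth_offered"] = bool(r["auth_mechs"])
        s.mail("")                                    # MAIL FROM:<>, as a bounce would
        r["relays_unauthenticated"] = s.rcpt(external_rcpt)[0] == 250
        s.rset()
        s.mail("")
        r["accepts_inbound"] = s.rcpt(local_rcpt)[0] == 250
        if creds:
            s.rset()
            s.login(*creds)                           # PLAIN, sent in clear on this port
            s.mail("")
            r["relays_authenticated"] = s.rcpt(external_rcpt)[0] == 250
    return r


if __name__ == "__main__":
    for role, require_auth in (("gateway", False), ("client-only", True)):
        srv, port = start_fake_server(require_auth)
        print(role, probe("127.0.0.1", port, "jay@example.org", "victim@example.com", ("jay", "secret")))
        srv.shutdown()
        srv.server_close()
```

Read the two result sets together: the gateway listener must show `accepts_inbound` true and `relays_unauthenticated` false (that is the "Only the list below" plus "allow authenticated computers to relay" combination), while the client-only listener shows `accepts_inbound` false, which is exactly why it cannot be the one virtual server that faces the Internet. `cleartext_auth_offered` true with `starttls_offered` false is the condition under which the Basic authentication warning in the thread applies.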
 

Author Comment

by:jbreg
ID: 12011088
Thanks! Actually what had happened is that I only assumed the open relay test was able to relay--in fact the message got sent to my internal address, not an external address, thus it was not really relayed at all (as confirmed by telneting in).