Solved

Cannot Receive Mail without SMTP Anonymous Authentication but want to Secure SMTP EXG 2003

Posted on 2004-09-05
Last Modified: 2012-08-13
Here's the dilemma--every time I take off anonymous access for the one SMTP virtual server I have in order to try and get some security, my organisation cannot receive mail from the outside world (sending appears fine). The goal is to require SMTP authentication and SSL but, obviously, still receive mail from the outside world. Any idea how this might be done? A second SMTP virtual server perhaps?
Question by:jbreg
12 Comments
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987159
Without SMTP anonymous checked you won't be able to receive mail from the outside world. What this anonymous means is that it allows any external server to mutually authenticate with your server. If you remove this then the external server will not be able to mutually authenticate, so they can't send mail. Trust this clarifies.

Shahnaz
 

Author Comment

by:jbreg
ID: 11987321
Yes, but how do I protect myself from unauthorised use of my SMTP server? Specifically, what I want to do is to be able to set up clients using POP3, etc. that REQUIRE SMTP authentication using the same credentials as required for POP3...?

Jay
 
LVL 20

Assisted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11987458
In Authentication,
Anonymous access: Usually, you would use this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers.
Note: If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

Requires TLS encryption: Use this check box if you have a digital certificate, typically in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

Integrated Windows Authentication: This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes. Note: By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate using the most common methods.


FOR PREVENTING RELAY:

By default, the default SMTP virtual server allows only authenticated users to relay e-mail. This is the preferred setting because it prevents unauthorized users from using your Exchange server to send e-mail to external domains. The most secure relay configuration requires authentication for anyone connecting from the Internet and attempting to relay.

Bridgehead servers that are connected to the Internet and that accept Internet mail must generally accept anonymous connections; however, by default, these bridgehead servers do not allow anonymous relaying. Enabling anonymous relaying is strongly discouraged. If you allow anonymous relaying, other users can use your server to send unsolicited commercial e-mail. Subsequently, this would cause other Internet servers to blacklist your server.

To verify relay restrictions on an SMTP virtual server
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. In Default SMTP Virtual Server Properties, click the Access tab.
5. Under Relay restrictions, click Relay to verify relay restrictions. The Relay Restrictions dialog box displays.
6. In Relay Restrictions, verify the following settings:

i) Verify that the Only the list below button is selected. To list only those hosts you want to allow to relay mail, click Add, and then follow the instructions. If you click All except the list below, your server may appear to be a server that is a source of unsolicited e-mail on the Internet.

ii) Verify that the Allow all computers which successfully authenticate to relay, regardless of list above check box is selected. This setting allows you to deny access to all users who do not authenticate. Any remote POP and IMAP users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.

Hope this is clear for you.

 

Author Comment

by:jbreg
ID: 11987488
"For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers."

This *seems* to suggest that I ought to have more than one SMTP virtual server. At the moment I do not--just one. Here is what I want to do with my exchange org:

1) Send and receive email from internal clients using exchange (and remote exchange users)
2) Allow clients to connect via POP3 over SSL and SMTP over SSL (Remote users). It is this class of users I am particularly concerned about requiring SMTP authentication for outgoing mail. I have the SSL part sorted, but currently the server does not seem to require authentication on SMTP, which is a problem.

Jay
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 100 total points
ID: 11987519
If you just have one server then you have to enable anonymous access in the server, because that is your gateway to the internet.

Shahnaz
 
LVL 20

Expert Comment

by:ikm7176
ID: 11987831
You need to have another dedicated SMTP server for your POP3 and SMTP clients. Removing Anonymous access on the Internet Gateway server will stop all your e-mails.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.
 

Author Comment

by:jbreg
ID: 11989399
OK, so I have to create another SMTP virtual server? Do I have to bind a second IP to the server for this purpose?

Jay
 
LVL 20

Accepted Solution

by:ikm7176
ikm7176 earned 400 total points
ID: 11989561
Yes, you should bind a second IP address to your SMTP virtual server.
The second virtual SMTP server cannot listen on the same IP address as the first virtual SMTP server. If you choose to run both an authenticating and non-authenticating SMTP relay on the same computer, you must bind at least two IP addresses to the external interface of the server. If you choose to create only an authenticating SMTP relay, you do not need to create the second virtual SMTP server, which is not a solution for gateway servers.

The following links may give you a good idea:

http://www.tacteam.net/isaserverorg/exchangekit/2003securepop3/2003securepop3.htm
http://www.tacteam.net/isaserverorg/exchangekit/2003secureauthsmtprelay/2003secureauthsmtprelay.htm

How about installing another Windows 2003 machine and configuring secure SMTP for the clients. Just a thought though!

Cheers!
 

Author Comment

by:jbreg
ID: 12007718
Ok, this may sound like a stupid question, but how do I ensure that the first SMTP (default) connector, which is used by external people to send mail to us, cannot be used to relay mail to others except people in my domain(s). I believe I have all the settings correct (have checked other EE, etc. articles) and yet running a check on http://www.abuse.net/relay.html shows the final relay test to permit open relay, and it does indeed send an email that I receive on an external acct. Is it appropriate to have a * in relay to these domains in Internet Mail Connector?

Jay
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008545
Follow the link below. Though it applies to SBS 2003, it equally applies to Exchange 2003.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324958
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008576
 

Author Comment

by:jbreg
ID: 12011088
Thanks! Actually what had happened is that I only assumed the open relay test was able to relay--in fact the message got sent to my internal address, not an external address, thus it was not really relayed at all (as confirmed by telnetting in).
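As an added example that is not part of the thread, the following Python models the two settings the answers turn on: the Authentication "Anonymous access" check box and the Relay Restrictions settings ("Only the list below" plus "Allow all computers which successfully authenticate to relay") from ikm7176's comment, together with the point in the last comment that an accepted recipient in your own domain is local delivery, not a relay. Domain names, IP ranges and the reply strings are constructed assumptions for illustration, not Exchange's actual output.

```python
# Constructed model of the Exchange 2003 SMTP virtual server decisions; all values are illustrative.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class VirtualServerPolicy:
    local_domains: set        # domains the Exchange org accepts mail for
    anonymous_access: bool    # Authentication tab: "Anonymous access"
    relay_hosts: tuple = ()   # Relay Restrictions: "Only the list below" (CIDR strings)
    allow_authenticated: bool = True  # "Allow all computers which successfully authenticate to relay"

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return the (constructed) SMTP reply for one RCPT TO from this client."""
        # Anonymous access off: unauthenticated peers are refused outright. Internet
        # MTAs never authenticate, so on the gateway this blocks all inbound mail.
        if not authenticated and not self.anonymous_access:
            return "530 5.7.1 Client was not authenticated"
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:          # our own domain: delivery, not relay
            return "250 2.1.5 OK (local delivery)"
        ip = ip_address(client_ip)
        if any(ip in ip_network(net) for net in self.relay_hosts):
            return "250 2.1.5 OK (relay: host in list)"
        if authenticated and self.allow_authenticated:
            return "250 2.1.5 OK (relay: authenticated)"
        return "550 5.7.1 Unable to relay"


def gateway_policy() -> VirtualServerPolicy:
    """Internet gateway virtual server: anonymous on, relay only for the list or authenticated users."""
    return VirtualServerPolicy({"example.org"}, anonymous_access=True, relay_hosts=("10.0.0.0/8",))


def client_policy() -> VirtualServerPolicy:
    """Second virtual server on its own IP for POP3/IMAP users: anonymous off."""
    return VirtualServerPolicy({"example.org"}, anonymous_access=False)


def relay_test_verdict(policy, client_ip, authenticated, rcpt) -> str:
    """Read a relay probe's result: an accepted recipient in a local domain was
    delivered, not relayed, so it is not evidence of an open relay."""
    reply = policy.decide(client_ip, authenticated, rcpt)
    if not reply.startswith("250"):
        return "relay denied"
    if rcpt.rsplit("@", 1)[-1].lower() in policy.local_domains:
        return "delivered locally (not a relay)"
    return "relayed"
```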