Solved

Cannot Receive Mail without SMTP Anonymous Authentication but want to Secure SMTP EXG 2003

Posted on 2004-09-05
Last Modified: 2012-08-13
Here's the dilemma--every time I take off anonymous access for the one SMTP virtual server I have in order to try and get some security, my organisation cannot receive mail from the outside world (sending appears fine). The goal is to require SMTP authentication and SSL but, obviously, still receive mail from the outside world. Any idea how this might be done? A second SMTP virtual server perhaps?
Question by:jbreg
12 Comments
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 400 total points
ID: 11987159
Without SMTP anonymous access checked you won't be able to receive mail from the outside world. What this anonymous access means is that it allows any external server to mutually authenticate with your server. If you remove this then the external server will not be able to mutually authenticate, so they can't send mail. Trust this clarifies.

Shahnaz
 

Author Comment

by:jbreg
ID: 11987321
Yes, but how do I protect myself from unauthorised use of my SMTP server? Specifically, what I want to do is to be able to set up clients using POP3, etc. that REQUIRE SMTP authentication using the same credentials as required for POP3...?

Jay
 
LVL 20

Assisted Solution

by:ikm7176
ikm7176 earned 1600 total points
ID: 11987458
In Authentication,
Anonymous access: Usually, you would use this check box for servers that are directly connected to the Internet. If you select this check box, other servers on the Internet will not authenticate to this server prior to sending mail. For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers.
Note: If the Anonymous access check box is not selected on your Internet gateway servers, you may not receive incoming mail from the Internet. However, for internal SMTP virtual servers or SMTP virtual servers used exclusively by IMAP and POP users, you can clear this check box because they must authenticate.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.

Requires TLS encryption: Use this check box if you have a digital certificate, typically in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 domain name that the user should authenticate against if he or she does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

Integrated Windows Authentication: This check box is used only by Windows user accounts. Using the NTLM protocol, user names and passwords are encrypted and are then passed to the SMTP virtual server for authentication purposes.
Note: By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate using the most common methods.


FOR PREVENTING RELAY:

By default, the default SMTP virtual server allows only authenticated users to relay e-mail. This is the preferred setting because it prevents unauthorized users from using your Exchange server to send e-mail to external domains. The most secure relay configuration requires authentication for anyone connecting from the Internet and attempting to relay.

bridgehead servers that are connected to the Internet and that accept Internet mail must generally accept anonymous connections; however, by default, these bridgehead servers do not allow anonymous relaying. Enabling anonymous relaying is strongly discouraged. If you allow anonymous relaying, other users can use your server to send unsolicited commercial e-mail. Subsequently, this would cause other Internet servers to blacklist your server.

To verify relay restrictions on an SMTP virtual server
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Servers, expand <Server Name>, expand Protocols, and then expand SMTP.
3. Right-click Default SMTP Virtual Server, and then click Properties.
4. In Default SMTP Virtual Server Properties, click the Access tab.
5. Under Relay restrictions, click Relay to verify relay restrictions. The Relay Restrictions dialog box displays.
6. In Relay Restrictions, verify the following settings:

i) Verify that the Only the list below button is selected. To list only those hosts you want to allow to relay mail, click Add, and then follow the instructions. If you click All except the list below, your server may appear to be a server that is a source of unsolicited e-mail on the Internet.

ii) Verify that the Allow all computers which successfully authenticate to relay, regardless of list above check box is selected. This setting allows you to deny access to all users who do not authenticate. Any remote POP and IMAP users accessing this server will authenticate to send mail. If you do not have users who access this server through POP or IMAP, you can clear this check box to prevent relaying entirely, thereby increasing security.

Hope this clears it up for you.
 

Author Comment

by:jbreg
ID: 11987488
"For increased security, disable anonymous access on your internal SMTP virtual servers that do not accept incoming Internet mail. For similar security purposes, you can also disable anonymous access on dedicated SMTP virtual servers used for remote IMAP and POP users. However, you must allow anonymous access on your Internet gateway servers."

This *seems* to suggest that I ought to have more than one SMTP virtual server. At the moment I do not--just one. Here is what I want to do with my exchange org:

1) Send and receive email from internal clients using exchange (and remote exchange users)
2) Allow clients to connect via POP3 over SSL and SMTP over SSL (Remote users). It is this class of users I am particularly concerned about requiring SMTP authentication for outgoing mail. I have the SSL part sorted, but currently the server does not seem to require authentication on SMTP, which is a problem.

Jay
 
LVL 7

Assisted Solution

by:alshahnaz
alshahnaz earned 400 total points
ID: 11987519
If you just have one server then you have to enable anonymous access on the server, because that is your gateway to the internet.

Shahnaz
 
LVL 20

Expert Comment

by:ikm7176
ID: 11987831
you need to have another dedicated SMTP server for your POP3 and SMTP clients. Removing Anonymous access on the Internet Gateway server will stop all your e-mails.

Basic authentication: Use this check box for mail clients (such as Microsoft Outlook) that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol version 4rev1 (IMAP4) to connect to the server. To send e-mail, these clients authenticate to the server.
Important: If you select the Basic authentication check box, user names and passwords are sent across the network in clear text. This information can be easily intercepted on the Internet. If you use basic authentication, consider implementing Transport Layer Security (TLS) for more security.
 

Author Comment

by:jbreg
ID: 11989399
OK, so I have to create another SMTP virtual server? Do I have to bind a second IP to the server for this purpose?

Jay
 
LVL 20

Accepted Solution

by:ikm7176
ikm7176 earned 1600 total points
ID: 11989561
Yes, you should bind a second IP address to your SMTP virtual server.
The second virtual SMTP server cannot listen on the same IP address as the first virtual SMTP server. If you choose to run both an authenticating and non-authenticating SMTP relay on the same computer, you must bind at least two IP addresses to the external interface of the server. If you choose to create only an authenticating SMTP relay, you do not need to create the second virtual SMTP server, which is not a solution for gateway servers.

The following links may  give you a good idea

http://www.tacteam.net/isaserverorg/exchangekit/2003securepop3/2003securepop3.htm
http://www.tacteam.net/isaserverorg/exchangekit/2003secureauthsmtprelay/2003secureauthsmtprelay.htm

How about installing another Windows 2003 machine and configuring secure SMTP for the clients? Just a thought though!

Cheers!
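The settings ikm7176 pasted (Anonymous access, "Only the list below", "Allow all computers which successfully authenticate to relay") and the accepted answer's two-virtual-server layout with a separate IP binding are easier to reason about as a decision table. The following is an added example written for this page, not code from the thread or from Microsoft: it models the RCPT TO decision for two virtual servers, one Internet gateway with anonymous access on and one client-submission server with anonymous access off, and checks that their bindings do not collide. The domains, IP addresses and the SMTP reply wording are constructed for the example (Exchange's actual reply text is assumed, not quoted).

```python
# Added example: a model of how the Exchange 2003 SMTP virtual server settings
# discussed in this thread decide whether to accept a RCPT TO. Not Exchange code;
# reply strings are written to resemble Exchange's but their exact wording is assumed.
from dataclasses import dataclass, field

@dataclass
class VirtualServer:
    name: str
    binding: tuple                        # (ip, port) on the General tab; two servers cannot share one
    anonymous_access: bool                # Authentication tab: Anonymous access
    only_listed_may_relay: bool = True    # Relay Restrictions: "Only the list below"
    relay_list: set = field(default_factory=set)   # hosts/IPs in that list
    authenticated_may_relay: bool = True  # "Allow all computers which successfully authenticate to relay"

@dataclass
class Session:
    client_ip: str
    authenticated: bool  # AUTH (Basic or NTLM) succeeded on this connection

def accept_rcpt(vs, session, recipient, local_domains):
    """Return (accepted, reply) for one RCPT TO on virtual server `vs`."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if not session.authenticated and not vs.anonymous_access:
        # With anonymous access cleared an unauthenticated session cannot start a
        # transaction at all, which is why clearing it on the gateway stops inbound mail.
        return False, "530 5.7.3 Client was not authenticated"
    if domain in {d.lower() for d in local_domains}:
        return True, "250 2.1.5 Recipient OK (local delivery, not a relay)"
    if session.authenticated and vs.authenticated_may_relay:
        return True, "250 2.1.5 Recipient OK (relay, authenticated)"
    listed = session.client_ip in vs.relay_list
    if vs.only_listed_may_relay:
        if listed:
            return True, "250 2.1.5 Recipient OK (relay, listed host)"
        return False, "550 5.7.1 Unable to relay"
    # "All except the list below": every unlisted host may relay, i.e. an open relay.
    if listed:
        return False, "550 5.7.1 Unable to relay"
    return True, "250 2.1.5 Recipient OK (relay, OPEN RELAY)"

def is_open_relay(vs, local_domains):
    """True if an unauthenticated, unlisted Internet host can relay to a foreign domain."""
    stranger = Session(client_ip="203.0.113.7", authenticated=False)   # constructed address
    ok, _ = accept_rcpt(vs, stranger, "victim@example.net", local_domains)
    return ok

def bindings_valid(servers):
    """Each virtual server needs its own IP:port, which is why a second IP is required."""
    bindings = [vs.binding for vs in servers]
    return len(bindings) == len(set(bindings))

LOCAL = ["example.com"]  # constructed: the organisation's own domain(s)
# Two-server layout from the accepted answer: Internet gateway plus client submission server.
GATEWAY = VirtualServer("Default SMTP Virtual Server", ("192.0.2.10", 25), anonymous_access=True)
SUBMISSION = VirtualServer("Client SMTP Virtual Server", ("192.0.2.11", 25), anonymous_access=False)

if __name__ == "__main__":
    internet_mta = Session("198.51.100.5", authenticated=False)
    pop_user = Session("198.51.100.9", authenticated=True)
    for vs in (GATEWAY, SUBMISSION):
        for who, s in (("Internet MTA", internet_mta), ("POP3 user", pop_user)):
            for rcpt in ("jay@example.com", "friend@example.net"):
                print(f"{vs.name:28} {who:12} {rcpt:20} {accept_rcpt(vs, s, rcpt, LOCAL)}")
    print("gateway open relay:", is_open_relay(GATEWAY, LOCAL))
    print("bindings valid:", bindings_valid([GATEWAY, SUBMISSION]))
```

The table the script prints is the whole answer to the original question: the gateway accepts anonymous mail for example.com and refuses anonymous mail for anything else, the submission server refuses anonymous sessions outright, and both relay for an authenticated POP3 user. Flipping `only_listed_may_relay` to False on the gateway turns `is_open_relay` true, which is the misconfiguration the relay-verification steps are meant to catch.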
 

Author Comment

by:jbreg
ID: 12007718
OK, this may sound like a stupid question, but how do I ensure that the first SMTP (default) connector, which is used by external people to send mail to us, cannot be used to relay mail to others except people in my domain(s)? I believe I have all the settings correct (have checked other EE, etc. articles) and yet running a check on http://www.abuse.net/relay.html shows the final relay test to permit open relay, and it does indeed send an email that I receive on an external acct. Is it appropriate to have a * in relay to these domains in Internet Mail Connector?

Jay
 
LVL 20

Expert Comment

by:ikm7176
ID: 12008545
Follow the link below. Though it applies to SBS2003, it equally applies to Exchange 2003.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324958
 

Author Comment

by:jbreg
ID: 12011088
Thanks! Actually what had happened is that I only assumed the open relay test was able to relay--in fact the message got sent to my internal address, not an external address, thus it was not really relayed at all (as confirmed by telnetting in).
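Jay's closing comment is the practical lesson of the thread: a 250 on a recipient in your own domain is delivery, not relaying, and only a 250 on a foreign recipient from an unauthenticated session proves an open relay. The probe below is an added example for this page, not code from the thread, from abuse.net or from Microsoft. It issues the same kind of unauthenticated MAIL FROM / RCPT TO pairs the abuse.net test does and sorts the answers into "local delivery", "relay accepted" and "rejected". So that it runs offline it includes a constructed in-memory stand-in for an Exchange 2003 gateway virtual server; the hostnames, domains and reply wording in that stand-in are assumed, and `SocketTransport` is the drop-in for a real check against your gateway from outside your network.

```python
# Added example: an SMTP open-relay probe that distinguishes local delivery from
# relaying. Not from the thread; example.com/example.net, the banner text and the
# fake server's reply wording are constructed for the example.
import socket

class SocketTransport:
    """Real transport: send one command line, read one (possibly multi-line) reply."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout)
        self.lines = self.sock.makefile("r", encoding="ascii", errors="replace")
    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))
    def reply(self):
        got = []
        while True:
            line = self.lines.readline().rstrip("\r\n")
            got.append(line)
            if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends the reply
                return int(line[:3]), got

class FakeExchangeTransport:
    """Constructed stand-in for a gateway virtual server: anonymous access on,
    relay restricted to authenticated sessions (or wide open if open_relay=True)."""
    def __init__(self, local_domains, open_relay=False):
        self.local = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.queue = ["220 mail.example.com Microsoft ESMTP MAIL Service ready"]
        self.log = []   # commands seen, handy when a probe misbehaves
    def send(self, line):
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.queue += ["250-mail.example.com Hello", "250-AUTH GSSAPI NTLM LOGIN",
                           "250-STARTTLS", "250 OK"]
        elif verb == "MAIL":
            self.queue.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            if domain in self.local or self.open_relay:
                self.queue.append("250 2.1.5 Recipient OK")
            else:
                self.queue.append("550 5.7.1 Unable to relay")
        elif verb in ("RSET", "NOOP"):
            self.queue.append("250 2.0.0 OK")
        elif verb == "QUIT":
            self.queue.append("221 2.0.0 Service closing transmission channel")
        else:
            self.queue.append("500 5.5.1 Command unrecognized")
    def reply(self):
        got = []
        while True:
            line = self.queue.pop(0)
            got.append(line)
            if line[3:4] != "-":
                return int(line[:3]), got

def probe_relay(t, local_domains, helo="probe.example.net"):
    """Run three unauthenticated RCPT tests; classify each 250 as local delivery or relay."""
    local = [d.lower() for d in local_domains]
    t.reply()                                   # 220 banner
    t.send(f"EHLO {helo}")
    _, ehlo = t.reply()
    caps = {l[4:].split(" ")[0].upper() for l in ehlo[1:] if len(l) > 4}
    tests = [
        ("relaytest@example.net", "nobody@example.net"),        # foreign -> foreign: relay
        (f"relaytest@{local[0]}", "nobody@example.net"),         # spoofed local sender -> foreign: still relay
        ("relaytest@example.net", f"postmaster@{local[0]}"),     # foreign -> local: ordinary inbound mail
    ]
    result = {"auth_offered": "AUTH" in caps, "starttls_offered": "STARTTLS" in caps,
              "relay_accepted": [], "local_accepted": [], "rejected": []}
    for sender, rcpt in tests:
        t.send("RSET"); t.reply()
        t.send(f"MAIL FROM:<{sender}>")
        code, _ = t.reply()
        if code != 250:                          # e.g. 530 when anonymous access is off
            result["rejected"].append((sender, rcpt, code)); continue
        t.send(f"RCPT TO:<{rcpt}>")
        code, _ = t.reply()
        if code != 250:
            result["rejected"].append((sender, rcpt, code)); continue
        bucket = "local_accepted" if rcpt.rsplit("@", 1)[1].lower() in local else "relay_accepted"
        result[bucket].append((sender, rcpt))
    t.send("QUIT"); t.reply()
    result["open_relay"] = bool(result["relay_accepted"])
    return result

if __name__ == "__main__":
    # Offline run; replace the fake with SocketTransport("mail.example.com") for a live check.
    print(probe_relay(FakeExchangeTransport(["example.com"]), ["example.com"]))
```

Because the probe never issues DATA, no test message is queued or delivered, unlike the abuse.net test that Jay received in his own mailbox. Run it from a host outside the relay list against the gateway's public IP; a run from an internal host that happens to be on the relay list will report relaying that Internet hosts cannot do. The `auth_offered` and `starttls_offered` flags show whether the second virtual server for POP3 users is advertising the AUTH and STARTTLS capabilities it is supposed to require.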