How to enable Authenticated SMTP relaying

Hi,
Our organization requires us to configure access to our internal Exchange server in such a way that roaming users can connect to their mailboxes using MS Outlook; for this we have decided on 2 options:

     1- IMAP/SMTP
     2- RPC over HTTP

We have enabled IMAP services for the users to connect to their mailboxes using any form of internet connectivity. Now we have 3 domains:

     1- abc.com
     2- abccentral.abc.com
     3- abcwestern.abc.com

Each domain has a backend Exchange server and 1 front end Exchange server, all running Win2k3 and Exchange 2k3; only the front end server has a public IP address, and this server is located inside a DMZ zone. After having done the configurations, users can now connect to their mailboxes using a normal dialup; they can receive internal and external emails, and they can send emails to internal users, but the problem is they cannot send emails to external domains using their IMAP account settings. In the IMAP settings for the incoming IMAP server and outgoing SMTP server I am using either the FQDN or the IP address of the front end server. I am guessing that this problem is somehow related to SMTP authentication, because whenever I send an external email I receive an NDR saying that the Exchange server cannot relay for the mentioned user.

Please explain in detail the steps that I need to take to enable this.
Asked by: hanisaif

2 Solutions
 
huwa commented:
Hi, I am pretty sure you need to allow your IMAP users the right to relay over your server. If you look at the link below, look under the heading "Relay-Control Tactics":

http://www.microsoft.com/technet/prodtechnol/exchange/2000/deploy/frtfytr2.mspx
Authorizing by user authentication. Restricting relaying by IP address isn't feasible when you support many clients or when those clients connect through an ISP and thus have dynamically assigned addresses. In those situations, you can permit relaying based on user authentication. To do so, open the SMTP virtual server's Relay Restrictions dialog box, select the Allow all computers which successfully authenticate to relay, regardless of the list above check box, then stop and restart the virtual server. This setting requires the sending client to use the Extended SMTP (ESMTP) AUTH command, so your email clients must support that command and you must configure the clients to send logon credentials to the SMTP virtual server. This type of relay security is a bit more time-consuming because you must configure each client, but it's also the most secure way to permit relaying.

IMAP clients may also need to be configured to authenticate when sending mail outside.

 
Sembee commented:
There is no guarantee that your users will be able to connect back to your server on port 25. It is becoming quite common for ISPs to block that port and force users to send email through the ISP's server.

RPC over HTTPS would be a better choice, as it avoids any of the ISPs blocks.

Exchange is configured to allow relaying by authenticated users by default. Check that it is enabled on the frontend servers...

ESM, Servers, <your frontend server>, Protocols, SMTP. Right click on the SMTP VS and choose Properties. Click on the Access tab and then Relay.

I would strongly suggest that you disable the feature to allow all computers to relay and instead use the option to grant the permissions to users. Set up a group and put all your users that need to relay into it. The reason I suggest this is because authenticated relay attacks are becoming more common, and the account that is targeted is the administrator account. Therefore ensure that administrator, plus any other accounts that have common names, are not members of the relaying group.

Simon.
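To make the relay decision both answers describe concrete, here is an added example (not from the question, the answers, or Exchange itself) that models what the SMTP virtual server does at RCPT TO time: inbound mail for the three domains in the question is always accepted, relaying to any other domain needs an authenticated sender, and, following Sembee's advice, only members of a relay group are allowed, so an authenticated administrator account is still refused. The account names, passwords and group membership are constructed for the demo; the 550 reply mirrors the "unable to relay" NDR the asker sees.

```python
# Added example: toy model of an SMTP virtual server's relay restriction check.
# Domains come from the question; accounts, passwords and the group are constructed.
LOCAL_DOMAINS = {"abc.com", "abccentral.abc.com", "abcwestern.abc.com"}
RELAY_GROUP = {"alice", "bob"}                                       # constructed
PASSWORDS = {"alice": "pw1", "bob": "pw2", "administrator": "pw3"}  # constructed


class RelayPolicy:
    """One ESMTP session: tracks whether AUTH succeeded and decides each RCPT TO.

    relay_for_any_authenticated corresponds to the "allow all computers which
    successfully authenticate to relay" check box; Sembee recommends leaving it
    off and granting the permission to a group instead (the default here).
    """

    def __init__(self, relay_for_any_authenticated=False):
        self.user = None
        self.relay_for_any_authenticated = relay_for_any_authenticated

    def auth(self, user, password):
        """Simulates the ESMTP AUTH command an IMAP/SMTP client must send."""
        if PASSWORDS.get(user) == password:
            self.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.3 Authentication unsuccessful"

    def rcpt_to(self, address):
        domain = address.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "250 2.1.5 Recipient OK"      # inbound mail for our own domains
        if self.user is None:
            return f"550 5.7.1 Unable to relay for {address}"   # cause of the NDR
        if self.relay_for_any_authenticated or self.user in RELAY_GROUP:
            return "250 2.1.5 Recipient OK"      # authenticated and permitted
        return f"550 5.7.1 Unable to relay for {address}"  # authenticated, not in group


def demo():
    """Runs the three cases discussed on the page and returns the server replies."""
    results = {}
    anon = RelayPolicy()
    results["anon_local"] = anon.rcpt_to("user@abc.com")
    results["anon_external"] = anon.rcpt_to("someone@example.net")
    member = RelayPolicy()
    member.auth("alice", "pw1")
    results["member_external"] = member.rcpt_to("someone@example.net")
    admin = RelayPolicy()
    admin.auth("administrator", "pw3")
    results["admin_external"] = admin.rcpt_to("someone@example.net")
    return results
```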
