How to enable Authenticated SMTP relaying

Posted on 2006-05-03
Last Modified: 2010-08-05
Our organization requires us to configure access to our internal Exchange server in such a way that roaming users can connect to their mailboxes using MS Outlook; for this we have decided on 2 options:

     1-     IMAP/SMTP
     2-     RPC over HTTP

We have enabled IMAP services so that users can connect to their mailboxes using any form of Internet connectivity. Now we have 3 domains

Each domain has a back-end Exchange server and 1 front-end Exchange server, all running Win2k3 and Exchange 2k3; only the front-end server has a public IP address, and this server is located inside a DMZ zone. After having done the configurations, users can now connect to their mailboxes using a normal dialup; they can receive internal and external emails and send emails to internal users, but the problem is that they cannot send emails to external domains using their IMAP account settings. In the IMAP settings for the incoming IMAP server and outgoing SMTP server I am using either the FQDN or the IP address of the front-end server. I am guessing that this problem is somehow related to SMTP authentication, because whenever I send an external email I receive an NDR saying that the Exchange server cannot relay for the mentioned user.

Please explain in detail the steps that I need to take to enable this.
Question by: hanisaif

    Accepted Solution

    Hi, I am pretty sure you need to allow your IMAP users the right to relay over your server. If you look at the link below, look under the heading "Relay-Control Tactics".

    Authorizing by user authentication. Restricting relaying by IP address isn't feasible when you support many clients or when those clients connect through an ISP and thus have dynamically assigned addresses. In those situations, you can permit relaying based on user authentication. To do so, open the SMTP virtual server's Relay Restrictions dialog box, select the Allow all computers which successfully authenticate to relay, regardless of the list above check box, then stop and restart the virtual server. This setting requires the sending client to use the Extended SMTP (ESMTP) AUTH command, so your email clients must support that command and you must configure the clients to send logon credentials to the SMTP virtual server. This type of relay security is a bit more time-consuming because you must configure each client, but it's also the most secure way to permit relaying.

    IMAP clients may also need to be configured to authenticate when sending mail outside.


    Assisted Solution

    There is no guarantee that your users will be able to connect back to your server on port 25. It is becoming quite common for ISPs to block that port and force users to send email through the ISP's server.

    RPC over HTTPS would be a better choice, as it avoids any of the ISPs blocks.

    Exchange is configured to allow relaying by authenticated users by default. Check that it is enabled on the frontend servers...

    ESM, Servers, <your frontend server>, Protocols, SMTP. Right click on the SMTP VS and choose Properties. Click on the Access tab and then Relay.

    I would strongly suggest that you disable the feature to allow all computers to relay and instead use the option to grant the permissions to users. Set up a group and put all your users that need to relay into it. The reason I suggest this is because authenticated relay attacks are becoming more common, and the account that is targeted is the administrator account. Therefore ensure that administrator, plus any other accounts that have common names, are not members of the relaying group.
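    A way to verify the outcome of the relay settings described in both answers, added here as an example (not code from the thread or from Exchange): it connects to your own front-end SMTP virtual server, tries RCPT TO for an address in a non-local domain once anonymously and once after ESMTP AUTH, and reports whether each was accepted. The host, account and the two addresses are placeholders you must replace.

```python
# Added example, not code from the thread: probe your own Exchange front-end
# SMTP virtual server and confirm that relaying to an external domain is refused
# until the client authenticates. Host and addresses are placeholders.
import smtplib
import sys

LOCAL_SENDER = "relaycheck@yourdomain.example"   # assumption: a local domain
EXTERNAL_RCPT = "relaycheck@external.example"    # assumption: not a local domain


def relay_allowed(smtp, sender=LOCAL_SENDER, rcpt=EXTERNAL_RCPT, credentials=None):
    """Return True if RCPT TO for an external address is accepted.

    `smtp` is an smtplib.SMTP connection (or any object with the same
    ehlo/login/mail/rcpt/rset methods returning (code, message)).
    When `credentials` is given, ESMTP AUTH is performed first.
    """
    smtp.ehlo()
    if credentials:
        user, password = credentials
        smtp.login(user, password)   # raises SMTPAuthenticationError on failure
    code, _ = smtp.mail(sender)
    if code != 250:
        raise RuntimeError("MAIL FROM rejected with %d" % code)
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()                      # abandon the transaction: no message is sent
    # Exchange 2003 answers 550 5.7.1 "Unable to relay" when relay is refused.
    return code in (250, 251)


def relay_check(smtp, credentials):
    """Return (anonymous relay allowed?, authenticated relay allowed?).

    A correctly locked-down front end returns (False, True).
    """
    return relay_allowed(smtp), relay_allowed(smtp, credentials=credentials)


if __name__ == "__main__":
    host, user, password = sys.argv[1:4]
    with smtplib.SMTP(host, 25, timeout=15) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):   # otherwise AUTH LOGIN sends the password in clear
            conn.starttls()
        anon, authed = relay_check(conn, (user, password))
        print("anonymous relay allowed:", anon)
        print("authenticated relay allowed:", authed)
```

    If the first value comes back True, the relay restriction is not in effect on that virtual server; if the second comes back False, the account is not permitted to relay (for example, it is not in the relaying group).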

