msha094 asked:

SMTP Restrictions in SBS 2003

I have an SBS 2003 Standard edition server.  We have a scenario where office users will be using Exchange to send and receive email (via Outlook 2003).  By default, the SBS SMTP connector is the only connector used at present to send mail.  Also, we have 10 shops that POP3 into the server for mail.  What I want to do is for the shops, give them the address of the server to use as their SMTP server, but lock it down so they can only send to the business domain, i.e. mydomain.com.  I still want all office users to be able to send to whoever they want to.  How do I do this the most effective way?
dhoustonie

Why not use rpc over http for your remote shops? Leaves the mail on your server for backup purposes, Outlook is configured to use cached mode, so minimal bandwidth usage.

Relaying can be set up, but would be less secure than using Outlook 2003.
Just to note, you have a license to use Outlook 2003 for every CAL that you have, so either every machine that authenticates to the server or every user that authenticates is entitled to use Outlook 2003.

Is there a particular reason not to use RPC over Http? I just want to eliminate this before telling you how to open up your server to possible open relay problems if the server ever got compromised.

David
Jeffrey Kane - TechSoEasy
I would agree... providing POP3 service can cause both resource and security issues.  The only reason that they wouldn't be able to use RPC over HTTP is if they don't have Outlook 2003.  But they could use Outlook Web Access instead.

The CAL issue is something to consider though... Essentially if you are only providing an Exchange Mailbox for someone and they access mail via POP3 or RPC over HTTP they are authenticating against Active Directory and require a CAL.  However, if you create that same mailbox and FORWARD the messages out to a 3rd party mail server, then you don't need a CAL...

So... that would suggest my OTHER solution to this situation... use GMail.  

You can actually forward through GMail to your users, who can use POP3 to retrieve the messages from GMail.  You can also create ANY "From" name and "Reply to" setting with Gmail, so you can essentially have Gmail be transparent (it'll show in the headers only).  If messages are left on the GMail server, then this also handles the archiving issue.

Jeff
TechSoEasy

In rereading your question... do you want to ONLY allow users to send messages from the remote locations to your main office?  If so, then definitely use Outlook Web Access... it's much easier to deploy/use.  To restrict the users from sending mail outside the network, you would have to create separate routing groups and then create a second SMTP Connector which can get pretty complicated... so I would think you could also handle it by creating an Exchange Rule in Outlook that would delete any messages sent outside your domain, and then removing access to the Rules interface from the particular user via group policy.

Jeff
TechSoEasy
msha094 (ASKER)

Yep, we just want shops to be able to send email to the head office.

There is no reason why I can't use RPC over HTTP; I've set it up before and it works well.  The only thing is the purchasing of an extra 12 CALs, which can be pricey.  So if I was to use RPC over HTTP, I would need to get extra CALs, or use OWA and not need to buy any more CALs?

Can someone run me through creating the routing groups and second SMTP connector, as this would be the first time I would have needed to do this.

Thanks!
ASKER CERTIFIED SOLUTION
dhoustonie

[solution text only available to Experts Exchange members]
If you're going to go the route of creating an additional SMTP connector, here's a good how-to for that:  http://www.amset.info/exchange/smtp-connector.asp

Your restricted connector needs to have a "lower cost" than the Default connector, so that it doesn't interfere.

I think my GMail idea is pretty nifty though... even though it really doesn't fit here.  Although if this is just for internal messaging, you MAY want to consider using www.officelive.com's mail service (which is essentially a remake of hotmail) or even www.groove.net's messaging service.  Both of these fully integrate with SBS and Office.

OfficeLive will even give you a domain name that can be used for your external users.

Jeff
TechSoEasy
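As an added illustration of the policy Jeff describes (a restricted connector scoped to the business domain with a lower cost than the default connector, and shop accounts kept off the default connector), here is a small model of the routing decision. It is example code written for this page, not Exchange 2003's own routing logic and not part of the thread; the account names, connector names and costs are constructed, and the sender restriction on the default connector stands in for the connector's delivery restrictions that would do this job on a real server.

```python
# Added example (not from the thread): a small model of the outbound mail
# policy discussed above. Each connector has an address space, a cost and an
# optional sender restriction; a message may only leave through a connector
# whose address space matches the recipient domain and whose restriction
# admits the sender. Among admissible connectors the cheapest wins.
# This mirrors the intent of the advice, not Exchange 2003's real routing code.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

BUSINESS_DOMAIN = "mydomain.com"          # domain named in the question

# Constructed sample accounts (hypothetical names, not from the thread)
SHOP_SENDERS = frozenset({"shop01@mydomain.com", "shop02@mydomain.com"})
OFFICE_SENDERS = frozenset({"alice@mydomain.com", "bob@mydomain.com"})


@dataclass(frozen=True)
class Connector:
    name: str
    address_space: str                                 # "*" = any domain
    cost: int
    allowed_senders: Optional[FrozenSet[str]] = None   # None = no restriction


CONNECTORS: List[Connector] = [
    # Restricted connector: only routes to the business domain, lower cost,
    # open to every sender (office users may use it too).
    Connector("Shops to head office", BUSINESS_DOMAIN, cost=1),
    # Default connector: routes anywhere, but only office accounts are admitted,
    # so shop accounts have no path to external domains.
    Connector("SBS default (Internet)", "*", cost=10, allowed_senders=OFFICE_SENDERS),
]


def recipient_domain(address: str) -> str:
    """Extract and normalise the domain part of an address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    return domain.lower()


def admissible(conn: Connector, sender: str, domain: str) -> bool:
    """True if the connector's address space covers the domain and the
    connector's sender restriction (if any) admits the sender."""
    space_ok = conn.address_space == "*" or conn.address_space.lower() == domain
    sender_ok = conn.allowed_senders is None or sender.lower() in conn.allowed_senders
    return space_ok and sender_ok


def route(sender: str, recipient: str,
          connectors: List[Connector] = CONNECTORS) -> Optional[str]:
    """Return the name of the connector that would carry the message, or None
    when no connector admits it (the message would be rejected / NDR'd)."""
    domain = recipient_domain(recipient)
    candidates = [c for c in connectors if admissible(c, sender, domain)]
    if not candidates:
        return None
    # Lowest cost wins; ties go to the more specific (non-wildcard) space.
    best = min(candidates, key=lambda c: (c.cost, c.address_space == "*"))
    return best.name


def check_policy(sender: str, recipient: str) -> Tuple[bool, str]:
    """Allow/deny decision plus a log line, the sort of record you want when a
    shop account attempts to send outside the business domain."""
    name = route(sender, recipient)
    if name is None:
        return False, f"DENY  {sender} -> {recipient}: no admissible connector"
    return True, f"ALLOW {sender} -> {recipient} via '{name}'"


if __name__ == "__main__":
    for s, r in [("shop01@mydomain.com", "orders@mydomain.com"),
                 ("shop01@mydomain.com", "friend@example.net"),
                 ("alice@mydomain.com", "friend@example.net"),
                 ("alice@mydomain.com", "orders@mydomain.com")]:
        print(check_policy(s, r)[1])
```

The point the model makes is that the restriction lives on the default connector, not on the restricted one: the "lower cost" connector only decides which path a permitted message takes, while denying shop accounts a path to the wildcard address space is what actually stops them. A client-side Outlook rule, as Jeff notes, is a weaker substitute because it runs on the user's machine, which is why he pairs it with removing the Rules interface via group policy.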

msha094 (ASKER)

Those sites you gave me tell me how to create a connector, which I already know how to do, but how do I assign a connector to one group only, with another connector for the rest?  Also, to restrict a group of users receiving outside mail, i.e. no internet mail, only internal mail, do I just create a mail-enabled group and tick "receive from authenticated users only"?  For some reason the groups that I create don't work, but it works for single users.
Creating a separate routing group is a very complicated process.  (http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/b7c25326-3fd2-4049-bf3d-dc0e4976a373.mspx)

I would highly suggest that you take a look at Microsoft Office Groove which will provide you exactly what you are looking for with regards to messaging and other interfacing with your network resources.  You can download the betas and see how it works for you:  http://www.microsoft.com/office/preview/programs/groove/highlights.mspx

Jeff
TechSoEasy
Did you add the registry key at the beginning of the document?
Did you work through the adsi edit part?

David
msha094 (ASKER)

Yeah, I added the reg key but haven't restarted yet - does this matter?
When it comes to the registry, most of the time a restart kick-starts it no matter what the documents say, so if you can, do restart it.

David