Solved

SMTP Relay Issues on Exchange 2003 for POP mail clients

Posted on 2006-11-29
10
8,554 Views
Last Modified: 2013-01-24
Previously I was working with Windows 2003 SMTP mail service and could not get the relay restrictions from external clients to work. (See http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_21909393.html)

I now have Exchange 2003 Server running in my test domain and ran into the same exact problem with external clients unable to authenticate for outgoing mail. With a POP3 client setup outside of the network, I would receive an error 550 5.7.1 unable to relay for user@domain.com unless I was sending to someone within my domain.

I have checked the settings on the Exchange server and ensured that the box is checked for allowing "..all computers which successfully authenticate to relay, regardless of the list above" under the Exchange 2003 MMC snap-in for SERVERS|PROTOCOLS|SMTP|DEFAULT SMTP VIRTUAL SERVER|ACCESS. However this did not resolve the issue until I checked the box "Allow messages to be relayed to these domains" under CONNECTORS|INTERNET MAIL SMTP CONNECTOR (Server)|ADDRESS SPACE.

When I did this, I received the following warning:

"This option is only visible for SMTP connectors. Use this option to allow incoming messages to be relayed through the SMTP connector to the domains whose address spaces are listed on this tab. The default is to block relays, except from those users and computers that are able to authenticate. If your SMTP virtual server is on the Internet, you should leave relaying disabled in order to prevent your server from being used to propagate unsolicited commercial e-mail."

Why can't the POP mail clients relay with the first option? Why do I have to enable the second option on the SMTP connector? Is this right?

I have limitations on my external clients on accessing the Exchange Server. OWA via https works fine, but they have been used to using the full Outlook client with our existing e-mail provider via POP mail. I am trying to move us away from the outsourcing of our e-mail with as little client impact as possible, which is why I am messing with the POP mail configuration.

I am concerned about opening the server up for unsolicited relay by enabling the option under the SMTP connector. Please advise.
0
Comment
Question by:habanagold
10 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18038940
If you have the option set on the SMTP Connector about allowing relaying to the domains, and the domain in the list is * then you are an open relay. Change the setting NOW. Otherwise you will be blacklisted and have a lot bigger problems to deal with when the server is found. You may also get kicked off the internet connection by your ISP.

POP3 should be the last protocol used for remote Exchange access. The order of preference is

RPC over HTTPS
OWA
IMAP
POP3

When you configure the clients to authenticate when sending email, what format do you use for the username?

username
domain\username
username@domain

something else?

Simon.
0
 
LVL 1

Author Comment

by:habanagold
ID: 18039159
O.K. I have turned that off and I suspected as much, but my relay problem goes away. However, with this off the problem is back again. External POP clients receive the "550 5.7.1 unable to relay for user@domain.com".

I have used the credentials as username@domain.com and domain\username, and when I run the Outlook test it works fine. However, when I try to send mail to someone in another domain, I get the error.

I posted my previous thread on this issue because I ran into the same problem trying to setup Windows 2003 Server mail service. The answer I got on this was that it was unsupported or not designed to function that way. I was told that if I went to Exchange, this would no longer be a problem.

I can't use RPC/HTTP because my production domain is still on W2K SP4 DCs. I wasted time trying to get this to work until I found that out. We don't have the money to upgrade, which is why I am trying to get these other services to work.

What is stopping the clients from successfully authenticating to the Exchange Server with POP mail?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18040656
The relay probably will return if you turn off that option because you are an open relay - no authentication required. Anyone and their dog can relay off your server. If you worked for me and had set that option you would be looking for another job right now.

The authentication settings don't matter when you are sending to a user on the same domain because you are not relaying. Exchange will accept email for its own domain on an anonymous connection because that is how email is sent around the internet.

I have just read the thread that you posted in the question above. Some of what was posted I agreed with and some I did not. You can bounce email off the Windows SMTP service; you need to create accounts in Windows to use for authentication. I have the SMTP service installed on my web site's dedicated server so that I have a server on the internet that I can bounce email off.

When you are setting up the client you must specify authentication credentials. You cannot simply enable the option to authenticate and use the same credentials as POP3. The credentials are in a different format.

Ensure that on the SMTP virtual server in Exchange, anonymous and basic authentication are set.
Ensure that the option about authenticated relaying is set and you haven't set the server to allow relaying from an IP address.

You can actually test this from a telnet prompt. However it isn't pretty because SMTP authentication uses BASE64.
However this guide shows you what you need to do if you want to test it.
http://www.computerperformance.co.uk/exchange2003/exchange2003_SMTP_Auth_Login.htm

Simon.
0
 
LVL 1

Author Comment

by:habanagold
ID: 18041008
Your suggestions are not very clear, so I am doing the best that I can to determine what you mean. According to the point ratings, you seem to be very knowledgeable about this area, but I must confess you are probably not a people person. The comment regarding me "looking for another job" was way out of line and uncalled for. In fact it insulted me and I do not wish to have any more help from you unless you preface it with an apology. If you can't do that, I don't want your condescending help.
0
 
LVL 1

Author Comment

by:habanagold
ID: 18041078
I am familiar with using telnet to connect and test SMTP. However, in this case, when I type in the verb "auth login" I get the error "504 5.7.4 Unrecognized authentication type". Anyone else care to help?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18041106
You turned your server in to an open relay. Do you have any idea how serious that is?

Your company could have found itself without any email, no internet access and blacklisted making your email service unusable. Open relays are not acceptable by most ISPs because they are abused by spammers. In case you haven't noticed, the world is in a war against spam. Anyone who has had to deal with a full scale spam onslaught has very little sympathy for anyone who makes changes to their server that causes the spam problems to increase.

If you didn't like my remark, then I apologise. However it was made to make you aware of how serious I consider making a server an open relay.

This is a highly technical topic area. As such, as experts we expect the people posting in the topic area to have some degree of technical knowledge.

This is not a how to web site and is unsuitable for that task as we cannot post screenshots. Very often you will be pointed at parts of Exchange or articles elsewhere that provide information on setting up parts of Exchange.

Also be aware that I am not sat in front of your server, and have no idea of your technical knowledge or experience. Therefore I do not know what you are doing or what you have done to date. As experts we have to take a guess.
If something isn't clear to you then you have to post exactly what is not clear, otherwise we do not know.

Simon.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 18041154
"504 5.7.4 Unrecognized authentication type" sounds like you don't have authentication enabled at all.

I have just tested it on another Exchange server and got the expected response.

Have you attempted to change the authentication settings in any way?

ESM, Servers, <your server>, Protocols, SMTP. Right click on the SMTP VS and choose Properties. On the access tab choose Authentication. Ensure that all three authentication types are enabled. DO NOT ENABLE Require TLS, as that will cause problems.

Apply/OK out.

Back on the Access tab, click on the relay button.
It should be set to "Only the list below" and the list below should be blank.

The option at the bottom about "Allow all computers..." can be enabled, however this leaves your server exposed to an authenticated user attack. You should secure it to lock the server down. This means creating a group of your users who will be relaying through the server. The idea being to EXCLUDE the administrator account, which is the account usually attacked in an authenticated user attack.

Apply/OK out.

Then drop in to a command prompt and type

iisreset

and press enter.

The IIS system will reset.

Then try again.
If you continue to get the authentication error then something else could be interfering with the traffic.

Simon.
0
 

Expert Comment

by:Grayhat7
ID: 23444979
SMTP Relay Issues on Exchange 2003 for POP mail clients
0
 

Expert Comment

by:celler_wellbridge
ID: 23711188
Possible correction!

I ran into this problem as well.

The above Accepted Solution almost fixed it!  I changed one element and everything works now.

From above, "...Access tab, click on the relay button. It should be set to "Only the list below" and the list below should be blank."

Access tab, Relay button; the list should be blank, but the radio button that worked for us was "All except the list below", rather than "Only the list below".

If Relay is set for "Only the list below", and the list is left blank--NO email gets through as the list has nothing.
0
 

Expert Comment

by:csnz
ID: 38816795
Congratulations, you've just made yourself an open relay again.
0
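The thread turns on three settings and one test: the Relay dialog's radio button and IP list, the "allow all computers which successfully authenticate to relay" checkbox, the SMTP connector's "Allow messages to be relayed to these domains" option with a * address space, and the telnet AUTH LOGIN check from the accepted solution. The following Python model is an added example, not code from the thread or from Exchange: it encodes the relay decision as the accepted solution and the later "correction" describe it, so you can see why a blank list under "Only the list below" with authenticated relay is closed, why a blank list under "All except the list below" (or a * relay address space on the connector) is an open relay, and what the Base64 strings in the AUTH LOGIN test look like. Domains, addresses, credentials and the reply texts other than the 550 and 504 strings quoted in the thread are constructed sample values.

```python
# Added example: a model of the Exchange 2003 relay decision discussed in the
# thread. Not Exchange code; domains, IPs and credentials are constructed.
import base64
from dataclasses import dataclass

# Assumption: the Exchange organisation accepts mail for this domain only.
LOCAL_DOMAINS = {"example.com"}


@dataclass
class RelayPolicy:
    """Default SMTP Virtual Server > Access > Relay, plus the SMTP connector option."""
    mode: str                              # "only_list" or "all_except_list" (the radio button)
    ip_list: frozenset = frozenset()       # the IP list under the radio button
    allow_authenticated: bool = True       # "Allow all computers which successfully authenticate to relay"
    basic_auth_enabled: bool = True        # Access > Authentication > Basic authentication
    connector_relay: bool = False          # Connector > Address Space > "Allow messages to be relayed to these domains"
    connector_address_space: frozenset = frozenset()   # e.g. {"*"} in the question's case


def relay_allowed(policy: RelayPolicy, client_ip: str, authenticated: bool, rcpt: str) -> bool:
    """Decide whether RCPT TO is accepted for this client and recipient."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    if domain in LOCAL_DOMAINS:
        # Delivery to a local domain is not relaying: accepted on an anonymous
        # connection, which is how inbound internet mail arrives.
        return True
    if policy.mode == "only_list":
        ip_permitted = client_ip in policy.ip_list            # blank list: nobody by IP
    else:
        ip_permitted = client_ip not in policy.ip_list        # blank list: every IP on the internet
    if ip_permitted:
        return True
    if authenticated and policy.allow_authenticated:
        return True
    if policy.connector_relay and (
        "*" in policy.connector_address_space or domain in policy.connector_address_space
    ):
        return True
    return False


def rcpt_to_response(policy: RelayPolicy, client_ip: str, authenticated: bool, rcpt: str) -> str:
    """SMTP reply to RCPT TO, using the 550 text quoted in the question."""
    if relay_allowed(policy, client_ip, authenticated, rcpt):
        return "250 2.1.5 " + rcpt
    return "550 5.7.1 Unable to relay for " + rcpt


def auth_login_response(policy: RelayPolicy) -> str:
    """Reply to the AUTH LOGIN verb: the 504 from the thread when basic auth is off."""
    if not policy.basic_auth_enabled:
        return "504 5.7.4 Unrecognized authentication type"
    return "334 " + base64.b64encode(b"Username:").decode()


def is_open_relay(policy: RelayPolicy) -> bool:
    """True if an unauthenticated client at an arbitrary address can relay to an external domain."""
    return relay_allowed(policy, "198.51.100.77", False, "someone@external.example")


def auth_login_lines(username: str, password: str) -> list:
    """The two Base64 lines a client sends after AUTH LOGIN (what the telnet guide has you compute)."""
    return [base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def decode_prompt(challenge: str) -> str:
    """Decode a 334 challenge such as VXNlcm5hbWU6 back into its prompt text."""
    return base64.b64decode(challenge).decode()


# The configurations discussed in the thread (constructed values).
ACCEPTED_SOLUTION = RelayPolicy(mode="only_list")                # blank list + authenticated relay
CORRECTION_ALL_EXCEPT = RelayPolicy(mode="all_except_list")      # blank list: every IP may relay
CONNECTOR_STAR = RelayPolicy(mode="only_list", connector_relay=True,
                             connector_address_space=frozenset({"*"}))
AUTH_DISABLED = RelayPolicy(mode="only_list", basic_auth_enabled=False)

if __name__ == "__main__":
    for name, pol in [("accepted solution", ACCEPTED_SOLUTION),
                      ("all except blank list", CORRECTION_ALL_EXCEPT),
                      ("connector relay to *", CONNECTOR_STAR)]:
        print(f"{name}: open relay = {is_open_relay(pol)}")
    print("anonymous external:", rcpt_to_response(ACCEPTED_SOLUTION, "203.0.113.5", False, "bob@external.example"))
    print("authenticated external:", rcpt_to_response(ACCEPTED_SOLUTION, "203.0.113.5", True, "bob@external.example"))
    print("AUTH LOGIN with basic auth off:", auth_login_response(AUTH_DISABLED))
    print("AUTH LOGIN lines:", auth_login_lines("user@example.com", "Pa55w0rd"))
```

The model makes the two failure modes in the thread explicit: with basic authentication disabled the client never becomes authenticated (the 504 reply), so its external RCPT TO is refused exactly as for an anonymous sender, while "All except the list below" with a blank list or a connector relay to * accepts that same anonymous external RCPT TO from any address, which is what an open relay is.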