How to limit port 25 access to an exchange server 2003 except for Outlook Express and designated servers.

We have an exchange 2003 server that 99% of the employees connect using outlook and rpc/http but one owner refuses to give up his outlook express.  We have switched to having our mail routed inbound thru a symantec mail appliance and are very satisfied with its perfomance.  Our problem lies in that we at this point are forced to have port 25 in our firewall open to the exchange server, which allows for spammers to still hit the exchange and flood our system with trash.  One alternative is to change the public port number that routes to the exchange server to say port 2525 and route that to 25 internally and change the OE client to send on port 2525.  Is there a way to force the exchange server to only accept connections from either specific ip addresses and authenticated users.  THis would allow our other mail servers and the mail filter  to continue communications as well as this Outlook express user.
Who is Participating?
SembeeConnect With a Mentor Commented:
When it comes to restricting the SMTP server to IP addresses, it is an all except, or nothing but type scenario. Therefore if you have a user running around with Outlook Express then you cannot use any kind of connection restriction.

What I would suggest is that you create a new SMTP virtual server which is exposed to the internet. Disable anonymous access on that virtual server so that anyone who uses it must authentication. Restrict authenticated access down to the accounts that need it - ie you want to remove the administrator account from being used.

The original SMTP virtual server is left alone to allow its use internally, it is simply not exposed to the internet.

You will probably have to add a second internal IP address to the server so that both SMTP virtual servers can be left on port 25.

David Johnson, CD, MVPOwnerCommented:
The way I see it is as follows:
Symantec Mail Appliance is in the DMZ and the exchange server is behind the firewall.. only allow the firewall to allow the mac address of the appliance to connect from the wan or IP address of the appliance to connect via the wan. Everyone else inside the lan can authenticate with the exchange server via the lan.  Your routers and firewalls should handle the blocking while those inside the lan can access with port 25/110 without a problem. Another thing is to disallow port 25 outbound from the lan to the WAN  This is a common scenario
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.