welshiv
asked:
How to require authentication in internal email on Exchange 2003

We have a standalone Exchange 2003 server, with the default SMTP Virtual Server authentication config. However, we've recently noticed that using a mail client, if we do not check the "Server requires SMTP authentication" option on the client, we can "spoof" senders on our internal email. I mean I can send an email to anyone else in the company and it shows as coming from whomever or whatever mail address I place in the address field. How can I force the server to require authentication from all users even if sending email internally? It works fine externally - it won't allow email without authentication - but does not require it internally, which has led to some issues. Thanks for your help.
tigermatt

The problem you have here is that the default SMTP virtual server, running on port 25, *needs* Anonymous Authentication switched on. If it was turned off, you would instantly block all mail flow into your organisation, since other mail servers do not know any credentials with which to authorise. When you have an SMTP account set up in Outlook, you are sending to this SMTP virtual server, which, since it allows anonymous connections (but will accept users if they connect authenticated, that's not a problem), doesn't require authentication, yet it will happily accept and transmit the message internally since it is on the same domain.

The simplest option I can see would be to assign 2 IP addresses to your NIC card. You can edit the default SMTP VS to use one of the IP addresses, and that IP address should also be the one which port 25 is forwarded to in your router's firewall. Then, you would set up another SMTP VS, bound to the other IP on port 25, in which you turn off anonymous authentication. Make sure the IP of this one is what is registered in DNS, so users don't know about the other one. Obviously, since it isn't accessible to the outside world and requires authentication anyway, the internal VS could also have relaying enabled if necessary.

Ideally, this would work best if the server was multihomed (2 NICs), but that's a bad idea with Exchange so don't do it.

-tigermatt
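After splitting the two virtual servers as described above, you will want to confirm that the internal one actually refuses an unauthenticated envelope. The script below is an added example (not from the original thread or from Exchange itself): it opens an unauthenticated session, issues EHLO, MAIL FROM and RCPT TO, records the reply codes, then resets and quits. DATA is never sent, so no message is ever submitted. The IP address and the two mailbox addresses are placeholders you must replace.

```python
"""Check whether an SMTP virtual server rejects unauthenticated submission."""
import smtplib
import socket

INTERNAL_VS_IP = "192.0.2.10"     # placeholder: IP bound to the auth-required internal VS
PROBE_SENDER = "ceo@example.com"  # placeholder: an internal address nobody should be able to use anonymously
PROBE_RCPT = "user@example.com"   # placeholder: any internal mailbox


def verdict(ehlo_code, mail_code, rcpt_code):
    """Classify the reply codes of an unauthenticated probe.

    'requires-auth'           -> the server refused the envelope with a 5xx reply
                                 (Exchange 2003 answers MAIL FROM with 530 when
                                 anonymous access is off)
    'accepts-unauthenticated' -> both MAIL FROM and RCPT TO were accepted (2xx),
                                 i.e. the spoofing described in the question still works
    'inconclusive'            -> EHLO failed or a 4xx temporary error was returned
    """
    if ehlo_code != 250:
        return "inconclusive"
    if mail_code // 100 == 5 or rcpt_code // 100 == 5:
        return "requires-auth"
    if mail_code // 100 == 2 and rcpt_code // 100 == 2:
        return "accepts-unauthenticated"
    return "inconclusive"


def probe(host, sender, rcpt, port=25, timeout=10):
    """Run the envelope-only probe against one virtual server.

    Returns (verdict, auth_advertised). AUTH being advertised in the EHLO
    response only shows that authenticated submission is possible; the
    verdict is what tells you whether it is required.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            ehlo_code, _ = s.ehlo()
            auth_advertised = s.has_extn("auth")
            mail_code, _ = s.mail(sender)
            rcpt_code, _ = s.rcpt(rcpt)
            s.rset()  # discard the envelope; DATA is deliberately never sent
            return verdict(ehlo_code, mail_code, rcpt_code), auth_advertised
    except (smtplib.SMTPException, socket.error):
        return "inconclusive", False


if __name__ == "__main__":
    result, auth = probe(INTERNAL_VS_IP, PROBE_SENDER, PROBE_RCPT)
    print(f"{INTERNAL_VS_IP}: {result} (AUTH advertised: {auth})")
```

Run the same probe against the externally reachable virtual server's IP as well: that one should still report `accepts-unauthenticated` for a sender outside your domain, because inbound mail from other servers depends on it.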
ASKER CERTIFIED SOLUTION
Sembee