  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1244

Enable SMTP Authentication on Exchange 2003

I want to enable SMTP authentication on my exchange server so that POP clients have to authenticate before sending mail, thus helping eliminate an open relay.

I've tried going in to Protocols>SMTP>Default SMTP Virtual Server>Access tab>Authentication button and unchecking 'Anonymous Access', which seems to work.  Upon testing I found that no matter where I'm at, I have to authenticate to send mail from my Outlook client whether it's to an internal domain address or external.  Which is what I wanted.  However, through more testing, I noticed that with those settings in place, I can no longer receive mail from external sources.

I can trace the external mail coming in to our gateway, but log messages indicate that 'Client does not have permission to submit'.  How can I accept incoming messages from my gateway server to my exchange server AND still require authentication for incoming messages from my SMTP clients?
Asked by AmericanBridge
1 Solution
 
jar3817 commented:
On the Access tab in the ESM SMTP server properties, click on Relay rather than Authentication; there is a checkbox that says "Allow all computers which successfully auth....". Check that.
 
haas1427 commented:
AmericanBridge, as you can already tell, that setup will not allow external servers to connect to your server without proper authentication. You have to have anonymous access allowed to accept world wide web email. If prohibiting relaying is your objective, make sure that under Protocols>SMTP>Default SMTP Virtual Server>Access tab>Relay Restrictions>Relay button you have selected "Select only the list below" and leave the computers list blank, unless of course you are relaying, such as for a scan-to-email server; then input that IP address.
 
AmericanBridge (author) commented:
Thanks jar3817 and haas1427. However, each of your recommendations was already in place.

Does this mean I have it set up correctly to prohibit relaying? If so, what else do I need to do to force authentication? Currently it seems that it requires authentication to send to external domains, but not internally.
 
jar3817 commented:
Wait, you want this for local recipients? This won't help with open relaying. Your server should always accept unauthenticated mail for local users (the users whose mailbox is on that server (or exchange environment)). This way internet users can send email to your users. An open relay is when internet users try to send to other internet users through your server.

If you've done what haas1427 and I have suggested, you're not an open relay. POP clients will have to either authenticate or have their IP in that relay exemption box in order to send to internet users, but not to local users. The behavior is normal and safe.
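To make the accept-versus-relay distinction in the two comments above concrete, here is an added example (not code from the thread or from Microsoft) that models the Access > Authentication and Access > Relay Restrictions dialogs as one decision function; the domain, IP addresses and reply codes are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the domain Exchange is authoritative for, and the one IP
# (the inbound gateway / scan-to-email box) listed under Relay Restrictions.
LOCAL_DOMAINS = {"email.com"}
RELAY_EXEMPT_NETS = [ip_network("10.0.0.5/32")]


def smtp_decision(*, anonymous_allowed, allow_auth_relay, authenticated, client_ip, rcpt):
    """Reply (code, text) the server would give to one RCPT TO, modelling the
    Access > Authentication and Access > Relay Restrictions dialogs."""
    # Anonymous Access unchecked: an unauthenticated session may submit nothing,
    # local recipient or not. This is the asker's "permission to submit" symptom.
    if not authenticated and not anonymous_allowed:
        return 530, "Client does not have permission to submit"
    # Local delivery is accepted from anyone; otherwise the internet could not
    # reach your users. Authentication never gates this step.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "Recipient OK (local delivery)"
    # Relaying to a foreign domain needs SMTP AUTH (if that box is checked) or a
    # client IP in the "Select only the list below" list; everyone else is refused.
    addr = ip_address(client_ip)
    if (authenticated and allow_auth_relay) or any(addr in n for n in RELAY_EXEMPT_NETS):
        return 250, "Recipient OK (relay permitted)"
    return 550, "Unable to relay"


def scenarios():
    """The situations discussed in the thread, as reply codes (constructed inputs)."""
    rec = dict(anonymous_allowed=True, allow_auth_relay=True)   # the recommended settings
    return {
        # the asker's first attempt: anonymous off, so inbound internet mail is refused
        "anon_off_inbound": smtp_decision(anonymous_allowed=False, allow_auth_relay=True,
                                          authenticated=False, client_ip="203.0.113.7",
                                          rcpt="boss@email.com")[0],
        # recommended settings: an internet server delivering to a local user
        "inbound_local": smtp_decision(**rec, authenticated=False, client_ip="203.0.113.7",
                                       rcpt="boss@email.com")[0],
        # unauthenticated POP client sending to an outside domain: not an open relay
        "anon_relay": smtp_decision(**rec, authenticated=False, client_ip="198.51.100.9",
                                    rcpt="someone@example.org")[0],
        # same client after SMTP AUTH, or the exempt gateway IP: relay permitted
        "auth_relay": smtp_decision(**rec, authenticated=True, client_ip="198.51.100.9",
                                    rcpt="someone@example.org")[0],
        "gateway_relay": smtp_decision(**rec, authenticated=False, client_ip="10.0.0.5",
                                       rcpt="someone@example.org")[0],
    }
```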
 
AmericanBridge (author) commented:
Thanks jar3817.

I see your point.  But I have one more question: If POP clients do not have to authenticate to send internally, what stops anyone from setting up a POP account with my server, spoofing one of my addresses, and blasting internal users?

Thanks again!
 
jar3817 commented:
POP is just one protocol for retrieving mail from the server to read it. To send mail they will still use SMTP just like other servers sending mail to your internal users.

"what stops anyone from setting up a POP account with my server, spoofing one of my addresses, and blasting internal users?"

The same thing that stops other external users from blasting your internal users, nothing. That is why spam is such a problem.
 
AmericanBridge (author) commented:
Sorry to be under-educated on this...but I'm wondering if you are missing my point...Or maybe I haven't made it clear enough...

Let's assume 'mail.email.com' is my mail server and boss@email.com is my boss's email address. If I set up the following account in Outlook, whether I'm remote OR on my local network, I can successfully send mail to anybody with a valid address at 'email.com':

Outgoing (SMTP) server: mail.email.com
Email: boss@email.com
Outgoing Authentication is NOT required

In other words, with these settings, I can send an email to anyone in the company as my boss.  Is that normal?  I can't assume that it is.

Thanks again, any more help is greatly appreciated!
 
jar3817 commented:
Actually it is. It's called sender spoofing. They basically forge the "From" and/or "Return-Path" headers on the email to trick a user into opening a spam/virus message. It happens all the time, but most spam filtering software catches it from outside attackers.

You're talking about someone on your LAN forging an email from the boss to other employees? That is what message tracking is for; it'll show you the source IP address and all the info you need to hunt down and kill the offender. There really isn't a way of preventing that without causing problems to legit mail flow.

You have to understand all these email protocols were written like 30 years ago when the ideas of forging headers and spam never existed, so there aren't definite ways of preventing them.
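As an added example of the message-tracking approach jar3817 describes (not code from the thread or from Exchange), this parses a constructed message in the shape Exchange 2003's SMTPSVC writes, recovers the IP that actually handed it to the server, and flags a message from a local address that did not come from a trusted submitter; the domain, hostnames and IP addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed values: our domain, the hostname our Exchange server writes into
# the "by ..." part of its Received lines, and the only hosts allowed to hand it
# mail from a local sender over SMTP (the gateway / scan-to-email box).
LOCAL_DOMAINS = {"email.com"}
OUR_HOSTS = ("mail.email.com",)
TRUSTED_SUBMITTERS = [ip_network("10.0.0.5/32")]
RECEIVED_IP = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")

# Constructed message. The lower Received line is the earlier hop: a LAN
# workstation submitted the mail directly, without SMTP AUTH, as the boss.
SPOOFED = """\
Received: from mail.email.com ([10.0.0.1]) by mbx.email.com with Microsoft SMTPSVC(6.0.3790.1830);
  Mon, 1 Jan 2007 09:00:01 -0500
Received: from workstation17 ([10.0.0.42]) by mail.email.com with Microsoft SMTPSVC(6.0.3790.1830);
  Mon, 1 Jan 2007 09:00:00 -0500
From: The Boss <boss@email.com>
To: staff@email.com
Subject: Please wire the funds today

(body)
"""


def origin_ip(raw):
    """IP of the client that first handed the message to one of OUR_HOSTS. Received
    lines are prepended per hop, so walk bottom-up, trusting only lines we wrote."""
    msg = message_from_string(raw)
    for hdr in reversed(msg.get_all("Received", [])):
        if any(f"by {h}" in hdr for h in OUR_HOSTS):
            m = RECEIVED_IP.search(hdr)
            if m:
                return m.group(1)
    return None


def spoof_verdict(raw):
    """'external': sender not ours; 'ok': trusted submitter; else 'suspect: <ip>'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    ip = origin_ip(raw)
    if sender.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS or ip is None:
        return "external"
    if any(ip_address(ip) in n for n in TRUSTED_SUBMITTERS):
        return "ok"
    return f"suspect: {ip}"
```

A "suspect" verdict gives you the address to look up in Exchange message tracking; a MAPI user who really is the boss never appears here because MAPI submissions do not traverse this SMTP path.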
 
jar3817 commented:
Actually, you can sort of control it if you have Outlook set up as a MAPI client to Exchange (not POP3/SMTP). In that case users have to be given special permission (send-as) to send email as other users. It's probably not going to stop someone who is really determined, but with that in combination with some good spam filtering software you won't have too many problems.
