Enable SMTP Authentication on Exchange 2003

I want to enable SMTP authentication on my Exchange server so that POP clients have to authenticate before sending mail, thus helping eliminate an open relay.

I've tried going in to Protocols>SMTP>Default SMTP Virtual Server>Access tab>Authentication button and unchecking 'Anonymous Access', which seems to work.  Upon testing I found that no matter where I'm at, I have to authenticate to send mail from my Outlook client whether it's to an internal domain address or external.  Which is what I wanted.  However, through more testing, I noticed that with those settings in place, I can no longer receive mail from external sources.

I can trace the external mail coming in to our gateway, but log messages indicate that 'Client does not have permission to submit'.  How can I accept incoming messages from my gateway server to my exchange server AND still require authentication for incoming messages from my SMTP clients?

On the Access tab in the ESM SMTP server properties, click on Relay rather than Authentication; there is a checkbox that says "Allow all computers which successfully auth....". Check that.
AmericanBridge, as you can already tell, that setup will not allow external servers to connect to your server without proper authentication. You have to have anonymous access allowed to accept world wide web email. If prohibiting relaying is your objective, make sure that under Protocols>SMTP>Default SMTP Virtual Server>Access tab>Relay Restrictions>Relay button you have selected "Only the list below" and leave the computers list blank, unless of course you are relaying, such as from a scan-to-email server; then input that IP address.
AmericanBridge (Author) commented:
Thanks jar3817 and haas1427. However, each of your recommendations was already in place.

Does this mean I have it setup correctly to prohibit relaying?  If so, What else do I need to do to force authentication? Currently it seems that it requires authentication to send to external domains, but not internally.

Wait, you want this for local recipients? This won't help with open relaying. Your server should always accept unauthenticated mail for local users (the users whose mailbox is on that server (or exchange environment)). This way internet users can send email to your users. An open relay is when internet users try to send to other internet users through your server.

If you've done what haas1427 and I have suggested, you're not an open relay. POP clients will have to either authenticate or have their IP in that relay exemption box in order to send to internet users, but not to local users. The behavior is normal and safe.
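The relay rules jar3817 and haas1427 describe (anonymous access on, relay list limited to "only the list below", authenticated clients allowed to relay, local recipients always accepted) can be written down as a small decision function. The following is an added example written for this page, not code from the thread or from Microsoft; it models the per-RCPT TO decision an Exchange 2003 SMTP virtual server makes under those settings, then replays the cases raised in the question. The domain `email.com`, the IP addresses, the scan-to-email copier on the relay list, and the reply text are all constructed; the reply codes are standard SMTP codes but the wording only approximates Exchange's own strings.

```python
"""Model of the relay decision an Exchange 2003 SMTP virtual server makes per RCPT TO.

Added example, not code from the thread or from Microsoft. It encodes the three
Access-tab settings discussed in the thread:
  * Authentication  -> whether anonymous (unauthenticated) sessions are allowed at all
  * Relay Restrictions -> which client IPs may relay to non-local domains
  * "Allow all computers which successfully authenticate to relay" checkbox
Reply codes are standard SMTP codes; the reply text is an approximation, not a
verbatim copy of Exchange's strings. All names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class SmtpVirtualServer:
    local_domains: frozenset            # domains whose mailboxes live on this server
    anonymous_access: bool = True       # Access tab > Authentication > Anonymous access
    relay_list: tuple = ()              # Access tab > Relay > "Only the list below" (CIDR strings)
    relay_authenticated: bool = True    # "Allow all computers which successfully authenticate to relay"

    def _client_in_relay_list(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in ip_network(net, strict=False) for net in self.relay_list)

    def rcpt_to(self, client_ip: str, authenticated: bool, recipient: str) -> tuple:
        """Return the (code, text) reply for one RCPT TO:<recipient> from a client."""
        # With anonymous access off, an unauthenticated session can submit nothing,
        # not even mail for local mailboxes. This is the failure the question
        # describes: the internet-facing gateway never authenticates, so it is refused.
        if not self.anonymous_access and not authenticated:
            return (530, "5.7.1 Client was not authenticated")
        domain = recipient.rsplit("@", 1)[-1].lower()
        # Local recipients are always accepted; otherwise nobody on the internet
        # could deliver mail to your users. This is not relaying.
        if domain in self.local_domains:
            return (250, "2.1.5 " + recipient)
        # Anything else is relaying. Allow it only for authenticated sessions (if the
        # checkbox is on) or for IPs on the relay list (e.g. a scan-to-email device).
        if (authenticated and self.relay_authenticated) or self._client_in_relay_list(client_ip):
            return (250, "2.1.5 " + recipient)
        return (550, "5.7.1 Unable to relay for " + recipient)


def recommended_server() -> SmtpVirtualServer:
    """The configuration the two answers describe: anonymous on, relay list holding only
    a hypothetical scan-to-email copier, authenticated clients may relay."""
    return SmtpVirtualServer(
        local_domains=frozenset({"email.com"}),
        anonymous_access=True,
        relay_list=("192.168.1.25/32",),   # constructed: the copier's address
        relay_authenticated=True,
    )


def broken_server() -> SmtpVirtualServer:
    """What the asker tried first: 'Anonymous access' unchecked."""
    return SmtpVirtualServer(local_domains=frozenset({"email.com"}), anonymous_access=False)


def run_scenarios(server: SmtpVirtualServer) -> dict:
    """Replay the cases raised in the thread; IPs are constructed (documentation ranges)."""
    gateway_ip, laptop_ip, copier_ip = "203.0.113.10", "198.51.100.7", "192.168.1.25"
    cases = {
        "gateway delivers internet mail to boss@email.com": (gateway_ip, False, "boss@email.com"),
        "unauthenticated POP client sends to boss@email.com": (laptop_ip, False, "boss@email.com"),
        "unauthenticated POP client sends to friend@example.net": (laptop_ip, False, "friend@example.net"),
        "authenticated POP client sends to friend@example.net": (laptop_ip, True, "friend@example.net"),
        "copier on relay list sends to friend@example.net": (copier_ip, False, "friend@example.net"),
    }
    return {name: server.rcpt_to(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for label, srv in (("recommended", recommended_server()), ("anonymous off", broken_server())):
        print(label)
        for name, code in run_scenarios(srv).items():
            print(f"  {code}  {name}")
```

Running it shows the trade-off the thread arrives at: with the recommended settings the gateway's unauthenticated delivery to a local mailbox gets 250 while an unauthenticated attempt to reach an outside domain gets 550, and with anonymous access turned off the gateway itself is refused with a 5xx before any recipient is considered. To check a real server the same way, open a telnet session to port 25 and issue MAIL FROM / RCPT TO with an external recipient without authenticating; a relay-restricted server answers the RCPT TO with a 550.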
AmericanBridge (Author) commented:
thanks jar3817.

I see your point.  But I have one more question: If POP clients do not have to authenticate to send internally, what stops anyone from setting up a POP account with my server, spoofing one of my addresses, and blasting internal users?

Thanks again!
POP is just one protocol for retrieving mail from the server to read it. To send mail they will still use SMTP just like other servers sending mail to your internal users.

"what stops anyone from setting up a POP account with my server, spoofing one of my addresses, and blasting internal users?"

The same thing that stops other external users from blasting your internal users, nothing. That is why spam is such a problem.
AmericanBridge (Author) commented:
Sorry to be under-educated on this...but I'm wondering if you are missing my point...Or maybe I haven't made it clear enough...

Let's assume 'mail.email.com' is my mail server and boss@email.com is my boss's email address. If I set up the following account in Outlook, whether I'm remote OR on my local network, I can successfully send mail to anybody with a valid address at 'email.com':

Outgoing (SMTP) server: mail.email.com
Email: boss@email.com
Outgoing Authentication is NOT required

In other words, with these settings, I can send an email to anyone in the company as my boss.  Is that normal?  I can't assume that it is.

Thanks again, any more help is greatly appreciated!
Actually it is. It's called sender spoofing. They basically forge the "From" and/or "Return-Path" headers on the email to trick a user into opening a spam/virus message. It happens all the time, but most spam filtering software catches it from outside attackers.

You're talking about someone on your LAN forging an email from the boss to other employees? That is what message tracking is for; it'll show you the source IP address and all the info you need to hunt down and kill the offender. There really isn't a way of preventing that without causing problems to legit mail flow.

You have to understand all these email protocols were written like 30 years ago when the ideas of forging headers and spam never existed, so there aren't definite ways of preventing them.
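The answer above says the server cannot refuse a forged From: on an unauthenticated submission to a local mailbox, but that message tracking records the source IP of the connecting client. The same evidence survives in the Received: header the SMTP virtual server stamps on the message. The following is an added example written for this page, not code from the thread: it parses the Received: headers of a message, finds the hop at which the message entered our own server, and flags a message whose From: claims a local domain but entered from an address that is not the trusted internet gateway. The two sample messages, host names and IP addresses are constructed; the Received: line shape mimics the one Exchange 2003's SMTPSVC writes, but the exact text is not copied from a real server.

```python
"""Trace an internally spoofed message back to the connecting client.

Added example, not from the thread or from Microsoft. Exchange cannot refuse a
forged From: on an unauthenticated local submission, but the Received: header it
stamps (like message tracking) records the client's IP. This parser locates the
hop at which the message entered our server and flags a local-looking From: that
arrived from an untrusted IP. Samples, hosts and IPs are constructed.
"""
import re
from email import message_from_string
from typing import Optional

# Shape of the hop Exchange 2003 stamps: "from <helo> ([ip]) by <server> with ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def entry_hop(raw_message: str, our_server: str) -> Optional[dict]:
    """Return the oldest Received: hop stamped by our_server, i.e. the point of entry."""
    msg = message_from_string(raw_message)
    # Each MTA prepends its Received: line, so the last one in the list is the oldest.
    for received in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(" ".join(received.split()))   # unfold the header first
        if m and m.group("by").lower() == our_server.lower():
            return {"helo": m.group("helo"), "ip": m.group("ip")}
    return None


def looks_spoofed(raw_message: str, our_server: str, local_domains: set, trusted_ips: set) -> bool:
    """True when From: claims one of our domains but the message entered our server
    from a client that is not a trusted gateway. Such mail deserves a closer look;
    a hit from the LAN identifies the workstation that submitted the forgery."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    addr = sender.split("<")[-1].rstrip(">").strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    hop = entry_hop(raw_message, our_server)
    return domain in local_domains and hop is not None and hop["ip"] not in trusted_ips


# Constructed sample 1: forged "boss" mail submitted unauthenticated from a LAN workstation.
SAMPLE_SPOOFED = """\
Received: from workstation7 ([192.168.1.77]) by mail.email.com with Microsoft SMTPSVC(6.0.3790.1830);
 Mon, 4 Jun 2007 09:12:44 -0500
From: "The Boss" <boss@email.com>
To: everyone@email.com
Subject: Urgent: wire the funds today
Message-ID: <20070604091244.1234@workstation7>

Please handle this immediately.
"""

# Constructed sample 2: ordinary internet mail handed over by the gateway.
SAMPLE_LEGIT = """\
Received: from gw.email.com ([203.0.113.10]) by mail.email.com with Microsoft SMTPSVC(6.0.3790.1830);
 Mon, 4 Jun 2007 09:20:01 -0500
Received: from smtp.example.net ([198.51.100.20]) by gw.email.com; Mon, 4 Jun 2007 09:19:58 -0500
From: Vendor <sales@example.net>
To: boss@email.com
Subject: Quote

Attached.
"""

if __name__ == "__main__":
    trusted = {"203.0.113.10"}          # constructed: the internet gateway's address
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        hop = entry_hop(sample, "mail.email.com")
        flag = looks_spoofed(sample, "mail.email.com", {"email.com"}, trusted)
        print(f"{label}: entered from {hop}, suspicious={flag}")
```

The check only tells you where the message came in; it does not stop the forgery. For a LAN client that is the workstation address to chase, as the answer says. Note that a From: address that is local but arrived through the trusted gateway is not flagged here, since that case is the external spoofing the answer leaves to the spam filter.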

Actually, you can sort of control it if you have Outlook set up as a MAPI client to Exchange (not POP3/SMTP). In that case users have to be given special permission (send-as) to send email as other users. It's probably not going to stop someone who is really determined, but with that in combination with some good spam filtering software you won't have too many problems.