SMTP Port 25 Blocking - Possible solutions?

Posted on 2009-02-16
Last Modified: 2012-05-06
I have multiple users of our Exchange email system that work from their home offices and on the road.  These users are currently set up to use POP/SMTP protocols for sending and receiving.  We have a big issue with ISPs blocking port 25 for SMTP sending.  Because of the high volume of traveling, these users are constantly going through different ISPs (airports, hotels, home, cafes, etc.).  We've come up with two main ideas for solutions, and I was looking to see if anyone had any pros and cons or suggestions.
Our 2 ideas are:

Set up RPC over HTTP for external Exchange protocol use - the issue here is that we do not currently have a front-end server set up, but we do have multiple Exchange servers.

-or-

Open a new port for SMTP sending - we do see any extra open ports as a security risk.  We are also considering opening ports for SSL or TLS.

Any suggestions would be greatly appreciated.
Thanks,
JJ
Question by: JamesonJendreas
Accepted Solution by simsjrg (ID: 23651747):
I would have to say the most secure solution would be to have the users connect via VPN to a server or appliance. This way you don't need to open any additional ports, and communication between the end user and the Exchange server is encrypted. This is how I have my clients set up who have road warriors. They fire up their Cisco VPN Client or Cisco AnyConnect VPN Client and connect back to the office to hit their network resources. For people who work from home I have gone a step further and placed a smaller device (Cisco ASA 5505) at their house. I set up one port to tunnel back to the office securely for the employee to use, and the rest just route out to the internet for their other family members to use who shouldn't have access to our network. I enabled port-security on that port so that no other device can be used on that port (unless they spoof the MAC). Kind of got carried away... sorry about that...
Assisted Solution by Hypercat (Deb) (ID: 23651761):
How about having them use Outlook Web Access instead of Outlook client?  
Author Comment by JamesonJendreas (ID: 23651853):
Thanks for the two suggestions. Both are avenues we have used in the past (or are currently). As for VPN, we do currently have a VPN set up with our firewall (SonicWall), and some users are using this to connect and send via SMTP. There are a few reasons why we want to leave this, mostly that users don't 'like' having to jump on the VPN just to send emails (being on constantly slows traffic down for them considerably).  I was going to set it up so that Outlook knows to dial the connection for sending only - but we have a large number of Mac users, for which I cannot find a setting to do this (some use Mac Mail, some Entourage).  It's been mentioned by management to myself that this is not a viable solution, as we want a seamless, easy-to-use system (this isn't my decision; I thought a VPN would be the best bet).

As for OWA, many are currently using this, but since we have Outlook 2007 and user calendars and other functions quite often, we want our users using Outlook if at all possible.

Thanks for the suggestions.
JJ
Assisted Solution by Mestha (ID: 23651969):
RPC over HTTPS is the only solution that I would use here for Outlook clients. You don't need ISA or a frontend server.
However, if you have multiple Exchange servers you really should have a frontend server. Once you get past one backend server I consider a frontend server to be almost mandatory.

For Entourage, a VPN is probably about the only solution that will work reliably. You could look at using SMTP on the TLS port of 495. That port shouldn't be blocked, but a VPN is going to be the only 100% reliable solution.

-M
Author Comment by JamesonJendreas (ID: 23652041):
Hm, I was under the impression a front end was needed to run RPC over HTTP.  Regardless, I think we are going to set one up (we may be migrating to Exchange 2008 as 2 servers are licensed for it, and an edge server may be in the mix).
Expert Comment by Mestha (ID: 23653079):
Edge is just for SMTP traffic, nothing else.
Microsoft's documentation does seem to give people the impression that a frontend server is required. However, if you have multiple servers then each server would need a unique IP address, host name and SSL certificate to use RPC over HTTPS. A frontend server would provide you with a single point of entry for all of the servers.

-M
Author Comment by JamesonJendreas (ID: 23653102):
I just recall when setting up our newest Exchange server a year ago, we attempted to set up RPC over HTTP, and it wouldn't let us without it being a front end (and I very well could be, and probably am, wrong).  Anyway, I will use this information when deciding on our final solution with my boss (tomorrow).
Author Comment by JamesonJendreas (ID: 23653138):
FYI - the Edge comment had more to do with the fact that we might have a front end server, as Edge is required to be a front end (as far as I know), not that an Edge would necessarily fix this issue.
Author Comment by JamesonJendreas (ID: 23653156):
Yep, no need for a front end, but it does sound like the best bet.  From the MS deployment scenario documentation:

"It is recommended that your RPC proxy server is an Exchange front-end server. The RPC over HTTP Proxy networking component extracts the RPC requests from the HTTP request and forwards the RPC requests to the appropriate server. The advantage of this approach is that only the RPC proxy server has to allow access from the Internet. Back-end Exchange servers do not have to allow access from the Internet. You should use the Secure Sockets Layer (SSL) to establish the HTTP session that you use to access Exchange Server over the Internet from an Outlook 2003 client."
Assisted Solution by Mestha (ID: 23653210):
Edge is not a frontend server. It is for SMTP traffic and is designed to go in a DMZ.

The equivalent to an Exchange 2003 frontend server with Exchange 2007 is a CAS server. CAS can also hold the hub transport role which can receive SMTP traffic as well. Therefore if you have two servers with Exchange 2007 licenses then you could build one as a CAS, Hub and have that in front of any existing Exchange 2003 servers, plus any additional Exchange 2007 mailbox servers.

That would provide you with a seamless transition.

-M
Assisted Solution by rid (ID: 23654217):
Opening up a "new" port for an already existing service (SMTP) can't possibly add to the risks. The robustness and resilience against attack should be there in the service, no matter how (through which port) you access it. Adding a track through your firewall, from a non-standard port (like 587 or whatever), to port 25 on your SMTP server, could be a good idea. Assuming, of course, you use SMTP-AUTH and/or other security measures and that the SMTP server is mature enough to be strengthened against whatever common hacks are performed against SMTP servers.

An "open port" in itself is not dangerous, it's the business of the answering service to fend off attacks. If port 25 is already open, your SMTP server knows all about this by now...
/RID
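rid's point is that the risk lives in the answering service, not in the port number, and it holds only if the newly reachable listener actually enforces what he assumes: TLS is available and SMTP-AUTH is never advertised on the clear channel, so a traveler's credentials can't leak in plaintext from a hotel network. The script below is an added example (not code from any poster, and not specific to Exchange) that an administrator can point at their own submission endpoint after opening 587 or another alternate port. It speaks EHLO, upgrades with STARTTLS, speaks EHLO again, and reports whether AUTH appears only after encryption. The host name `mail.example.invalid` and the EHLO replies in `SAMPLE_*` are constructed test data; the live probe uses only the Python standard library.

```python
"""Check that an SMTP submission listener offers STARTTLS and advertises
AUTH only after the session is encrypted (added example, standard library only)."""
import smtplib
import socket
import ssl
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SubmissionCheck:
    host: str
    port: int
    reachable: bool = False
    starttls_offered: bool = False
    auth_before_tls: bool = False   # AUTH offered on the clear channel: credential exposure
    auth_after_tls: bool = False
    mechanisms: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

    @property
    def hardened(self) -> bool:
        """True only when TLS is offered and AUTH is gated behind it."""
        return (self.reachable and self.starttls_offered
                and not self.auth_before_tls and self.auth_after_tls)


def parse_ehlo(reply: bytes) -> Dict[str, str]:
    """Map a multi-line EHLO reply (as smtplib returns it) to {extension: params}.
    The first line is the server greeting and carries no extension."""
    features: Dict[str, str] = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if parts:
            features[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return features


def evaluate(host: str, port: int, plain: Dict[str, str],
             secured: Optional[Dict[str, str]]) -> SubmissionCheck:
    """Pure decision logic: compare the EHLO feature sets seen before and after STARTTLS."""
    check = SubmissionCheck(host, port, reachable=True)
    check.starttls_offered = "starttls" in plain
    check.auth_before_tls = "auth" in plain
    if check.auth_before_tls:
        check.notes.append("AUTH advertised before STARTTLS: clients may send credentials in the clear")
    if not check.starttls_offered:
        check.notes.append("STARTTLS not offered: this port cannot protect the session")
        return check
    if secured is None:
        check.notes.append("STARTTLS negotiation failed (certificate or protocol problem)")
        return check
    check.auth_after_tls = "auth" in secured
    check.mechanisms = secured.get("auth", "").split()
    if not check.auth_after_tls:
        check.notes.append("no AUTH after STARTTLS: authenticated submission is not possible here")
    return check


def probe(host: str, port: int = 587, timeout: float = 10.0) -> SubmissionCheck:
    """Live probe of one listener; certificate verification is on, so a failing
    chain is reported rather than silently accepted."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, reply = smtp.ehlo()
            if code != 250:
                check = SubmissionCheck(host, port, reachable=True)
                check.notes.append(f"EHLO rejected with {code}")
                return check
            plain = parse_ehlo(reply)
            secured = None
            if "starttls" in plain:
                try:
                    smtp.starttls(context=ssl.create_default_context())
                    code, reply = smtp.ehlo()
                    if code == 250:
                        secured = parse_ehlo(reply)
                except (ssl.SSLError, smtplib.SMTPException, OSError):
                    secured = None
            return evaluate(host, port, plain, secured)
    except (socket.timeout, OSError, smtplib.SMTPException) as exc:
        check = SubmissionCheck(host, port)
        check.notes.append(f"unreachable: {exc}")
        return check


# Constructed EHLO replies for offline demonstration; not captured from any real server.
SAMPLE_PLAIN = b"mail.example.invalid Hello\nSIZE 10485760\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME"
SAMPLE_TLS = b"mail.example.invalid Hello\nSIZE 10485760\nAUTH LOGIN PLAIN\nENHANCEDSTATUSCODES\n8BITMIME"
SAMPLE_WEAK = b"mail.example.invalid Hello\nAUTH LOGIN PLAIN\n8BITMIME"   # AUTH in the clear, no STARTTLS


def demo() -> Dict[str, SubmissionCheck]:
    """Evaluate the constructed good and weak listeners without touching the network."""
    good = evaluate("mail.example.invalid", 587, parse_ehlo(SAMPLE_PLAIN), parse_ehlo(SAMPLE_TLS))
    weak = evaluate("mail.example.invalid", 2525, parse_ehlo(SAMPLE_WEAK), None)
    return {"good": good, "weak": weak}


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587)
    else:
        result = demo()["good"]
    print(f"{result.host}:{result.port} hardened={result.hardened} mechanisms={result.mechanisms}")
    for note in result.notes:
        print("  -", note)
```

Run it as `python check_submission.py mail.example.invalid 587` against your own server; a listener that reports `hardened=False` with the "AUTH advertised before STARTTLS" note is the case rid's argument does not cover, because then the new port adds a real exposure that port 25 with TLS-only AUTH would not.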