
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 405

Allow visitors to use Exchange to send email

We have port 25 blocked for all IP addresses except for our Exchange server. We sometimes have visitors (our clients) who connect to our network with their laptops for Internet access and need to send/receive email. How would you allow them to send email without risking an infected laptop starting to send spam when connected?
1 Solution
Hi, this could get to be a complicated network setup for such cases.

If it's a large network, you can try "Cisco Network Admission Control".

Otherwise, if it's smaller, keep a small segment on DHCP for the visitors and then allow that segment to send out SMTP traffic.

Set up a visitors' network VLAN and configure firewall rules accordingly. I would not allow non-company personnel access to any network resources.

When you allow Internet access for visitors, you already allow your visitors to access OWA, so they can send e-mails using their own Exchange servers. If not, they can use Gmail or another free provider, but you can't allow SMTP traffic from your network, otherwise an infected laptop can put you on all the spam blacklists. You can also open the VPN port for your visitors, allowing them to connect to their home/business network.

Make these guests use a DMZ zone and allow them SMTP outbound.

Make sure that the NATed real IP of that DMZ is different from the one Exchange is using to send emails.

That way, in case this IP gets blacklisted, it won't affect the email flow of your company.

ndidomenico (Author) commented:
Thanks for your responses.

We don't have a DMZ with its own public IP. The wireless AP that clients are using for Internet access is on a different subnet than our company network and isolated using a firewall, like this:

Internet --> Firewall A --> Firewall B --> Company network, Exchange Server
                                    --> Firewall C --> Wireless network for visitors

1) I don't want to open port 25 on Firewall C for visitors because my only public IP will get blacklisted if an infected client PC starts sending spam.

2) Our visitors do not all have Exchange with OWA, Gmail, mail through VPN access, etc. Many use POP3 accounts with their ISP in Outlook Express and need to use SMTP to send out email through our ISP SMTP server on port 25.

Wouldn't it be possible to have them use our Exchange server as an SMTP relay (not an open relay) with some sort of login authentication they would need to enter in order to use it?

What Exchange server are you on? 2003 or 2007?

ndidomenico (Author) commented:

As far as I know, in Exchange 2003 you can only do it based on IP address.

If you create a user, this user will not be able to send unless his/her "From" address is the one you assigned to him in AD.

A potential workaround (up to you to test it):

1) Create a user in your AD for the guest
2) Assign to this user an alias (guest@hisdomain.com)
3) Let the guest authenticate using your Exchange as outgoing SMTP with the user/pass you provided him
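
Added example, not part of the thread and not code from any poster: a check to run from the visitor subnet after setting up an authenticated relay, confirming that the server refuses anonymous relaying and offers a login. The probe addresses and the function names `assess` and `probe` are constructed for this illustration.

```python
import smtplib

# Constructed placeholder addresses: neither belongs to a domain the server
# hosts, so accepting the recipient without a login means open relaying.
SENDER = "probe@external.example"
RCPT = "probe@elsewhere.example"


def assess(session):
    """Classify how an SMTP server treats an unauthenticated client.

    `session` is a connected smtplib.SMTP (or any object with the same
    ehlo/has_extn/mail/rcpt/rset methods). No DATA is ever sent.
    """
    session.ehlo()
    auth = session.has_extn("auth")
    starttls = session.has_extn("starttls")
    code, _ = session.mail(SENDER)
    if code == 250:
        # Sender accepted; the recipient check is where relaying is decided.
        code, _ = session.rcpt(RCPT)
    session.rset()  # abandon the transaction
    if code in (250, 251):
        verdict = "open-relay"  # relays for anyone on this segment
    elif auth:
        verdict = "auth-required"  # refuses anonymous relay, offers login
    else:
        # Some servers advertise AUTH only after STARTTLS; re-check over TLS.
        verdict = "closed-no-auth-advertised"
    return {"auth": auth, "starttls": starttls, "code": code,
            "verdict": verdict}


def probe(host, port=25, timeout=10):
    """Run assess() against host:port from the segment being tested."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        return assess(s)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A result of `open-relay` from the visitor subnet means any infected laptop there can send through the server without credentials, which is the blacklisting risk raised in the question.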

