Allow visitors to use Exchange to send email

Posted on 2009-04-27
Last Modified: 2013-11-30
We have port 25 blocked for all IP addresses except for our Exchange server. We sometimes have visitors (our clients) who connect to our network with their laptops for Internet access and need to send/receive email. How would you allow them to send email without risking an infected laptop starting to send spam when connected?
Question by: ndidomenico
    LVL 7

    Expert Comment

    Hi, this could get to be a complicated network setup for such cases.

    If it's a large network, you can try "Cisco Network Admission Control".

    Otherwise, if it's smaller, keep a small segment on DHCP for the visitors and then allow that segment to send out SMTP traffic.

    LVL 6

    Expert Comment

    Set up a visitors' network VLAN and configure firewall rules accordingly. I would not allow non-company personnel access to any network resources.
    LVL 21

    Expert Comment

    When you allow Internet access for visitors, you already allow your visitors to access OWA, so they can send e-mails using their own Exchange servers. If not, they can use Gmail or another free provider, but you can't allow SMTP traffic from your network; otherwise an infected laptop can put you on every spam blacklist. You can also open the VPN port for your visitors, allowing them to connect to their home/business network.

    LVL 49

    Accepted Solution

    Make these guests use a DMZ zone and allow them SMTP outbound.

    Make sure that the NATed real IP of that DMZ is different from the one Exchange is using to send emails.

    That way, if this IP gets blacklisted, it won't affect the email flow of your company.


    Author Comment

    Thanks for your responses.

    We don't have a DMZ with its own public IP. The wireless AP that clients are using for Internet access is on a different subnet than our company network and isolated using a firewall, like this:

    Internet --> Firewall A --> Firewall B --> Company network, Exchange Server
                                        --> Firewall C --> Wireless network for visitors
    1) I don't want to open port 25 on Firewall C for visitors because my only public IP will get blacklisted if an infected client PC starts sending spam.

    2) Our visitors do not all have Exchange with OWA, Gmail, mail through VPN access, etc. Many use POP3 accounts with their ISP in Outlook Express and need to use SMTP to send out email through our ISP SMTP server on port 25.

    Wouldn't it be possible to have them use our Exchange server as an SMTP relay (not an open relay) with some sort of login authentication they would need to enter in order to use it?
    LVL 49

    Expert Comment

    What Exchange server are you on? 2003 or 2007?

    Author Comment

    LVL 49

    Expert Comment

    As far as I know, in Exchange 2003 you can only do it based on IP address.

    If you create a user this user will not be able to send unless his/her "From" address is the one you assigned to him in AD.

    A potential workaround (up to you to test it):

    1) create a user in your AD for the guest
    2) assign to this user an alias (
    3) let the guest authenticate using your Exchange as outgoing SMTP with the user/pass you provided him
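
    A way to confirm the outcome the thread is aiming for (relay only after login, never an open relay), added here as an example that is not part of the original thread. `relay_policy` takes any connected `smtplib.SMTP`-style object; the `FakeRelay` class, account name, password, reply texts and addresses are constructed so the check runs offline.

```python
import smtplib

def relay_policy(smtp, sender, external_rcpt, user=None, password=None):
    """Classify an SMTP server's relay behaviour toward an external recipient.
    Only MAIL/RCPT/RSET are issued (never DATA), so no message is sent."""
    def rcpt_accepted():
        smtp.mail(sender)
        code, _ = smtp.rcpt(external_rcpt)
        smtp.rset()
        return 200 <= code < 300

    smtp.ehlo()
    if rcpt_accepted():
        return "open-relay"          # relays for anyone: the blacklisting risk
    if user is None:
        return "auth-offered" if smtp.has_extn("auth") else "relay-denied"
    if smtp.has_extn("starttls"):    # avoid sending the password in clear text
        smtp.starttls()
        smtp.ehlo()
    try:
        smtp.login(user, password)
    except smtplib.SMTPException:
        return "relay-denied"
    return "auth-relay-ok" if rcpt_accepted() else "relay-denied"


class FakeRelay:
    """Constructed stand-in for a mail server, so the example runs offline."""
    def __init__(self, open_relay=False, accounts=None):
        self.open_relay, self.accounts, self.authed = open_relay, accounts or {}, False
    def ehlo(self): return (250, b"ok")
    def has_extn(self, name): return name == "auth" and bool(self.accounts)
    def mail(self, sender): return (250, b"ok")
    def rcpt(self, rcpt):
        ok = self.open_relay or self.authed
        return (250, b"ok") if ok else (550, b"5.7.1 Unable to relay")
    def rset(self): return (250, b"ok")
    def login(self, user, password):
        if self.accounts.get(user) != password:
            raise smtplib.SMTPAuthenticationError(535, b"5.7.3 Authentication unsuccessful")
        self.authed = True
        return (235, b"ok")


if __name__ == "__main__":
    guest = FakeRelay(accounts={"guest1": "constructed-password"})
    print(relay_policy(guest, "visitor@example.com", "someone@example.net"))
    print(relay_policy(guest, "visitor@example.com", "someone@example.net",
                       "guest1", "constructed-password"))
```

    Against a real server, pass `smtplib.SMTP(host, 25)` in place of `FakeRelay`; an "open-relay" result from the visitor subnet means any infected laptop there could send through the server.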

