Solved

configuring Exchange 2003 SMTP virtual server to accept mail from mail clients on port 587 with SSL

Posted on 2009-07-02
Last Modified: 2012-05-07
I've got a 2003 SBS box.  Exchange is on it, and it runs fine - though I have a consultant who needs/wants to access her mail via POP3 and send via SMTP.  I've got a standard/turbo SSL certificate from godaddy, which works fine for everything I need it to.

Setting up POP3 to require SSL is easy.

But now, I want to configure the mail server to accept mail from mail clients (Outlook, Outlook Express, Eudora, etc) over port 587 and require a secure channel.  

I understand that I start by creating a new SMTP virtual server in ESM.  Easy.  For the IP address of this virtual server, I set it as "all unassigned."  After creating it, I go into the new virtual server's properties and change the TCP port to 587.  Then I go to the Access tab, choose Certificate and select my GoDaddy SSL certificate.

And I can click communication on the access tab and choose "require secure channel."

When trying to send an email from outside the LAN to that server over port 587 with SSL, I get this error:

The connection to the server has failed. Account: 'mail.domainname.org', Server: 'mail.domainname.org', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Socket Error: 10060, Error Number: 0x800CCC0E


Thoughts?
Question by:dmessman
14 Comments
LVL 12

Expert Comment

by:marcustech
ID: 24764183
In the SMTP Virtual Server Properties go to Access > Authentication > Allow anonymous access (don't worry, this isn't the same as anonymous relay)

Tick Basic authentication

Default domain = your domain (example.com)

Tick Integrated Windows authentication

Click Users > Ensure authenticated users are allowed Submit permission & Relay permission
LVL 9

Author Comment

by:dmessman
ID: 24764214
This ensures that users must authenticate - but the text password info is still sent in clear text.  That's why I want to require that the connection use SSL.
LVL 12

Expert Comment

by:marcustech
ID: 24764285
Sorry, yeah, ignore that part; the important part was the latter: ensuring authenticated users are allowed Submit permission & Relay permission.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24793305
Silly question - have you opened up port 587 on your firewall to forward to the Exchange server?
If you have, have you tested using telnet to your mail server from outside on port 587?
Syntax - telnet mail.yourdomain.com 587
Alan
LVL 9

Author Comment

by:dmessman
ID: 24816375
Not a silly question apparently.  Due to some stupidity on my part, there was an issue.  I had allowed port 587 through my firewall, but my new SMTP virtual server for port 587 was stopped.

Anyway, that is now up and running.  I can telnet to the server on port 587.  And in Outlook Express, messages successfully leave the outbox and seem to successfully send.

However, looking at the queue on my SBS box, I see the messages stuck in the queue.  The remote server says "the connection was dropped by the remote host".

I wonder if my local server is trying to communicate with the remote server via port 587?  Or is there some kind of certificate or security issue between the two servers?  Below is a screen shot of the queue and my port 587 setup.


queue.jpg
port-587a.jpg
port-587b.jpg
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24816437
Check your domain for Reverse DNS on http://www.mxtoolbox.com/diagnostic.aspx
If there is no reverse DNS set up, call your ISP and ask them to set it up on your IP address.
LVL 9

Author Comment

by:dmessman
ID: 24816491
Yes, I have reverse DNS set up.  I am able to send to these addresses under normal circumstances (not this port 587 business).
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24816574
Can you please test your domain on www.dnsstuff.com and perform a domain report.
Report back any Fails or Warnings please.
Alternatively - please let me know your domain so that I can check it for you.
LVL 9

Author Comment

by:dmessman
ID: 24816643
domain is ovariancancer.org

if you'd like to run the test, thanks
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 24816752
Your 3 MX records are:

30 mail.ovariancancer.org. [TTL=21600] IP=208.118.191.155 [TTL=21600] [US]
10 mail2.ovariancancer.org. [TTL=21600] IP=63.251.93.146 [TTL=21600] [US]
20 vpn.ovariancancer.org. [TTL=21600] IP=208.118.191.115 [TTL=21600] [US]
 
3 Problems:
1)
ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries/* (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough)*/. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool on our site if you recently changed your reverse DNS entry (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:
146.93.251.63.in-addr.arpa [Timeout (check it)]
Set up RDNS on IP 63.251.93.146
2)
WARNING: I could not complete a connection to 66% of your mailservers. This could lead to a performance issue in your reception of mail:
mail2.ovariancancer.org: Timed out [Last data sent: [Did not connect]]
vpn.ovariancancer.org: Timed out [Last data sent: [Did not connect]]
2 of your mailservers are down - non contactable on port 25 (not an issue if you are using port 587 as the test does not test port 587)
3)
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mail.ovariancancer.org claims to be host ovariancancer.org [but that host is at 69.93.15.163 (may be cached), not 208.118.191.155].
Change your FQDN name to be mail.ovariancancer.org in the default SMTP Virtual Server Properties (Delivery Tab - Advanced Button)
LVL 9

Author Comment

by:dmessman
ID: 24823064
All changes made as requested.

I have sent a test message from this account using Outlook Express over port 587 with SSL to another Exchange server that I control.  The email sits in the queue of the local server.  The remote server doesn't seem to receive the email (at least not that I can tell in message tracking center).  

The local server still says "the connection was dropped by the remote host".

Thanks
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24823330
Can you test the connection from a DOS prompt to the server you just emailed and report back with the rejection message please.
http://support.microsoft.com/kb/153119
LVL 9

Author Comment

by:dmessman
ID: 24854538
ok - so it works now.  Dammit.

Here's basically what I did - for those who follow these steps.  I did this on an SBS 2003 box.

Right click on SMTP and choose new SMTP Virtual Server
Name it 587, for IP address "all unassigned" is fine and say YES
Right click on 587 and choose properties
Click advanced, click edit
change the TCP port to 587
Click OK
Go to the access tab
Click certificate and choose your certificate (ideally you've already added a third party cert)
Click Communication and choose "require secure channel"

Click delivery and click advanced, make sure the FQDN matches the FQDN of your certificate

Click OK
Right click on 587 and choose START

Make sure your firewall allows port 587 incoming

And that should be it.
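A client-side check of the endpoint the steps above produce, added here as an example and not code from the thread: it verifies the three things the thread hinged on (the 220 greeting names the same FQDN as the certificate, STARTTLS is offered, and AUTH is not offered on the clear-text channel). `EXPECTED_FQDN`, the sample replies and the `probe` helper are assumptions; `probe` needs network access, the parsing functions run offline.

```python
"""Client-side check of an SMTP submission (port 587) endpoint. Added example,
not the thread's code: greeting FQDN vs certificate name, STARTTLS, AUTH timing."""
import smtplib
import ssl

EXPECTED_FQDN = "mail.example.org"  # assumption: the name on the server certificate
GOOD_GREETING = "220 mail.example.org Microsoft ESMTP MAIL Service ready"  # constructed samples
GOOD_EHLO = "250-mail.example.org Hello [203.0.113.7]\n250-SIZE\n250-STARTTLS\n250 OK"
BAD_GREETING = "220 example.org Microsoft ESMTP MAIL Service ready"
BAD_EHLO = "250-example.org Hello [203.0.113.7]\n250-AUTH LOGIN\n250 OK"

def greeting_host(greeting):
    """Hostname announced in a '220 host ...' banner, or None if malformed."""
    parts = greeting.strip().split()
    if len(parts) < 2 or parts[0] not in ("220", "220-"):
        return None
    return parts[1].lower()

def ehlo_keywords(ehlo_text):
    """EHLO keywords from a 250 reply; lines may or may not carry the '250' code."""
    keywords = set()
    for line in ehlo_text.strip().splitlines()[1:]:  # first line is the hostname
        line = line.strip()
        if line.startswith("250"):
            line = line[4:]
        if line:
            keywords.add(line.split()[0].upper())
    return keywords

def assess(greeting, ehlo_text, expected_fqdn=EXPECTED_FQDN):
    """Return a list of findings; an empty list means the endpoint matches expectations."""
    findings, host, kw = [], greeting_host(greeting), ehlo_keywords(ehlo_text)
    if host != expected_fqdn.lower():
        findings.append("greeting FQDN %r does not match %r" % (host, expected_fqdn))
    if "STARTTLS" not in kw:
        findings.append("STARTTLS not advertised: no secure channel offered")
    if "AUTH" in kw:
        findings.append("AUTH offered before TLS: credentials could travel in clear")
    return findings

def probe(host, port=587, expected_fqdn=EXPECTED_FQDN):
    """Live version: EHLO on the clear channel, then STARTTLS with certificate validation."""
    s = smtplib.SMTP(timeout=10)
    code, banner = s.connect(host, port)  # banner is the text after the 220 code
    s.ehlo()
    greeting = "%d %s" % (code, banner.decode(errors="replace"))
    findings = assess(greeting, s.ehlo_resp.decode(errors="replace"), expected_fqdn)
    s.starttls(context=ssl.create_default_context())  # raises if the cert does not validate
    s.quit()
    return findings
```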