SBS 2008: How to set up an email-only account to allow an outside mail client to send/receive outsidedomain.com email that is being hosted on our server

johnhiro007
Hello,

We have SBS 2008, which is configured to send/receive our outsidedomain.com email directly. However, how do we set up an email-only account to allow a program that sits outside our network to send mail from outsidedomain.com? In other words, in the previous setup of our email being hosted by a 3rd party, we would simply add a POP account user@outsidedomain.com and we could have any machine anywhere in the world configured to send/receive mail.

With SBS, our current email accounts are tied to internal domain accounts, but I don't want to create internal domain accounts (counts against our CALs, right?) for a simple email-only user that needs zero internal network access.

Thanks!
Distinguished Expert 2018
Commented:
What you describe is called relaying, and you can configure Exchange to relay. To keep it from being abused as a spam relay, you should configure the relay to require authentication, which means creating an account for the outside program/service to use to authenticate, which means a CAL will be required/used because you are then actually using SBS as an authenticating agent. This is the best and most secure option, but it will unfortunately require a CAL to implement properly.
http://www.ilopia.com/Articles/WindowsServer2003/EmailServer.aspx#Configure

Skip down to the Configure SMTP Server portion. It'll let an account send mail, and won't make you an open relay.
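
A check for the open-relay concern raised in the replies above, as an added example that is not part of the original thread: it starts an SMTP transaction without authenticating, offers a recipient in an outside domain, and reports whether the server would relay it. The function name, the addresses, the `FakeSession` stand-in and the reply strings are constructed for illustration; for a live check, pass an `smtplib.SMTP` object connected to a server you administer.

```python
import smtplib  # for a live check, pass smtplib.SMTP(host, port) as `smtp`

def relay_status(smtp, sender, outside_rcpt):
    """Classify how a server treats an UNAUTHENTICATED relay attempt.

    Returns 'refused', 'open' or 'inconclusive'. No DATA command is issued,
    so no message is ever sent.
    """
    smtp.ehlo()
    code, _ = smtp.mail(sender)
    if code < 400:
        code, _ = smtp.rcpt(outside_rcpt)
    smtp.rset()  # abandon the transaction
    if 200 <= code < 300:
        return "open"          # outside recipient accepted without login
    if 500 <= code < 600:
        return "refused"       # permanent rejection: relay needs authentication
    return "inconclusive"      # 4xx temporary failure; retry later


class FakeSession:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, mail_reply, rcpt_reply):
        self.mail_reply, self.rcpt_reply = mail_reply, rcpt_reply
    def ehlo(self):
        return (250, b"ok")
    def mail(self, sender):
        return self.mail_reply
    def rcpt(self, rcpt):
        return self.rcpt_reply
    def rset(self):
        return (250, b"ok")


# Constructed replies, not captured from a real server.
SAMPLES = {
    "auth required": FakeSession((530, b"5.7.1 Client was not authenticated"), (503, b"")),
    "relay denied": FakeSession((250, b"Sender OK"), (550, b"5.7.1 Unable to relay")),
    "open relay": FakeSession((250, b"Sender OK"), (250, b"Recipient OK")),
    "deferred": FakeSession((250, b"Sender OK"), (451, b"4.7.1 Try again later")),
}

def run_samples():
    return {name: relay_status(s, "probe@outsidedomain.com", "someone@example.net")
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Only the "open" verdict means the server accepts mail for outside domains from an unauthenticated sender; both "auth required" and "relay denied" are acceptable outcomes for the setup described in this thread.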

Author

Commented:
cgaliher, is the configuration of setting up relaying basically the same as setting up external access to the server: http://blogs.technet.com/b/sbs/archive/2008/09/19/how-to-configure-sbs-2008-to-host-pop3-imap4.aspx

Harell66, the link you provided is for Server 2003, and I have 2008. I went to the section you specified, "Configure the SMTP Server", but it does not match our server.
Distinguished Expert 2018

Commented:
It is the same as setting up step 3 of that document (you won't need IMAP or POP3, just the SMTP portion), and that blog post doesn't actually cover the SMTP portion of the setup. It instead just references this blog post:
http://blogs.technet.com/b/sbs/archive/2008/09/18/how-to-configure-trusted-smtp-relay-in-exchange-on-sbs-2008.aspx
Which, as you can see, is about setting up an SMTP relay.  :)

Author

Commented:
So if I have to set up an account on the server for each email address, what are the best practices to lock that account down so it can't do squat but send email? (Basically concerned about opening any further vulnerabilities on the server.)
Distinguished Expert 2018

Commented:
Windows grants permissions based on security policies and has several default policies that are already mapped to default security groups.
Windows also has a default behavior of "deny unless granted permissions" type of application for those security policies.
Thus, remove the user from any security groups you don't want them to have permissions inherited from and you'll effectively lock down that account.