Solved

Setting up Secure SMTP Server for External Network

Posted on 2010-11-17
Last Modified: 2012-06-21
Exchange 2007, SP1 RU8

We have 2 Physical boxes with CAS & HUB roles on them.
I have a specific requirement from business:

One of their applications is being hosted by a vendor on an external network.
This application sends out mail notifications to us using the vendor-hosted SMTP services.
Now what the team wants is that the externally hosted application should use our corporate SMTP services to relay that application's mails.
I believe this is something that can be done by having a secure SMTP server.
I am not sure on how to set that up.

We also have ISA 2006 server publishing exchange services.

Please suggest
Question by: amku03
 
Expert Comment by: GlobaLevel (ID: 34155338)
I'd like to know how this could be done... they would have to create an MX record and CNAME and point to your IP... how else will they allow your corp SMTP services to interact with their application to send out the notifications? Unless there is a share involved, but I don't know how much interaction you have with them...

Expert Comment by: JuusoConnecta (ID: 34155377)
Don't even know if this could be done...

A workaround would be creating a mailbox user in your domain and having the externally hosted application send mail through your Exchange server using that account's authentication.

Cheers

Expert Comment by: Chris Dent (ID: 34155388)

1. Configure a user account with a complex password which can be used to relay mail
2. Open up access to the SMTP Port from outside (if it's not already)

That's about it. The trouble comes if they can't authenticate the SMTP session. In that case you'd be looking at an anonymous relay, something you'd have to secure on the network layer (by locking down exactly what could talk to it).

Chris
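
Worked example (added here, not part of Chris's answer or anything posted in this thread): the two options above, authenticated relay and IP-locked anonymous relay, written as Exchange 2007 SP1 Receive Connector commands for the Exchange Management Shell on the Hub Transport server. Every name and address is assumed for illustration: Hub server HUB01, vendor source address 203.0.113.10, and relay.corp.example as the FQDN you would hand the vendor. The relay account itself does not appear in the commands, because the connector authenticates whatever domain account the vendor presents; the script ends with the certificate check and a permissions audit that answer "who can relay through this server".

```powershell
# Added example, not code from the thread. Exchange 2007 SP1 Receive Connector for a
# single external application, run in the Exchange Management Shell on the Hub
# Transport server. All names are assumed for illustration: Hub server HUB01, vendor
# source address 203.0.113.10, and relay.corp.example as the name the vendor is given
# for "SMTP Server Address".

$server   = 'HUB01'
$vendorIp = '203.0.113.10'           # the one address the hosted application sends from
$mode     = 'Authenticated'          # 'Authenticated' or 'Anonymous'; they cannot share
                                     # the same binding + RemoteIPRanges on one server

# Connector selection uses the most specific RemoteIPRanges match, so this /32-scoped
# connector answers the vendor before "Default HUB01" (0.0.0.0-255.255.255.255) does,
# and is never selected for any other source address.
New-ReceiveConnector -Name 'Vendor App Relay' -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $vendorIp `
    -Fqdn 'relay.corp.example' `
    -MaxMessageSize '10MB' -MessageRateLimit 100 -MaxRecipientsPerMessage 50 `
    -ProtocolLoggingLevel Verbose | Out-Null

$conn = Get-ReceiveConnector "$server\Vendor App Relay"

if ($mode -eq 'Authenticated') {
    # Tls advertises STARTTLS; BasicAuthRequireTLS only accepts the password inside
    # the TLS session; RequireTLS rejects MAIL FROM on a clear-text session. The
    # ExchangeUsers permission group is what gives an authenticated caller
    # ms-Exch-SMTP-Accept-Any-Recipient, i.e. the right to relay to any domain.
    # Caveat: any domain account that can reach the connector could authenticate and
    # relay, so the RemoteIPRanges scope above is what narrows it to the vendor host.
    Set-ReceiveConnector -Identity $conn.Identity `
        -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
        -PermissionGroups ExchangeUsers -RequireTLS $true
}
else {
    # Fallback when the application cannot authenticate: anonymous relay secured only
    # at the network layer. Anonymous alone accepts mail for your own recipients;
    # granting Accept-Any-Recipient to ANONYMOUS LOGON is what makes it a relay, so
    # it must only ever exist on a connector scoped to a trusted source address.
    Set-ReceiveConnector -Identity $conn.Identity -AuthMechanism Tls -PermissionGroups Anonymous
    $conn | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient | Out-Null
}

# STARTTLS only presents a usable certificate if one carrying the connector FQDN is
# enabled for the SMTP service; otherwise the vendor sees the self-signed one.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# Audit: every principal holding the relay right on every connector of this server.
# Expect ExchangeUsers members (or ANONYMOUS LOGON) on the vendor connector and the
# Exchange Servers group on the default connectors, and nothing else.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $_ | Get-ADPermission |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') } |
        Select-Object @{Name='Connector'; Expression={$_.Identity}}, User
}
```

The firewall rule that goes with this should permit TCP/25 from 203.0.113.10 to HUB01 only; the connector's RemoteIPRanges is the second, independent layer, so a mistake in either one alone does not expose the relay.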

Author Comment by: amku03 (ID: 34155495)
@Chris: when you say open the SMTP port, is that something through the ISA server?

Expert Comment by: Chris Dent (ID: 34155531)

How do you handle inbound mail at the moment? If you accept mail directly in from the outside then SMTP will already be open, the thing that prevents other people using your SMTP server as a relay is authentication.

I'm not an ISA expert, but I can help you find one if it comes to that, it would be good to understand how much of your system is exposed at the moment though.

Chris

Author Comment by: amku03 (ID: 34155806)
This is what the vendor had asked for:

SMTP Server Address:
SMTP Port:
SMTP Username:
SMTP Password:
SSL/TLS:

So we have created a user account for the same, with a complex password.
Now we have mail gateways behind firewalls accepting mail directly from the internet.
I am big time confused on what the server address should be for them.
Is it the hostname of the mail appliance?

Expert Comment by: Chris Dent (ID: 34155873)

Let's see, do you have this?

   << The Internet >>   ----   ISA   ----   Exchange

Or do you have an anti-spam system in the path?

The system above wants to talk to Exchange, so if there's an anti-spam system in the path you may not expose Exchange to the public at all right now.

If you don't have anything in between, they need the IP of ISA (assuming that's publishing the Exchange stuff). The port would be 25 by default, and I would opt for SSL/TLS if you can (Exchange 2007 / 2010 are dead keen on having proper certificates, so would be able to support that).

Chris

Author Comment by: amku03 (ID: 34158335)
We have a Symantec appliance as mail gateway, also working as antispam tool.
ISA is only for publishing OWA / ActiveSync / RPC.

Expert Comment by: Chris Dent (ID: 34158400)

Gotcha, that's going to be the hard bit then. To authenticate you'll need to get the app to the SMTP service on the Exchange server. That would mean poking holes on your firewall to let that traffic in. It's difficult to recommend that, are they dead set on using your Exchange server?

Chris

Author Comment by: amku03 (ID: 34159260)
That's something coming in from our legal department: to use the corporate SMTP services.
And I totally agree with you, it's more of opening security holes on our firewall.
Well, thanks for your thoughts on this. I think I need to make our stand clear and probably get the network security team to pitch in with their recommendations.

Accepted Solution by: Chris Dent (earned 500 total points, ID: 34159299)

Absolutely, if you have a network security team you should bug them about this :)

On the positive side, you should be able to lock down inbound traffic to that server alone; on the negative side, permitting traffic directly into the core of your corporate network isn't so fun (albeit necessary on occasion).

If I were given a choice, I would have an SMTP service running on the same site as the hosted service. I would ideally configure that with an SSL certificate (for TLS), and I would ideally configure an SPF record that stated exactly which systems were permitted to send as your domain name.

Chris
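
A check to run once the firewall hole is opened, added here as an example (not from this thread): a PowerShell SMTP probe that connects as an anonymous caller and records whether STARTTLS is advertised, whether AUTH is offered on the clear-text session, and whether a RCPT TO for a domain you do not host is accepted. Run it from a machine outside the permitted source range, where it should either be refused at the firewall or end with Exchange's "550 5.7.1 Unable to relay", and again from the vendor side, where a connector with RequireTLS set should answer MAIL FROM on the clear session with "530 5.7.0 Must issue a STARTTLS command first". Assumed values: relay.corp.example on port 25 and example.net as a domain you do not host. It needs PowerShell 2.0 or later on the probing machine (not on the Exchange server) and never sends credentials.

```powershell
# Added example, not code from the thread: an SMTP relay probe run from OUTSIDE the
# vendor's permitted address range. Assumed: relay.corp.example:25 is the published
# endpoint and example.net is a domain you do not host. Needs PowerShell 2.0+.

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Reads one full reply, including multi-line "250-..." continuations, and
    # returns the numeric code plus the raw lines.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    New-Object PSObject -Property @{ Code = [int]($line.Substring(0, 3)); Lines = $lines }
}

function Send-SmtpCommand([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command) {
    $Writer.Write("$Command`r`n")
    $Writer.Flush()
    Read-SmtpReply $Reader
}

function Test-EhloCapability($Lines, [string]$Pattern) {
    # True when any EHLO response line matches the pattern (e.g. '^250[- ]STARTTLS').
    @(@($Lines) -match $Pattern).Count -gt 0
}

function Invoke-SmtpRelayProbe {
    param(
        [string]$Server   = 'relay.corp.example',
        [int]$Port        = 25,
        [string]$MailFrom = 'probe@example.net',
        [string]$RcptTo   = 'probe@example.net',   # foreign domain: a 250 here means open relay
        [switch]$UseStartTls
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $result = @{ Server = "${Server}:$Port"; TlsUsed = $false; OpenRelay = $false }
    try {
        $result.Banner = (Read-SmtpReply $reader).Lines[0]
        $ehlo = Send-SmtpCommand $writer $reader 'EHLO probe.example.net'
        $result.StartTlsOffered = Test-EhloCapability $ehlo.Lines '^250[- ]STARTTLS'
        # AUTH advertised on the clear-text session means a client could send the relay
        # account's password unencrypted; BasicAuthRequireTLS on the connector prevents it.
        $result.AuthOfferedInClear = Test-EhloCapability $ehlo.Lines '^250[- ]AUTH '

        if ($UseStartTls -and $result.StartTlsOffered) {
            $tls = Send-SmtpCommand $writer $reader 'STARTTLS'
            if ($tls.Code -ne 220) { throw "STARTTLS refused: $($tls.Lines[-1])" }
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server)    # default chain validation: a bad cert throws here
            $result.TlsUsed     = $true
            $result.TlsCipher   = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            $result.CertSubject = $ssl.RemoteCertificate.Subject
            $reader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
            $writer = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
            [void](Send-SmtpCommand $writer $reader 'EHLO probe.example.net')
        }

        # No AUTH is attempted: the question is what an anonymous caller may do.
        $mail = Send-SmtpCommand $writer $reader "MAIL FROM:<$MailFrom>"
        $result.MailFromReply = $mail.Lines[-1]
        if ($mail.Code -eq 250) {
            $rcpt = Send-SmtpCommand $writer $reader "RCPT TO:<$RcptTo>"
            $result.RcptToReply = $rcpt.Lines[-1]
            $result.OpenRelay   = ($rcpt.Code -eq 250)   # 250 for a foreign domain = open relay
        }
        [void](Send-SmtpCommand $writer $reader 'QUIT')
    }
    finally {
        $client.Close()
    }
    New-Object PSObject -Property $result
}

# Usage: Invoke-SmtpRelayProbe -UseStartTls | Format-List
```

The outcome to look for is StartTlsOffered True, AuthOfferedInClear False and OpenRelay False from every vantage point; a TLS handshake error from the probe means the certificate the connector presents does not chain to a root the vendor's host will trust, which is worth knowing before they fill in "SSL/TLS: yes".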
 

Author Comment by: amku03 (ID: 34159372)
On that note : I am working on creating SPF record for my domain.
0
 

Author Closing Comment by: amku03 (ID: 34347804)
tx