Setting up Secure SMTP Server for External Network

Exchange 2007, SP1 RU8

We have 2 physical boxes with CAS & HUB roles on them.
I have a specific requirement from business:

One of their applications is being hosted by a vendor on an external network.
This application sends out mail notifications to us using the vendor-hosted SMTP services.
Now what the team wants is that the externally hosted application should use our corporate SMTP services to relay that application's mails.
I believe this is something that can be done by having a secure SMTP server.
I am not sure how to set that up.

We also have an ISA 2006 server publishing Exchange services.

Please suggest
amku03 asked:
Chris Dent (PowerShell Developer) commented:

Absolutely, if you have a network security team you should bug them about this :)

On the positive side you should be able to lock down inbound traffic to that server alone; on the negative side, permitting traffic directly into the core of your corporate network isn't so fun (albeit necessary on occasion).

If I were given a choice, I would have an SMTP service running on the same site as the hosted service. I would ideally configure that with an SSL certificate (for TLS), and I would ideally configure an SPF record that stated exactly which systems were permitted to send as your domain name.

Chris
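Chris's point about an SPF record that names exactly which systems may send as the domain can be checked before the record is published. The following is an added example, not code from this thread: a minimal evaluator for the ip4 and all mechanisms, run against a constructed record in which 203.0.113.10 stands in for the corporate mail gateway and 198.51.100.0/28 for the vendor's sending hosts.

```python
import ipaddress

# Constructed record for illustration; the addresses are placeholders,
# not the poster's real gateway or vendor ranges.
SPF_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/28 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate an SPF record for the connecting IP.

    Supports only the ip4 and all mechanisms (enough for a record that
    lists fixed hosts). Returns 'pass', 'fail', 'softfail' or 'neutral';
    raises ValueError if the text is not an SPF record.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech = mech.lower()
        if mech == "all":
            # 'all' always matches, so whatever qualifier it carries decides
            # the fate of every sender not listed earlier.
            return result
        if mech.startswith("ip4:"):
            # A bare address becomes a /32; a CIDR range is taken as given.
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return result
    return "neutral"  # no mechanism matched and no 'all' term was present
```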
GlobaLevel (Programmer) commented:
I'd like to know how this could be done... they would have to create an MX record and CNAME and point to your IP... how else will they allow your corp SMTP services to interact with their application to send out the notifications? Unless there is a share involved, but I don't know how much interaction you have with them...
JuusoConnecta commented:
Don't even know if this could be done..

A workaround would be creating a mailbox user in your domain and having the externally hosted application send mail through your Exchange server using that account's authentication.

cheers
Chris Dent (PowerShell Developer) commented:

1. Configure a user account with a complex password which can be used to relay mail
2. Open up access to the SMTP Port from outside (if it's not already)

That's about it. The trouble comes if they can't authenticate the SMTP session. In that case you'd be looking at an anonymous relay, something you'd have to secure on the network layer (by locking down exactly what could talk to it).

Chris
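To make the two steps concrete, here is an added example (not code from this thread) modelling the receive-side policy that keeps an authenticated relay account from turning the server into the anonymous relay Chris warns about: recipients outside the local domain are accepted only after STARTTLS and a successful AUTH, while unauthenticated sessions can still deliver inbound mail to the local domain. The local domain, the relay account and its password are constructed values.

```python
import hmac

# Constructed values: our accepted domain and the dedicated relay account
# (the "user account with a complex password" from the thread).
LOCAL_DOMAINS = {"corp.example"}
RELAY_ACCOUNTS = {"svc-vendor-relay": "Correct-Horse-Battery-Staple-42"}


class RelaySession:
    """Tracks one SMTP session's TLS and authentication state."""

    def __init__(self):
        self.tls = False   # set once STARTTLS has completed
        self.user = None   # set once AUTH has succeeded

    def starttls(self):
        self.tls = True
        return "220 Ready to start TLS"

    def auth(self, user, password):
        # Never take credentials over a cleartext session (the behaviour of
        # Exchange's BasicAuthRequireTLS setting on a receive connector).
        if not self.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"
        expected = RELAY_ACCOUNTS.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def rcpt_to(self, address):
        domain = address.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "250 2.1.5 Recipient OK"   # ordinary inbound mail to us
        if self.user is not None:
            return "250 2.1.5 Recipient OK"   # authenticated relay to the outside
        return "550 5.7.1 Unable to relay"    # unauthenticated relay is refused


def run(commands):
    """Replay (verb, *args) tuples against a fresh session; return the replies."""
    session, replies = RelaySession(), []
    for verb, *args in commands:
        replies.append(getattr(session, verb)(*args))
    return replies
```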
amku03 (Author) commented:
@Chris: when you say open the SMTP port, is that something through the ISA server?
Chris Dent (PowerShell Developer) commented:

How do you handle inbound mail at the moment? If you accept mail directly in from the outside then SMTP will already be open; the thing that prevents other people using your SMTP server as a relay is authentication.

I'm not an ISA expert, but I can help you find one if it comes to that; it would be good to understand how much of your system is exposed at the moment though.

Chris
amku03 (Author) commented:
This is what the vendor had asked for:

SMTP Server Address:
SMTP Port:
SMTP Username:
SMTP Password:
SSL/TLS:

So we have created a user account for the same, with a complex password.
Now we have mail gateways behind firewalls accepting mail directly from the internet.
I am big time confused on what the server address should be for them?
Is it the hostname of the mail appliance?
Chris Dent (PowerShell Developer) commented:

Let's see, do you have this?

   << The Internet >>   ----   ISA   ----   Exchange

Or do you have an anti-spam system in the path?

The system above wants to talk to Exchange, so if there's an anti-spam system in the path you may not expose Exchange to the public at all right now.

If you don't have anything in between they need the IP of ISA (assuming that's publishing Exchange stuffs). The port would be 25 by default, and I would opt for SSL/TLS if you can (Exchange 2007 / 2010 are dead keen on having proper certificates so would be able to support that).

Chris
amku03 (Author) commented:
We have a Symantec appliance as mail gateway, also working as an antispam tool.
ISA is only for publishing OWA / ActiveSync / RPC.
Chris Dent (PowerShell Developer) commented:

Gotcha, that's going to be the hard bit then. To authenticate you'll need to get the app to the SMTP service on the Exchange server. That would mean poking holes in your firewall to let that traffic in. It's difficult to recommend that; are they dead set on using your Exchange server?

Chris
amku03 (Author) commented:
That's something coming in from our legal department: to use the corporate SMTP services.
And I totally agree with you, it's more of opening security holes in our firewall.
Well, thanks for your thoughts on this. I think I need to make our stand clear and probably get the network security team to pitch in with their recommendations.
amku03 (Author) commented:
On that note: I am working on creating an SPF record for my domain.
amku03 (Author) commented:
tx