Solved

Setting up Secure SMTP Server for External Network

Posted on 2010-11-17
Last Modified: 2012-06-21
Exchange 2007, SP1 RU8

We have 2 physical boxes with the CAS & HUB roles on them.
I have a specific requirement from the business:

One of their applications is hosted by a vendor on an external network.
This application sends out mail notifications to us using the vendor-hosted SMTP services.
Now what the team wants is for the externally hosted application to use our corporate SMTP services to relay that application's mail.
I believe this is something that can be done by having a secure SMTP server.
I am not sure how to set that up.

We also have ISA 2006 server publishing exchange services.

Please suggest
Question by:amku03
13 Comments

Expert Comment

by:GlobaLevel
ID: 34155338
I'd like to know how this could be done... they would have to create an MX record and CNAME and point to your IP... how else will they allow your corp SMTP services to interact with their application to send out the notifications? Unless there is a share involved, but I don't know how much interaction you have with them...

Expert Comment

by:JuusoConnecta
ID: 34155377
Don't even know if this could be done...

A workaround would be creating a mailbox user in your domain and having the externally hosted application send mail through your Exchange server using that account's authentication.

cheers

Expert Comment

by:Chris Dent
ID: 34155388

1. Configure a user account with a complex password which can be used to relay mail
2. Open up access to the SMTP Port from outside (if it's not already)

That's about it. The trouble comes if they can't authenticate the SMTP session. In that case you'd be looking at an anonymous relay, something you'd have to secure on the network layer (by locking down exactly what could talk to it).

Chris

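The two steps Chris lists above, worked through as Exchange 2007 Management Shell commands. This is an added example written for this page, not part of the original thread or of Chris's reply. The Hub Transport server name HUB01, the domain corp.example, the account svc-vendor-relay, the OU and database paths, the certificate thumbprint and the 203.0.113.x vendor addresses are all placeholders; the second connector covers the anonymous-relay fallback Chris mentions, with the IP list as its only control.

```powershell
# Added example, not from the original thread: Exchange 2007 Management Shell
# commands for (A) an authenticated, TLS-only relay for the vendor's application
# and (B) an anonymous relay confined to the vendor's source IPs, for the case
# where the application cannot do SMTP AUTH. All names and addresses below are
# placeholders (assumptions) to be replaced with real values.

$hub       = 'HUB01'                          # Hub Transport server that hosts the connectors
$vendorIPs = '203.0.113.10', '203.0.113.11'   # the vendor's sending hosts, and nothing wider
$relayUser = 'svc-vendor-relay'
$relayFqdn = 'smtp.corp.example'              # name the vendor connects to; must match the cert

# --- Step 1: dedicated account. Mailbox-enabled so that bounces for relayed
# mail have somewhere to land; every client protocol other than SMTP AUTH is
# switched off so the credential is useless for anything but this connector.
$pw = Read-Host -AsSecureString 'Password for the relay account (long, random, kept in a vault)'
New-Mailbox -Name $relayUser -Alias $relayUser -UserPrincipalName "$relayUser@corp.example" `
    -OrganizationalUnit 'corp.example/Service Accounts' `
    -Database 'MBX01\First Storage Group\Mailbox Database' `
    -Password $pw -ResetPasswordOnNextLogon $false
Set-CASMailbox -Identity $relayUser -OWAEnabled $false -ActiveSyncEnabled $false `
    -MAPIEnabled $false -POPEnabled $false -IMAPEnabled $false

# --- Step 2a: make STARTTLS possible. The certificate whose subject or SAN
# covers $relayFqdn has to be enabled for the SMTP service on the Hub server.
Enable-ExchangeCertificate -Thumbprint '<thumbprint of the smtp.corp.example certificate>' -Services SMTP

# --- Step 2b, option A: authenticated relay. Basic auth is allowed only inside
# TLS (BasicAuthRequireTLS) and TLS is mandatory, so the password never crosses
# the internet in the clear. Exchange hands a session to the connector whose
# RemoteIPRanges matches the client most specifically, so this connector wins
# over the built-in ones on the same port only for the vendor's addresses;
# everyone else still lands on the defaults, which do not relay anonymously.
New-ReceiveConnector -Name 'Vendor app relay (authenticated)' -Server $hub -Usage Custom `
    -Bindings '0.0.0.0:587' -RemoteIPRanges $vendorIPs -Fqdn $relayFqdn `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true -MaxRecipientsPerMessage 20 -ProtocolLoggingLevel Verbose
# Caveat: ExchangeUsers grants relay to ANY authenticated domain account, not
# just $relayUser. The RemoteIPRanges list (and the matching firewall rule) is
# what confines the relay to the vendor.

# --- Step 2b, option B: anonymous relay, only if the application cannot
# authenticate. The right that actually permits relaying to external domains
# is ms-Exch-SMTP-Accept-Any-Recipient; it is granted to ANONYMOUS LOGON on
# this connector alone. Anyone who can source traffic from $vendorIPs can now
# relay as you, so this list and the firewall rule must stay in lock-step.
New-ReceiveConnector -Name 'Vendor app relay (anonymous)' -Server $hub -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $vendorIPs -Fqdn $relayFqdn `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers -RequireTLS $true
Get-ReceiveConnector "$hub\Vendor app relay (anonymous)" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# --- Check: every connector on the Hub, its binding, who may reach it and how
# it authenticates. Anything anonymous that is not pinned to a narrow
# RemoteIPRanges is an open relay waiting to happen.
Get-ReceiveConnector -Server $hub |
    Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS |
    Format-Table -AutoSize
```

Deploy only one of the two connectors. Whatever device NATs the chosen port to HUB01 should permit only the vendor's addresses, so the network rule and RemoteIPRanges say the same thing. To verify from outside, `openssl s_client -starttls smtp -connect smtp.corp.example:587` should show your certificate and an `AUTH LOGIN` advertisement only after STARTTLS, and a `RCPT TO:` for an external domain without authenticating should be refused with Exchange's `550 5.7.1 Unable to relay`.
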
Author Comment

by:amku03
ID: 34155495
@Chris: when you say open the SMTP port, is that something through the ISA server?

Expert Comment

by:Chris Dent
ID: 34155531

How do you handle inbound mail at the moment? If you accept mail directly in from the outside then SMTP will already be open, the thing that prevents other people using your SMTP server as a relay is authentication.

I'm not an ISA expert, but I can help you find one if it comes to that; it would be good to understand how much of your system is exposed at the moment, though.

Chris

Author Comment

by:amku03
ID: 34155806
This is what the vendor had asked for:

SMTP Server Address:
SMTP Port:
SMTP Username:
SMTP Password:
SSL/TLS:

So we have created a user account for this, with a complex password.
Now, we have mail gateways behind firewalls accepting mail directly from the internet.
I am very confused about what the server address for them should be.
Is it the hostname of the mail appliance?

Expert Comment

by:Chris Dent
ID: 34155873

Let's see, do you have this?

   << The Internet >>   ----   ISA   ----   Exchange

Or do you have an anti-spam system in the path?

The system above wants to talk to Exchange, so if there's an anti-spam system in the path you may not expose Exchange to the public at all right now.

If you don't have anything in between, they need the IP of ISA (assuming that's publishing the Exchange stuff). The port would be 25 by default, and I would opt for SSL/TLS if you can (Exchange 2007 / 2010 are dead keen on having proper certificates, so would be able to support that).

Chris

Author Comment

by:amku03
ID: 34158335
We have a Symantec appliance as mail gateway, also working as an anti-spam tool.
ISA is only for publishing OWA / ActiveSync / RPC.

Expert Comment

by:Chris Dent
ID: 34158400

Gotcha, that's going to be the hard bit then. To authenticate you'll need to get the app to the SMTP service on the Exchange server. That would mean poking holes in your firewall to let that traffic in. It's difficult to recommend that; are they dead set on using your Exchange server?

Chris

Author Comment

by:amku03
ID: 34159260
That's something coming in from our legal department: to use the corporate SMTP services.
And I totally agree with you, it's more a matter of opening security holes in our firewall.
Well, thanks for your thoughts on this. I think I need to make our stand clear and probably get the network security team to pitch in with their recommendations.

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 34159299

Absolutely, if you have a network security team you should bug them about this :)

On the positive side you should be able to lock down inbound traffic to that server alone; on the negative side, permitting traffic directly into the core of your corporate network isn't so fun (albeit necessary on occasion).

If I were given a choice, I would have an SMTP service running on the same site as the hosted service. I would ideally configure that with an SSL certificate (for TLS), and I would ideally configure an SPF record that stated exactly which systems were permitted to send as your domain name.

Chris

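A concrete shape for the SPF record Chris recommends, as an added example that is not part of the thread. The names and addresses are placeholders: corp.example stands for the corporate domain, 198.51.100.0/28 for the Symantec gateways that already send to the internet, and 203.0.113.10 for an SMTP service at the vendor's site, which belongs in the record only if that design (rather than relaying through Exchange) is chosen.

```text
; Zone-file fragment for corp.example (placeholder names and addresses, added example)
; 198.51.100.0/28 = corporate mail gateways that deliver to the internet today
; 203.0.113.10    = SMTP service at the vendor's site, only if mail leaves from there
corp.example.        3600  IN  TXT  "v=spf1 ip4:198.51.100.0/28 ip4:203.0.113.10 -all"
```

SPF is evaluated against the envelope sender (MAIL FROM), so the vendor's application has to use a corp.example envelope sender for the record to apply, and the record must list only the path the mail actually takes: if the application relays through the corporate Exchange server instead, the vendor's address does not belong in it. Publishing with `~all` (soft fail) until every legitimate sending host has been confirmed, then switching to `-all`, avoids bouncing real notifications while the list is still being verified.
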
Author Comment

by:amku03
ID: 34159372
On that note : I am working on creating SPF record for my domain.

Author Closing Comment

by:amku03
ID: 34347804
Thanks.