Solved

Setting up Secure SMTP Server for External Network

Posted on 2010-11-17
13
571 Views
Last Modified: 2012-06-21
Exchange 2007, SP1 RU8

We have 2 Physical boxes with CAS & HUB roles on them.
I have a specific requirement from business:

One of their applications is being hosted by a vendor on an external network.
This application sends out mail notifications to us using the vendor-hosted SMTP services.
Now what the team wants is that the externally hosted application should use our corporate SMTP services to relay that application's mails.
I believe this is something that can be done by having a secure SMTP server.
I am not sure how to set that up.

We also have ISA 2006 server publishing exchange services.

Please suggest
0
Comment
Question by:amku03
13 Comments
 
LVL 10

Expert Comment

by:GlobaLevel
ID: 34155338
I'd like to know how this could be done...they would have to create an MX record and CNAME and point to your IP..how else will they allow your corp SMTP Services to interact with their application to send out the notifications..?? Unless there is a share involved, but I don't know how much interaction you have with them...
0
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 34155377
Don't even know if this could be done..

A workaround would be creating a mailbox user in your domain and having the externally hosted application send mail through your Exchange server using that account's authentication.

cheers
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34155388

1. Configure a user account with a complex password which can be used to relay mail
2. Open up access to the SMTP Port from outside (if it's not already)

That's about it. The trouble comes if they can't authenticate the SMTP session. In that case you'd be looking at an anonymous relay, something you'd have to secure on the network layer (by locking down exactly what could talk to it).

Chris
0

 

Author Comment

by:amku03
ID: 34155495
@Chris: when you say open the SMTP port, is that something through the ISA server?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34155531

How do you handle inbound mail at the moment? If you accept mail directly in from the outside then SMTP will already be open, the thing that prevents other people using your SMTP server as a relay is authentication.

I'm not an ISA expert, but I can help you find one if it comes to that, it would be good to understand how much of your system is exposed at the moment though.

Chris
0
 

Author Comment

by:amku03
ID: 34155806
This is what the vendor had asked for:

SMTP Server Address:
SMTP Port:
SMTP Username:
SMTP Password:
SSL/TLS:

So we have created a user account for the same, with a complex password.
Now we have mail gateways behind firewalls accepting mail directly from the internet.
I am big time confused on what the server address should be for them.
Is it the hostname of the mail appliance?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34155873

Let's see, do you have this?

   << The Internet >>   ----   ISA   ----   Exchange

Or do you have an anti-spam system in the path?

The system above wants to talk to Exchange, so if there's an anti-spam system in the path you may not expose Exchange to the public at all right now.

If you don't have anything in between they need the IP of ISA (assuming that's publishing Exchange stuffs). The port would be 25 by default, and I would opt for SSL/TLS if you can (Exchange 2007 / 2010 are dead keen on having proper certificates so would be able to support that).

Chris
0
 

Author Comment

by:amku03
ID: 34158335
We have a Symantec appliance as mail gateway, also working as the anti-spam tool.
ISA is only for publishing OWA / ActiveSync / RPC.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34158400

Gotcha, that's going to be the hard bit then. To authenticate you'll need to get the app to the SMTP service on the Exchange server. That would mean poking holes on your firewall to let that traffic in. It's difficult to recommend that, are they dead set on using your Exchange server?

Chris
0
 

Author Comment

by:amku03
ID: 34159260
That's something coming in from our legal department: to use the corporate SMTP services.
And I totally agree with you, it's more of opening security holes on our firewall.
Well, thanks for your thoughts on this. I think I need to make our stand clear and probably get the network security team to pitch in with their recommendations.
0
 
LVL 71

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 34159299

Absolutely, if you have a network security team you should bug them about this :)

On the positive side you should be able to lock down inbound traffic to that server alone; on the negative side, permitting traffic directly into the core of your corporate network isn't so fun (albeit necessary on occasion).

If I were given a choice, I would have an SMTP service running on the same site as the hosted service. I would ideally configure that with an SSL certificate (for TLS), and I would ideally configure an SPF record that stated exactly which systems were permitted to send as your domain name.

Chris
0
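The two pieces Chris describes (an authenticated relay account, and locking down exactly which system may talk to the SMTP service, over TLS) map onto a dedicated Exchange 2007 receive connector. The following is an added example, not configuration from the thread or from any of its participants; the Hub Transport server name HUB01, the vendor address 203.0.113.10 and the certificate FQDN mail.example.com are placeholders.

```powershell
# Added example: a receive connector on Exchange 2007 that accepts only
# authenticated, TLS-protected submissions from the vendor's single address.
# Run from the Exchange Management Shell on (or against) the Hub Transport server.
# Placeholders: HUB01, 203.0.113.10, mail.example.com.

$hubServer   = "HUB01"
$vendorIp    = "203.0.113.10"     # placeholder: the vendor app's outbound SMTP address
$listenOn    = "0.0.0.0:25"       # the port the firewall/ISA forwards to the Hub server
$certSubject = "mail.example.com" # placeholder: must match the subject of the TLS certificate

# A connector scoped to the vendor's IP only. Exchange selects the connector whose
# RemoteIPRanges matches the sender most specifically, so this one wins over the
# Default connector for sessions from $vendorIp and applies to nothing else.
New-ReceiveConnector -Name "Vendor App Relay" `
    -Server $hubServer `
    -Usage Custom `
    -Bindings $listenOn `
    -RemoteIPRanges $vendorIp `
    -Fqdn $certSubject `
    -AuthMechanism Tls, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true

# Verify the result: no AnonymousUsers permission group, TLS required,
# and only the vendor address in RemoteIPRanges.
Get-ReceiveConnector -Identity "$hubServer\Vendor App Relay" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS

# Cross-check that no other connector on this server hands relay rights to anonymous senders.
Get-ReceiveConnector -Server $hubServer |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, RemoteIPRanges, AuthMechanism -AutoSize
```

The vendor then submits with the dedicated mailbox user's credentials over STARTTLS; BasicAuthRequireTLS means the password is never accepted on a cleartext session, and the firewall rule should permit port 25 to this server from 203.0.113.10 only.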
 

Author Comment

by:amku03
ID: 34159372
On that note: I am working on creating an SPF record for my domain.
0
 

Author Closing Comment

by:amku03
ID: 34347804
tx
0
