Solved

Setting up Secure SMTP Server for External Network

Posted on 2010-11-17
Last Modified: 2012-06-21
Exchange 2007, SP1 RU8

We have 2 Physical boxes with CAS & HUB roles on them.
I have a specific requirement from business:

One of their applications is being hosted by a vendor on an external network.
This application sends out mail notifications to us using the vendor-hosted SMTP services.
Now what the team wants is that the externally hosted application should use our corporate SMTP services to relay that application's mails.
I believe this is something that can be done by having a secure SMTP server.
I am not sure how to set that up.

We also have ISA 2006 server publishing exchange services.

Please suggest
0
Comment
Question by:amku03
13 Comments
 
LVL 10

Expert Comment

by:GlobaLevel
ID: 34155338
I'd like to know how this could be done... they would have to create an MX record and CNAME and point to your IP... how else will they allow your corp SMTP services to interact with their application to send out the notifications..?? Unless there is a share involved, but I don't know how much interaction you have with them...
0
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 34155377
Don't even know if this could be done..

A workaround would be creating a mailbox user in your domain and having the externally hosted application send mail through your Exchange server using that account's authentication.

cheers
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34155388

1. Configure a user account with a complex password which can be used to relay mail
2. Open up access to the SMTP Port from outside (if it's not already)

That's about it. The trouble comes if they can't authenticate the SMTP session. In that case you'd be looking at an anonymous relay, something you'd have to secure on the network layer (by locking down exactly what could talk to it).

Chris
0
 

Author Comment

by:amku03
ID: 34155495
@Chris: when you say open the SMTP port, is that something through the ISA server?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34155531

How do you handle inbound mail at the moment? If you accept mail directly in from the outside then SMTP will already be open, the thing that prevents other people using your SMTP server as a relay is authentication.

I'm not an ISA expert, but I can help you find one if it comes to that, it would be good to understand how much of your system is exposed at the moment though.

Chris
0
 

Author Comment

by:amku03
ID: 34155806
This is what the vendor had asked for:

SMTP Server Address:
SMTP Port:
SMTP Username:
SMTP Password:
SSL/TLS:

So we have created a user account for the same, with a complex password.
Now we have mail gateways behind firewalls accepting mail directly from the internet.
I am big time confused about what the server address should be for them.
Is it the hostname of the mail appliance?
0

 
LVL 70

Expert Comment

by:Chris Dent
ID: 34155873

Let's see, do you have this?

   << The Internet >>   ----   ISA   ----   Exchange

Or do you have an anti-spam system in the path?

The system above wants to talk to Exchange, so if there's an anti-spam system in the path you may not expose Exchange to the public at all right now.

If you don't have anything in between, they need the IP of ISA (assuming that's publishing Exchange stuff). The port would be 25 by default, and I would opt for SSL/TLS if you can (Exchange 2007 / 2010 are dead keen on having proper certificates so would be able to support that).

Chris
0
 

Author Comment

by:amku03
ID: 34158335
We have a Symantec appliance as mail gateway, also working as an antispam tool.
ISA is only for publishing OWA / ActiveSync / RPC.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34158400

Gotcha, that's going to be the hard bit then. To authenticate you'll need to get the app to the SMTP service on the Exchange server. That would mean poking holes on your firewall to let that traffic in. It's difficult to recommend that, are they dead set on using your Exchange server?

Chris
0
 

Author Comment

by:amku03
ID: 34159260
That's something coming in from our legal department, to use the corporate SMTP services.
And I totally agree with you, it's more of opening security holes on our firewall.
Well, thanks for your thoughts on this. I think I need to make our stand clear and probably get the network security team to pitch in their recommendations.
0
 
LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 34159299

Absolutely, if you have a network security team you should bug them about this :)

On the positive side you should be able to lock down inbound traffic to that server alone; on the negative side, permitting traffic directly into the core of your corporate network isn't so fun (albeit necessary on occasion).

If I were given a choice, I would have an SMTP service running on the same site as the hosted service. I would ideally configure that with an SSL certificate (for TLS), and I would ideally configure an SPF record that stated exactly which systems were permitted to send as your domain name.

Chris
0
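The authenticated, TLS-only, source-restricted relay that Chris describes (dedicated account, SMTP reachable from one external host, TLS) can be expressed as a dedicated Exchange 2007 Receive connector. This is an added example, not code from the thread or from Microsoft; the server name HUB01, the FQDN mail.example.com, the vendor address 203.0.113.10, and the account name svc-vendor-relay are placeholder assumptions.

```powershell
# Added example: dedicated Receive connector for one external application host
# on Exchange 2007 (Hub Transport role). Run from the Exchange Management Shell.
# All names and addresses below are assumptions, replace them with your own.

$HubServer   = "HUB01"                 # assumed Hub Transport server
$ConnName    = "Vendor App Relay"
$VendorIP    = "203.0.113.10"          # assumed public IP of the hosted application
$PublicFqdn  = "mail.example.com"      # assumed name on the server's TLS certificate

# 1. Connector bound to port 25 but answering ONLY the vendor's source address.
#    Exchange selects the connector whose RemoteIPRanges most specifically matches
#    the peer, so a single-host range wins over the default 0.0.0.0-255.255.255.255.
New-ReceiveConnector -Name $ConnName `
    -Server $HubServer `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $VendorIP `
    -Fqdn $PublicFqdn `
    -AuthMechanism Tls,BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 2. Refuse any session on this connector that does not negotiate STARTTLS,
#    so the vendor's username/password never cross the internet in the clear.
#    (BasicAuthRequireTLS above only gates the AUTH command; RequireTLS gates
#    the whole session.) Anonymous is deliberately NOT in PermissionGroups,
#    so nothing can relay here without authenticating.
Set-ReceiveConnector -Identity "$HubServer\$ConnName" -RequireTLS $true

# 3. Verify the result before handing the details to the vendor.
Get-ReceiveConnector -Identity "$HubServer\$ConnName" |
    Format-List Name,Bindings,RemoteIPRanges,Fqdn,AuthMechanism,PermissionGroups,RequireTLS

# 4. Confirm the default connector still does not allow anonymous relay: the
#    "Anonymous" permission group on an internet-facing connector is the classic
#    open-relay misconfiguration Chris warns about.
Get-ReceiveConnector -Server $HubServer |
    Where-Object { $_.PermissionGroups -match "Anonymous" } |
    Format-Table Name,RemoteIPRanges,PermissionGroups -AutoSize
```

What the vendor then receives is the public address that NATs to this connector (or to ISA if it publishes SMTP), port 25, the dedicated account, and "TLS required"; the perimeter firewall should admit TCP/25 from 203.0.113.10 only.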
 

Author Comment

by:amku03
ID: 34159372
On that note: I am working on creating an SPF record for my domain.
0
 

Author Closing Comment

by:amku03
ID: 34347804
tx
0
