Solved

imap and SMTP security

Posted on 2011-03-21
Last Modified: 2012-05-11
hi,

We have a sales office and they have business phones, and the only way they can connect to the Exchange server is by IMAP, so that's fine. But if they are connecting over the cellular network, how am I going to keep the chances of people connecting to our SMTP connector and sending out tons of spam? I can't really lock down access to IP address.
Question by:jonathanduane2010
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184740
What version of Exchange do you have and what sort of phones do you have?

Is Activesync not an available option on the phones?
0
 

Author Comment

by:jonathanduane2010
ID: 35184782
It's a Nokia C500; it comes built with MFE, but it just works with Exchange 2003
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184821
Mail for Exchange on a Nokia is not limited to Exchange 2003 - it should work with All versions of Exchange.

Where did you get the info about it only working with Exchange 2003 from?

What version of Exchange server do you have?
0
 

Author Comment

by:jonathanduane2010
ID: 35184843
Sorry!

My bad, it is supposed to work with Exchange, but it just won't work with Exchange 2003, even though other phones and iPhones work with the same Exchange.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184854
Okay - so do you have Exchange 2003 and can't get the Nokia phone working with your Exchange server?
0
 

Author Comment

by:jonathanduane2010
ID: 35184889
Yes! And I have tried the phone with Exchange 2007 in one of our other companies and it works.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184926
Okay - please can you work through my Exchange 2003 / Activesync article and check your server configuration to make sure that all is well.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Check the IIS settings, run the test on the test site and if you have any errors that need fixing, please read the relevant section in my article and follow the instructions.

If you get stuck anywhere - please let me know.

Thanks

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35184944
See, it definitely works because I can't get a Nokia C5 to work no problem with it
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184957
Sorry - I don't understand your last comment.
0
 

Author Comment

by:jonathanduane2010
ID: 35184975
Activesync definitely works, as I have successfully connected different business phones to it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184992
Okay - that's fine - but bad configuration can cause some phones to work whilst others don't.

Activesync is a much better option for you if you can get it working because SMTP can and is blocked by some ISPs and you will have headaches if you try to use it.

If you can hook up the Nokia to the server and make that sync happily, then you can breathe a sigh of relief.

Please run through my article - it will hopefully help you.
0
 

Author Comment

by:jonathanduane2010
ID: 35185000
OK, will do, thank you.
0
 

Author Comment

by:jonathanduane2010
ID: 35201650
Hi Alan,

I got around to testing it and it failed on the Activesync test. It failed at the following:


 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name mail.domain.ie doesn't match any name found on the server certificate CN=192.168.168.168, OU=HTTPS Management Certificate for SonicWALL (self-signed), O=HTTPS Management Certificate for SonicWALL (self-signed), L=Sunnyvale, S=California, C=US.
 
 
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35202430
That suggests that your Sonicwall is grabbing port 443 - does it use this port for Remote Management of the device and if so, can you change the port to say 444 and then allow port 443 through to the server?
0
 

Author Comment

by:jonathanduane2010
ID: 35202464
Yes, of course, so I just need to port forward 443 to my Exchange server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35202586
Yep - that will enable Activesync to work - if the server is configured properly!
0

Author Comment

by:jonathanduane2010
ID: 35203165
Hi Alan,

I have done that but am getting the same results:


 ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.q102.ie in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 213.146.164.194
 
 Testing TCP port 443 on host mail.q102.ie to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name mail.domain.ie doesn't match any name found on the server certificate CN=192.168.168.168, OU=HTTPS Management Certificate for SonicWALL (self-signed), O=HTTPS Management Certificate for SonicWALL (self-signed), L=Sunnyvale, S=California, C=US.
 
 
 
Do I need to create a new cert?
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35203348
No - the cert is suggesting HTTPS is still being sent to the SonicWall and not your server.

From the server - please visit www.canyouseeme.org and test port 443 - do you see SUCCESS?
0
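The reasoning in the reply above (the certificate on port 443 identifies the firewall, so HTTPS never reaches the mail server) can be checked mechanically. This is an added example, not part of the original thread: it parses the subject string quoted in the test output and reports why it cannot be the mail server's certificate. The function names and the "management" keyword heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# Subject string exactly as reported in the test output quoted in this thread.
SUBJECT = ("CN=192.168.168.168, OU=HTTPS Management Certificate for SonicWALL "
           "(self-signed), O=HTTPS Management Certificate for SonicWALL "
           "(self-signed), L=Sunnyvale, S=California, C=US")

def parse_dn(dn):
    """Split 'K=V, K=V' into a dict, breaking only at commas that start a new key."""
    parts = re.split(r",\s*(?=[A-Za-z]+=)", dn.strip())
    return dict(p.split("=", 1) for p in parts)

def name_matches(expected, presented):
    """Case-insensitive match; a left-most '*.' wildcard covers exactly one label."""
    expected = expected.lower().rstrip(".")
    presented = presented.lower().rstrip(".")
    if presented.startswith("*."):
        return "." in expected and expected.split(".", 1)[1] == presented[2:]
    return expected == presented

def triage(expected_host, subject_dn, san_names=()):
    """Return (ok, findings) for the certificate presented on port 443."""
    subject = parse_dn(subject_dn)
    cn = subject.get("CN", "")
    names = list(san_names) or [cn]  # fall back to CN when no SAN list is given
    findings = []
    ok = any(name_matches(expected_host, n) for n in names)
    if not ok:
        findings.append(f"name mismatch: expected {expected_host}, cert has {names}")
    try:
        if ipaddress.ip_address(cn).is_private:
            findings.append(f"CN is private address {cn}: cert belongs to an internal device")
    except ValueError:
        pass  # CN is a host name, not an IP address
    # Heuristic (assumption): appliance admin certificates often say so in the OU.
    if "management" in subject.get("OU", "").lower():
        findings.append("OU names a management interface: a device in front of the server is answering")
    return ok, findings

if __name__ == "__main__":
    ok, findings = triage("mail.domain.ie", SUBJECT)
    print("certificate OK" if ok else "certificate problem")
    for finding in findings:
        print(" -", finding)
```
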
 

Author Comment

by:jonathanduane2010
ID: 35205384
Yes, I have tried that and it is a success. I have just checked on the Exchange server and I can't view the certificate; it's greyed out.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35205759
Do you really need to open up another question for this?  I am probably the only Expert on this site who knows Activesync inside out - so you may not get much help from other experts other than pointing to my article!

It's your call - but it does seem a little daft.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35205777
From a browser - if I go to https://mail.q102.ie I get your Sonicwall device.  You need to reconfigure this to stop using port 443 for remote management before you can use Activesync configured to use SSL which is the recommended way.

Please consult your Sonicwall documentation to change this.

You are probably using Activesync without SSL which is not in the least bit recommended and not secure!!
0
 

Author Comment

by:jonathanduane2010
ID: 35205946
Sorry Alan,

You are right, it was a little bit daft. I am just under a little bit of pressure, that's all, no offence...

OK, I have actually gone onto my Sonicwall and have actually set up a wizard pointing 443 to my Exchange server. Maybe there is another rule on the Sonicwall, you think?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35205957
No problems - I don't take offence easily and understand the delights of pressure : )

I would imagine it is the Remote Monitoring / Remote Management options (whatever that looks like on a Sonicwall).

The rule you have won't work because as soon as Port 443 traffic hits the sonicwall - it takes the traffic for the Firewall and won't pass it on.

What model is it?  Might be able to do some digging for you.
0
 

Author Comment

by:jonathanduane2010
ID: 35206004
Thanks for understanding!

It's a Sonicwall TZ 190.

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35206009
You are welcome.  I'll get you working - have no fear.

Digging for info - back shortly.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35206060
Please check the following link:

http://www.sonicwall.com/us/support/2213.html?Browser=chrome+10.0.648.151&FormURL=http%3A%2F%2Fwww.sonicwall.com%2Fus%2Fsupport%2F3653.html&keyword=tz190

Last image in the link shows the Administration> Web Management port - the one with 443 will be your problem - change it to 444 and save / reboot.

Then we might get further with the test site.

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35206135
OK, I have now done that.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35206141
Okay - now can you please re-run the test on the test site and see what results you get now.

Thanks

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35206166
Now I am getting this:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.q102.ie in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 213.146.164.194
 
 Testing TCP port 443 on host mail.q102.ie to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: No connection could be made because the target machine actively refused it 213.146.164.194:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally
 
 
 
even though I have set up the rule on the Sonicwall - see attachment
test.JPG
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35206255
Okay - please check your default website properties and make sure that it is using SSL (Port 443).

Run the following from a command prompt please and then upload netstat.txt

netstat -anbp tcp >c:netstat.txt
0
 

Author Comment

by:jonathanduane2010
ID: 35207941
Here you go:
netstat.txt
0
 

Author Comment

by:jonathanduane2010
ID: 35207958
Now I am getting this:

ExRCA is testing Exchange ActiveSync.  
  The Exchange ActiveSync test failed.
   Test Steps
   Attempting to resolve the host name mail.q102.ie in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 213.146.164.194
 
 Testing TCP port 443 on host mail.q102.ie to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
 
 
 
 
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35209267
Okay - please check the Sonicwall rules to make sure port 443 is allowed from all external IPs and also check the IIS settings / permissions on the Default website to make sure that there are no IP restrictions on the Default website etc.

Any Anti-Virus / Anti-Spam on the server?
0
