Solved

Security vulnerability resulting from '550 5.7.1 Unable to relay' fix.

Posted on 2011-04-19
Last Modified: 2013-11-30
Added a second domain using the following steps:
1) set up a second accepted domain in hub transport as an authoritative domain
2) added my new email address to my mailbox settings (user@def.com)
3) set up the new email address as an IMAP account in Outlook 2010

I was able to receive email from outside and inside my organization and send email internally. I just couldn't send externally and got the NDR message '550 5.7.1 Unable to relay'. I did a lot of research and found that my issue may lie in my default receive connector security settings. The changes were to uncheck the security mechanisms on the "Authentication" tab and check the "Externally Secured" option. Then on the "Permission Groups" tab I unchecked the "Anonymous" option.

Keeping in mind that these changes were made to the Default Receive Connector, have I opened up a security risk by selecting the "Externally Secured" option?  

I unchecked the "Anonymous" permission group in an effort to close any gap. I don't want this to be an open relay server. I just need the single Exchange server to send\receive for both domains.

Here's what I have....
Exchange 2007
Outlook 2010
domain 1= abc.com  (original)
domain 2= def.com  (additional)

user@abc.com email is set up as Exchange email in Outlook 2010. user@def.com is set up using IMAP for the same person in Outlook 2010.

Screen shots are attached
Receive-connector-settings.pdf
0
Question by:SKeezot
12 Comments
 
LVL 13

Expert Comment

by:soostibi
ID: 35431958
You should restore the settings of the default receive connector to its default settings (no anonymous user, etc).
You should set up the Outlook IMAP profile so that it authenticates to the outgoing mail server and uses port 587 (this is the client port for relaying for authenticated users).
0
 

Author Comment

by:SKeezot
ID: 35433207
OK. I'm researching what the default settings should be.

One mistake: I actually have the Outlook client set up as a POP3 account, not IMAP. I forget why IMAP wouldn't work before, so I had to use the POP3 settings. Does it matter which I use?

Thanks
0
 
LVL 13

Expert Comment

by:soostibi
ID: 35433442
No, POP account uses SMTP for sending e-mail the same way as IMAP does. Set it up as server requires authentication, fill in the username and password there, and set the port to 587.
0
 

Author Comment

by:SKeezot
ID: 35433760
Ok, it's testing the settings... says that it's completed "Log onto incoming server" but it keeps popping up asking for the username and password. I've tried USER, DOMAIN\USER, USER@DOMAIN.COM and it still pops up.  Any ideas?
0
 

Author Comment

by:SKeezot
ID: 35441469
I have read these articles in detail but they don't apply to SP1 or above. There are many more options in Outlook and Exchange and something still isn't right. The client is still persistently asking me for the username and password. I can basically remove all security and get Outlook 07 to send the email but this can't be the only option.

Can someone with knowledge of Outlook 2007 or 2010 and Exchange Server 2007 SP1 or greater please assist me in finding the magic combination of settings to get IMAP or POP3 to work for sending email from a second authoritative domain?  Thanks in advance.
0
 
LVL 13

Expert Comment

by:soostibi
ID: 35441572
Can you send email out by a person from the first authoritative domain?
0
 

Author Comment

by:SKeezot
ID: 35442545
Yes, email from and to the first authoritative domain works fine but it isn't set up through IMAP or POP3.

I went back and created an IMAP account from scratch and made a few tweaks.  It actually worked.  Once again, I've attached screen shots of my Exchange and Outlook 2010 IMAP settings for your review.  Again, I'm looking for any security vulnerabilities or anything that stands out as a potential threat or problem.  I haven't been able to get the POP3 account to work.

Also, the IMAP account in Outlook creates a PST file which attempts to download the entire Inbox which is about 2.5 GB. I've removed the IMAP account from the Send\Receive All group in Outlook.  Is this the best I can do?  I JUST need to be able to select the Send From address to flip back and forth between "user1@abc.com" and "user1@def.com".

Thanks again for the assistance.
Exchange-2007-IMAP-settings.pdf
0
 

Author Comment

by:SKeezot
ID: 35460356
Update:  I noticed this morning (Monday) that I didn't receive any of the job notification emails from my backup software (Backup Exec 12.5).  I assume that it is due to the change in the settings.    Please take this into account when you look into the settings in the attachment.  I'm not sure if it is related to the "Anonymous" user or not, I just don't want to open a security threat.
0
 

Author Comment

by:SKeezot
ID: 35460399
The Backup Exec service is using SMTP port 25 with the administrator's email\user\password.  It shouldn't be anonymous.  And the Default_SERVER receive connector (port 25) should still have the default settings.
0
 
LVL 28

Accepted Solution

by:
peakpeak earned 2000 total points
ID: 35692725
You should allow both 'default' and 'anonymous', it has nothing to do with relay. Read more here: http://technet.microsoft.com/en-us/library/bb124423.aspx#RDomains
 
0
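The settings discussed in this thread can be audited from the Exchange Management Shell. The script below is an added example, not code from any poster: it lists every receive connector and flags the two conditions that decide relay exposure, namely an Externally Secured (`ExternalAuthoritative`) connector and the `ms-Exch-SMTP-Accept-Any-Recipient` right being held by anonymous logon. The `$anyRange` string form and the output layout are assumptions.

```powershell
# Run in the Exchange Management Shell on the Exchange 2007 server.
$anyRange   = '0.0.0.0-255.255.255.255'            # assumed string form of "any IPv4 address"
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'  # extended right that allows relaying
$anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'

foreach ($rc in Get-ReceiveConnector) {
    $auth     = $rc.AuthMechanism.ToString()
    $groups   = $rc.PermissionGroups.ToString()
    $ranges   = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $bindings = @($rc.Bindings | ForEach-Object { $_.ToString() })

    # Relay right granted (not denied) to anonymous senders on this connector, if any.
    $anonRelay = @($rc | Get-ADPermission -User $anonymous |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) })

    $findings = @()
    if ($auth -match 'ExternalAuthoritative') {
        if ($ranges -contains $anyRange) {
            # Mail arriving here is treated as coming from a trusted source.
            $findings += 'Externally Secured and reachable from any address'
        } else {
            $findings += 'Externally Secured: confirm each remote range is a host you control'
        }
    }
    if ($anonRelay.Count -gt 0) {
        $findings += 'Anonymous logon holds the relay right'
    }
    if ($findings.Count -eq 0) {
        $findings += 'no relay exposure found by this check'
    }

    Write-Host ("{0}  bindings={1}" -f $rc.Name, [string]::Join(',', $bindings))
    Write-Host ("  auth={0}  groups={1}" -f $auth, $groups)
    Write-Host ("  remote ranges={0}" -f [string]::Join(',', $ranges))
    foreach ($f in $findings) { Write-Host ("  -> {0}" -f $f) }
}
```

The bindings column also shows whether a connector is listening on port 587 for authenticated client submission, as suggested earlier in the thread.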
 
LVL 31

Expert Comment

by:James Murrell
ID: 36483035
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
