Solved

how to let user on remote system use Exchange for SMTP

Posted on 2013-02-02
309 Views
Last Modified: 2013-03-08
A vendor installed a new VOIP phone system in our office. He has asked me to provide an email account and SMTP settings for sending email and voice mail attachments to the office. We have a SBS 2008 server for our office domain controller and that server runs Exchange for our self-hosted email. I'll have to confess that I've never set up an email account for a non-domain user, nor do I even know if this is possible. I've set up aliases and forwards, and I've even set up a LAN Linux server to permit relaying through the Exchange server. Apparently, he wants to use the office Exchange server as the VOIP system's email server. I think the target for all those emails will be users on the office domain, so I don't think he wants a relay.

Does someone understand what he wants and how to set it up, or do I need more information?
Question by:jmarkfoley
34 Comments
 
LVL 6

Accepted Solution

by:
Neadom Tucker earned 350 total points
ID: 38847639
His phone system needs an address to send mail from like Voicemail@domain.com.  You will need to tell your Exchange server to allow messages from the phone system.

Here is a nice guide to walk you through it:
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

You will need the IP address of his phone system and just setup a user with an email account.  It depends on how his phone system sends the messages if he needs the password or not.

Cheers!
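As an added example (not from this post or the linked guide), here is the Exchange Management Shell equivalent of the dedicated receive connector the guide walks through, for Exchange 2007 on SBS 2008. The connector name, the FQDN mail.example.org and the remote address 203.0.113.10 are placeholders; substitute the phone system's real public IP.

```powershell
# Added example: a receive connector that accepts SMTP only from the phone
# system's address (Exchange 2007 / SBS 2008). Placeholders below.
$PhoneSystemIP = "203.0.113.10"          # placeholder: the vendor's device IP
$ConnectorName = "Phone System Voicemail" # placeholder connector name

# Bind to port 25 on every local IPv4 address, exactly like the default
# "Windows SBS Internet Receive" connector, but limit RemoteIPRanges to the
# single device. Exchange picks the connector whose remote range matches the
# client most specifically, so this one wins for the device and the default
# connector (0.0.0.0-255.255.255.255) keeps handling everyone else.
New-ReceiveConnector -Name $ConnectorName `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $PhoneSystemIP `
    -Fqdn "mail.example.org" `
    -PermissionGroups AnonymousUsers

# Anonymous Users grants submission (ms-Exch-SMTP-Submit) but not relay
# (ms-Exch-SMTP-Accept-Any-Recipient), so the device can only deliver to
# domains this server is authoritative for. TLS stays advertised (the
# default AuthMechanism) but is not required.

# Turn on per-session protocol logging for this connector only, so a
# rejected test message from the device shows up in the SMTP receive log
# (protocol logging is off by default, which is why tests leave no trace).
Set-ReceiveConnector $ConnectorName -ProtocolLoggingLevel Verbose

# Confirm what was created.
Get-ReceiveConnector $ConnectorName |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, ProtocolLoggingLevel
```

The receive protocol log directory is reported by `Get-TransportServer | Format-List ReceiveProtocolLogPath`; each session from the device is logged there with the full SMTP dialogue, including any 5xx response the server returned.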
LVL 23

Expert Comment

by:Malli Boppe
ID: 38853843
1.) You can set up an email relay for the phone system (controller) and give him your Exchange server IP address, and he should be able to relay the voicemails through the Exchange server to the relevant users.

2.) You can set up a normal domain account with a mailbox. Give username and password and the Exchange server IP address and he should be able to configure the phone system to send voice mails.

Also you probably need to populate all the users' accounts with the relevant phone system information.
LVL 1

Author Comment

by:jmarkfoley
ID: 38932542
Sorry about the delay, but the phone vendor tech just got around to testing things today. I set up a new receive connector as described in suthngin's link, posting ID 38847639. This was basically exactly what I had done in the past to set up our exchange server as the Smart Host for our Linux webserver's sendmail configuration.

When the phone guy sent a test message from earthlink@mydomain.org, he got the error:

WARNING - SMTP '.' command failed. Server 64.129.xx.xx [IP of mail server] Response '554 5.1.0 Sender denied

In my connector properties, I have General Tab: FQDN this connector will provide set to mail.mydomain.org. Network tab: Local IP Address(es) = (All available IPv4 addresses) 25; Remote IP address(es) = 66.202.xx.xx [the IP the phone guy gave me as his device]. Authentication tab: Transport Layer Security (TLS). Permission Groups: Anonymous Users.

Those are all the settings. So, what did I do wrong?
LVL 6

Expert Comment

by:Neadom Tucker
ID: 38936743
Your phone system is on the WAN?  That is NOT what you need to do then.  He does not have an IP Address on your LAN?
LVL 1

Author Comment

by:jmarkfoley
ID: 38936840
no, IP is WAN, not LAN. What should I do differently?
LVL 1

Author Comment

by:jmarkfoley
ID: 38940771
Does anyone have anything on this? I'm getting some pressure to get it working. Thanks.
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 40 total points
ID: 38944304
Here's the blog that will do the trick
http://blog.mpecsinc.ca/2009/09/sbs-2008-mfpcopier-to-scan-to-e-mail.html
you can skip over the stuff related to SharePoint but this blog is specific to SBS 2008

The thing I find odd is that he gave you the public IP for his VOIP system...it should have a IP address on the LAN
LVL 36

Expert Comment

by:ArneLovius
ID: 38945029
if this is only being used for email addresses that exist on the Exchange server, you don't need to do anything, the phone system should just send using anonymous SMTP as any other email server trying to deliver to your Exchange server
LVL 1

Author Comment

by:jmarkfoley
ID: 38946300
Thanks for the responses!


CrisHanna_MVP: I've made the changes suggested in your blog link. The difference with my receive connector setup is removing the TLS authentication from Authentication and running the "Get-ReceiveConnector" command in the Exchange Shell. I kept the Internet-public FQDN instead of the Domain FQDN because the vendor computer is not on the LAN. Unfortunately, we'll have to wait until Monday for the vendor tech to be able to test this. So I'll post results then.

One thing I found out after my initial post is that this is NOT a VOIP setup. I thought it was. The phone system is set up over regular land lines.

I'll be back! Thanks!
LVL 22

Expert Comment

by:Paka
ID: 38947452
It's a bad idea to open an external receive connector to anonymous.  Are you sure you can't get the vendor to use a local IP?  What's the VOIP system model number?
LVL 36

Expert Comment

by:ArneLovius
ID: 38947549
It's perfectly normal to allow anonymous on receive connectors.

to allow relay is a different kettle of fish.

if you didn't allow anonymous, you'd have trouble receiving email from any external senders....
LVL 35

Expert Comment

by:Cris Hanna
ID: 38948766
The anonymous access on the receive connector in this scenario is restricted to a single IP address...not allowing the entire world in.
LVL 36

Expert Comment

by:ArneLovius
ID: 38949461
@CrisHanna_MVP I think we might be at cross purposes

All I am saying is that to receive email from the rest of the internet you need to allow anonymous SMTP, and as long as the voicemails are only being sent to addresses on the Exchange server, there is no requirement to allow relay, therefore the external voicemail server only needs to send using anonymous SMTP.

If any of the voicemail destinations are not on the Exchange server, then either the voicemail server should send them direct to the other destinations, or they could be created as contacts in Exchange, at which point they are being forwarded rather than relayed to the external addresses.

I have made the assumption that the voicemail server is able to send using SMTP using DNS to look up the MX record. I have made this assumption based on the fact that it is externally hosted, and as it is externally hosted it is unlikely to be dedicated to one company, and would therefore either be able to send to multiple domains via DNS lookup of MX records, or have a local smarthost that is able to do DNS lookup of MX records.

This is very different to an MFP which might be used inside a company to send scans to "any" address, and is unable to use DNS for sending email, but instead requires a "smarthost" to be configured, this would require that relaying was allowed on the receive connector on the Exchange server.
LVL 1

Author Comment

by:jmarkfoley
ID: 38952378
Paka: no, the vendor cannot use a local IP since the phone device is not on the LAN, nor would I want it to be, actually. This site contains confidential information and I wouldn't want a 3rd party computer system as part of the LAN. As CrisHanna_MVP points out, this access is being restricted to a single IP.

Results of test: The vendor tech is still getting the message: "WARNING - SMTP '.' command failed. Server 64.129.23.xx Response '554 5.1.0 Sender denied." I do not see any log messages in the Exchange log file showing this attempted access, which I find a bit odd (or maybe I'm not looking in the right log).

The sender email name is arbitrary. I'm just having him use earthlink@mydomain.com. Nothing is supposed to go back to this address as a recipient. I didn't really want to create a local domain account just for relaying messages to local users. Do I need to create this account in Exchange?

Any idea where this is going wrong?
LVL 1

Author Comment

by:jmarkfoley
ID: 38952386
CrisHanna_MVP: in re-reading your post, you wrote, "... as it is externally hosted it is unlikely to be dedicated to one company,". The phone system does have an external IP, but I do believe it is dedicated to this one company. The box is physically located in the office, but with its own Internet connection directly from Earthlink. It does not even use the building cable wiring. I assume they are trying to use our Exchange server as a smart host and do not have access to any other mail server.
LVL 22

Assisted Solution

by:Paka
Paka earned 20 total points
ID: 38952399
That 5.1.0 is coming from sender filtering; see:
http://technet.microsoft.com/en-us/library/bb124354.aspx
LVL 1

Author Comment

by:jmarkfoley
ID: 38955403
In further reading in the link supplied by Paka, it appears likely that the Exchange server is regarding the sender as a spoofed address. I could possibly configure the Sender ID and Sender Filter to permit this IP, but that is looking way complicated (and why am I not seeing a Sender ID status of 'Fail' or something in the Exchange log?)

What I want to do is very common. For example, I have an SMTP account at NetworkSolutions, through which I send SMTP mail to whoever I want from Outlook on my home laptop. My home laptop's IP is certainly not within the NetworkSolutions local domain. I have to authenticate using an ID and password and that's it. Surely something similar can be done with Exchange. Perhaps that would be the simplest solution?

Still need help on this! Vendor getting irritated.
LVL 36

Expert Comment

by:ArneLovius
ID: 38955482
Ask the vendor, what address they are trying to send as ?

I would suggest that they used a subdomain such as @voicemail.company.com, or a completely different domain, but the important part is that it should NOT be a domain that the Exchange server is authoritative for.

Ask the vendor, if the voicemail server is in the same building, why send the voicemails out over the internet to come back in again?

Do you have a DMZ that the voicemail server can connect to, to send the email "internally"?

It is unlikely that the voicemail server can send email using username and password for SMTP authentication; however, if it can, you should not enable authentication on the existing receive connector, but create a new one just for it. You can then use IP address filtering on the receive connectors to restrict it from the main connector, and allow it on the connector that is just for it.

Authenticated email sending should be done on port 587, using TLS to secure the username and password.
LVL 1

Author Comment

by:jmarkfoley
ID: 38955672
ArneLovius: your questions:

> Ask the vendor, what address they are trying to send as ?

I do have the IP address of the phone system and have created a new receive connector according to the link in CrisHanna_MVP's post ID: 38944304. Under the Network tab this specifies the local Exchange server's IP, port 25 as the local IP and the vendor's phone system IP as the remote IP. Under authentication I have nothing checked. Under Permission Group I have Anonymous users.

> I would suggest that they used a subdomain such as @voicemail.company.com, or a completely different domain, but the important part is that it should NOT be a domain that the Exchange server is authoritative for.

I could try this but I'm not confident. The domain they specify will likely not include this IP and may not have such a user, but I'll likely give this a shot next.

> Ask the vendor, why if the voicemail server is in the same building, why send the voicemails out over the internet to come back in again ?

The answer is that this box is not connected to the building wiring at all and is a separate line from the ISP provider Earthlink. I guess this is just policy.

> Do you have a DMZ that the voicemail server can connect to, to send the email "internally"

No, but as stated, the phone system is not physically connected to the building. We'll likely have to look at VPN for a similar solution, I think.


> It is unlikely that the voicemail server can send email using username and password for SMTP authentication; however, if it can, you should not enable authentication on the existing receive connector, but create a new one just for it. You can then use IP address filtering on the receive connectors to restrict it from the main connector, and allow it on the connector that is just for it.

According to the vendor, it can use username/PW authentication as such a setup is supposedly working at other customer sites. I do have a separate receive connector set up. (but see my next message).

> Authenticated email sending should be done on port 587, using TLS to secure the username and password.

The vendor's box cannot do TLS
LVL 35

Expert Comment

by:Cris Hanna
ID: 38955691
If they can do username password, why not just have them send out through your network solutions SMTP server, which is the same way you do.
LVL 1

Author Comment

by:jmarkfoley
ID: 38955694
I have stepped back and tried to do a basic relay using my home laptop's Outlook and using the office Exchange server as the SMTP server. I've followed the directions in the link http://www.petri.co.il/authenticated-or-anonymous-smtp-relay-with-exchange-2007.htm, which had me modify the existing 'Windows SBS Internet Receive MAIL' receive connector. The Authentication was "TLS" only, and I added "Basic Authentication". The Permission Group was "Anonymous Users" only and I added "Exchange Users".

I then configured a new account on my laptop Outlook specifying this Exchange Server host as the SMTP server (and some other known working host as my POP server). In 'more settings > Outgoing Server', I checked: "My outgoing server (SMTP) requires authentication", and I entered my Domain ID and Password in "log on using." When I clicked the 'Send test e-mail message' button I got: "Unable to send test Message. Please verify the E-Mail Address Field."

Apparently I am completely clueless as to how to set up what I need!
LVL 36

Assisted Solution

by:ArneLovius
ArneLovius earned 90 total points
ID: 38955696
If it can't do TLS, then any authentication is sent in clear text, as the account would be a domain account, that would be a domain username and password being sent in clear text over the internet, I'm sure you can see the issue....

I am going to guess that the vendor is trying to send as either your internal or external domain name, and Exchange is quite correctly blocking the email.

If you look at it another way, if I wanted to do a spear phishing attack on your company and you block your domain name on your receive connectors, I can't send an email that appears to be from your CTO to your CEO asking the CEO to have a look at a pdf that contains a 0 day attack....
LVL 1

Author Comment

by:jmarkfoley
ID: 38955726
> If it can't do TLS, then any authentication is sent in clear text, as the account would be a domain account, that would be a domain username and password being sent in clear text over the internet, I'm sure you can see the issue....

That is why I was setting up the receive connector to specify the phone device's specific IP address and why I wasn't wanting to require him to have a login account.

Perhaps the solution is to somehow tell Exchange that this IP is part of the LAN/Domain?

I have already set up something similar with a Linux host on the LAN which specifies the Exchange Server as the 'Smart Host' and also specifies the same public domain as the SBS Domain (masquerade_as). User accounts on the Linux host can send to Domain accounts and external addresses, no login is necessary. But this apparently doesn't work with the phone device, possibly because it is not on the LAN?
LVL 36

Expert Comment

by:ArneLovius
ID: 38955779
If you put the receive connectors back to the way they were originally, then get the vendor to send as something that is not your domain, it should "just work".
LVL 1

Author Comment

by:jmarkfoley
ID: 38957411
Well, I got it working! I followed this blog: http://msexchangeteam.com/archive/2006/12/28/432013.aspx, option #1. According to the author, you first have to set the permission group to "Exchange Servers", then go to authentication and select "Externally Secured." The author says, "If you do not perform these two steps in order, the GUI blocks you from continuing." Anyway, doing this worked. I asked the vendor more specifically about TLS and he decided that the phone device can do TLS, so I turned that on as well. I've done an nmap on the phone IP and port 25 is not open, so I suppose I don't have to worry about spammers using that box as a relay (correct me if I'm wrong). The sender address works with either a phone device generated email address, or with one having the SBS domain name.

I think we can stick a fork in this one. Other comments?
LVL 36

Expert Comment

by:ArneLovius
ID: 38957424
that is for allowing relay, which should not be required if the voicemail server is only sending to accounts that exist on your exchange server...
LVL 1

Author Comment

by:jmarkfoley
ID: 38957490
Well, you are right, that does allow relaying, and I would actually like to prevent relaying to accounts outside the exchange server. Do you have an alternate configuration suggestion? Everything else I've tried so far has resulted in the voicemail server getting, "WARNING - SMTP '.' command failed. Server 64.129.23.xx Response '554 5.1.0 Sender denied."

The voicemail server does not have port 25 open, so there shouldn't really be an issue with spammers relaying, right? Therefore, only the recipient addresses configured in the voicemail server (which are tied to individual phone extensions) should receive email. Still, I would like to actually prevent relaying outside the office. What is your suggestion?
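As an added example (not from the thread or the blog it links), this is what the "Externally Secured" configuration the thread settled on, and the blog's second option, look like from the Exchange Management Shell, followed by an audit that answers the question just raised: which receive connectors will relay, and for which source ranges. The connector name is the same placeholder as in the earlier example; `Get-RelayCapableConnectors` is a helper written here, not an Exchange cmdlet, and it is kept to PowerShell 1.0 syntax because that is what the Exchange 2007 shell on SBS 2008 ships with.

```powershell
# Added example: granting and auditing relay on the phone system connector
# (Exchange 2007 / SBS 2008). $ConnectorName is a placeholder.
$ConnectorName = "Phone System Voicemail"

# Option 1 from the blog: treat the device as a trusted Exchange server.
# ExternallySecured is only valid with the ExchangeServers permission group,
# which is why the GUI insists on setting the group first; the shell
# validates the combined result, so one call suffices. Note the cost: the
# source range is trusted like an internal Exchange server, which includes
# relaying to ANY recipient and bypassing the anti-spam agents.
Set-ReceiveConnector $ConnectorName `
    -PermissionGroups ExchangeServers `
    -AuthMechanism "Tls, ExternallySecured"

# Option 2 from the blog: keep the connector anonymous and grant only the
# relay right. Narrower than option 1 (sender filtering still applies), but
# it is still relay, so only use it on a connector whose RemoteIPRanges is
# the single device. Commented out so the block applies option 1 only.
# Get-ReceiveConnector $ConnectorName |
#     Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
#                      -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit helper: list every connector that will relay, and for whom.
# A connector relays for its RemoteIPRanges if it trusts the source as an
# Exchange server (option 1) or if anonymous has an explicit, non-Deny
# ms-Exch-SMTP-Accept-Any-Recipient grant (option 2).
function Get-RelayCapableConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $trusted = ("$($rc.PermissionGroups)" -match "ExchangeServers") -or
                   ("$($rc.AuthMechanism)"   -match "ExternallySecured")

        $anonRelay = $rc | Get-ADPermission | Where-Object {
            ("$($_.User)" -like "*ANONYMOUS LOGON") -and
            (-not $_.Deny) -and
            ("$($_.ExtendedRights)" -match "Accept-Any-Recipient")
        }

        if ($trusted -or $anonRelay) {
            $ranges = @()
            foreach ($r in $rc.RemoteIPRanges) { $ranges += $r.ToString() }
            $reason = "Anonymous Accept-Any-Recipient"
            if ($trusted) { $reason = "ExchangeServers / ExternallySecured" }

            $row = New-Object PSObject
            $row | Add-Member NoteProperty Connector      $rc.Name
            $row | Add-Member NoteProperty RemoteIPRanges ([string]::Join(", ", $ranges))
            $row | Add-Member NoteProperty Reason         $reason
            $row
        }
    }
}

Get-RelayCapableConnectors | Format-Table -AutoSize
```

If the audit shows a relay-capable connector whose RemoteIPRanges is wider than the one device (for example the default internet-facing connector), that is the configuration the earlier comments warned about; the device-only connector appearing in the list is the expected result of option 1.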
LVL 36

Expert Comment

by:ArneLovius
ID: 38957558
as long as the voicemail server is not trying to send using @internaldomain or @externaldomain, then it should work over the standard receive connector for receiving email from any external source in exactly the same way as receiving _any_ external email...

unless of course they are trying to send to addresses that are not on your Exchange server...
LVL 1

Author Comment

by:jmarkfoley
ID: 38959764
That didn't work for whatever reason. After setting the receive connector up according to CrisHanna_MVP's post ID 38944304 he got that 5.1.0 error. I had, in fact, asked him to use the local domain in his sender address, but once we got it working it was obvious he had not done that, i.e. he was sending using something other than our internal or external domain. I was having him send to my domain address, which is on the exchange server. So, I believe I was doing as you suggested, but no go.
LVL 36

Expert Comment

by:ArneLovius
ID: 38959852
the link provided in that post is to setup an additional receive connector, I am suggesting that it is not required.

if however that connector would only work when you had enabled relay on the new receive connector, "something else" is happening.

As the "something else" is unknown, I'm afraid I'm at the limit of "blind diagnosis" beyond checking that the IP address used by the voicemail system is not on any RBLs configured on the Exchange server, and is not on any deny lists used by the Exchange server...
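As an added example (not from the thread), these are the Exchange Management Shell checks that narrow down a "554 5.1.0 Sender denied" response: Paka's pointer to sender filtering, the Sender ID spoof check the author suspected, the RBL and deny lists just mentioned, and the logging gap the author noticed (a message refused mid-session never reaches message tracking). The IP 203.0.113.10 is a placeholder for the phone system's address; the anti-spam cmdlets only exist if the anti-spam agents are installed on the Hub Transport role, which `Get-TransportAgent` will confirm.

```powershell
# Added example: locating the source of "554 5.1.0 Sender denied" on
# Exchange 2007 / SBS 2008. $PhoneSystemIP is a placeholder.
$PhoneSystemIP = "203.0.113.10"

# 0. Which agents are installed and enabled? The checks below only apply
#    to agents that appear here (Sender Filter, Sender ID, Connection Filtering).
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 1. Sender Filter agent: blocked senders/domains and blank-sender blocking
#    produce the 5.1.0 "Sender denied" response.
Get-SenderFilterConfig |
    Format-List Enabled, BlockedSenders, BlockedDomains, BlockedDomainsAndSubdomains,
                BlankSenderBlockingEnabled, Action

# 2. Sender ID agent: if the device sends as a domain whose SPF record does
#    not list its IP, SpoofedDomainAction decides whether it is rejected.
Get-SenderIdConfig |
    Format-List Enabled, SpoofedDomainAction, TempErrorAction, BypassedSenderDomains, BypassedRecipients

# 3. Connection filtering: local block/allow entries and any RBL providers.
Get-IPBlockListEntry |
    Where-Object { $_.IPRange.ToString() -match [regex]::Escape($PhoneSystemIP) }
Get-IPAllowListEntry | Format-Table IPRange, ExpirationTime -AutoSize
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled -AutoSize

# 4. Logging. Protocol logging defaults to None, so a rejected session leaves
#    nothing in the receive log until it is turned on for the connector.
Get-ReceiveConnector | Format-Table Name, ProtocolLoggingLevel -AutoSize
Get-TransportServer | Format-List Name, ReceiveProtocolLogPath, ReceiveProtocolLogMaxAge

# 5. The agent log records anti-spam agent decisions with the SMTP response
#    text, which is where a "Sender denied" rejection actually shows up.
Get-AgentLog -StartDate ((Get-Date).AddDays(-1)) |
    Where-Object { "$($_.IPAddress)" -eq $PhoneSystemIP } |
    Format-List Timestamp, IPAddress, P1FromAddress, Recipients, Agent, Event,
                Action, SmtpResponse, Reason, ReasonData
```

The `Agent` and `Reason` fields of a matching agent-log entry say which agent refused the sender and why (for example a blocked domain versus a Sender ID fail), which is the distinction the thread could only guess at.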
LVL 1

Author Comment

by:jmarkfoley
ID: 38963820
Thanks ArneLovius, but no, things did not work without setting up the connector. Remember that the voicemail server is not its own mail server and wants to use our Exchange server as its email server. So, a new connector seems like the only thing that actually works.
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 38963868
As it turns out, suthngin's very first response to my posting referenced the exact same blog I finally used to get this working (which blog I had archived a few years ago). So, suthngin really needs to take the credit on this one. I don't know why I couldn't get it to work following those instructions initially, but maybe because I didn't pay close enough attention to that all-important order of operations the blog author talked about. Nevertheless, I will spread out some of the points in proportion to participation level because I am grateful to all of you for working with me on this problem. Thanks!
LVL 36

Expert Comment

by:ArneLovius
ID: 38965147
If it needs relay enabled, then ipso facto, it is using Exchange to send to addresses that are not on your Exchange server...