Avatar of RISLA
RISLA
Flag for United States of America asked on

Sending email from DMZ web server using Exchange 2010

I've been working on allowing my developers to send emails (Forgot password) from our DMZ web server - Securely.

I enabled SMTP from the DMZ web server IP to the exchange server IP on our firewall.

Set up a new receive connector using only the DMZ web server's IP address and port 25.
         -Tried every combination of check boxes (TLS, Basic, Externally secured, anonymous, ect...)
         -The ONLY way the email goes out is if I check off "Externally Secured".
                     -All other combinations return 571 - Authentication errors.


Here is my question...

With "Externally Secured", am I at risk of having someone outside of the company use my exchange server to send email?

If so, what other options do I have...other than Externally Secured?
VulnerabilitiesExchangeWindows Networking

Avatar of undefined
Last Comment
RISLA

8/22/2022 - Mon
Bembi

The exchange server has receive connectors. Which every connector it is defined, from which sources the exchange accepts emails and what are the conditions to take them (i.e authentication). If the mail can pass the firewall between the DMZ and Exchange (i.e. port 25 is open), the connector settings determine, if the mail is accepted or not.

If several connectors are defined, make sure, that the scopes are clearly separated. Means that not a different connector takes the mails and enforces a specified authentication method. The easiest way is to allow anonymous mails from a defined source (i.e IP address) from your DMZ and to make sure, that none of the other connectors take the mails. In practice it means, that you have to make sure, that the source is excluded (or not included) in all of the other connectors (overlapping scopes.).

So, a connector, which accepts mails from a dedicated IP (from the DMZ) which anonymous access should solve the problem.

The other point is the senders address. You have to make sure, that the senders address belongs to your organization, otherwise exchange may assume a not allowed relay.
RISLA

ASKER
Thanks for the info.

The three connector scopes are explicitly defined. So I know I'm using the correct connector.

 But with Externally Secured checked, am I at risk of having someone outside of the company use my exchange server to send email?
Bembi

The exchange connector defines, what methods are allowed. The connector should be defined, that it accepts connections from your DMZ IP address,  nothing else. Then only this source is allowed to relay over this connector.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
RISLA

ASKER
Thank you again Bembi. I just need a little clarification...

Since I've allowed my Exchange server to accept anonymous SMTP from my DMZ, could someone "Hack" my DMZ server and use it as a relay with little effort?
ASKER CERTIFIED SOLUTION
Bembi

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
RISLA

ASKER
Thank you for all of the information. Above and beyond for sure.