
Sending email from DMZ web server using Exchange 2010

Last Modified: 2014-05-22
I've been working on allowing my developers to send emails (Forgot password) from our DMZ web server - Securely.

I enabled SMTP from the DMZ web server IP to the Exchange server IP on our firewall.

Set up a new receive connector using only the DMZ web server's IP address and port 25.
  - Tried every combination of check boxes (TLS, Basic, Externally Secured, anonymous, etc.)
  - The ONLY way the email goes out is if I check off "Externally Secured".
      - All other combinations return 571 - Authentication errors.


Here is my question...

With "Externally Secured", am I at risk of having someone outside of the company use my Exchange server to send email?

If so, what other options do I have...other than Externally Secured?

Bembi, CEO
CERTIFIED EXPERT

Commented:
The Exchange server has receive connectors. With every connector it is defined from which sources Exchange accepts emails and what the conditions are to take them (i.e. authentication). If the mail can pass the firewall between the DMZ and Exchange (i.e. port 25 is open), the connector settings determine whether the mail is accepted or not.

If several connectors are defined, make sure that the scopes are clearly separated. That means that no different connector takes the mails and enforces a specified authentication method. The easiest way is to allow anonymous mails from a defined source (i.e. IP address) from your DMZ and to make sure that none of the other connectors take the mails. In practice it means that you have to make sure that the source is excluded (or not included) in all of the other connectors (overlapping scopes).

So, a connector which accepts mails from a dedicated IP (from the DMZ) with anonymous access should solve the problem.

The other point is the sender's address. You have to make sure that the sender's address belongs to your organization, otherwise Exchange may assume a relay that is not allowed.

Author

Commented:
Thanks for the info.

The three connector scopes are explicitly defined. So I know I'm using the correct connector.

But with Externally Secured checked, am I at risk of having someone outside of the company use my Exchange server to send email?
Bembi, CEO
CERTIFIED EXPERT

Commented:
The Exchange connector defines what methods are allowed. The connector should be defined so that it accepts connections from your DMZ IP address, nothing else. Then only this source is allowed to relay over this connector.
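
One way to build and then audit the dedicated relay connector described in the replies above, for the Exchange 2010 Management Shell. This is an added example, not code from any poster; the server name, connector name and IP address are constructed placeholders.

```powershell
# Added example for the Exchange 2010 Management Shell. All names and
# addresses below are constructed placeholders, not values from the thread.
$Server    = 'EXCH01'          # hypothetical Hub Transport server
$Connector = 'DMZ Web Relay'   # hypothetical connector name
$DmzWebIp  = '192.0.2.10'      # hypothetical DMZ web server address

# 1. Dedicated connector: one source IP, no authentication offered,
#    anonymous permission group only.
New-ReceiveConnector -Name $Connector -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $DmzWebIp `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# 2. Anonymous sessions cannot relay to external recipients by default.
#    Grant only that right, and only on this connector.
Get-ReceiveConnector "$Server\$Connector" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Audit: list every connector on the server that can relay without
#    authentication (Externally Secured, or anonymous with the relay
#    right) together with the source ranges it accepts.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $c = $_
    $anonRelay = Get-ADPermission -Identity $c.DistinguishedName `
            -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and
            $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
    $external = "$($c.AuthMechanism)" -match 'ExternalAuthoritative'
    if ($anonRelay -or $external) {
        New-Object PSObject -Property @{
            Connector         = $c.Identity
            ExternallySecured = $external
            AnonymousRelay    = [bool]$anonRelay
            RemoteIPRanges    = ($c.RemoteIPRanges -join ', ')
        }
    }
} | Format-List Connector, ExternallySecured, AnonymousRelay, RemoteIPRanges
```

Any connector the audit lists with a RemoteIPRanges value wider than the single DMZ address is worth reviewing for overlapping scope.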

Author

Commented:
Thank you again Bembi. I just need a little clarification...

Since I've allowed my Exchange server to accept anonymous SMTP from my DMZ, could someone "Hack" my DMZ server and use it as a relay with little effort?
CEO
CERTIFIED EXPERT
Commented:

Author

Commented:
Thank you for all of the information. Above and beyond for sure.
