RISLA (United States of America) asked:
Sending email from DMZ web server using Exchange 2010

I've been working on allowing my developers to send emails (Forgot password) from our DMZ web server - Securely.

I enabled SMTP from the DMZ web server IP to the Exchange server IP on our firewall.

Set up a new receive connector using only the DMZ web server's IP address and port 25.
  - Tried every combination of check boxes (TLS, Basic, Externally Secured, Anonymous, etc.)
  - The ONLY way the email goes out is if I check off "Externally Secured".
      - All other combinations return 571 - Authentication errors.


Here is my question...

With "Externally Secured", am I at risk of having someone outside of the company use my exchange server to send email?

If so, what other options do I have...other than Externally Secured?
Bembi (Germany):

The Exchange server has receive connectors. For every connector it is defined from which sources Exchange accepts emails and what the conditions are for accepting them (i.e. authentication). If the mail can pass the firewall between the DMZ and Exchange (i.e. port 25 is open), the connector settings determine whether the mail is accepted or not.

If several connectors are defined, make sure that the scopes are clearly separated. This means that no different connector takes the mails and enforces a specified authentication method. The easiest way is to allow anonymous mails from a defined source (i.e. IP address) in your DMZ and to make sure that none of the other connectors take the mails. In practice it means that you have to make sure that the source is excluded (or not included) in all of the other connectors (overlapping scopes).

So a connector which accepts mails from a dedicated IP (from the DMZ) with anonymous access should solve the problem.

The other point is the sender's address. You have to make sure that the sender's address belongs to your organization, otherwise Exchange may assume a not allowed relay.
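The connector setup Bembi describes, as an added example that is not from the original thread: a dedicated Exchange 2010 receive connector scoped to the DMZ web server only, the relay right granted to anonymous logon on that one connector, and a check for any other connector whose RemoteIPRanges also cover the DMZ address. The server name HUB01 and the addresses 203.0.113.10 (DMZ web server) and 10.0.0.25 (Exchange) are placeholders, and the IPRange property names used in the overlap check are assumed from the Exchange 2010 object model. On the asker's worry about "Externally Secured": that mechanism requires the ExchangeServers permission group and treats every host in the connector's RemoteIPRanges as a trusted Exchange server (relay to any recipient, any sender address accepted, anti-spam bypassed), so the accuracy of that IP list is the only thing preventing an open relay; the anonymous-plus-explicit-relay-right approach below grants less.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# on an Exchange 2010 Hub Transport server. Placeholders (assumptions):
$HubServer    = "HUB01"          # Hub Transport server hosting the connector
$DmzWebServer = "203.0.113.10"   # the only host allowed to submit mail
$ExchangeIp   = "10.0.0.25"      # address the connector listens on
$ConnName     = "Relay from DMZ web"

# 1. Dedicated connector: single remote IP, anonymous permission group, no
#    "Externally secured". Tls here only offers STARTTLS; it does not require it.
New-ReceiveConnector -Name $ConnName -Server $HubServer `
    -Usage Custom `
    -Bindings "${ExchangeIp}:25" `
    -RemoteIPRanges $DmzWebServer `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers

# 2. AnonymousUsers alone allows submission to recipients in your accepted
#    domains only. If the forgot-password mail must reach external addresses,
#    grant relay (accept-any-recipient) to anonymous logon on THIS connector only,
#    instead of making the web server a fully trusted "externally secured" host.
Get-ReceiveConnector "$HubServer\$ConnName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Overlap check: list every other connector whose RemoteIPRanges also cover
#    the DMZ address. Exchange picks the connector with the most specific
#    matching range, so the default 0.0.0.0-255.255.255.255 connector is expected
#    here; any other connector with an equally narrow range is the problem case.
function ConvertTo-IPv4UInt32 {
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

$dmz = ConvertTo-IPv4UInt32 ([System.Net.IPAddress]::Parse($DmzWebServer))
Get-ReceiveConnector -Server $HubServer |
    Where-Object { $_.Name -ne $ConnName } |
    ForEach-Object {
        $conn = $_
        foreach ($range in $conn.RemoteIPRanges) {
            # Assumption: IPRange exposes LowerBound/UpperBound as IPAddress.
            if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { continue }  # IPv4 only
            $low  = ConvertTo-IPv4UInt32 $range.LowerBound
            $high = ConvertTo-IPv4UInt32 $range.UpperBound
            if ($dmz -ge $low -and $dmz -le $high) {
                "{0}: range {1} also covers {2} (AuthMechanism={3}; PermissionGroups={4})" -f `
                    $conn.Name, $range, $DmzWebServer, $conn.AuthMechanism, $conn.PermissionGroups
            }
        }
    }
```

To verify from the DMZ web server itself, open a manual SMTP session (telnet to port 25), send MAIL FROM with an address in one of your accepted domains, then RCPT TO an external address. With only the AnonymousUsers permission group the external recipient is refused with "550 5.7.1 Unable to relay"; after step 2 it is accepted, and only from the address in RemoteIPRanges.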
RISLA (asker):
Thanks for the info.

The three connector scopes are explicitly defined. So I know I'm using the correct connector.

But with Externally Secured checked, am I at risk of having someone outside of the company use my Exchange server to send email?

Bembi:

The Exchange connector defines what methods are allowed. The connector should be defined so that it accepts connections from your DMZ IP address and nothing else. Then only this source is allowed to relay over this connector.
RISLA (asker):

Thank you again Bembi. I just need a little clarification...

Since I've allowed my Exchange server to accept anonymous SMTP from my DMZ, could someone "Hack" my DMZ server and use it as a relay with little effort?
ASKER CERTIFIED SOLUTION
Bembi (Germany):
RISLA (asker):

Thank you for all of the information. Above and beyond for sure.