Solved

SMTP Relay Issue

Posted on 2016-08-18
Last Modified: 2016-08-22
Hi,

We have an issue where we have a business application that sends emails via an SMTP relay (Microsoft IIS).
Authentication is set to "Anonymous Access", and Relay Restrictions are set to a list of servers that are allowed to relay from.

So two things. One, we now want to deploy this app to all users' thick clients, which means we either need to lift the restriction or find another authentication mechanism. I personally don't want to open up all internal subnets to be able to relay, especially if malware begins spamming.
What are my other options? Ideally, I would like to allow all internal subnets to relay but place a service account username and password in the app (which we can do as the app is internally developed), so that only that account has rights to relay. Can I do this?

I don't want to use Integrated AD authentication or Exchange Authentication, as malware can just pass the user credentials the user has already logged into their thick clients with.

Or is there a better solution that I should look at? What is the best practice around this?

Thanks in advance.
Question by:Daniel Garcia
12 Comments
 
LVL 18

Expert Comment

by:LesterClayton
ID: 41762040
Writing an authentication method into your application would be a good choice.  The default permissions of Exchange are to allow any users to relay, provided they authenticate - no additional relay connector needs to be created to use this.  The issue you may run into is that the user may attempt to send mail on behalf of somebody other than himself, in which case you do require an anonymous relay. If your solution permits, try the following:

  • Set up a standard exchange user with a generic name, like "No Reply", and set their e-mail address to "noreply@yourcompany.domain".  Note the username and password for authentication
  • Make your application connect to the Exchange server on SMTP Port (usually 25)
  • Make your application negotiate TLS encryption
  • Make your application log in as the No Reply user
  • Send the e-mail from noreply@yourcompany.domain to whomever you want

If you are not able to build TLS into your application, then you can change your "Client Frontend" connector, and uncheck the box "Offer basic authentication only after starting TLS"
0
 

Author Comment

by:Daniel Garcia
ID: 41762050
Hi Lester,

Thanks for your response. So instead of using an IIS SMTP virtual server, you are suggesting that we create a new SMTP Receive connector on Exchange and set up Authentication as TLS only? In the permission group, do I set up "Exchange users"?

Should I add a different IP to the receiver to minimise the chance of other Exchange users being able to authenticate on this receiver? (I am assuming that this setup also allows any Exchange user to use this receiver to relay, should they know the DNS/IP of the receiver?)
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 41762055
You don't create a new SMTP receive connector - just use the Client Frontend one :)  It's already set to accept basic authentication with TLS.  No additional IPs needed either.  You won't conflict with Outlook or anything else; you're just using what Exchange has provided to you out of the box.  I've highlighted the one I would refer to (this is of course on one of my Exchange Servers).

Client Frontend Connector
NOTE: This is port 587 - not 25 as I originally said.
0
 
LVL 27

Expert Comment

by:MAS
ID: 41762056
Hi Daniel,
If it is internal to your Exchange network, no additional settings are needed to relay.
Please mention the Exchange version.


Thanks
MAS
0
 

Author Comment

by:Daniel Garcia
ID: 41762059
Exchange 2013
0
 

Author Comment

by:Daniel Garcia
ID: 41762068
Thanks Lester. But is it better in terms of security to have another receiver with a different IP? I am concerned about an SMTP auth attack using this receiver. I want my configuration to be apart from the current config, so that if any future SMTP auth attack occurs, my configuration won't be a factor in the investigation, as traffic is diverted to a separate receiver with a different address. Or am I being too pedantic?
0
 
LVL 27

Expert Comment

by:MAS
ID: 41762074
Daniel,
Please run these commands from a telnet client or PuTTY on your apps server and post the result.
Telnet <Exchange2013IP> 25
EHLO contoso.com
MAIL FROM: <email-configured-in-ur-apps>@youremaildomain.com
250 2.1.0 Sender OK
RCPT TO: daniel@youremaildomain.com


0
 
LVL 18

Accepted Solution

by:
LesterClayton earned 1000 total points
ID: 41762076
Having it on a different IP won't prevent that one - or the original one - from being SMTP auth attacked :)

You can of course set up a new receive connector on a different IP - this would also be just fine.  Multiple IPs on an Exchange server can lead to other troubles though (like if DNS updates with the new IP, clients might be tempted to use it).  Perhaps a safer solution is to create a new receive connector on a different port.
0
 

Author Comment

by:Daniel Garcia
ID: 41764762
Hi MAS,

220 credit-sydexch4.lan.creditcorp.com.au Microsoft ESMTP MAIL Service ready at
Mon, 22 Aug 2016 13:35:01 +1000
EHLO creditcorp.com.au
250-credit-sydexch4.lan.creditcorp.com.au Hello [172.21.10.6]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
MAIL FROM: test@creditcorp.com.au
250 2.1.0 Sender OK
RCPT TO: dgarcia@creditcorp.com.au
250 2.1.5 Recipient OK
0
 

Author Comment

by:Daniel Garcia
ID: 41764767
Thanks Lester. It appears there is no ideal solution that secures SMTP then.
0
 
LVL 27

Assisted Solution

by:MAS
MAS earned 1000 total points
ID: 41764784
Hi Daniel,
Did you create additional receive connector?

As of now the Exchange server is accepting emails from IP 172.21.10.6, assuming 172.21.10.6 is your application server IP.

Did you test it now? If it is still not working, please check Event Viewer for related errors.
It should be working as per the results posted.

Thanks
MAS
0
 

Author Closing Comment

by:Daniel Garcia
ID: 41766194
Thanks guys, you have cleared up for me what was an ambiguous solution.
0
