Re: Need help configuring Exchange Server for outgoing messages

Hey, Rich.

Thanks for all your help and insight. Now that AT&T Yahoo has re-un-blocked
port 25, email is flowing again. Only now, I'm using BlueHost's SMTP server
with TLS enabled. Does this authentication make my outgoing email somewhat
secure?

I really appreciate your help. I learned a lot.

- Rob


"Rich Matheisen [MVP]" wrote:

Robarb <Robarb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

[ snip ]

Yesterday, AT&T changed their SMTP servers to now require SSL authentication,

Are you sure they require SSL and not TLS? And that they require the
certificates to be used for authentication and not just a
userid/password (i.e. use AUTH)?

They are quite adamant that they now require SSL.

When you use telnet to connect to their mail server, send "EHLO
<your-domain-name>" Do you see STARTTLS and/or TLS in the list of
keywords returned?

which Exchange Server doesn't seem to be able to do.

Exchange can use TLS, and it can use AUTH. You'll need an SSL
certificate for your machine, though.

They insist they require SSL, not TLS and I'm not sure how I would get a
certificate from them.

You don't. You get a cert from either your own CA or from a public CA
(Verisign, GoDaddy, Thawte, etc.). GoDaddy sells 'em for about $20 a
year.

If they really mean they're going to use the certificate for
authentication, find out whether they're just insisting that you
/have/ a certificate, or if the certificate name has to match your
server's name, or if the CA has to validate the cert (which would
prevent you from creating your own cert).

I still think they mean TLS and not SSL.

[ snip ]
That's actually the easy thing to do. Of course, ATT may not allow you
to use port 25 except to connect to their relay servers.

Yesterday, they told me they would unblock port 25 for my connection.

Then I guess they aren't insisting you use an encrypted connection.
:-)

I'm not sure how to configure Exchange (or MX records, etc.) to do this. Is
it difficult to set up Small Business Server 2003 to send emails without
needing an outside smtp server?

Don't know about SBS, but using a SMTP Connector is pretty easy. And
delivering email to the target servers is the default configuration.
Again, don't forget to remove the smart host stuff from your SMTP
Virtual Server.

I've tried this and the emails never get delivered. But I haven't changed
the MX or anything else in DNS.

You don't use your MX to deliver mail to other domains -- you use
theirs for that. But that doesn mean that your DNS is able to contact
other DNS servers.

Try running NSLookup from the command line on your Exchange server:
nslookup

Then enter these commands:
set q=mx
ibm.com

Do you see the IP addresses of IBM's mail servers, or do you get an
error?

If you don't host your own DNS then you'll have your ISP (ATT?) add
the MX to your DNS zone on their DNS servers.

Our DNS is Earthlink. Does the MX record matter if we're only sending from
our SBS? The POP stuff from external sources is working fine.

Your MX record is what /other/ mail servers use to find the mail
exchanger for your domain.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
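
Rich's telnet check above (send EHLO, then look for STARTTLS in the keywords returned), as an added example that is not part of the original thread: a Python parser for the EHLO reply that reports whether STARTTLS is advertised and whether password AUTH is offered without it. The sample replies and hostnames are constructed for illustration.

```python
import re

# Constructed EHLO replies for illustration; hostnames are placeholders.
WITH_STARTTLS = (
    "250-relay.example.net Hello client.example.org\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
AUTH_NO_TLS = (
    "250-relay.example.net Hello client.example.org\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 AUTH=LOGIN\r\n"
)

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for idx, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        # Every line but the last uses "250-"; the last uses "250 ".
        if (m.group(2) == " ") != (idx == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if idx == 0:
            continue  # greeting line, not an extension keyword
        # Older servers also advertise the "AUTH=LOGIN" form; merge both.
        words = re.split(r"[ =]+", m.group(3).strip().upper())
        params = extensions.setdefault(words[0], [])
        params.extend(w for w in words[1:] if w not in params)
    return extensions

def assess(reply):
    """Summarise what the advertised keywords mean for the session."""
    ext = parse_ehlo(reply)
    starttls = "STARTTLS" in ext
    cleartext_auth = [m for m in ext.get("AUTH", []) if m in ("LOGIN", "PLAIN")]
    findings = []
    if not starttls:
        findings.append("no STARTTLS keyword: this port offers no in-band TLS upgrade")
    if cleartext_auth and not starttls:
        findings.append("AUTH %s without TLS exposes the password on the wire"
                        % "/".join(cleartext_auth))
    return {"starttls": starttls, "auth": ext.get("AUTH", []), "findings": findings}
```

A server that accepts TLS only from the first byte of the connection (the older "SSL" style on a dedicated port) will not show STARTTLS here at all, which is one way the SSL/TLS wording in the thread can be told apart.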