Re: allow authenticated relay?
- From: "David" <nickm@xxxxxxxxxxxx>
- Date: Wed, 3 Dec 2008 12:51:42 +1000
I'm having a similar problem with Exchange 2003 on SBS 2003 Prem.
We have an SMTP virtual server set up on port 25 which does not allow
relaying for anyone, but will accept mail from anyone as long as it's going
to our domain. That's working fine for receiving email.
The problem is our second SMTP virtual server, set up on a different port,
which needs to accept mail from staff members using Outlook who are not located at
head office and who do not have VPN access, so that they can send email via our
server from their unknown and variable IP addresses (i.e. airport lounges,
wireless internet, hotels, etc.).
Outlook complains that it can't send because it doesn't have permission.
When diagnosing what is happening with sending mail via this port using
telnet, I get the following responses:
EHLO it.testing.internal.net
250-ourdomain.com.au Hello [127.0.0.1]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
base64 encoded username
334 UGFzc3dvcmQ6
base64 encoded password
235 2.7.0 Authentication successful.
MAIL FROM: username@xxxxxxxxxxxxxxxx
454 5.7.3 Client does not have permission to Send As this sender.
Connection to host lost.
How do I give the user permission to send email from themselves via this
virtual server?
This does not seem to be a problem for all users. I've looked in the SMTP
Virtual Server properties -> Access -> Authentication -> Users... and added
the group "Domain Users" to allow "submit" and "relay", as well as the
particular user (manager) that is having troubles. The boxes for Basic auth
and Integrated Windows auth are ticked, with anonymous access and "require TLS
encryption" unticked.
Under SMTP Virtual Server properties -> Access -> Relay... it has
"Only the list below" selected, with internal IP addresses and 127.0.0.1 in the
list. Then "Allow all computers which successfully authenticate to
relay, regardless of the list above" is ticked. The Users... button on this
screen is not available because the box is ticked (I've tried it both ways,
adding the user to the list of allowed).
One other thing I'm not so clear on is the "default domain" field, whether I
should put in the local domain name or the internet-side domain name.
Similarly, under the Delivery -> Advanced... virtual server dialog, the
masquerade domain and the FQDN. Currently I have the local domain name in
the authentication screen and the internet-side FQDN in the delivery areas.
"Andy David {MVP}" <adavid@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uht8j4l5fqduvc5stcu0mtqgmllm8e08hh@xxxxxxxxxx
On Mon, 1 Dec 2008 13:13:03 -0800, Ron Proschan
<RonProschan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This is Exchange 2003.
The default setting in SMTP server settings, Relay Restrictions is:
"Allow all computers which successfully authenticate to relay, regardless of
the list above"
Is it recommended to keep this option checked? Would turning it off prevent
SMTP AUTH attacks? Thanks in advance.
If you do not require authenticated relay, uncheck it.
If all you have are MAPI Outlook, OWA, and ActiveSync users, you can
disable authenticated relay.
If you have processes or applications that need to relay, you may need
to enable it, or only allow relay by specific IP addresses.
If you have POP3 or IMAP clients that require an SMTP server to relay
their outbound messages, then you'll need to allow authenticated relay.
Ron Proschan