RE: Relaying

From: Eric Sun [MSFT] (v-ericsu_at_online.microsoft.com)
Date: 09/08/04


Date: Wed, 08 Sep 2004 01:53:09 GMT

Hi Vidro,

Thanks for taking time to let me know that this issue is resolved.

Regarding the configuration of SMTP filter, we recommend that you disable it when you have ISA and Exchange installed on the
same server and without message screener installed.

Regarding the SMTP filter, this issue could also happen if the Auth and Auth login commands (Extended Simple Mail
Transfer Protocol [SMTP] commands) are stripped by a Cisco firewall/router. You could refer to the following article.

295164 SMTP Clients Receive Relaying Prohibited Error Message When
http://support.microsoft.com/?id=295164

If you insist on using SMTP filter, you may need to manually configure it to add AUTH command and configure a proper length.
For detailed information, you could refer to the following article.

320703 HOW TO: Configure the SMTP Filter in ISA Server to Block SMTP E-mail
http://support.microsoft.com/?id=320703

Hope that helps.

Best Regards,

Eric Sun,
MCSE2000 / MSCA / MCDBA
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
| From: "vidro" <vidro@myalias.postalias>
| Subject: RE: Relaying
| Date: Tue, 7 Sep 2004 03:22:02 -0700
|
| Yes, ISA and Exchange are on the same machine.
| Disabled SMTP filter and things seem to be working.
| Is this the correct configuration with ISA and Exchange
| working on the same machine?
|
|
|
| >-----Original Message-----
| >Hi Vidro,
| >
| >Thanks for your clarification. Based on my research, the problem is most likely caused by the SMTP
| >authentication, which means that the authentication information is not sent to the Exchange server. So, I
| >would like to give you the following suggestions.
| >
| >1. Disable SMTP filter. You could disable it at ISA Management\Extensions\application filters\SMTP filter.
| >Right click it and click disable. What's the result?
| >
| >2. Is Exchange server installed on the same server box as ISA server? If not, have you ever used a Server
| >Publish rule to publish the SMTP server? If they are on the same server box, have you configured the package
| >filter to allow TCP port 25?
| >
| >Hope that helps.
| >
| >Best Regards,
| >
| >Eric Sun,
| >MCSE2000 / MSCA / MCDBA
| >Microsoft Online Partner Support
| >
| >--------------------
| >| From: "vidro" <vidro@myalias.postalias>
| >| Subject: RE: Relaying
| >| Date: Mon, 6 Sep 2004 15:22:12 -0700
| >|
| >| SP2 is installed. I have verified and done what you
| >| suggested but it still does not work. Let me make sure I
| >| have described the issue clearly.
| >| I am on Windows 2003, using Exchange 2003, using ISA...
| >|
| >| I have clients in remote areas using the Exchange server
| >| as their SMTP POP3 messaging server. These clients need to
| >| email their customers that do not use our messaging system.
| >| In this scenario I need my clients to be able to relay to
| >| their clients. I have relaying enabled if user is
| >| authenticated. This is the same configuration I use with
| >| 5.5, the remote clients are configured to authenticate.
| >| But when they go to send they get an error showing that
| >| the address they are sending TO: has not been
| >| authenticated to relay. To the best of my knowledge I am
| >| not filtering by "Sent to Address". All my remote clients
| >| are having this problem and all have accounts on my server.
| >| For testing purposes to verify if it was ISA or EXCHANGE I
| >| set up an SMTP profile behind the firewall and sent to an
| >| outside source, this works. This is what makes me think
| >| it is an ISA problem.
| >|
| >|
| >| >-----Original Message-----
| >| >Hi Vidro,
| >| >
| >| >The hotfix is included in SP2. Please make sure first that you have Service Pack 2 installed.
| >| >
| >| >I am not sure if you have installed Message Screener. If not, the filter can screen only SMTP
| >| >commands and not message content.
| >| >
| >| >In order to be fully secured by the ISA Server, Exchange 2000 must be specially configured to
| >| >listen only on the internal interface. Perform the following steps:
| >| >
| >| >To configure Exchange 2000 to listen for SMTP traffic on internal interface:
| >| >
| >| >Open the Exchange System Manager. Click Start, click Programs, click Microsoft Exchange, and
| >| >then click System Manager.
| >| >In the console tree of System Manager, click Servers, click the applicable server, click
| >| >Protocols, click SMTP, right-click Default SMTP Virtual Server, and then click Properties.
| >| >On the General tab, click Advanced.
| >| >Verify/ensure that only internal IP addresses are listed in the Address box. Remove any other
| >| >addresses by selecting them and clicking the Remove button.
| >| >To add the internal IP address, click Add. Then, select the internal IP address from the list.
| >| >In TCP port, type:
| >| >
| >| >25
| >| >
| >| >By default, Socket Pooling is enabled. That is, even if you configure Exchange Server's SMTP
| >| >service to listen on Port 25 for just one interface, it will still listen on all interfaces.
| >| >To ensure that the Exchange Server listens on the specified interface: Use MDUTIL.exe or ADSI
| >| >to set the Metadata raw property ID numbered 1029 (DisableSocketPooling).
| >| >
| >| >Example:
| >| >mdutil set -path smtpsvc/1 -value 1 -dtype 1 -prop 1029 -attrib 1
| >| >
| >| >Configure the ISA Server
| >| >===================
| >| >
| >| >In order to fully secure the co-located Exchange Server, ISA Server must be specially
| >| >configured by performing the following tasks:
| >| >
| >| >Enable the SMTP Filter:
| >| >
| >| >In the console tree of ISA Server, click Internet Security and Acceleration Server, click
| >| >Servers and Arrays, click the applicable array, click Extensions, and then click Application
| >| >Filters.
| >| >In the details pane, right-click SMTP Filter, and then click Properties.
| >| >On the General tab, verify that Enable this filter is selected.
| >| >
| >| >2. Configure a server publishing rule to make the Exchange Server accessible:
| >| >
| >| >Note: Do not use the Mail Server Security Wizard.
| >| >
| >| >In the console tree of ISA Server, click Internet Security and Acceleration Server, click
| >| >Servers and Arrays, click the applicable array, click Publishing, click Server Publishing
| >| >Rules, click New, and then click Rule.
| >| >Type a name for the rule and then click Next.
| >| >On Address Mapping, in IP address of internal server, type the IP address on which the
| >| >Exchange Server is configured to listen. In this case, this should be one of the ISA Server
| >| >computer's internal IP addresses.
| >| >In External IP address on ISA Server, type the ISA Server's external IP address. Then, click
| >| >Next.
| >| >On the Protocol Settings page, select SMTP Server. Then, click Next.
| >| >On the Client Type page, select the clients that can access the SMTP Server. Then, click
| >| >Next, and then click Finish to exit the wizard.
| >| >
| >| >For more detailed information, please refer to the following article:
| >| >
| >| >Microsoft ISA Server 2000 - Configuring and Securing Microsoft Exchange 2000 Server and Clients
| >| >http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaexch.mspx
| >| >
| >| >Best Regards,
| >| >
| >| >Eric Sun,
| >| >MCSE2000 / MSCA / MCDBA
| >| >Microsoft Online Partner Support
| >| >
| >| >--------------------
| >| >| From: "vidro" <vidro@myalias.postalias>
| >| >| Subject: Relying
| >| >| Date: Sun, 5 Sep 2004 16:26:17 -0700
| >| >|
| >| >| I have been fighting a problem that I thought was an
| >| >| Exchange problem, I now think it is an ISA issue.
| >| >| I have the EXACT problem that is referenced in the
| >| >| Knowledge base Q313318 or PSS ID# 313318
| >| >| But the files that I have are 4/25/2004.
| >| >| and they reference files with dates of 2002.
| >| >|
| >| >| The problem is my outside clients can not relay to
| >| >| outside clients because of the authentication?
| >| >|
| >| >| It seems it is looking at the address that is being sent TO:
| >| >| The error comes back with "the recipient address does
| >| >| not have authority to relay".
| >| >|
| >| >| Configurations are:
| >| >| Windows Server 2003
| >| >| Exchange 2003
| >| >| ISA 2000
| >| >|
| >| >| I did not have this problem when I was on NT4 with
| >| >| Exchange 5.5 and Proxy 2.
| >| >|
| >| >| The denial of relay started with the ISA and Exchange 2003
| >| >| upgrade.
| >| >| The client configurations have not been modified with the
| >| >| upgrades of the server but again all the settings for
| >| >| authentication should be the same from 5.5 to 2003, I
| >| >| would think.
| >| >|
| >| >| PS
| >| >| On the Intranet, behind ISA using an SMTP client I can
| >| >| relay email, but with the same client configuration
| >| >| pointing to the outside IP it gives me that previous
| >| >| error about authentication.
| >| >|
| >| >| Any Help PLEASE
|
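
Added example, not part of the original thread and not Microsoft's code: a small Python check for the situation discussed above, where a client relays fine from inside but is refused from outside because AUTH is lost on the way. It compares the EHLO reply seen directly with the one seen through the filtering device. The sample replies are constructed, and it assumes the device removes the AUTH advertisement from the EHLO reply (a device that only rejects the AUTH command itself would not show up this way).

```python
import re

# Constructed sample EHLO replies (illustrative, not captured from the thread's servers).
DIRECT_REPLY = (            # as seen by a client behind the firewall
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 OK\r\n"
)
FILTERED_REPLY = (          # as seen through the external address
    "250-mail.example.test Hello [198.51.100.7]\r\n"
    "250-SIZE 10485760\r\n"
    "250-PIPELINING\r\n"
    "250 OK\r\n"
)

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Map each extension keyword in a 250 EHLO reply to its parameter list."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = {}
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation line, "250 " marks the final line.
        if (match.group(2) == " ") != (index == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if index == 0:
            continue  # first line is the greeting, not an extension
        text = match.group(3).strip()  # the final line is parsed as a keyword too
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # legacy "AUTH=LOGIN" form, same meaning
        words = text.upper().split()
        if words:
            params = extensions.setdefault(words[0], [])
            params.extend(w for w in words[1:] if w not in params)
    return extensions

def stripped_by_path(direct, via_filter):
    """Return (extensions, AUTH mechanisms) offered directly but missing via the filter."""
    seen_direct, seen_filtered = parse_ehlo(direct), parse_ehlo(via_filter)
    missing_ext = sorted(set(seen_direct) - set(seen_filtered))
    missing_auth = sorted(set(seen_direct.get("AUTH", [])) - set(seen_filtered.get("AUTH", [])))
    return missing_ext, missing_auth
```

Feed it the two EHLO replies copied from a manual session on each side of the device; a result that lists AUTH as missing points at the filter rather than at the Exchange relay settings.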