Re: Authentication Problems

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 08/23/04


Date: Mon, 23 Aug 2004 11:32:45 +1000

If it's not proxying mail, then it should not matter. Check in your mail
server logs to see what IP address MS SMTP server thinks the mail is coming
from. If your FreeBSD box is just a firewall, then it doesn't proxy SMTP
messages (it operates at a lower layer in the TCP/IP model). MS SMTP server
should see mail as coming from the original IP address (outside your
network).

Cheers
Ken

"Evan" <grime@forbiddenninja.com> wrote in message
news:a07701c486b2$34f10d50$a601280a@phx.gbl...
> No, it's not an SMTP gateway. It's just a
> gateway/firewall. It runs a version of FreeBSD called
> m0n0wall. Will this not work unless my email server is in
> the dmz?
>
>>-----Original Message-----
>>That setup should be correct if this machine is exposed directly to the
>>internet.
>>
>>When you say "gateway" are you talking about an SMTP gateway? If so, I think
>>that is where you should be preventing 3rd party relay, not on the internal
>>machine.
>>
>>Otherwise, you can manually add the other addresses in the 192.168.0.0
>>subnet, excluding 192.168.0.1 (but that's a hassle)
>>
>>Cheers
>>Ken
>>
>>
>><anonymous@discussions.microsoft.com> wrote in message
>>news:282201c4867e$3c87a3a0$a301280a@phx.gbl...
>>>I think that is exactly how I had it. Here are some images
>>> that might simplify things:
>>> http://home.centurytel.net/grime/auth.jpg
>>> http://home.centurytel.net/grime/relay.jpg
>>>
>>> With those settings I am able to send and receive mail
>>> both inside and outside the network, but it doesn't
>>> require authentication for any sending (inside or
>>> outside). Now if I remove the check from the anonymous
>>> auth, it makes me authenticate both inside AND outside the
>>> network. Seems to me that it's not processing my relay
>>> restrictions list, or I have something typed in there
>>> incorrectly. Could it be handling all external mail like
>>> internal mail because all external mail is being routed
>>> through my gateway (192.168.0.1), which is included in the
>>> access granted list? If so, how can I remove my gateway
>>> from that list and still keep the network range?
>>>
>>>>-----Original Message-----
>>>>OK,
>>>>
>>>>This is what you should do:
>>>>
>>>>a) Enable Anonymous + <some other authentication>
>>>>b) Allow relay only to your internal network IP addresses
>>>>c) Allow computers who authenticate to relay
>>>>d) Make sure you do not have any weak or blank passwords
>>>>e) Make sure Windows accounts like "Guest" are not enabled
>>>>
>>>>If you have set this up then:
>>>>a) users inside your network will be able to relay without needing to
>>>>authenticate
>>>>b) users outside your network will need to authenticate to relay
>>>>c) anyone outside your network can send mail to users inside your network
>>>>
>>>>Just be aware that some spammers look for servers that have weak passwords
>>>>for known accounts (eg Administrator, Guest etc). If they can guess the
>>>>password for one of these accounts, they will be able to send spam through
>>>>your server because they can authenticate just like anyone else.
>>>>
>>>>*If* you are still being used as a spam relay in this case, then you have
>>>>something else set up incorrectly.
>>>>
>>>>Cheers
>>>>Ken
>>>>
>>>>
>>>>"Evan" <grime@forbiddenninja.com> wrote in message
>>>>news:973401c48675$02f1e780$a501280a@phx.gbl...
>>>>> What I mean by spam is people outside my network are using
>>>>> my server as a relay for spam if I leave the anonymous
>>>>> auth enabled. I want my users to be able to send mail
>>>>> through this server when they are outside of the network
>>>>> (at home or wherever), but I want it to require
>>>>> authentication for that so only people with a username and
>>>>> password can. However if someone is trying to send mail
>>>>> from inside the network I want them to be able to do it
>>>>> without having to give a username and password. Is this
>>>>> not possible?
>>>>> With the anonymous auth disabled I can still send mail
>>>>> from outside the network using my server. All I have to do
>>>>> is set the option in my email client that says 'Outgoing
>>>>> Server Requires Authentication'. That is exactly how I
>>>>> want it to work outside the network. But it does the same
>>>>> thing inside the network, and I don't want users to have
>>>>> to set that option on their email clients inside the
>>>>> network.
>>>>> However, if I enable the anonymous auth it takes away the
>>>>> need for clients outside the network to set that 'Outgoing
>>>>> Server Requires Authentication' option, and thus anyone
>>>>> can use my server to send mail (including spammers). And,
>>>>> with anonymous auth enabled it does the same thing inside
>>>>> the network as it does outside the network (not ask for
>>>>> authentication), which I DO want. Am I making any sense? :P
>>>>>
>>>>>>-----Original Message-----
>>>>>>Hi,
>>>>>>
>>>>>>What do you mean "spam sent through your network"? Do you mean people were
>>>>>>delivering spam to your users? If so, then simply edit the connection
>>>>>>properties of the SMTP server so that only users in your IP addresses can
>>>>>>connect to the server at all. This will stop anyone out on the internet from
>>>>>>being able to connect to your SMTP server. Users on your internal network
>>>>>>can connect, and send mail out without authenticating.
>>>>>>
>>>>>>However, if you want to receive mail from outside, you will need to have
>>>>>>anonymous authentication enabled, otherwise how is anyone supposed to send
>>>>>>your email? :-)
>>>>>>
>>>>>>Cheers
>>>>>>Ken
>>>>>>
>>>>>>"Evan" <grime@forbiddenninja.com> wrote in message
>>>>>>news:991001c4866d$582abe50$a401280a@phx.gbl...
>>>>>>> the IP addresses of my internal networks are 192.168.0.0
>>>>>>> and 10.10.0.0. I tried with and without the anonymous
>>>>>>> auth. With it enabled sending and receiving all worked
>>>>>>> fine, but it made the server not require authorization to
>>>>>>> send from both inside the network and outside the network,
>>>>>>> which means I get a lot of spam mail sent through my
>>>>>>> server. With it disabled everything works correctly
>>>>>>> (sending/receiving) except it required authorization to
>>>>>>> send, but both outside AND inside the network. That
>>>>>>> stopped the spam, but I want it to not require the
>>>>>>> authorization for inside the network. Thanks again.
>>>>>>>
>>>>>>>
>>>>>>>>-----Original Message-----
>>>>>>>>a) You need to enable anonymous auth (otherwise no one is going to be able
>>>>>>>>to send you mail from outside)
>>>>>>>>
>>>>>>>>b) The next question is - what are the IP addresses of your internal
>>>>>>>>networks?
>>>>>>>>
>>>>>>>>Cheers
>>>>>>>>Ken
>>>>>>>>
>>>>>>>>"Evan" <grime@forbiddenninja.com> wrote in message
>>>>>>>>news:998701c48636$afb04fa0$a601280a@phx.gbl...
>>>>>>>>> Ok, I finally got everything set up just how I want it...
>>>>>>>>> except the authentication. It is requiring me to
>>>>>>>>> authenticate before sending mail both outside of my
>>>>>>>>> network and inside of my network. I don't want to require
>>>>>>>>> authentication inside my network though. How can I fix
>>>>>>>>> this? I have only 'Integrated Windows Authentication'
>>>>>>>>> checked for the acceptable authentication types. I also
>>>>>>>>> have 'Only the list below' selected for Relay Restrictions,
>>>>>>>>> and I have granted 192.168.0.0/255.255.255.0,
>>>>>>>>> 10.10.0.0/255.255.255.128, and just in case 127.0.0.1.
>>>>>>>>> Also, I have the option checked to allow computers that
>>>>>>>>> successfully authenticate to send. What am I doing wrong?
>>>>>>>>> Thanks for your help.
>>>>>>>>
>>>>>>>>
>>>>>>>>.
>>>>>>>>
>>>>>>
>>>>>>
>>>>>>.
>>>>>>
>>>>
>>>>
>>>>.
>>>>
>>
>>
>>.
>>
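
The log check suggested at the top of this message, as an added example that is not part of the original thread: it reads client IPs from an SMTP log and tests each against the relay grant list quoted above. It assumes the log is in W3C extended format with a `c-ip` field; the log lines, client addresses and function names are constructed for illustration.

```python
import ipaddress

# Relay grant list and firewall address as given in the thread.
RELAY_GRANTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/255.255.255.0", "10.10.0.0/255.255.255.128", "127.0.0.1/32")]
GATEWAY = ipaddress.ip_address("192.168.0.1")

# Constructed sample log (W3C extended format); 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query
2004-08-23 01:30:01 192.168.0.25 MAIL +FROM:<user@example.com>
2004-08-23 01:30:02 192.168.0.25 RCPT +TO:<someone@example.net>
2004-08-23 01:31:10 203.0.113.7 MAIL +FROM:<sender@example.org>
2004-08-23 01:32:44 10.10.0.200 MAIL +FROM:<user2@example.com>
2004-08-23 01:33:05 192.168.0.1 MAIL +FROM:<sender@example.org>
"""

def relay_allowed_by_ip(ip):
    """True if the grant list lets this client relay without authenticating."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_GRANTS)

def client_ips(log_text):
    """Count logged SMTP commands per client IP, locating c-ip via #Fields."""
    fields, counts = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and "c-ip" in fields:
            ip = line.split()[fields.index("c-ip")]
            counts[ip] = counts.get(ip, 0) + 1
    return counts

def diagnose(log_text):
    """Map each client IP seen in the log to how the relay list treats it."""
    result = {}
    for ip in client_ips(log_text):
        if ipaddress.ip_address(ip) == GATEWAY:
            result[ip] = "gateway"      # firewall's own address: inherits the grant
        elif relay_allowed_by_ip(ip):
            result[ip] = "granted"      # may relay without authenticating
        else:
            result[ip] = "not granted"  # must authenticate to relay
    return result

if __name__ == "__main__":
    for ip, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

A "gateway" row means the server is seeing the firewall's address rather than the original sender's, so that traffic is covered by the 192.168.0.0 grant. The 10.10.0.200 row shows that the 255.255.255.128 mask only covers 10.10.0.0 through 10.10.0.127.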


