  • Securing clients SMTP connection to Exchange 2003

    Hi everybody,
    Please excuse me if some of my questions sound naive and might be relatively simple.
    I am wondering if somebody could advise how to approach the following scenario:
    1. Exchange 2003 works fine;
    2. We have a number of employees in different parts of the country and they can connect to the Exchange 2003 server.
    3. My pain now is to find out how to secure Outlook Express users' SMTP connections to the Exchange server.
    4. No problems with securing POP3 (the certificate works just fine) using SSL over port 995; so POP3 for OE is SSL enabled and works just fine.
    5. I want to secure the SMTP connection to the Exchange server - we don't want the messages to be intercepted in transit on their way from OE to Exchange.
    6. What I don't understand - why is the port not changed in OE to 465 automatically and just stays the same, 25? Sorry for the naive question. In the case of POP3, as long as I checked "require SSL" it automatically changed to 995. Why is it different for the SMTP setting?
    7. ISPs across the country often prohibit SMTP traffic over port 25 (except to their own SMTP server). So the only way is to connect to the Exchange server over another port, not 25. So the problem can also be reworded - how to connect authenticated users on another SMTP port?
    8. How should I configure the Exchange SMTP Virtual server (or servers) to handle both - 1. regular incoming SMTP connections from the internet - e-mail from different sources and companies that goes to our users (shouldn't be secured for natural reasons) and 2. secure SMTP connections from our Outlook Express users?
    9. I have heard that it is necessary to have two Virtual SMTP servers for such a scenario - one for each category of SMTP connections as described in 8. Is it correct?
    10. I tried to test it from the LAN to exclude the firewall, etc. In addition to the Default SMTP Server I created a Second SMTP Server, enabled it, certificate, etc. For the Second I set another port, 465, and put the same in OE. When I launch OE it refuses to connect (SMTP). I have a feeling that it still tries to connect to the Default.
    11. We allow relay of the authenticated users.
    12. Please advise how to handle the scenario - or might the whole perspective be wrong? Any related articles?
    Thank you so much!
    Sincerely,
    Victor.

  • #2
    Re: Securing clients SMTP connection to Exchange 2003

    The port for SMTP over SSL (TLS) is officially deprecated. Microsoft supports it over port 25, which is why things don't change.

    There is an easy way to deal with this. Open ESM, then go to servers, <your server>, Protocols, SMTP. Right click on the default SMTP VS and choose Properties. On the first tab, choose Advanced... then add. Set the IP address and enter the port number 465.
    Apply/OK out.

    You can now send email to the server via either port 25 or 465 and both variants will be secured by SSL if the client asks for it.

    Just make sure that you have not set SMTP to require a certificate. Let the client request it.

    That is how it works and I have it working that way on two or three sites.

    Although if you are on Exchange 2003/Windows 2003 with Outlook 2003 clients (or higher) then you should look at RPC over HTTPS instead. Full MAPI connection without any VPN.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Securing clients SMTP connection to Exchange 2003

      Do you have OWA available from outside?
      It is the most convenient way to have full access to emails, contacts, calendar, tasks and Public folders.
      You should advertise it to your people instead of POP3 via Outlook Express.
      Regards,
      Csaba Papp
      MCSA+messaging, MCSE, CCNA
      ...............................
      Remember to give credit where credit is due and leave reputation points where appropriate
      .................................



      • #4
        Re: Securing clients SMTP connection to Exchange 2003

        Thank you so much to Simon and NETXT for their suggestions and comments.
        Still I want to clarify some things:
        I agree RPC over HTTPS and OWA over HTTPS are much better than Outlook Express access to Exchange 2003. I configured it (thanks to this wonderful forum!) and it works very well. However, I believe that users should make a choice as to which of the 3 clients is best for their production needs. From this perspective I would like to complement RPC over HTTPS and OWA over HTTPS with the possibility of secure Outlook Express access. I configured POP3 with SSL and it also works just fine. However, what I found is that Outlook Express 6.0 can use SMTP with SSL only over port 25 !!! Later I found some confirmations of the statement on the Internet. It contradicts Simon's reply in regards to the 465 port.
        Please help me to understand it, guys. To exclude firewall interference I put both Exchange 2003 and the OE 6.0 client on the same subnet - so it was kind of a direct internal LAN connection. The result is the same - SMTP in OE works fine with SSL enabled over port 25 and fails if you change it to any other port, including 465.
        But if only port 25 works for SSL (OE as a client), in this case we are running into a roadblock - ISPs block port 25, so does it mean that it is impossible for users to connect to Exchange (SMTP+SSL)? Please help?



        • #5
          Re: Securing clients SMTP connection to Exchange 2003

          I wouldn't want to give users access to Exchange using Outlook Express. Too easy for them to extract all their email out of the server. No backup and then when the machine that they are using fails they come crying to you because everything has been lost. Outlook Express is the last client of choice.

          I have an Outlook Express client connecting to an alternative port quite happily. It connects to an IIS server I have on my web server which I use to bounce email out to the internet when I am on client sites and need to test inbound email.

          Unless the statements you found about it not working are on Microsoft's web site, then they should be taken with a healthy state of cynicism. Just because someone has written it on a web page doesn't mean it is true.

          You should be able to telnet to port 465 if it has been set up correctly and get the same banner as you do on port 25.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: Securing clients SMTP connection to Exchange 2003

            Thank you so much Simon! Very valid point about OE as the last choice of client - 100% with you. However, it has become for me a question of principle - I just have to force it to work. I use OE 6 with MS Exchange 2003. To confirm that OE works with SSL only over port 25 with MS Exchange I downloaded Eudora 7. I confirmed that Eudora works easily with MS Exchange 2003 (the same server!) over port 587 - it connects perfectly well, establishing a TLS v.1 connection etc. For me this test confirms that everything is fine with the Exchange server and the issue is on the Outlook side. It looks like something with the negotiation between Exchange and OE. Interesting that Eudora works well. Any thoughts Simon? Thanks again.
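Simon's telnet check in #5 and the port 587 result in #6 both come down to which of two TLS styles a port speaks: SMTPS, where the TLS handshake happens before any banner, or STARTTLS, where the server greets in plaintext and upgrades after EHLO. The probe below is an added example, not code from the thread or from Exchange; the host names and the embedded EHLO reply are constructed, and `probe()` verifies the server certificate the way a correctly configured client does.

```python
import socket
import ssl

# Constructed sample EHLO reply from a server that offers STARTTLS (not a real capture).
SAMPLE_EHLO = "250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250-AUTH LOGIN\r\n250 OK\r\n"

def read_reply(sock):
    """Read one complete SMTP reply: '250-' lines continue it, '250 ' (space) ends it."""
    data = b""
    while not (data.endswith(b"\r\n") and data.rstrip(b"\r\n").split(b"\r\n")[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace")

def ehlo_capabilities(reply):
    """Keywords from the 250 lines of an EHLO reply (the first line is only the greeting)."""
    caps = set()
    for line in [l for l in reply.splitlines() if l.startswith("250")][1:]:
        words = line[4:].split()
        if words:
            caps.add(words[0].upper())
    return caps

def probe(host, port, implicit_tls, timeout=10):
    """SMTPS (TLS before any banner) or SMTP+STARTTLS; returns (banner, capabilities, tls_version)."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain and host name
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if implicit_tls:
            sock = ctx.wrap_socket(sock, server_hostname=host)
        banner = read_reply(sock).strip()
        sock.sendall(b"EHLO probe.example.test\r\n")
        caps = ehlo_capabilities(read_reply(sock))
        if not implicit_tls and "STARTTLS" in caps:
            sock.sendall(b"STARTTLS\r\n")
            if read_reply(sock).startswith("220"):
                sock = ctx.wrap_socket(sock, server_hostname=host)
                sock.sendall(b"EHLO probe.example.test\r\n")  # capabilities can change after TLS
                caps = ehlo_capabilities(read_reply(sock))
        version = sock.version() if isinstance(sock, ssl.SSLSocket) else None
        sock.sendall(b"QUIT\r\n")
        return banner, caps, version
    except ssl.SSLError as exc:
        # A STARTTLS-only port probed as SMTPS fails here: its plaintext "220" banner is not a TLS record.
        return None, set(), "handshake failed: %s" % exc
    finally:
        sock.close()
```

Run `probe(host, 465, True)` and `probe(host, 465, False)` against your own server: whichever returns a TLS version is the mode that port really offers, and a handshake error on a port that answers a plaintext banner points at a mode mismatch between client and server rather than a dead port.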
