Default SMTP Virtual Server

  • Default SMTP Virtual Server

    I have a question about something in the properties of the default SMTP virtual server. If I right-click this and go to the properties, click on the Access tab, then I click on the certificates tab and add our SSL cert in there, the communication button lights up. If I go under Communication, there's an option to check Require Secure Channel and Require 128 Bit Encryption.
    My director asked that I set this up and only check Require Secure Channel for events/notifications coming from our web server in our DMZ. When I enabled this feature, outside people on the internet who were sending emails to users in our Exchange server were getting the following:

    A message that you have sent could not be delivered to one or more
    recipients. This is a permanent error. The following address(es) failed:
    <Email_address@domain.com>: 530 Validating Sender

    (The email_address and domain name were added to replace the real email and domain name for listing purposes.)

    Our environment: Win2k3 domain - (1) Exchange 2k3 SP2 server running on a Win2k3 standard server, fully patched.

    Any ideas on this? Does anyone out there actually use this feature in the default SMTP virtual server?


    Update:

    Since my posting, I've copied and pasted the event that occurs when this item is checked. I think from what this tells me, that the person sending the email does not have TLS enabled, therefore our internal Exchange server wants to validate the sender, therefore them not having TLS encryption generates this error. Does this sound correct?

    Virtual Server 1: TLS will be required of all inbound connections.
    Last edited by Jamie; 4th September 2009, 19:13.

  • #2
    Re: Default SMTP Virtual Server

    Exchange 2003 does not do opportunistic TLS. Therefore if you turn that option on, then any servers that do not support TLS (the vast majority of them) will fail to be able to send email to your server. Therefore you cannot turn it on.

    If you want to use TLS for internal communications then you will need to set up a second SMTP virtual server, either using a different IP address or a different port (587 usually) with TLS enabled.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Default SMTP Virtual Server

      Yes, I did create a secondary virtual SMTP server. This will only get used for our web server to send SMTP notifications from within our DMZ to our Exchange server. The higher-ups want to have the "require secure channel" enabled but as you said - this would require TLS to be enabled?

      If I now have 2 SMTP virtual servers, how can I tell our web server (in our DMZ) to send notifications through the secondary SMTP server vs the default SMTP server? When trying to send test msgs, I get

      Client does not have permission to submit mail to this server. The server response was: 5.7.3 Client does not have permission to Send As this sender.

      Update:
      Since this post, I tried a different user to try and send mail. I used my userid, which has domain admin rights, and sent an email notification successfully. The userid we want to use does not need domain admin privileges - is there a permission setting I can add to this user to allow him to send these notifications? I double-checked that the "send as" permission is checked but not sure what else I need to look for?
      Last edited by Jamie; 9th September 2009, 21:45.



      • #4
        Re: Default SMTP Virtual Server

        You tell the application by pointing it at the right combination of IP address and port. Authenticated relaying is enabled by default in Exchange, so you shouldn't have to change anything or use any higher rights. It should just be a matter of having an account and using the right format for credentials (domain\username).

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.
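
The two-listener layout discussed in this thread (port 25 left open to servers that cannot do TLS, a second virtual server that requires it) can be checked from the outside. The following is an added example, not code from any poster in the thread; the sample replies are constructed, and the `probe` host and port are whatever your own listeners use.

```python
import smtplib

# Constructed sample replies, not captured from a real server.
EHLO = "250-mail.example.invalid Hello\n250-SIZE 10240000\n250-STARTTLS\n250 OK"
OPEN = (EHLO, "250 2.1.0 Sender OK")
FORCED = (EHLO, "530 5.7.0 Must issue a STARTTLS command first")

def ehlo_extensions(ehlo_reply):
    """Extension keywords from a multi-line EHLO reply; the first line is the greeting."""
    return {line[4:].split()[0].upper()
            for line in ehlo_reply.splitlines()[1:]
            if line[:3] == "250" and line[4:].strip()}

def classify(ehlo_reply, mail_from_reply):
    """Classify a listener from EHLO and its reply to MAIL FROM sent in plaintext."""
    offers_tls = "STARTTLS" in ehlo_extensions(ehlo_reply)
    code = mail_from_reply[:3]
    if code == "530":
        # 530 covers "must issue STARTTLS first" (RFC 3207) and "authentication
        # required" (RFC 4954); either way plaintext mail is refused.
        return "refuses-plaintext" if offers_tls else "refuses-plaintext-no-starttls"
    if code[:1] == "2":
        return "tls-optional" if offers_tls else "plaintext-only"
    return "unknown"

def audit(listeners):
    """listeners: {port: (ehlo_reply, mail_from_reply)} -> list of findings."""
    findings = []
    for port, (ehlo, mail) in sorted(listeners.items()):
        state = classify(ehlo, mail)
        if port == 25 and state.startswith("refuses-plaintext"):
            findings.append("25: inbound Internet mail without TLS will bounce (530)")
        if port != 25 and state != "refuses-plaintext":
            findings.append(f"{port}: listener is {state}, expected refuses-plaintext")
    return findings

def probe(host, port):
    """Live probe of your own listener: returns (ehlo_reply, mail_from_reply) as text."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        code, msg = s.ehlo("probe.example.invalid")
        lines = msg.decode(errors="replace").splitlines()
        ehlo = "\n".join(f"{code} {l}" for l in lines)
        mcode, mmsg = s.docmd("MAIL FROM:<probe@example.invalid>")
        s.rset()  # abandon the transaction; no message is sent
        return ehlo, f"{mcode} {mmsg.decode(errors='replace')}"
```

Feed `audit` the output of `probe` for each listener, for example `audit({25: probe(host, 25), 587: probe(host, 587)})`; an empty list means port 25 still accepts plaintext senders and the second listener refuses them.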

