relay issue


  • relay issue

    i have a few field users that have a laptop configured with outlook 2003 using pop3. for the past few years, i had the accounts configured to send using the ISP's SMTP server. i got user names and passwords for each user from the ISP...no problem, up til now. over the past few months, their ISP's smtp server has been very inconsistent and there are times when emails won't go through. regular text emails, nothing too large in size. internet browsing always works, i can even remote into the PC that is having trouble sending via the ISP smtp relay. now, our users are always in different cities, towns, states, etc...and not all users experience issues at the same time. obviously it has something to do with the cell tower that the user is connected at the time they are sending the email.

    i am certain that my exchange 2003 server is NOT AN OPEN RELAY and since i have never made the following change, i would like some guidance.

    is it as simple as opening ESM, going to the properties of the SMTP connector, and changing the relay options to allow the few users using pop3?

    the bounce back message that i got when i did try to test with my server as the outgoing email server was....

    550 5.7.1 Unable to relay for [email protected]

    this is only an issue when sending to an address outside of our company domain.

    90% of email for our field users come directly to our users within our organization, so relaying has never been an issue until it is time to send an email to someone outside of our organization.

    any help is appreciated.

    thanks.

  • #2
    Re: relay issue

    Why are you using POP3?
    If you are on Outlook 2003 and Exchange 2003, use RPC over HTTPS. More secure and you don't have to run the risk of the SMTP traffic being blocked from whatever remote ISP is being used.

    POP3 is the last protocol to use after every other eventuality (including OWA, Blackberry, VPN, Outlook RPC over HTTPS) has been exhausted. Awful protocol, no place in a business environment.

    While your machine is not an open relay, to allow users to relay through it you need to use authentication. That means your server is exposed to an authenticated user attack - if the users haven't been stupid enough to be taken in by a phishing attack. If you aren't using SSL, then usernames and passwords are going across in the clear as well.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.
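
The two server-side points raised so far, the `550 5.7.1` refusal quoted in the first post and the cleartext-credentials warning in reply #2, can both be checked from a recorded SMTP session. This is an added example, not code from either poster: the transcript, host names and function names are constructed for illustration, and the session is assumed to be unauthenticated with an external recipient.

```python
import base64
import re

# Mechanisms that send the password itself, merely base64-encoded.
PASSWORD_EQUIVALENT = {"LOGIN", "PLAIN"}

# Constructed (command, server reply) pairs for one session; not a real capture.
SAMPLE_SESSION = [
    ("EHLO laptop.example",
     "250-mail.example.com Hello [192.0.2.10]\r\n250-SIZE 10485760\r\n"
     "250-AUTH GSSAPI NTLM LOGIN\r\n250-AUTH=LOGIN\r\n250 OK"),
    ("MAIL FROM:<tech@example.com>", "250 2.1.0 tech@example.com....Sender OK"),
    ("RCPT TO:<someone@example.net>", "550 5.7.1 Unable to relay for someone@example.net"),
]

def parse_ehlo(reply):
    """Return {KEYWORD: [args]} from a multi-line 250 EHLO reply."""
    caps = {}
    for line in reply.splitlines()[1:]:  # the first line is only the greeting
        m = re.match(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)", line)
        if m:
            caps.setdefault(m.group(1).upper(), []).extend(m.group(2).upper().split())
    return caps

def relay_denied(reply):
    """True for the refusal quoted in the first post: 550 with status 5.7.1."""
    return re.match(r"550[ -]5\.7\.1\b", reply) is not None

def decode_auth_login(token):
    """AUTH LOGIN prompts and answers are base64 text, readable by any observer."""
    return base64.b64decode(token).decode("utf-8", "replace")

def audit(session, tls_active=False):
    """Findings for an unauthenticated session; tls_active means it ran inside SSL/TLS."""
    findings = []
    for command, reply in session:
        verb = command.split(None, 1)[0].upper()
        if verb == "EHLO" and not tls_active:
            caps = parse_ehlo(reply)
            mechs = PASSWORD_EQUIVALENT & set(caps.get("AUTH", []))
            if mechs:
                findings.append("cleartext-auth:" + ",".join(sorted(mechs)))
            if "STARTTLS" not in caps:
                findings.append("no-starttls")
        elif verb == "RCPT" and not relay_denied(reply):
            findings.append("relay-not-refused:" + reply[:3])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SESSION))               # plain, unencrypted session
    print(decode_auth_login("VXNlcm5hbWU6"))   # the server's AUTH LOGIN prompt
```

An empty result for the unauthenticated session means relay is refused and no password-equivalent mechanism is offered outside SSL/TLS.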



    • #3
      Re: relay issue

      Originally posted by Sembee View Post
      Why are you using POP3?
      If you are on Outlook 2003 and Exchange 2003, use RPC over HTTPS. More secure and you don't have to run the risk of the SMTP traffic being blocked from whatever remote ISP is being used.

      POP3 is the last protocol to use after every other eventuality (including OWA, Blackberry, VPN, Outlook RPC over HTTPS) has been exhausted. Awful protocol, no place in a business environment.

      While your machine is not an open relay, to allow users to relay through it you need to use authentication. That means your server is exposed to an authenticated user attack - if the users haven't been stupid enough to be taken in by a phishing attack. If you aren't using SSL, then usernames and passwords are going across in the clear as well.

      Simon.

      in this case, POP3 IS the last resort.

      we started with rpc over https, then we went to imap, and finally we are at pop3.

      no webmail, owa, blackberries, vpn, etc....we issue the field techs a laptop with outlook 2003/2007.

      they use mobile cards and the areas they are in are not mobile card friendly. syncing mail with rpc and https and with imap protocols take too long.

      pop3 is great because it doesn't sync. it just downloads and removes the mail from the server (i know we can change that, but we dont want to).

      thanks.



      • #4
        Re: relay issue

        Originally posted by Sembee View Post
        RPC over HTTPS

        Simon.


        OK, well i decided to try RPC over HTTPS one more time. maybe i just had bad luck last time?

        anyway, i had RPC over https working properly with my old exchange server. however, once i upgraded to a new exchange server, still exchange 2003, i never configured RPC over https.

        i did that earlier today and when i try this site

        https://www.testexchangeconnectivity.com

        rpc over https fails

        Testing Http Authentication Methods for URL https://mail.companyname.com/rpc/rpcproxy.dll
        The HTTP authentication test failed.

        and it takes me here...

        http://technet.microsoft.com/en-us/l...EXCHG.80).aspx

        this is what i cant remember from my old server...

        To correct this error
        Confirm that Basic authentication is enabled on the Exchange ActiveSync virtual directory in the Exchange Management Console and in IIS on the Microsoft-Server-ActiveSync virtual directory

        For Outlook Anywhere users, verify the following server and client settings:

        Confirm that Basic and/or Integrated Windows Authentication is enabled on the /Rpc virtual directory in IIS. Please note that these authentication methods should be managed through the Set-OutlookAnywhere cmdlet and not directly in IIS.
        Confirm that Basic or NT LAN Manager (NTLM) authentication is selected under Exchange Proxy Settings in Microsoft Outlook. This setting should match the authentication method you have enabled in IIS. If this setting is being obtained via Autodiscover, then ensure that your ClientAuthenticationMethod or DefaultAuthenticationMethod is specified properly on your Outlook Anywhere Configuration.

        I thought basic is what i DONT want?

        also, if i am using rpc over https (not http), do i still need to do the registry port hack?

        i am confused on the basic and ntlm authentication settings in iis and when setting up the email profile.

        thanks.



        • #5
          Re: relay issue

          The registry settings are always required unless you are in a frontend/backend scenario with multiple servers.

          When it comes to authentication settings, the key difference is that basic will work pretty much everywhere, but the user will get an authentication prompt each time Outlook starts, whether or not the machine is on the domain, whereas NTLM will not cause an authentication prompt if the machine is a member of the domain, but cannot be guaranteed to work everywhere.

          I usually enable both on Exchange 2003 in IIS manager, then toggle between them to see what works in most locations. If you have a mix of clients on and off the domain, then you could use both.

          The instructions you have been pointed to are for Exchange 2007 and 2010, not 2003. That is not unusual for Microsoft. Once a new version or two has come out they tend to try and pretend the older versions don't exist and new tools, like EXRCA will be biased to the new versions.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
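
The rule quoted in post #4 (the method selected under Exchange Proxy Settings should match what is enabled in IIS) and the Basic/NTLM trade-off in post #5 can be checked against the 401 challenge that the /rpc virtual directory returns. This is an added example, not code from either poster or from Microsoft's test tool: the responses, the host `mail.example.com` and the function names are constructed for illustration.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Constructed 401 responses for /rpc/rpcproxy.dll (not captured from a real server).
BOTH_ENABLED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
NTLM_ONLY = BOTH_ENABLED.replace('WWW-Authenticate: Basic realm="mail.example.com"\r\n', "")

def offered_schemes(raw_response):
    """Return (status, [SCHEME, ...]) from the status line and WWW-Authenticate headers."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block + "\n", headersonly=True)
    values = headers.get_all("WWW-Authenticate", [])
    schemes = [v.split()[0].upper() for v in values if v.split()]
    return int(status_line.split()[1]), schemes

def check_outlook_setting(url, raw_response, client_method):
    """client_method is the Outlook Exchange Proxy Settings choice: 'Basic' or 'NTLM'."""
    status, schemes = offered_schemes(raw_response)
    wanted = client_method.upper()
    problems = []
    if status != 401:
        problems.append("expected a 401 challenge, got %d" % status)
    if wanted not in schemes:
        problems.append("server does not offer " + wanted)
    if "BASIC" in schemes and urlsplit(url).scheme != "https":
        problems.append("Basic offered without SSL: password is only base64-encoded")
    return problems

if __name__ == "__main__":
    url = "https://mail.example.com/rpc/rpcproxy.dll"
    print(offered_schemes(BOTH_ENABLED))
    print(check_outlook_setting(url, NTLM_ONLY, "Basic"))
```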



          • #6
            Re: relay issue

            Originally posted by Sembee View Post
            The registry settings are always required unless you are in a frontend/backend scenario with multiple servers.

            When it comes to authentication settings, the key difference is that basic will work pretty much everywhere, but the user will get an authentication prompt each time Outlook starts, whether or not the machine is on the domain, whereas NTLM will not cause an authentication prompt if the machine is a member of the domain, but cannot be guaranteed to work everywhere.

            I usually enable both on Exchange 2003 in IIS manager, then toggle between them to see what works in most locations. If you have a mix of clients on and off the domain, then you could use both.

            The instructions you have been pointed to are for Exchange 2007 and 2010, not 2003. That is not unusual for Microsoft. Once a new version or two has come out they tend to try and pretend the older versions don't exist and new tools, like EXRCA will be biased to the new versions.

            Simon.

            ok, so the reason this isnt working is because the port changes have not been made in the registry.

            ok, i will have to change those tonight, after hours and reboot the server.

            check out these directions...

            Note: While RPC over HTTP does not require SSL, you must modify the registry to enable RPC over HTTP if you do not want to use SSL. This is why I've used the term "RPC over HTTP/S" in this set of articles.

            a little misleading, dont you think?



            • #7
              Re: relay issue

              Originally posted by tomdlgns View Post
              ok, so the reason this isnt working is because the port changes have not been made in the registry.

              ok, i will have to change those tonight, after hours and reboot the server.

              check out these directions...

              Note: While RPC over HTTP does not require SSL, you must modify the registry to enable RPC over HTTP if you do not want to use SSL. This is why I've used the term "RPC over HTTP/S" in this set of articles.

              a little misleading, dont you think?

              edit- i read that as...if you use SSL, then no registry changes need to be made.



              • #8
                Re: relay issue

                I wouldn't have read that as meaning you don't need the registry settings if you are using SSL. I also have never deployed RPC over HTTPS without SSL. Wouldn't dream of doing so as the main point of the feature is to allow secure email access without a VPN. If you aren't using SSL then it isn't secure.

                A reboot shouldn't be required, I have certainly configured the feature without a reboot. The most you would have to do is run IISRESET to ensure the changes are seen by the process.

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.



                • #9
                  Re: relay issue

                  Originally posted by Sembee View Post
                  I wouldn't have read that as meaning you don't need the registry settings if you are using SSL. I also have never deployed RPC over HTTPS without SSL. Wouldn't dream of doing so as the main point of the feature is to allow secure email access without a VPN. If you aren't using SSL then it isn't secure.

                  A reboot shouldn't be required, I have certainly configured the feature without a reboot. The most you would have to do is run IISRESET to ensure the changes are seen by the process.

                  Simon.

                  ok, one more and i should be ok for now...

                  the article i followed last time is linked below.

                  http://www.petri.com/how-can-i-confi...r-scenario.htm

                  i dont recall if i did the following steps or not in my old setup...

                  Configure all your global catalogs to use specific ports for RPC over HTTP for directory services

                  Exchange Server 2003 Service Pack 1 note: Exchange Server 2003 Service Pack 1 has a new built-in RPC over HTTP/S GUI setting on the Exchange Server properties page in Exchange System Manager. If you configure the RPC over HTTP/S option from the GUI, there is NO need to make any manual changes in the Registry.

                  To make the changes via the GUI follow these steps:

                  Click Start, point to Microsoft Exchange, and then click System Manager.
                  Expand your organization, expand Administrative Groups > First Administrative Group > Servers.
                  Right-click on your server name and select Properties.
                  On the General tab, verify that you have SP1 installed. Verify that a tab called RPC-HTTP is present.


                  On the RPC-HTTP tab, click on RPC-HTTP Back-End Server.


                  You might get an error:

                  Exchange System Manager There is no RPC-HTTP front-end in your Exchange organization. There must be at least one RPC-HTTP front-end server in the organization before the RPC-HTTP back-end server can be accessed.

                  Acknowledge the error.

                  Click Ok all the way out.
                  You need to reboot your server for the settings to take place.



                  • #10
                    Re: relay issue

                    Originally posted by Sembee View Post
                    I wouldn't have read that as meaning you don't need the registry settings if you are using SSL. I also have never deployed RPC over HTTPS without SSL. Wouldn't dream of doing so as the main point of the feature is to allow secure email access without a VPN. If you aren't using SSL then it isn't secure.

                    A reboot shouldn't be required, I have certainly configured the feature without a reboot. The most you would have to do is run IISRESET to ensure the changes are seen by the process.

                    Simon.

                    just used that program to change the registry values and reset IIS, still fails the RPC test.

                    although, i havent done the last part of the article.

                    i assume the last part of the article is needed for everything to work, but i only have one exchange server and i cant reboot right now, anyway.

                    thanks.



                    • #11
                      Re: relay issue

                      Originally posted by tomdlgns View Post
                      just used that program to change the registry values and reset IIS, still fails the RPC test.

                      although, i havent done the last part of the article.

                      i assume the last part of the article is needed for everything to work, but i only have one exchange server and i cant reboot right now, anyway.

                      thanks.

                      ok, well i decided to follow the rest of the guide. since it told me that i needed to reboot after that ESM change, i rebooted.

                      the test still fails at

                      https://www.testexchangeconnectivity.com/

                      but i was able to successfully configure outlook to start pulling mail.

                      my mailbox is syncing as i type this post.



                      • #12
                        Re: relay issue

                        update-

                        my PC wired to a LAN (outside the work network) works w/o any issues.

                        i grabbed a laptop with a usb air card and it doesnt work very well with rpc over https configured. i guess the mobile broadband is still an issue with rpc over https.

                        i will test with another laptop and usb air card tomorrow and see if i get better results.



                        • #13
                          Re: relay issue

                          tested a few more laptops with broadband data card...nothing, outlook hangs.

                          tested those same laptops with a wired internet connection, rpc over https works fine (off of the LAN with the exchange server).

                          edit- which is why i gave up on rpc over https a few years back when i first read about it. not reliable for the field workers. however, pop3 works great for them.

                          oh well...



                          • #14
                            Re: relay issue

                            As long as Outlook is on cached mode, there is nothing about using a wireless card that should cause Outlook to hang. I have been using RPC over HTTPS for years, over every kind of connection from a mobile phone (9.6k) up to leased lines. It has never let me down. Everything happens in the background, as that is what it is designed to do.

                            Simon.
                            --
                            Simon Butler
                            Exchange MVP

                            Blog: http://blog.sembee.co.uk/
                            More Exchange Content: http://exchange.sembee.info/
                            Exchange Resources List: http://exbpa.com/
                            In the UK? Hire me: http://www.sembee.co.uk/

                            Sembee is a registered trademark, used here with permission.



                            • #15
                              Re: relay issue

                              Originally posted by Sembee View Post
                              As long as Outlook is on cached mode, there is nothing about using a wireless card that should cause Outlook to hang. I have been using RPC over HTTPS for years, over every kind of connection from a mobile phone (9.6k) up to leased lines. It has never let me down. Everything happens in the background, as that is what it is designed to do.

                              Simon.

                              i agree with you. and you are more knowledgeable than me with anything that involves exchange.

                              i just dont know what else to try.

                              any input on why the test fails but i did everything that guide says? also, the fact that it works, flawlessly, on my laptop using rpc over https tells me that the test is wrong.
