Announcement

Collapse
No announcement yet.

SMTP Relay authorisation issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • SMTP Relay authorisation issue

    Hi,

    We are running Windows SB Server with Exchange 2003.

    We have an ordering application which has the ability to send confirmation emails to customers via SMTP. Attemping to use this produces an "SMTP 550" error when sending to an external email address but no problems when sending to an internal email address. A search of Petri showed this was a relay authorisation issue so I went into SMTP Virtual Server and added the IP address of the client machine trying to do the send to the "Allow" box.

    This fixed the problem but I'm not happy with the solution. Client machines get their IP addresses via DHCP so keeping the authorised addresses list up to date will be an issue. Its not certain yet how many clients will be using this facility but I don't want to keep maintaining a list.

    We could assign static IP addresses just to those clients who who sending emails but this seems really ugly.

    Does anyone have an elegant, low maintenance solution?

  • #2
    Re: SMTP Relay authorisation issue

    From Exchange 2003 Help (search on Relay):
    Grant or Deny Relay Permissions to Users or Groups
    In Exchange 2003, you can grant or deny relay permissions to specific users and groups on an SMTP virtual server. Relay permissions grant the user the ability to use the SMTP virtual server to send mail to a destination outside of your organization.

    Put the users in a group
    Give relay permision to that group
    Modify the group membership as required


    Tom
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: SMTP Relay authorisation issue

      Hi Ossian,

      Okay, thanks for that. Appreciate the help.

      Comment


      • #4
        Re: SMTP Relay authorisation issue

        There are a couple of solutions to this problem.

        The first one depends on whether the application can authenticate or not. If it can, then simply use authenticated relaying.

        Next solution is to use the ISPs SMTP server. This will often not require authentication and is a trick I often use. Emails will come back in through regular SMTP email and be delivered. Means that you don't have to open up your server.

        Third solution that could work for you would be to setup a second SMTP virtual server on the server. That would require a second internal IP address. Then configure relaying for your subnet on that virtual server. As long as that second IP address and virtual server cannot be seen from outside, it shouldn't be abused.

        Of the three solutions, I have listed them in order of preference - the last one I do only if I really have no other choice.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.

        Comment


        • #5
          Re: SMTP Relay authorisation issue

          Tom,

          How do I allow a group to relay? When I go into Protocols --> SMTP --> Virtual Server --> Properties --> Access --> Relay --> Add the only options I get are

          1) Single computer (IP address)
          2) Group of computers (IP address range)
          3) Whole Domain

          How do I specify that a Group is authenticated?

          Comment


          • #6
            Re: SMTP Relay authorisation issue

            Uncheck the box and click on the Users button... But why wouldn't you want the whole subnet to be able to relay?
            Attached Files
            Last edited by JeremyW; 8th September 2006, 03:19.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: SMTP Relay authorisation issue

              Hi Jeremy,

              The problem is the application can't authenticate (its a DOS program).

              We are now in the midst of moving exchange to a new server. I'll wait until all this is done and then report back.

              Comment


              • #8
                Re: SMTP Relay authorisation issue

                Unless there's computers you don't control, why not give the whole subnet permission to relay?
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com

                Comment


                • #9
                  Re: SMTP Relay authorisation issue

                  Hi Jeremy,

                  Yes, that seems simplest. Just add DCHP IP range for all client machines. As only machines on the local subnet can relay there shouldn't be any security concerns. Good idea. Thanks.

                  Comment

                  Working...
                  X