How to configure external relay for authenticated users


  • How to configure external relay for authenticated users

    I have a server running Exchange 2010.

    I have a user that can only connect to it via POP/SMTP when working remotely.

    POP works fine, but SMTP does not work - even when I test from Outlook 2010, I make sure that SMTP authentication is turned on, but it will not accept the username and password (although it accepts the same creds for POP).

    On the server there is currently only 1 receive connector, but I don't know how to tell if that allows relay from authenticated users or not.

    In addition, the user is working from home, so I can't restrict it to a single IP.
    David Silvester
    Systems Administrator

  • #2
    Re: How to configure external relay for authenticated users

    Is the account by any chance a member of an AD group with administrative privileges?



    • #3
      Re: How to configure external relay for authenticated users

      Could well be, is that likely to cause a problem?
      David Silvester
      Systems Administrator



      • #4
        Re: How to configure external relay for authenticated users

        Members of "protected" groups (like Domain Admins, Backup Operators, Print Operators and so on) inherit rights from the AdminSDHolder object. The "Send As" permission is not set on this object, and is thus removed from any member of a protected group.

        The fun part is that as a member of a protected group, you lose the "Send As" permission on your own account as well, which doesn't affect your ability to send e-mails using Outlook or OWA, but does prevent you from using authenticated SMTP.



        • #5
          Re: How to configure external relay for authenticated users

          That's interesting, and now that you mention it, I think I have come across that sort of scenario in the past and wondered what the reason for it was.

          In this case, I checked and the user is not a member of any protected groups. To be sure I have also created a test user that is just a standard user, and the issue still remains.

          In receive connectors I just have 1 connector, it's set to listen on 25 and 587 and from 0.0.0.0-255.255.255.255.

          In authentication only TLS and basic auth are ticked.

          In permission groups, only anonymous users are ticked.
          David Silvester
          Systems Administrator



          • #6
            Re: How to configure external relay for authenticated users

            You should have two connectors in a default configuration of Exchange.
            One on port 25 and the other on port 587. The first one will be called Default Receive Connector, the second Client Receive Connector. The second one is configured for authenticated relaying.

            It sounds to me like someone has removed the second one and put the port allocated on to the first. You should undo that. You need to have a receive connector with Exchange Users enabled on it to allow authenticated relaying. Don't enable it on the same connector that is using port 25 as that exposes you to authenticated relaying.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: How to configure external relay for authenticated users

              Hi Simon,
              Thanks for the reply. That makes sense, and in fact as it currently stands, I have done what you advised against - I ticked the Exchange Users box on the current, and only, connector, and that solved the problem.

              However, as I understand it, that means that authenticated relay is now available on port 25, and if an external body guesses an account's credentials, they can relay through our server.

              The idea of the second connector is to only allow authenticated relay on port 587, is that right?

              I will try to put it back the way it should be.
              David Silvester
              Systems Administrator



              • #8
                Re: How to configure external relay for authenticated users

                Correct - and that is how Exchange comes configured out of the box.

                Simon.
                --
                Simon Butler
                Exchange MVP


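The connector split discussed in this thread, as an added example for the Exchange Management Shell (not code posted by anyone in the thread): a read-only audit that flags any receive connector offering authenticated relay on port 25, and a function that puts the port 587 client connector back. The function names, `SERVER01` and the connector identity are placeholders chosen for illustration; the existing connector is reset to anonymous users only, matching the state described in post #5.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0).

# Read-only audit: one row per receive connector.
function Get-RelayExposure {
    Get-ReceiveConnector | ForEach-Object {
        # Cast to strings so this also works on deserialized remote-shell objects.
        $ports  = @($_.Bindings | ForEach-Object { ("$_" -split ':')[-1] } | Sort-Object -Unique)
        $groups = "$($_.PermissionGroups)"
        $auth   = "$($_.AuthMechanism)"
        New-Object PSObject -Property @{
            Identity            = "$($_.Identity)"
            Ports               = $ports -join ','
            PermissionGroups    = $groups
            AuthMechanism       = $auth
            # Exchange Users on a port 25 binding = authenticated relay on 25.
            AuthRelayOn25       = ($ports -contains '25') -and ($groups -match 'ExchangeUsers')
            # Basic auth offered without requiring TLS first.
            BasicAuthWithoutTls = ($auth -match 'BasicAuth') -and
                                  ($auth -notmatch 'BasicAuthRequireTLS')
        }
    }
}

# Restore the split: port 25 without Exchange Users, port 587 for clients.
function Restore-ClientConnector {
    param(
        [string]$Server,             # placeholder, e.g. 'SERVER01'
        [string]$ExistingConnector   # placeholder, e.g. 'SERVER01\Default SERVER01'
    )
    # 1. Free port 587 and drop Exchange Users from the existing connector.
    #    This must happen first: two connectors cannot share a binding and IP range.
    Set-ReceiveConnector -Identity $ExistingConnector `
        -Bindings '0.0.0.0:25' -PermissionGroups AnonymousUsers

    # 2. Recreate the client connector; -Usage Client applies the
    #    Exchange Users permission group and client authentication defaults.
    New-ReceiveConnector -Name "Client $Server" -Server $Server -Usage Client `
        -Bindings '0.0.0.0:587' -RemoteIPRanges '0.0.0.0-255.255.255.255'
}

# Audit before and after the change.
Get-RelayExposure |
    Format-Table Identity, Ports, PermissionGroups, AuthRelayOn25, BasicAuthWithoutTls -AutoSize
```

After the change, remote Outlook profiles need their outgoing server port set to 587, and `AuthRelayOn25` should read `False` for every connector.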
