How to configure external relay for authenticated users


This topic contains 7 replies, has 4 voices, and was last updated by universal 5 years, 9 months ago.

    davids355
    Member
    #163901

    I have a server running Exchange 2010.

    I have a user that can only connect to it via POP/SMTP when working remotely.

    POP works fine, but SMTP does not work – even when I test from Outlook 2010, I make sure that SMTP authentication is turned on, but it will not accept the username and password (although it accepts the same creds for POP).

    On the server there is currently only 1 receive connector, but I don't know how to tell if that allows relay from authenticated users or not.

    In addition, the user is working from home, so I can't restrict it to a single IP.

    universal
    Member
    #388679

    Re: How to configure external relay for authenticated users

    Is the account by any chance a member of an AD group with administrative privileges?

    EarthReactor
    Member
    #377226

    Re: How to configure external relay for authenticated users

    Could well be, is that likely to cause a problem?

    universal
    Member
    #388680

    Re: How to configure external relay for authenticated users

    Members of “protected” groups (like Domain Admins, Backup Operators, Print Operators and so on) inherit rights from the AdminSDHolder object. The “Send As” permission is not set on this object, and is thus removed from any member of a protected group.

    The fun part is that as a member of a protected group, you lose the “Send As” permission on your own account as well, which doesn’t affect your ability to send e-mails using Outlook or OWA, but does prevent you from using authenticated SMTP.

    EarthReactor
    Member
    #377227

    Re: How to configure external relay for authenticated users

    That’s interesting, and now that you mention it, I think I have come across that sort of scenario in the past and wondered what the reason for it was.

    In this case, I checked and the user is not a member of any protected groups. To be sure I have also created a test user that is just a standard user, and the issue still remains.

    In receive connectors I just have 1 connector; it’s set to listen on 25 and 587 and from 0.0.0.0-255.255.255.255.

    In authentication, only TLS and basic auth are ticked.

    In permission groups, only anonymous users are ticked.

    Sembee
    Member
    #261356

    Re: How to configure external relay for authenticated users

    You should have two connectors in a default configuration of Exchange.
    One on port 25 and the other on port 587. The first one will be called Default Receive Connector, the second Client Receive Connector. The second one is configured for authenticated relaying.

    It sounds to me like someone has removed the second one and put the port allocated on to the first. You should undo that. You need to have a receive connector with Exchange Users enabled on it to allow authenticated relaying. Don’t enable it on the same connector that is using port 25 as that exposes you to authenticated relaying.

    Simon.

    EarthReactor
    Member
    #377228

    Re: How to configure external relay for authenticated users

    Hi Simon,
    Thanks for the reply. That makes sense, and in fact as it currently stands, I have done what you advised against – I ticked the Exchange Users box on the current, and only, connector, and that solved the problem.

    However, as I understand it, that means that authenticated relay is now available on port 25, and if an external body guesses an account’s credentials, they can relay through our server.

    The idea of the second connector is to only allow authenticated relay on port 587, is that right?

    I will try to put it back the way it should be.

    Sembee
    Member
    #261359

    Re: How to configure external relay for authenticated users

    Correct – and that is how Exchange comes configured out of the box.

    Simon.
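
An audit check for the layout recommended in this thread, added here as an example and not posted by any participant: it flags a receive connector that has Exchange Users enabled while bound to port 25, and one that offers basic auth to those users without requiring TLS first. The function name and the sample connectors are constructed for illustration; on the server the input would come from `Get-ReceiveConnector`.

```powershell
# Added example, not from the thread. Works on Get-ReceiveConnector output or on
# objects with the same four properties (Name, Bindings, PermissionGroups, AuthMechanism).
function Test-ReceiveConnectorRelay {
    param([Parameter(ValueFromPipeline = $true)] $Connector)
    process {
        # A binding prints as "0.0.0.0:25" or "[::]:25"; the port follows the last colon.
        $ports  = @($Connector.Bindings | ForEach-Object { [int](([string]$_).Split(':')[-1]) })
        $groups = @("$($Connector.PermissionGroups)" -split '\s*,\s*')
        $auth   = @("$($Connector.AuthMechanism)" -split '\s*,\s*')
        $users  = $groups -contains 'ExchangeUsers'

        $findings = @()
        if ($users -and ($ports -contains 25)) {
            $findings += 'ExchangeUsers enabled on a connector bound to port 25'
        }
        if ($users -and ($auth -contains 'BasicAuth') -and ($auth -notcontains 'BasicAuthRequireTLS')) {
            $findings += 'Basic auth offered without requiring TLS first'
        }
        if ($findings.Count -eq 0) { $findings = @('none') }

        New-Object PSObject -Property @{
            Name             = $Connector.Name
            Ports            = ($ports -join ',')
            PermissionGroups = ($groups -join ',')
            Findings         = ($findings -join '; ')
        } | Select-Object Name, Ports, PermissionGroups, Findings
    }
}

# Constructed sample input (names are placeholders, not taken from a real server).
$sample = @(
    # The single connector described in the thread after Exchange Users was ticked on it.
    New-Object PSObject -Property @{ Name = 'Combined (constructed)'
        Bindings = @('0.0.0.0:25', '0.0.0.0:587')
        PermissionGroups = 'AnonymousUsers, ExchangeUsers'; AuthMechanism = 'Tls, BasicAuth' }
    # The split layout recommended in the thread: anonymous on 25, authenticated on 587.
    New-Object PSObject -Property @{ Name = 'Inbound 25 (constructed)'
        Bindings = @('0.0.0.0:25')
        PermissionGroups = 'AnonymousUsers'; AuthMechanism = 'Tls' }
    New-Object PSObject -Property @{ Name = 'Client 587 (constructed)'
        Bindings = @('0.0.0.0:587')
        PermissionGroups = 'ExchangeUsers'; AuthMechanism = 'Tls, BasicAuth, BasicAuthRequireTLS' }
)
$sample | Test-ReceiveConnectorRelay | Format-List

# On the Exchange server itself: Get-ReceiveConnector | Test-ReceiveConnectorRelay | Format-List
```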
