
Microsoft Exchange server question

  • 19-07-2004 11:18am
    #1
    Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭


    Hey guys,

    There's a setting in Microsoft Exchange Server 2002 to “Allow all computers which successfully authenticate to relay, regardless of list above”

    This is to allow email clients connect to, and relay mail through the server. How secure/insecure is having this turned on/off?

    Basically only machines using Outlook/Express can connect to and send mail with this setting turned off, since the server now depends on Windows authentication instead, which the likes of Mozilla/Netscape etc. do not use.

    It smacks of classic MS "We don't play well with others" syndrome.

    So what I'm looking for is reasons to/against the set-up described above.


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    Don't forget to set up the IPs that are allowed to connect to restrict it to those you want - unless you are incredibly sure of your authentications.

    If you use an IMAP client - eg Thunderbird then the username becomes
    domain\username\mailbox
    and the user uses their domain password to logon

    you can also use the OWA to connect to the server.


  • Closed Accounts Posts: 394 ✭✭Batbat


    I think he is referring to spam relay control on the SMTP; set your SMTP so it only relays for your local network IP range. This won't affect the OWA.


  • Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭Lemming


    Basically the problem is as follows:

    A few users (myself included) don't use Outlook for various (sane) reasons so needless to say we don't use windows authentication. We can receive internal & external mail no problem. We can send internal mail no problem. We just can't send external mail.


  • Closed Accounts Posts: 394 ✭✭Batbat


    Look, if it's just outgoing mails you're worried about while using a non-Outlook mail client (good idea), best to just leave Exchange as is, and just install IIS onto Win 2000 Pro or XP; part of that install is the SMTP service. Just use whatever PC IP address as your outgoing SMTP server address.

    Now that will only work for outgoing mails, but that's all you're interested in, since the Exchange handles the incoming SMTP mail for you.


  • Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭Lemming


    Let me get this straight - you want me to install IIS on *my* machine?

    Does it matter if IIS is disabled? Or does it need to be running?

    /me shudders at thought of IIS


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    How do you access the internet? Can you not use an external SMTP machine your ISP runs?

    Or just install an SMTP server on a spare box. Of course I'm sure it's possible to just use Exchange to send mails from non-Outlook clients; it just needs a bit of configuring.

    Gav


  • Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭Lemming


    Originally posted by Verb
    How do you access the internet? Can you not use an external SMTP machine your ISP runs?

    This is workplace related. Basically the admins have 'fiddled' (being the operative word) around with Exchange and now myself and a few others can't relay mail outside the company.

    Essentially a list of permitted devices on the network (the company domain) was permitted to use Exchange, and none else, but basically non-Outlook clients can't authenticate when trying to send mail externally.

    So to me this smacks of "we don't like the competition" settings as opposed to any meaningful "security" measures.


  • Closed Accounts Posts: 394 ✭✭Batbat


    Originally posted by Lemming
    Let me get this straight - you want me to install IIS on *my* machine?

    Does it matter if IIS is disabled? Or does it need to be running?

    /me shudders at thought of IIS

    No no, just install it because SMTP is one of the components of it for some reason, then just disable IIS and/or the FTP service after, but leave the SMTP service running.


  • Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭Lemming


    Originally posted by Batbat
    No no, just install it because SMTP is one of the components of it for some reason, then just disable IIS and/or the FTP service after, but leave the SMTP service running.

    This then bypasses the exchange server right?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    The relay issue isn't peculiar to MS, just awkward that MS won't let you separate email passwords from domain passwords.

    Are you connecting to the server from inside or outside?

    Threats with auth before relay and Windows are that:
    1. If a secure tunnel isn't used then authentication could be sniffed. More of a threat inside the company than outside?

    2. If externally accessible, allows external parties to test your domain passwords.

    3. If you have weak passwords, your server could be used as a spam relay.

    It sounds like you just want to use this internally, and I assume you're only using 1 exchange server in a DMZ.

    So if you can limit authentication to IPs in your internal subnet, use SSL, and have a good domain password complexity and expiry policy you should be OK.

    (Or, as has been suggested, an SMTP server that can only be accessed internally - Postfix, Exchange or whatever - just for sending mail purposes. Thing is that without authentication, senders can pretend to be anyone, which isn't a good thing to security-minded people. So having the mail relay server authenticating using LDAP/Kerberos is preferable.)
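    One check a defender can run against the three risks ressem lists (an added example, not code from this thread or from Microsoft): whether an SMTP listener advertises AUTH on a plaintext session before STARTTLS, and whether STARTTLS is offered at all. The host name in probe() is a placeholder, and the two EHLO replies are constructed samples.

```python
import smtplib
from dataclasses import dataclass

@dataclass
class SmtpAuthPosture:
    starttls_offered: bool      # server offers a tunnel for the AUTH exchange
    auth_on_cleartext: bool     # AUTH advertised before STARTTLS: password sniffable
    mechanisms: tuple           # e.g. ("LOGIN", "PLAIN"): both carry the password

def parse_ehlo(reply: bytes) -> dict:
    """Map each '250-KEYWORD params' line of a raw EHLO reply to {KEYWORD: params}."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # line 0 is the greeting
        key, _, params = line[4:].partition(" ")                    # drop '250-' / '250 '
        caps[key.upper()] = params
    return caps

def assess(ehlo_reply: bytes) -> SmtpAuthPosture:
    """Posture from the EHLO reply seen on a plaintext (pre-STARTTLS) session."""
    caps = parse_ehlo(ehlo_reply)
    mechs = tuple(caps.get("AUTH", "").split())
    return SmtpAuthPosture("STARTTLS" in caps, bool(mechs), mechs)

def findings(p: SmtpAuthPosture, reachable_from_internet: bool) -> list:
    """Translate the posture into the three relay risks from the thread."""
    out = []
    if p.auth_on_cleartext:
        out.append("domain passwords can be sniffed: AUTH offered before STARTTLS")
    if not p.starttls_offered:
        out.append("no STARTTLS: no tunnel available for authentication")
    if reachable_from_internet and p.mechanisms:
        out.append("AUTH reachable from outside: domain passwords can be guessed, "
                   "and a weak one turns the server into a spam relay")
    return out

def probe(host: str, port: int = 25) -> SmtpAuthPosture:
    """Live check against a server you administer; host is a placeholder here."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()   # smtplib keeps the parsed reply in esmtp_features (keys lowercased)
        mechs = tuple(s.esmtp_features.get("auth", "").split())
        return SmtpAuthPosture(s.has_extn("starttls"), bool(mechs), mechs)

# Constructed sample EHLO replies (not captured from any real server).
WEAK_REPLY = (b"250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
              b"250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n250 OK\r\n")
GOOD_REPLY = (b"250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
              b"250-STARTTLS\r\n250 OK\r\n")

if __name__ == "__main__":
    for name, reply in (("weak", WEAK_REPLY), ("good", GOOD_REPLY)):
        print(name, findings(assess(reply), reachable_from_internet=False))
```

    The "good" sample only offers AUTH after STARTTLS, which is the "use SSL" advice above; pair it with the IP restriction on the relay list and a password policy to cover the other two points.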


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 92,986 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by Capt'n Midnight
    If you use an IMAP client - eg Thunderbird then the username becomes
    domain\username\mailbox
    and the user uses their domain password to logon

    you can also use the OWA to connect to the server.
    If you have no control over the Exchange server, at least you could ask what protocols are enabled for connection (SMTP/IMAP etc.).
    You could also try to open a connection to the server using
    net use \\server /user:domain\username
    A long shot, as it usually only works for file/printer shares.


  • Registered Users, Registered Users 2 Posts: 14,148 ✭✭✭✭Lemming


    Originally posted by ressem
    The relay issue isn't peculiar to MS, just awkward that MS won't let you separate email passwords from domain passwords.

    Are you connecting to the server from inside or outside?

    Inside.


    Threats with auth before relay and Windows are that:
    1. If a secure tunnel isn't used then authentication could be sniffed. More of a threat inside the company than outside?

    2. If externally accessible, allows external parties to test your domain passwords.

    Forwarding has been restricted to domain machines only apparently. There's a webmail service for anyone outside the domain at a given moment in time.


    It sounds like you just want to use this internally, and I assume you're only using 1 exchange server in a DMZ.

    Something like that. Simply - I want to be able to send mail outside the domain without having to violate my machine with the security hole known as "Outlook". I can send mail internally to others, but I can't send it out.

