Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Microsoft Exchange server question

  • 19-07-2004 10:18am
    #1
    Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭


    Hey guys,

    There's a setting in Microsoft Exchange Server 2002 to “Allow all computers which successfully authenticate to relay, regardless of list above”

    This is to allow email clients connect to, and relay mail through the server. How secure/insecure is having this turned on/off?

    Basically only machines using Outlook/Expess can connect to and send mail with this setting turned off, since the server now depends on windows authentication instead, which the likes of Mozilla/Netscape etc do not use.

    It smacks of classic MS "We don't play wellw ith others" syndrome.

    So what I'm looking for is reasons to/against the set-up described above.


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    Don't forget to set up the IP's that are allowed to connect to restict it to those you want - unless you are incredibly sure of your authentications.

    If you use an IMAP client - eg Thunderbird then the username becomes
    domain\username\mailbox
    and the user uses their domain password to logon

    you can also use the OWA to connect to the server.


  • Closed Accounts Posts: 394 ✭✭Batbat


    I think he is refering to spam relay control on the SMTP, set your SMTPO so it only relays your local network IP range, this wont effect the OWA


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Basically the problem is as follows:

    A few users (myself included) don't use Outlook for various (sane) reasons so needless to say we don't use windows authentication. We can receive internal & external mail no problem. We can send internal mail no problem. We just can't send external mail.


  • Closed Accounts Posts: 394 ✭✭Batbat


    look, if its just outgoing mails your worried about while using a non outlook mail client (good idea), best to just leave Exchange as is, and just install IIS onto win 2000pro or xp and part of that install is the SMTP service, just use whatever pc ip address as your outgoing SMTP server address.

    Now that will only work for outgoing mails, but thats all your interested in, since the exchange handles the incoming smtp mail for you


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Let me get this straight - you want me to install IIS on *my* machine?

    Does it matter if IIS is disabled? Or does it need to be running?

    /me shudders at thought of IIS


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    How do you access the internet ? Can you not use an external smtp machine your isp runs ?

    Or just install a smtp server on a spare box. Of course I'm sure it's possible to just use exchange to send mails from no outlook clients, just needs a bit of configuring.

    Gav


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Verb
    How do you access the internet ? Can you not use an external smtp machine your isp runs ?

    This is workplace related. Basically the admins have 'fiddled' (being the operative word) around with Exchange and now myself and a few others can't relay mail outside the company.

    Essentially a list of permitted devices on the network (the company domain) was permitted to use Exchange, and none else, but basically non-Outlook clients can't authenticate when trying to send mail externally.

    So to me this smacks of "we don't like the competition" settings as opposed to any meaningful "security" measures.


  • Closed Accounts Posts: 394 ✭✭Batbat


    Let me get this straight - you want me to install IIS on *my* machine?

    Does it matter if IIS is disabled? Or does it need to be running?

    /me shudders at thought of IIS

    nono, just install it because SMTP is one of the components of it for some reason, then just disable IIS and or FTP serverice after but leave SMTP service running


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Batbat
    nono, just install it because SMTP is one of the components of it for some reason, then just disable IIS and or FTP serverice after but leave SMTP service running

    This then bypasses the exchange server right?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    The relay issue isn't peculiar to MS, just awkward that MS won't let you seperate email passwords from domain passwords.

    Are you connecting to the server from inside or outside?

    Threats with auth before relay and windows are that:
    1 if a secure tunnel isn't used then authentication could be sniffed. More of a threat inside the company than outside?

    2 If externally accessible, allows external parties to test your domain passwords.

    3 If you have weak passwords, your server could be used as a spam relay.

    It sounds like you just want to use this internally, and I assume you're only using 1 exchange server in a DMZ.

    So if you can limit authentication to IPs in your internal subnet, use SSL, and have a good domain password complexity and expiry policy you should be OK.

    (or as has been suggested a smtp server that can only be accessed internally, postfix, Exchange or whatever, just for sending mail purpose. Thing is that without authentication, senders can pretend to be anyone, which isn't a good thing to security minded people. So having the mail relay server authenticating using LDAP/Kerberos is preferable. )


  • Advertisement
  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by Capt'n Midnight
    If you use an IMAP client - eg Thunderbird then the username becomes
    domain\username\mailbox
    and the user uses their domain password to logon

    you can also use the OWA to connect to the server.
    If you have no control over the exchange server at least you could ask what protocols are enabled for connection smtp / imap etc.
    You could also try to open a connection to the server using
    net use \\server /user:domain\username
    a long shot as usually only works for file/printer shares


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by ressem
    The relay issue isn't peculiar to MS, just awkward that MS won't let you seperate email passwords from domain passwords.

    Are you connecting to the server from inside or outside?

    Inside.


    Threats with auth before relay and windows are that:
    1 if a secure tunnel isn't used then authentication could be sniffed. More of a threat inside the company than outside?

    2 If externally accessible, allows external parties to test your domain passwords.

    Forwarding has been restricted to domain machines only apparently. There's a webmail service for anyone outside the domain at a given moment in time.


    It sounds like you just want to use this internally, and I assume you're only using 1 exchange server in a DMZ.

    Something like that. Simply - I want to be able to send mail outside the domain without having to violate my machine with the security hole known as "Outlook". I can send mail internally to others, but I can't send it out.


Advertisement