setting up a secure SMTP server

Hello everyone,
Just wanted to get an idea of what would be the most secure method for 
configuring our SMTP gateway server.
In our environment all SMTP servers are Exchange 2003 and are members of a 
single forest/domain.

Currently our SMTP gateway (Exchange 2003) is a multi-homed server with 2 
separate NICs, each of which has been assigned to a separate virtual server 
for inbound and outbound connections to the Internet.
We have created two SMTP connectors and, under the local bridgehead server, 
we added the corresponding virtual server. For example, for connections out 
to the Internet we added the outbound SMTP virtual server under the local 
bridgehead connection tab.
On the inbound virtual server properties settings we have enabled all 
filtering (sender, recipient and connection). In addition, under the 
"Authentication" properties settings we have checked anonymous, unchecked 
basic and integrated, and under the "relay restrictions" settings only the 
"list below" is checked, with the IP address of the outbound virtual server 
added to it.
On the outbound virtual server properties settings ONLY "Integrated Windows 
Auth" and relay for "Authenticated users only" are checked.
My question is: should filtering be enabled on the outbound virtual server 
properties settings, and what are some of the best practices for setting up 
an SMTP gateway? And is it OK to have my SMTP gateway server on the same 
domain as our internal Exchange servers?

TIA
Any feedback would certainly be appreciated.
Darren2661 (19)
1/9/2007 8:14:27 PM
Responses inline.

-- 
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------



"Darren@community.nospam" <GQ@community.nospam> wrote in message 
news:engOErCNHHA.2456@TK2MSFTNGP06.phx.gbl...
> Hello everyone,
> Just wanted to get an idea of what would be the most secure method for 
> configuring our SMTP gateway server.
> In our environment all SMTP servers are Exchange 2003 and are members of 
> a single forest/domain.
>
> Currently our SMTP gateway (Exchange 2003) is a multi-homed server with 2 
> separate NICs, each of which has been assigned to a separate virtual 
> server for inbound and outbound connections to the Internet.
> We have created two SMTP connectors and, under the local bridgehead 
> server, we added the corresponding virtual server. For example, for 
> connections out to the Internet we added the outbound SMTP virtual server 
> under the local bridgehead connection tab.
> On the inbound virtual server properties settings we have enabled all 
> filtering (sender, recipient and connection). In addition, under the 
> "Authentication" properties settings we have checked anonymous, unchecked 
> basic and integrated, and under the "relay restrictions" settings only the 
> "list below" is checked, with the IP address of the outbound virtual 
> server added to it.
> On the outbound virtual server properties settings ONLY "Integrated 
> Windows Auth" and relay for "Authenticated users only" are checked.

> My question is: should filtering be enabled on the outbound virtual server 
> properties settings, and what are some of the best practices for setting 
> up an SMTP gateway?

If both the sending Exchange server and the relay SMTP server (Exchange in 
this case) are from the same Org, the sessions are authenticated. By default 
filtering isn't applied and is usually meaningless, though some 
organizations prefer to run outbound mail through anti-virus scans as well. 
Many deployments do policy/compliance/disclaimer stuff on outbound mail 
relays.

Best practice is not to use domain members for internet-exposed SMTP hosts, 
particularly if they sit in a perimeter network.

> And is it OK to have my SMTP gateway server on the same 
> domain as our internal Exchange servers?

Answered above. Preferably not.

This best practice doc may help:
http://www.microsoft.com/technet/itshowcase/content/smtpggatewaysnote.mspx

bharatsuneja1 (3146)
1/9/2007 9:15:02 PM
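The relay and authentication settings the question describes, and Bharat's point that same-org sessions are authenticated so outbound filtering adds little, can be checked as a policy model. The following is an added example and is not code from the thread or from Exchange; it encodes the Exchange 2003 relay-restriction rules ("Only the list below" / "All except the list below", plus the "allow all computers which successfully authenticate" option), uses constructed IP addresses and an assumed accepted domain of example.com, and includes the "All except the list below" misconfiguration to show how the inbound virtual server would turn into an open relay.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}  # constructed: the org's accepted (local) domains


@dataclass
class VirtualServer:
    name: str
    anonymous: bool                    # Authentication tab: "Anonymous access"
    integrated: bool                   # Authentication tab: "Integrated Windows Authentication"
    relay_mode: str = "only_list"      # Relay Restrictions: "only_list" or "all_except"
    relay_list: tuple = ()             # hosts/networks in that list
    relay_authenticated: bool = False  # "Allow all computers which successfully authenticate to relay"


@dataclass
class Session:
    source_ip: str
    authenticated: bool
    rcpt_domain: str


def in_list(ip, entries):
    """True if the client address falls inside any host or network on the relay list."""
    return any(ip_address(ip) in ip_network(e, strict=False) for e in entries)


def decide(vs, s):
    """Outcome of one RCPT TO on a virtual server: 'accept', 'reject-auth' or 'reject-relay'."""
    if s.authenticated and not vs.integrated:
        return "reject-auth"      # server offers no AUTH mechanism this session could use
    if not s.authenticated and not vs.anonymous:
        return "reject-auth"      # anonymous sessions are refused outright
    if s.rcpt_domain.lower() in LOCAL_DOMAINS:
        return "accept"           # local delivery is never relay; filtering applies here
    listed = in_list(s.source_ip, vs.relay_list)
    if (vs.relay_mode == "only_list" and listed) or \
       (vs.relay_mode == "all_except" and not listed):
        return "accept"
    if s.authenticated and vs.relay_authenticated:
        return "accept"
    return "reject-relay"         # Exchange answers 550 5.7.1 Unable to relay


# The two virtual servers as described in the question (addresses are constructed).
INBOUND = VirtualServer("inbound", anonymous=True, integrated=False,
                        relay_list=("10.0.0.2",))            # outbound VS address
OUTBOUND = VirtualServer("outbound", anonymous=False, integrated=True,
                         relay_authenticated=True)
# Weak variant: "All except the list below" with an empty list relays for everyone.
INBOUND_OPEN = VirtualServer("inbound-open", anonymous=True, integrated=False,
                             relay_mode="all_except")

SCENARIOS = {
    "internet_to_local":   Session("203.0.113.5", False, "example.com"),
    "internet_relay_out":  Session("203.0.113.5", False, "other.example"),
    "outbound_vs_relay":   Session("10.0.0.2",    False, "other.example"),
    "internal_auth_relay": Session("10.0.0.50",   True,  "other.example"),
    "internal_anon_relay": Session("10.0.0.50",   False, "other.example"),
}


def audit(vs):
    """Map every scenario to the virtual server's decision."""
    return {name: decide(vs, sess) for name, sess in SCENARIOS.items()}


if __name__ == "__main__":
    for server in (INBOUND, OUTBOUND, INBOUND_OPEN):
        print(server.name, audit(server))
```

The inbound server accepts Internet mail only for local domains and relays only for the outbound server's address, while the outbound server never talks to anonymous clients; the open variant shows the single checkbox that breaks that.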
Hi,

Thank you for posting here.

You may consider placing an ISA Server acting as a 3-leg advanced firewall 
server to control traffic, and placing an SMTP relay server in the 
perimeter network; the dedicated SMTP gateway server doesn't require an 
Exchange installation, and you can simply configure the SMTP service 
included in Windows Server to act as the SMTP gateway. For more information 
about how to configure a Windows Server as an SMTP gateway server, please 
refer to the following Knowledge Base (KB) article:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;293800


Hope this helps. Have a nice day!


Best Regards,
 
Chace Zhang (MSFT)
 
Microsoft CSS Online Newsgroup Support
 
Get Secure! - www.microsoft.com/security
 
=====================================================
This newsgroup only focuses on Exchange technical issues. If you have 
issues regarding other Microsoft products, it is better to post in the 
corresponding newsgroups so that they can be resolved in an efficient and 
timely manner. You can locate the newsgroups here: 
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
 
When opening a new thread via the web interface, we recommend you check the 
"Notify me of replies" box to receive e-mail notifications when there are 
any updates in your thread. When responding to posts via your newsreader, 
please "Reply to Group" so that others may learn and benefit from your 
issue.
 
Microsoft engineers can only focus on one issue per thread. Although we 
provide other information for your reference, we recommend you post 
different incidents in different threads to keep the thread clean. In doing 
so, it will ensure your issues are resolved in a timely manner. 
 
For urgent issues, you may want to contact Microsoft CSS directly. Please 
check http://support.microsoft.com for regional support phone numbers.
 
Any input or comments in this thread are highly appreciated.
 
=====================================================
 
This posting is provided "AS IS" with no warranties, and confers no rights.

v-chacez (123)
1/10/2007 6:55:10 AM
hi there :-) my pop3 server is limited to 10 query per sec. and per ip. i have abou 16 mail-accounts on this server. the last 6 allways error with timeou or something. is there a way to limit the number of connections to one server i outlook 2002 on windows xp pro? thanks a lo - jazzy_ ----------------------------------------------------------------------- Posted via http://www.mcse.m ----------------------------------------------------------------------- View this thread: http://www.mcse.ms/message674073.htm Set your send/receive settings to consecutive mail checks, rather than conc...