SMTP Relay Question?

Post by Paul Hutchings » Mon, 08 Jul 2002 02:02:23



This is a mix of ISA and IIS, not sure which is more relevant so..

I want to make our ISA server our SMTP relay for inbound and outbound email
using the IIS SMTP Service.

AIUI I can do it one of two ways after disabling socket pooling:

Have a single IIS virtual SMTP server listen on the internal IP of ISA, and
use the secure mail wizard to publish an external IP on ISA to this
internal virtual server.  Inbound mail is routed to our internal servers
using remote domains.

I can then set our internal servers to use this SMTP virtual server as
their outbound relay as it's on a private internal IP, and create the
appropriate outbound packet filter on ISA, this is pretty much what we do
at present, and it works fine.

Alternatively, I can use packet filters to allow inbound and outbound SMTP
on ISA's external IP address, and have one SMTP virtual server listen on
that external address and use remote domains to forward inbound mail to our
internal Exchange servers, and then create a second virtual server that
listens on a private internal IP to receive and relay outbound mail.

AIUI either method would work, but I'm unsure of the real world benefit of
doing one over the other.

TIA
Paul
--
Paul Hutchings
****Remove NOSPAM when replying****

 
 
 

Post by Jim Harrison » Mon, 08 Jul 2002 09:06:00


Using server publishing to the single VServer on the internal IP would be
the most useful.
This would allow you to use the VServer as the required W2K SMTP server for
SMTP filtering.

Tom has some good discussions on this at www.isaserver.org; you should check
them out.

--
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

Post by Paul Hutchings » Mon, 08 Jul 2002 18:23:21




> Using server publishing to the single VServer on the internal IP would
> be the most useful.
> This would allow you to use the VServer as the required W2K SMTP
> server for SMTP filtering.

> Tom has some good discussions on this at www.isaserver.org; you should
> check them out.

Yeah, I did take a look, most of the stuff about relays and smtp filtering
(which we do) seems to center on using a separate machine to be the relay
box - we don't have one, and given the volume of mail we receive, the spec
of our new ISA box, and that it's behind a Checkpoint firewall I'm not too
concerned about sticking SMTP on it.

Sorry to sound pedantic, but any ideas why doing it this way is *better*
than the other, I see it's simpler but I'm just curious if there's a
technical benefit other than just needing the 1 Vserver?

rgds
Paul
--
Paul Hutchings
****Remove NOSPAM when replying****

 
 
 

Post by Jim Harrison » Mon, 08 Jul 2002 23:30:13


The Packet Filter method is ISA's "dumbest" mechanism for passing traffic.
There's no stateful inspection or L4+ capability; just simple protocol/port
validation.
Consequently, the SMTP filter is no good to you in that scenario.

--
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!



Post by Paul Hutchings » Mon, 08 Jul 2002 23:55:10




> The Packet Filter method is ISA's "dumbest" mechanism for passing
> traffic. There's no stateful inspection or L4+ capability; just simple
> protocol/port validation.
> Consequently, the SMTP filter is no good to you in that scenario.

That makes it clearer, basically packet filtering just opens that port and
doesn't much care what goes in or out through it.

From what you've suggested I'll obviously go with the published server on
the internal interface of ISA, I guess I still need an outbound packet
filter, but with strict relaying controls that's less of a worry.

Thanks very much for the advice and information

Paul

--
Paul Hutchings
****Remove NOSPAM when replying****
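
Added example, not part of the thread and not ISA or IIS code: a small Python model of the relay rules the posts settle on, where one virtual server accepts inbound mail for its own domains from anyone and relays to other domains only for listed internal hosts. The subnet, the domain names and the function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample policy: assumptions for illustration, not values from the thread.
RELAY_ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # internal mail servers
INBOUND_DOMAINS = {"example.com"}  # domains routed inward via "remote domains"


def relay_decision(client_ip, rcpt):
    """Classify one RCPT TO as 'deliver-internal', 'relay-outbound' or 'reject'."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "reject"  # unparseable peer address: fail closed
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or "@" in local:
        return "reject"  # malformed or ambiguous recipient: fail closed
    if domain in INBOUND_DOMAINS:
        return "deliver-internal"  # inbound mail is accepted from any peer
    if any(addr in net for net in RELAY_ALLOWED_NETS):
        return "relay-outbound"  # only listed internal hosts may relay out
    return "reject"  # everyone else is refused relay for foreign domains


def audit(attempts):
    """Return the (client_ip, rcpt) pairs that the policy refuses."""
    return [(ip, rcpt) for ip, rcpt in attempts if relay_decision(ip, rcpt) == "reject"]


# Constructed sample traffic (documentation address ranges and test domains).
SAMPLE = [
    ("203.0.113.9", "user@example.com"),
    ("10.0.0.25", "bob@partner.test"),
    ("203.0.113.9", "bob@partner.test"),
]

if __name__ == "__main__":
    for ip, rcpt in SAMPLE:
        print(ip, rcpt, relay_decision(ip, rcpt))
```

A packet filter alone sees none of this: it passes or drops port 25 traffic without looking at the recipient, so the relay restriction has to be enforced on the SMTP virtual server itself.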

 
 
 

1. SMTP Relay Question

Under the SMTP virtual server I set the "Only the list
below" with my subnet listed.  Okay, no problem.

However, I have about 20 people out in the field who are
at a client and use our Exchange server as their SMTP
server.  Now they can't because of the settings.

What's a way around this?  I need to have these people in
the field send their mail through our server.  They are
all using Outlook Express, they cannot use OWA or an
Outlook with Exchange setup.

TIA,

Scott
