Problem w/Second SMTPVS for Secure relaying from remote clients


Post by Paul MacFarlan » Sun, 17 Nov 2002 18:20:58



I have users in the field using laptops and OE w/IMAP connections to our
exchange server...  That works fine.

We were recently hit hard by spammers relaying so we've locked down our
system.
I've added a second SMTPVS to handle these remote users.  It requires Basic
authentication and uses an alternate port number for getting in to the
server.

I created an SMTP connector that allows relaying but only via the VS that
requires authentication.

It appears to connect and authenticate fine, but we are getting the
following messages.

The message could not be sent because the server rejected the sender's

Subject 'testing', Account: 'arsc - Paul', Server: 'amerisoftcorp.com',
Protocol: SMTP, Server Response: '454 5.7.3 Client does not have permission
to Send As this sender.', Port: xxxx, Secure(SSL): No, Server Error: 454,
Error Number: 0x800CCC78

I've seen the article about policies and DNS issues (although I'm not
totally clear in the DNS issues) but the article isn't exactly what I'm
getting here...

Any ideas?  Where are Send As permissions set?  AD?  What can't I send as
myself?<g>

The e-mail will send fine from within our office....

Any suggestions appreciated.

--
Paul MacFarlane

 
 
 


Post by Don Tan [MS » Wed, 20 Nov 2002 03:41:31


Hello,

It looks to me that you're able to receive SMTP messages but not able to
send SMTP messages as well.

What happens if you try to telnet from the client workstation, does the
telnet work? If it works then the client workstation is not configured
correctly to send SMTP messages.

XFOR: Telnet to Port 25 of IMC to Test IMC Communication
http://support.microsoft.com/default.aspx?scid=kb;en-us;153119

The other thing that I could think of is if the new SMTP virtual server is
not configured correctly.

For this see the following whitepaper:

Troubleshooting Message Flow in Microsoft Exchange 2000: A Step-by-Step
Approach
http://www.microsoft.com/Exchange/techinfo/administration/2000/Messag...
sp

Also, take a look at the application logs and see if you're getting any
error messages there.

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 


Post by Paul MacFarlan » Wed, 20 Nov 2002 06:49:41


Thanks for your response Don....

As far as the telnet is concern I can telnet my regular Virtual Server and
that works fine.  The alternate (for secure relay) gives me a message "454
5.7.3 Client not authenticated." So I suspect this is the problem... but
don't know where to look...

The client is Outlook Express 6.  I have the Outgoing mail configured to
login, and I think it does.

I don't know if there are any issues related to using an alternate port for
smtp either.

My actual message received in the error log on OE is " no permission to Send
As"...  So, for some reason it's not correlating the login with the e-mail
address?
I did run the recipient update service and the addresses are part of the
default policy.....

I've read through the trouble shooting message flow document and haven't
seen anything that stands out - but I will have to review it later when I
have access to the server.

Thanks,
Paul




 
 
 


Post by Don Tan [MS » Fri, 22 Nov 2002 05:28:04


Hello Paul,

Another thought came to my mind.

NDRs that contain the 5.7.3 error code can occur if servers occasionally
authenticate as anonymous, which does not work because these servers
require authentication (to send, as well as to relay); therefore, NDRs are
generated.

An additional cause for this error when using Microsoft ISA Server 2000 is
if the external IP address of the ISA server changes, and the IP address
for the SMTP Publishing rule has not been updated to reflect the new
external IP on the ISA server, and/or if the Isactrl service has not been
restarted after changing the IP address of the SMTP Publishing rule.

Also, the account that's having the problem, verify if he does have send as
rights.

1. Start the Active Directory Users and Computers Microsoft Management
Console (MMC) snap-in.

2. On the View menu, click Advanced Features.

3. Open the properties for the mail-enabled user.

4. Click the Exchange Advanced tab, and then click the Mailbox Rights
button.

5. Make sure the user account has the following permissions:

        -       Read permissions

        -       Full Mailbox Access

6. Select the Security Tab, Make sure the user account has the following
permissions:

        -       Receive as

        -       Send as

Hopefully the send as rights should fix the problem.

I look forward to hearing from you.

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 


Post by Paul MacFarlan » Fri, 22 Nov 2002 07:59:52


Don,

Okay - followed the instructions but the same message occurs.
I restarted the server to make sure everything got a fresh start.  Same
message.

I reviewed the event log there is nothing there.

I am not running ISA...

One of the questions I had regarding security etc is: Is there a difference
in using SELF or the actual user name when giving rights?  Also is the
creator always the owner?

Also, the message says the "Client" does not have permissions to Send As....
I would have thought it would be "User".  Is there somewhere we can restrict
or enable clients?

Thanks for your help,

Paul




 
 
 


Post by Don Tan [MS » Fri, 22 Nov 2002 08:32:19


Hello Paul,

The self account is actually the AD account that has full mailbox rights
for that mailbox.

To answer your question, do you mean the person who created the account and
mailbox be the owner?

The steps that I previously posted is the window you can add additional
clients (AD users) to have access for that mailbox.

On the new SMTP virtual server that you created and under Authentication,
which are selected? Anonymous, Basic, or Windows Integrated?

If Basic and Windows Integrated are selected, on the client side using
Outlook Express, how are the credentials for the client set up?

Usually under username, you should put <domainname>\<username> then the
password.

Also, here's another option, on the new SMTP virtual server, check
ANONYMOUS access, restart the SMTP service and see if the client can send
messages.

If he can send messages and that was the problem, the SMTP virtual server
is not setup correctly.

The next thing you need to worry about is relaying. After enabling
anonymous access on smtp virtual server, you need to make sure that
relaying is setup correctly so that other users won't be able to relay to
your server.

Here's a whitepaper that will help you with that.

Controlling SMTP Relaying with Microsoft Exchange
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/se...
prodtech/mailexch/excrelay.asp

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 


Post by Paul MacFarlan » Fri, 22 Nov 2002 09:48:22


Don,

Okay - I was using Basic Authentication. I was using DOMAIN\USER in the
login too.

All my error messages were displayed in OE - they were not NDRs.

I've now modified it to allow Anonymous connection.  It appears to go out
fine but bounced with an NDR that says:
    <amerisoftcorp.com #5.7.1 smtp;550 5.7.1 Unable to relay for

Article 274638 says to enable relay on the server (which it is), then
discusses issues with the DNS MX records.
It says to properly configure DNS records - my main SMTPVS works fine.  How
do I change DNS to work with the other one (alt port#)?
It says to "allow computers that succ auth to relay" which is under the
RELAY button on the VS - which is done.
Ensure proxy addresses match at least one recipient policy. - The default
policy contains all my domains names....

So, it looks to me like it's DNS related.....  Any thoughts?

Thanks,
Paul




 
 
 


Post by Don Tan [MS » Sat, 23 Nov 2002 05:10:26


Hello Paul,

How did you create the second SMTP virtual server, did you add another
NIC and have a different IP address or just add another IP address on the
server?

Post back with the steps.

I look forward to hearing from you.

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 


Post by Paul MacFarlan » Sat, 23 Nov 2002 06:14:34


Don,

It's the SAME IP but using an alternate port number.

Paul




 
 
 


Post by Don Tan [MS » Sat, 23 Nov 2002 08:12:15


Hello Paul,

I was researching this issue a little bit more. I think I know what the
problem is. Since Exchange 2000 has 2 SMTP virtual servers with the same IP
address there was a problem of to which mail should route. If a mail
message was sent to the IP address then the 2 SMTP virtual servers would
respond but wouldn't know what to respond to.

Here's what you need to do.

1) Remove the second virtual server that you created.

2) Stop and Restart IISAdmin

3) Go the properties of the default smtp virtual server

4) Click on the General tab, then select "All Unassigned" for the IP address

5) Click on the Access tab, then click Authentication, check all boxes
except for Requires TLS authentication. When checking all authentication
for the virtual server, you're actually not exposing the server to the
internet, rather giving it options for other mail servers to connect to.

6) Click on the Connections button (Access tab),  Select "All except the
list below" and the list should be blank. So far you've configured the
server to use 3 authentication methods and to accept connections from
anybody.

7) Click on Relay (Access tab), Select "Only the list below". The list
should be blank. Select "allow all computers which successfully
authenticate to relay"

NOTE: This is different from the AUTHENTICATION button.  The relay button
is actually the one that restricts the clients or other people to relay
from your server.
NOTE: The Relay settings are totally different from the Authentication and
Connection buttons. To be more specific, mail servers out there, some of
them need to anonymously connect to your server to send mail, this is
where the Authentication and Connection buttons come into place because
most mail servers out there need to issue telnet commands to your server
for them to send mail to your domain

8) After making the changes stop and restart the IISAdmin service again.

To make sure that clients shouldn't be able to relay to this server, see
the following kb.

HOW TO: Prevent Exchange 2000 from Being Used as a Mail Relay in Windows
2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;310380

HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP Queues
on SBS 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;324958

NOTE: On the article above DON'T follow all the directions. Just follow the
section "Determine Whether the Exchange Server Is an Open SMTP Relay"

I look forward to hearing from you.

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.
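
The split described in this post between the Authentication setting and the Relay setting can be checked from the client side by walking the SMTP dialogue and noting which command the server refuses. The following is an added example, not part of the original posts or of any Microsoft tool; `FakeVirtualServer`, its account, the `*.example` domains and the mapping of each reply text to a command are constructed assumptions so the check runs offline.

```python
import base64

def _b64(s):
    return base64.b64encode(s.encode()).decode()

def relay_probe(cmd, sender, rcpt, user=None, password=None):
    """Walk one SMTP dialogue and return (stage, code): the step the server
    refused, or ("accepted", code) if it took the recipient.
    cmd(verb, args) -> (code, text); smtplib.SMTP(host, port).docmd fits."""
    steps = [("ehlo", "EHLO", "probe.example", (250,))]
    if user is not None:
        # AUTH LOGIN is the mechanism behind "Basic authentication".
        steps += [("auth", "AUTH", "LOGIN", (334,)),
                  ("auth", _b64(user), "", (334,)),
                  ("auth", _b64(password), "", (235,))]
    steps += [("mail_from", "MAIL", "FROM:<%s>" % sender, (250,)),
              ("rcpt_to", "RCPT", "TO:<%s>" % rcpt, (250, 251))]
    for stage, verb, args, ok in steps:
        code, _text = cmd(verb, args)
        if code not in ok:
            return (stage, code)
    cmd("RSET", "")  # stop before DATA so no message is ever queued
    return ("accepted", code)

class FakeVirtualServer:
    """Constructed stand-in for offline runs. Reply texts are the ones quoted
    in the thread; which command triggers each is this model's assumption."""
    def __init__(self, anonymous, relay_if_authenticated):
        self.anonymous, self.relay_auth = anonymous, relay_if_authenticated
        self.accounts = {"CORP\\paul": ("s3cret", "paul@corp.example")}
        self.user, self._creds = None, None

    def cmd(self, verb, args=""):
        if verb == "EHLO":
            self.user, self._creds = None, None
            return (250, "AUTH LOGIN")
        if verb == "AUTH":
            self._creds = []
            return (334, "Username:")
        if self._creds is not None:  # inside the AUTH LOGIN exchange
            self._creds.append(base64.b64decode(verb).decode())
            if len(self._creds) < 2:
                return (334, "Password:")
            (name, pw), self._creds = self._creds, None
            if self.accounts.get(name, (None,))[0] != pw:
                return (535, "authentication failed")
            self.user = name
            return (235, "authenticated")
        if verb == "MAIL":
            if self.user is None and not self.anonymous:
                return (454, "5.7.3 Client not authenticated.")
            if self.user and self.accounts[self.user][1] != args[6:-1]:
                return (454, "5.7.3 Client does not have permission to Send As this sender.")
            return (250, "OK")
        if verb == "RCPT":
            if args[4:-1].endswith("@corp.example") or (self.user and self.relay_auth):
                return (250, "OK")
            return (550, "5.7.1 Unable to relay")
        return (250, "OK")  # RSET

def audit(anonymous, relay_if_authenticated):
    """Probe one constructed configuration from both sides of the login."""
    me, outside, login = "paul@corp.example", "someone@elsewhere.example", ("CORP\\paul", "s3cret")
    new = lambda: FakeVirtualServer(anonymous, relay_if_authenticated).cmd
    return {"anon_external": relay_probe(new(), me, outside),
            "anon_local": relay_probe(new(), outside, me),
            "auth_external": relay_probe(new(), me, outside, *login),
            "auth_wrong_sender": relay_probe(new(), "boss@corp.example", outside, *login)}
```

An `("accepted", …)` result for `anon_external` is the open-relay finding; with anonymous access on and relay limited to authenticated clients, that probe should stop at `rcpt_to` while `anon_local` and `auth_external` are accepted.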

 
 
 


Post by Magnus G?ransso » Wed, 27 Nov 2002 22:11:38


Do you use Cisco Pix Firewall?



 
 
 


Post by Don Tan [MS » Thu, 28 Nov 2002 03:22:01


Hello,

Not sure if that question was asked yet. But if you're using a Cisco Pix
Firewall, check out the following KBs:

XCON: SMTP Clients Receive Relaying Prohibited Error Message When
Authenticated Relay Is Enabled
http://support.microsoft.com/default.aspx?scid=kb;en-us;295164

XCON: Client SMTP Authentication Is Enabled, But Relay Does Not Work, Error
Message: 550 No Relay Allowed
http://support.microsoft.com/default.aspx?scid=kb;en-us;275575

XCON: Cannot Receive E-mail Messages Behind a Cisco PIX Firewall
http://support.microsoft.com/default.aspx?scid=kb;en-us;320027

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 


Post by Paul MacFarlan » Thu, 28 Nov 2002 04:41:24


No - Using a LinkSys router though.  Have it set to pass through the
alternate port.....




 
 
 


Post by Don Tan [MS » Thu, 28 Nov 2002 09:55:15


Did the recommendations that I posted about removing the 2nd SMTP virtual
server fix the problem?

Thank you and have a nice day.

Sincerely,

Don Tan, MCSE/MCSA
Microsoft Online Support Professional

Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
 
