[Today's post comes to us courtesy of Shawn Sullivan]
Today we will discuss the steps necessary to allow trusted internal servers and external authenticated users to relay email through your SBS 2008 server. You would do this for scenarios in which external POP3 or IMAP4 clients, or an internal application server, need to send email through your Exchange server. This is not to be confused with an open (anonymous) relay, where any connecting IP address can relay through your server and it is open to abuse.
The key to making this secure is restricting access through either authentication or connection control (filtering by source IP address). You will also see how SBS 2008 configures TLS in Exchange to encrypt the traffic and protect credentials and message content against eavesdropping.
Application Server Relay
SBS 2008 Setup creates a Default receive connector in Exchange to allow internal machines using Basic over TLS, Exchange Server, or Windows Integrated Authentication to relay. It listens on port 25 and allows connections from any IP address in the
. You may need to perform some extra configuration on your application servers to meet the authentication requirements of the connector.
You can relax the authentication requirement in favor of an easier deployment by creating a new receive connector that allows anonymous relay, but only from specific IP addresses. Connection control is then the only gate on that connector, so keep its remote IP list limited to the application servers that actually need to relay.
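As an added example (not from the original post), here is the equivalent Exchange Management Shell configuration for such an IP-restricted anonymous relay connector. The server name SBSSERVER, the connector name and the application server addresses are assumptions; the extended right named below is the one Exchange uses to grant relay.

```powershell
# Added example: an anonymous relay connector restricted to two application servers.
# Assumed names (hypothetical): server SBSSERVER, connector "App Server Relay",
# application servers 192.168.16.50 and 192.168.16.51.
$appServers = @("192.168.16.50", "192.168.16.51")

# Both this connector and the default connector bind port 25. Exchange 2007 routes a
# session to the connector whose RemoteIPRanges most specifically matches the source
# address, so only these two hosts land here; everyone else hits the default connector.
New-ReceiveConnector -Name "App Server Relay" `
    -Server "SBSSERVER" `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $appServers `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers

# AnonymousUsers alone only allows submission to local recipients. Relaying to external
# recipients needs the Accept-Any-Recipient extended right, granted on this connector only.
Add-ADPermission -Identity "SBSSERVER\App Server Relay" `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Verify: the new connector lists only the application servers ...
Get-ReceiveConnector "SBSSERVER\App Server Relay" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# ... and no other connector on the server grants anonymous relay.
Get-ReceiveConnector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "*Accept-Any-Recipient*") } |
    Format-Table Identity, ExtendedRights -AutoSize
```

Any connector other than "App Server Relay" appearing in the last listing is an open relay for whatever remote IP range that connector accepts.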
Exchange 2007 makes it easy to properly configure a receive connector for external clients. The first option you choose when creating a new connector is its intended use. When you select Client, the connector is automatically configured with the proper port, authentication settings and permissions. All you need to choose is the name and the remote IP ranges for the connector.
In the Exchange Management Console, expand Server Configuration > Hub Transport and under Actions choose New Receive Connector.
On the introduction screen you choose the name and intended use. Choose Client as the intended use.
After this, you will select which remote IP address ranges will be allowed to connect. The default includes all IPs.
At the completion screen, you can view the PowerShell command that has been applied behind the scenes:
Now we can verify the network, authentication, and permission group settings to see how a Client receive connector has been configured. If you go to the properties, you will see that it is listening on port 587, that it has enabled Basic authentication over TLS, and that it is only allowing Exchange Users (Authenticated Users) to connect.
Make sure that port 587 is open on your firewall and forwarded to the SBS server.
Further inspection of the AD permissions on the receive connector shows that authenticated users hold the extended right that grants relay. This is the relay permission and should never be held by anonymous users. You can view this either through ADSIEDIT or by running the following PowerShell command:
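The following added example (not from the original post) checks a Client connector from the Exchange Management Shell the way the screenshots above do: bindings, authentication mechanisms, permission groups, and which principals hold the relay extended right. The server name SBSSERVER and the connector name "External Clients" are assumptions.

```powershell
# Added example: audit a Client receive connector. Assumed names (hypothetical):
# server SBSSERVER, connector "External Clients".
$connector = Get-ReceiveConnector "SBSSERVER\External Clients"

# A connector created with the Client usage should show Bindings 0.0.0.0:587,
# AuthMechanism containing Tls, BasicAuth and BasicAuthRequireTLS, and
# PermissionGroups ExchangeUsers.
$connector | Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, Fqdn

# AuthMechanism and PermissionGroups are flag enumerations; compare their string form.
$auth = $connector.AuthMechanism.ToString()
if ($auth -match "BasicAuth" -and $auth -notmatch "BasicAuthRequireTLS") {
    Write-Warning "Basic authentication is allowed before TLS: passwords would cross the Internet in clear text."
}
if ($connector.PermissionGroups.ToString() -match "AnonymousUsers") {
    Write-Warning "Anonymous users are permitted on $($connector.Name)."
}

# Who holds the relay right (ms-Exch-SMTP-Accept-Any-Recipient) on this connector?
# Expected: only the Exchange users / authenticated users entries.
$connector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table User, Deny, ExtendedRights -AutoSize

# The combination that turns a 587 client connector into an open relay:
# ANONYMOUS LOGON holding the relay right without a matching Deny.
$openRelay = $connector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "*Accept-Any-Recipient*") }
if ($openRelay) {
    Write-Warning "Anonymous relay is enabled on $($connector.Name); remove it with Remove-ADPermission."
} else {
    "OK: relay on $($connector.Name) requires authentication."
}
```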
If you have successfully run the Internet Address Management Wizard from the SBS Console, then your Exchange certificate for TLS has already been installed and configured. You can verify this from the Exchange Management Shell by listing the Exchange certificates and finding the one issued for your external DNS domain name. The certificate will have IPWS listed under Services, which stands for IMAP, POP, Web and SMTP respectively.
At this point, make sure that your Client receive connector is configured with the same FQDN that is listed in the subject of your Exchange certificate. This will be displayed in the banner:
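As an added example (not from the original post), this shell snippet performs both checks together: that a certificate for the external name has the SMTP service enabled, and that the Client connector advertises the same FQDN. The external name remote.contoso.com and the connector name "SBSSERVER\External Clients" are assumptions.

```powershell
# Added example: match the TLS certificate to the connector FQDN.
# Assumed (hypothetical): external name remote.contoso.com,
# connector "SBSSERVER\External Clients".
$externalName = "remote.contoso.com"

# Services is a flag enumeration; its string form lists IMAP, POP, IIS and SMTP
# (the "IPWS" letters in the console output).
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.Subject -like "*CN=$externalName*") -and ($_.Services.ToString() -match "SMTP")
}
if (-not $cert) {
    throw "No certificate for $externalName with the SMTP service enabled; re-run the Internet Address Management Wizard."
}
$cert | Format-List Subject, CertificateDomains, Services, NotBefore, NotAfter, Thumbprint
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); clients will start failing TLS soon."
}

# The connector FQDN appears in the SMTP banner and in the EHLO response, and it is the
# name clients compare against the certificate. A mismatch produces name warnings.
$connector = Get-ReceiveConnector "SBSSERVER\External Clients"
if ($connector.Fqdn.ToString() -ne $externalName) {
    Write-Warning "Connector FQDN is $($connector.Fqdn); setting it to $externalName"
    Set-ReceiveConnector -Identity $connector.Identity -Fqdn $externalName
} else {
    "OK: connector FQDN matches the certificate subject ($externalName)."
}
```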
Once all of this is done, you are ready to set up Outlook, Outlook Express, Windows Mail, etc. Important points here are:
The client machine must trust both the Exchange certificate and the root CA that issued it. A good test is to open Internet Explorer on the client and browse to OWA to see whether you get any certificate warnings.
You must configure the mail client to connect on port 587 and to send the proper credentials for authentication.
The server requires a TLS connection, so you must enable TLS (STARTTLS) for the outgoing server in the mail client.
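As an added example (not from the original post), here is a quick end-to-end test you can run from a client machine outside the domain before touching the mail client: one authenticated submission over STARTTLS on port 587, and one unauthenticated attempt that must be refused. It needs PowerShell 2.0 or later on the client; the server name, account and addresses are assumptions.

```powershell
# Added example: exercise the Client connector from outside, the way a POP3/IMAP4
# client would. Assumed (hypothetical): server remote.contoso.com, sender
# user@contoso.com, test recipient someone@example.com.
$server = "remote.contoso.com"
$cred   = Get-Credential "CONTOSO\user"

# -UseSsl on port 587 negotiates STARTTLS; the chain is validated against the client's
# trusted roots, so an untrusted SBS root CA fails here before any credentials are sent.
try {
    Send-MailMessage -SmtpServer $server -Port 587 -UseSsl -Credential $cred `
        -From "user@contoso.com" -To "someone@example.com" `
        -Subject "Relay test" -Body "Authenticated submission over STARTTLS on port 587"
    "Accepted: authenticated relay works."
} catch {
    # Typical causes: the client does not trust the certificate chain (install the
    # SBS certificate package first), wrong credentials, or port 587 blocked/not forwarded.
    Write-Warning "Authenticated submission failed: $($_.Exception.Message)"
}

# Negative check: the same submission without credentials must be rejected.
# If it goes through, the connector is relaying anonymously to external recipients.
try {
    Send-MailMessage -SmtpServer $server -Port 587 -UseSsl `
        -From "user@contoso.com" -To "someone@example.com" `
        -Subject "Should be rejected" -Body "Unauthenticated relay attempt"
    Write-Warning "Unauthenticated relay succeeded: the connector is misconfigured."
} catch {
    "Rejected without credentials, as expected: $($_.Exception.Message)"
}
```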
SBS 2008 includes a certificate installation package for non-domain-joined clients and mobile devices. It is available on a UNC share, and you can copy it to a thumb drive, floppy disk, or CD, or send it as an email attachment. For more information, please see