Exchange 2010 setting up Receive connector settings on Exchange - how to force remote email clients to send email using SSL on SMTP port 465 and deny their attempt if they try sending without SSL

    Question

  • I'm setting up a new Exchange 2010 server.  All of my 300 plus clients are remote users around the world.  None are on the internal network of my Exchange server.

    Below is what I want to accomplish, but haven't been able to because I think I haven't set up my receive connector properly OR am missing something.

    1)      Allow all standard incoming SMTP port 25 email traffic to come into my Exchange server from outside email systems (example: gmail, yahoo, hotmail, etc. etc.) and deliver to my recipient mailboxes.   There is NO edge server, all incoming port 25 messages are forwarded to my Exchange server through the firewall.  (I'm assuming the DEFAULT receive connector that was automatically set up when I installed Exchange is the connector handling that traffic).

    2)      Setup a second receive connector to listen on port 465 for all my remote Exchange clients to send through.  That connector HAS TO FORCE SSL.  Not acceptable for anything other than a FORCE of SSL.  I do not want our remote clients sending clear text email messages!!  Security is very important here.

    3)      As an administrator, I HAVE to ensure none of our Exchange clients can mistakenly set up their Outlook client to use the standard port 25 SMTP.  Want to force them to authenticate on port 465 and force them to use SSL.  Need the Exchange server to REJECT them or have them receive a bounce message if they mistakenly set up their Outlook client using a non-SSL, non-secure SMTP port.

     

    I've already installed my SSL certificate and have assigned it to POP, IMAP, and SMTP services on Exchange.  Have set up POP3 and IMAP, which work perfectly.  Can someone advise me regarding the settings I need on both the Authentication tab and Permissions Group tab of my customized receive connector for port 465?  I seem to be getting it wrong (i.e. my remote clients can send on SMTP port 25 and are not forced to use SSL; also on port 465, when they set Outlook to force SSL, they get a message saying the Exchange server doesn't support the encryption type).

    Any help would be greatly appreciated!

    Thanks

    Terry 

    Friday, August 13, 2010 4:08 PM

Answers

  • You cannot stop clients from sending email to internal users on port 25.
    That is because internal email from a client is the same as email coming in from an external email host. It doesn't require authentication or anything like that.

    You can disable the authentication settings that allow an email to be relayed through the Default Receive Connector. That is done by turning off Exchange Users on the Permissions Group Tab.

    To force users to connect via TLS, simply enable the option on the client connector to Offer Basic Authentication only after starting TLS, and turn off the other options - so basic is the only option available. Do make sure that you do it on the right one, otherwise you will cause problems with the server operation.

    However if you care about security you wouldn't be using SMTP/POP3/IMAP anyway. Outlook Anywhere will give you a secure connection throughout.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    • Marked as answer by Gen Lin Friday, August 27, 2010 1:13 AM
    Saturday, August 14, 2010 11:18 PM
  • On Mon, 16 Aug 2010 13:03:22 +0000, tbrewerdog wrote:
     
    >Thanks for your reply! Unfortunately in my scenario, all my clients are spread out all over the world. There could be any number of Public IP addresses they will be connecting from. IF I could somehow enable the same type of restrictions on domain name (example my email server domain name = contoso.com , userXYZ@contoso.com tries sending on port 25 and the connector could somehow see the "contoso.com" within the header and reject the message, this would be exactly what I'd be looking for).
    >
    >I'm sure this is probably way outside the bounds of what the connectors are designed to do, but I thought I'd ask the question anyway. Any thoughts on how to accomplish this would be greatly appreciated!!
     
    You can use the Sender Filtering to refuse any e-mail from your own
    domain.
     
    I'd substitute port 587 for 465 and make the users authenticate on the
    receive connector you use for employees. Authenticated connections
    aren't subject to the anti-spam agents.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Gen Lin Friday, August 27, 2010 1:14 AM
    Monday, August 16, 2010 11:59 PM
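    The two marked answers describe the steps in the Exchange Management Console; as an added example (not from either answerer), these are the equivalent Exchange Management Shell commands on Exchange 2010. It assumes a server named EX01, the connector names Exchange 2010 creates by default, contoso.com as the company domain, and that the anti-spam agents are already installed on the Hub Transport role.

```powershell
# Added example, not from the thread. Names below are assumptions.
$server    = 'EX01'                      # assumed Hub Transport server name
$default   = "$server\Default $server"   # default connector, port 25, inbound from the internet
$client    = "$server\Client $server"    # default client connector, port 587
$ownDomain = 'contoso.com'               # assumed company domain

# 1) Simon's first point: stop the port-25 connector from relaying for
#    authenticated users. Leave only anonymous inbound (mail from other systems).
Set-ReceiveConnector -Identity $default -PermissionGroups AnonymousUsers

# 2) Simon's second point: on the client connector, require TLS and offer
#    Basic auth only after STARTTLS, with the other mechanisms turned off.
#    Rich's suggestion is to keep this on 587 rather than 465; to use 465
#    instead, add: -Bindings '0.0.0.0:465'
Set-ReceiveConnector -Identity $client `
    -RequireTLS $true `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 3) Rich's point: use Sender Filtering to reject unauthenticated mail that
#    claims the company's own domain as sender. Authenticated connections on
#    the client connector bypass the anti-spam agents, so users are unaffected.
Set-SenderFilterConfig -Enabled $true -Action Reject -BlockedDomains $ownDomain

# Verify the resulting configuration.
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RequireTLS, AuthMechanism, PermissionGroups -AutoSize
Get-SenderFilterConfig | Format-List Enabled, Action, BlockedDomains
```

    Test the port-587 connector with Outlook set to STARTTLS and Basic authentication; a client still pointed at port 25 with a contoso.com sender address should now get a rejection from the sender filter.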

All replies

  • Hi,

    I think you need to see these articles.

    http://www.netometer.com/video/tutorials/Exchange-2010-initial-configuration-how-to-send-receive-emails-from-internet/

    And this

    http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010

    I hope you will get your answers if there is any query please let me know.

     

    Regards.

    Shafaquat Ali.

     


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, URL: http://blog.WhatDoUC.net Phone: +923008210320
    Friday, August 13, 2010 6:34 PM
  • On Sat, 14 Aug 2010 23:18:51 +0000, Sembee wrote:
     
    >You cannot stop clients from sending email to internal users on port 25.
     
    Sure you can. Just restrict which IP addresses are permitted to
    connect to the receive connector.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, August 15, 2010 12:19 AM
  • > On Sat, 14 Aug 2010 23:18:51 +0000, Sembee wrote:
    >
    >> You cannot stop clients from sending email to internal users on port 25.
    >
    > Sure you can. Just restrict which IP addresses are permitted to
    > connect to the receive connector.
    > ---
    > Rich Matheisen
    > MCSE+I, Exchange MVP


    That is only going to help if you are receiving all external email from another server, such as an antispam host. The OP has stated that they are receiving email directly, so an IP address restriction isn't going to work.

    Simon.


    Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
    Sunday, August 15, 2010 1:04 PM
  • On Sun, 15 Aug 2010 13:04:13 +0000, Sembee wrote:
     
    >> On Sat, 14 Aug 2010 23:18:51 +0000, Sembee wrote:
    >>> You cannot stop clients from sending email to internal users on port 25.
    >> Sure you can. Just restrict which IP addresses are permitted to connect to the receive connector.
    >> --- Rich Matheisen MCSE+I, Exchange MVP
    >
    >That is only going to help if you are receiving all external email from another server, such as an antispam host. The OP has stated that they are receiving email directly, so an IP address restriction isn't going to work.
     
    True. I misread your answer to be ABOUT internal clients sending
    e-mail, not SENDING to internal addresses.
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, August 15, 2010 5:21 PM
  • Rich,

    Thanks for your reply!  Unfortunately in my scenario, all my clients are spread out all over the world.  There could be any number of Public IP addresses they will be connecting from.  IF I could somehow enable the same type of restrictions on domain name (example my email server domain name = contoso.com , userXYZ@contoso.com tries sending on port 25 and the connector could somehow see the "contoso.com" within the header and reject the message, this would be exactly what I'd be looking for).

    I'm sure this is probably way outside the bounds of what the connectors are designed to do, but I thought I'd ask the question anyway.  Any thoughts on how to accomplish this would be greatly appreciated!!

    Thanks Rich!

    Terry

    Monday, August 16, 2010 1:03 PM
  • Simon,

    Thanks so much for your response!  Thanks also for the explanation of port 25 traffic.  This was my assumption going into it, but needed to have it verified by someone.  Our current setup is using a Linux sendmail email server to scan port 25 traffic and reject any client whose headers = the domain name of our server (i.e. server domain contoso.com, user@contoso.com tries sending on port 25 and gets a customized rejection response telling them to set up their client on port 465 w/ SSL).  Port 25 traffic from all other domains not equal to contoso.com is allowed through.  Port 465 on the email server is set up to only accept SSL connections.  This is the way we are currently forcing them.  However, this server setup is 8 years old and we want to migrate to Exchange 2010 as seamlessly as possible, but not sure if we can accomplish this without some work on the end users' part.

    Once we have our users moved to Exchange 2010, I'll begin to educate them on the process of moving to Outlook Anywhere. 

    Would be a HUGE help if anyone can tell me a way to set up the connector on Exchange 2010 to do the same thing OR had any other ideas on how to accomplish this.  I may have to continue using my Linux box as a relay to Exchange until I have all my clients using Outlook Anywhere.

    Thanks!

    Terry

     

     

    Monday, August 16, 2010 1:24 PM