block inbound SMTP while still allowing authenticated relay

  • Question

  • Now that I've finally purchased a spam filtering appliance as a front end to my Exchange 2003 I want to block inbound SMTP from all IPs other than the address that my appliance sends from. I've gone into my Default SMTP Virtual Server, Access, Connection, "Select which computers may access this virtual server" and told it to only accept from the IP of my spam device. The problem is that after doing that I can't access the server from other IPs to relay authenticated outbound mail. Is there a way to allow authenticated outbound SMTP while blocking all inbound SMTP from all IPs other than desired?
    Saturday, December 3, 2011 12:13 AM

All replies

  • On Sat, 3 Dec 2011 00:13:12 +0000, Don Powell wrote:
     
    >Now that I've finally purchased a spam filtering appliance as a front end to my Exchange 2003 I want to block inbound SMTP from all IPs other than the address that my appliance sends from. I've gone into my Default SMTP Virtual Server, Access, Connection, "Select which computers may access this virtual server" and told it to only accept from the IP of my spam device. The problem is that after doing that I can't access the server from other IPs to relay authenticated outbound mail. Is there a way to allow authenticated outbound SMTP while blocking all inbound SMTP from all IPs other than desired?
     
    Add the other IP addresses (or networks) to the list.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, December 3, 2011 3:46 AM
  • But the outbound authenticated smtp traffic is coming from Smartphones. I have no way of knowing what IP they will be using at any given time. I assume I could create a second SMTP Virtual Server on a port other than 25 and use that for the other SMTP needs but I was hoping there was a way to configure Exchange to block SMTP traffic except for user authenticated stuff?
    Saturday, December 3, 2011 1:19 PM
  • On Sat, 3 Dec 2011 13:19:48 +0000, Don Powell wrote:
     
    >But the outbound authenticated smtp traffic is coming from Smartphones.
     
    Use ActiveSync.
     
    >I have no way of knowing what IP they will be using at any given time. I assume I could create a second SMTP Virtual Server on a port other than 25 and use that for the other SMTP needs but I was hoping there was a way to configure Exchange to block SMTP traffic except for user authenticated stuff?
     
    Not if you're going to deny access by using IP addresses. Your
    requirements conflict.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Proposed as answer by Rowen-Xu Friday, December 16, 2011 7:41 AM
    • Marked as answer by Rowen-Xu Thursday, January 5, 2012 8:13 AM
    Saturday, December 3, 2011 4:12 PM
  • Actually, this is becoming quite a common scenario; a lot of spam engines are moving off server and into virtual appliances. I also need this as well. Did you manage a solution?
    Sunday, July 8, 2012 6:01 AM