How to Configure Trusted SMTP Relay in Exchange on SBS 2008

[Today's post comes to us courtesy of Shawn Sullivan]

Today we will discuss the steps necessary to allow trusted internal servers and external authenticated users to relay email through your SBS 2008 server. You would do this for scenarios in which external POP3 or IMAP4 clients or an internal application server needs to send email through your Exchange server. This is not to be confused with external anonymous relay, where your server is open to any connecting IP address for abuse.

The key to making this secure is restricting access through either authentication or connection control (filtering by IP address). You will also see how SBS 2008 configures TLS in Exchange to encrypt your traffic to protect against eavesdropping.

Application Server Relay

SBS 2008 Setup creates a Default receive connector in Exchange to allow internal machines using Basic over TLS, Exchange Server, or Windows Integrated Authentication to relay. It listens on port 25 and allows connections from any IP address in the internal LAN. You may need to perform some extra configuration on your application servers to meet the authentication requirements of the connector.

You can tone down the security requirements in favor of an easier deployment by creating a new receive connector that allows anonymous relay, but only from specific IP addresses.

The Exchange blog already has a nice walkthrough on how to configure this. The requirements for SBS are no different. You can reach it through the following link: https://msexchangeteam.com/archive/2006/12/28/432013.aspx
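As an added example (not code from the original post or from the linked Exchange blog entry), the following Exchange Management Shell commands create the kind of scoped connector described above: anonymous relay is allowed, but only from one internal application server. The connector name and the address 192.168.16.25 are constructed placeholders; the rest uses only standard Exchange 2007 cmdlets and parameters.

```powershell
# Added example, not from the SBS team post: a second receive connector that
# permits anonymous relay from exactly one internal host.
$appServerIp   = "192.168.16.25"      # constructed: LAN address of the application server
$connectorName = "App Server Relay"   # constructed: any descriptive name

# Bind to port 25 like the Default connector, but scope the remote range to the
# single host. When several connectors share a binding, Exchange uses the one
# whose RemoteIPRanges matches the sender most specifically, so this connector
# handles that host and the Default connector keeps handling everything else.
New-ReceiveConnector -Name $connectorName `
    -Usage Custom `
    -PermissionGroups AnonymousUsers `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $appServerIp `
    -Server $env:COMPUTERNAME

# AnonymousUsers lets the host connect and submit to local recipients; relaying
# to external recipients also needs the Accept-Any-Recipient extended right.
Get-ReceiveConnector $connectorName |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Confirm the scope before relying on it: RemoteIPRanges must list only the
# intended host(s). A range of 0.0.0.0-255.255.255.255 here would be an open relay.
Get-ReceiveConnector $connectorName |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```

Because the right is granted per connector, it applies only to connections that land on this connector, which is why the remote IP range is the control that keeps it from becoming an external anonymous relay.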

External Client Relay

Exchange 2007 makes it easy to properly configure an external client receive connector. The first option you choose when creating a new connector is its intended use. When you select “client”, the connector is automatically configured with the proper port, authentication settings and permissions. All you need to choose is the name and remote IP ranges for the connector.

In the Exchange Management Console, expand Server Configuration > Hub Transport and, under Actions, choose New Receive Connector.


On the introduction screen you choose the name and intended use. Choose Client.

After this, you select which remote IP address ranges will be allowed to connect. The default includes all IPs.


At the completion screen, you can view the PowerShell command that was applied behind the scenes:

New-ReceiveConnector -Name 'Client' -Usage 'Client' -RemoteIPRanges '0.0.0.0-255.255.255.255' -Server 'SERVER'

Now we can verify the network, authentication, and permission groups settings to see how a Client receive connector has been configured. If you go to the properties, you will see that it’s listening on port 587, that it has enabled Basic authentication over TLS, and that it is only allowing Exchange Users (Authenticated Users) to connect.

NOTE: Make sure that port 587 is open in your firewall.

Further inspection of the AD permissions on the receive connector shows that authenticated users have the ms-Exch-SMTP-Accept-Any-Recipient right. This is the relay permission, and it should never be held by anonymous users. You can view this either through ADSIEDIT or by running the following PowerShell command:

Get-ADPermission "Client Receive Connector Name" | where {$_.ExtendedRights -match "ms-Exch-SMTP-Accept-Any-Recipient"} | fl
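The command above inspects one connector. As an added example (not from the original post), this script extends the same check to every receive connector on the server and reports who holds the relay right on each one, flagging the combination that matters: the right granted to ANONYMOUS LOGON on a connector whose remote IP range is unrestricted. The output format is my own; the cmdlets and properties are standard Exchange 2007.

```powershell
# Added example, not from the SBS team post: audit the relay right across all
# receive connectors on this server.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$anyAddress = "0.0.0.0-255.255.255.255"   # how Exchange displays the "all addresses" range

foreach ($connector in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    # Only Allow entries grant relay; a Deny entry for the same right does not.
    $holders = Get-ADPermission -Identity $connector.Identity |
        Where-Object { ($_.ExtendedRights -match $relayRight) -and (-not $_.Deny) }

    # Render the remote IP ranges as one string (string.Join works on PowerShell 1.0).
    $rangeStrings = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $ranges = [string]::Join(", ", [string[]]$rangeStrings)
    $unrestricted = $rangeStrings -contains $anyAddress

    foreach ($ace in $holders) {
        $anonymous = $ace.User.ToString() -match "ANONYMOUS LOGON"

        $status = "ok"
        if ($anonymous -and $unrestricted) {
            $status = "OPEN RELAY: restrict RemoteIPRanges or remove the right"
        } elseif ($anonymous) {
            $status = "anonymous relay, scoped to the listed addresses"
        }

        "{0,-25} {1,-35} {2,-30} {3}" -f $connector.Name, $ace.User, $ranges, $status
    }
}
```

On a correctly configured SBS 2008 server the Client connector appears with Authenticated Users (Exchange Users) as the holder, and the only anonymous holders, if any, belong to connectors scoped to specific internal hosts as in the application-server section.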

If you have successfully run the Internet Address Management Wizard from the SBS Console, then your Exchange certificate for TLS has already been installed and configured. You can verify this by running the Get-ExchangeCertificate cmdlet and finding the certificate with your external DNS domain name. The certificate will have IPWS listed under Services, which stands for IMAP, POP, Web and SMTP respectively.


At this point, make sure that your Client receive connector is configured with the same FQDN that is listed in the subject of your Exchange certificate. This will be displayed in the banner:

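As an added example (not part of the original post), the following script performs the FQDN check just described in the Exchange Management Shell rather than by eye: it reads the FQDN the Client connector advertises and confirms that an SMTP-enabled certificate lists that name. Exchange 2007 selects the STARTTLS certificate by matching the connector FQDN against the certificate's domains, so a mismatch leaves clients with a name warning or a failed TLS handshake. The connector name "Client" is the one chosen earlier in the post; remote.contoso.com is a constructed placeholder.

```powershell
# Added example, not from the SBS team post: verify that the Client connector's
# FQDN is covered by a certificate that Exchange can offer for SMTP TLS.
$connector = Get-ReceiveConnector "Client"
$fqdn = $connector.Fqdn.ToString()

# Candidates for STARTTLS are the certificates carrying the S (SMTP) service.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" })

# Exchange picks the certificate whose CertificateDomains contains the connector
# FQDN, so that name must appear in the list of at least one SMTP certificate.
$matching = @($smtpCerts | Where-Object {
    @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
})

if ($matching.Count -gt 0) {
    "OK: connector FQDN '{0}' is covered by certificate {1}" -f $fqdn, $matching[0].Thumbprint
} else {
    "No SMTP-enabled certificate covers the connector FQDN '{0}'. Candidates:" -f $fqdn
    $smtpCerts | Format-Table Thumbprint, Services, IsSelfSigned, CertificateDomains -AutoSize

    # Choose the IAMW-issued certificate (Services IPWS, not self-signed) and set
    # the connector FQDN to its external name. Placeholder name; uncomment to apply:
    # Set-ReceiveConnector "Client" -Fqdn "remote.contoso.com"
}
```

The Exchange self-signed certificate also carries the SMTP service, which is why the check looks for a certificate that names the connector FQDN rather than simply for any certificate with "S" in its services; the IAMW certificate is the one external clients will trust after installing the SBS certificate package.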

Once all of this is done, you are ready to set up Outlook, Outlook Express, Windows Mail, etc. Important points here are:

  • The client machine must trust both the Exchange certificate and the root CA that issued it. A good test is to open IE on the client and browse to OWA to see whether you get any certificate warnings.
  • You must configure the mail client to connect on port 587 and to send the proper credentials for authentication.
  • The server requires a TLS connection; you must enable this in the mail client.

NOTE: SBS 2008 includes a certificate installation package for non-domain-joined clients and mobile devices. It is available on a UNC share and you can save it to a thumb drive, floppy disk, CD, or as an email attachment. For more information, please see https://technet.microsoft.com/en-us/library/cc766572.aspx.
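As an added example (not part of the original post), this script run from a client machine exercises the three bullet points above without needing a mail client: it submits a test message to the Client connector on port 587 with and without TLS and credentials, using the .NET System.Net.Mail.SmtpClient class. It assumes PowerShell 2.0 or later on the client (for try/catch) and that the SBS certificate package has been installed there; the server name, sender and recipient addresses are constructed placeholders.

```powershell
# Added example, not from the SBS team post: probe the Client connector the way
# a mail client would, to confirm TLS and authentication are enforced.
$server   = "remote.contoso.com"      # constructed: must match the connector FQDN and certificate name
$fromUser = "user@contoso.local"      # constructed: the authenticating mailbox user's address
$toAddr   = "recipient@example.com"   # constructed: an external recipient, so the test needs relay

# Prompt once for the mailbox user's domain credentials (DOMAIN\user).
$cred = Get-Credential

function Send-TestMessage([bool]$authenticate, [bool]$useTls) {
    $client = New-Object System.Net.Mail.SmtpClient($server, 587)
    # EnableSsl makes SmtpClient issue STARTTLS on 587 and validate the server
    # certificate against the client's trust store (bullet 1 above).
    $client.EnableSsl = $useTls
    if ($authenticate) {
        $client.Credentials = $cred.GetNetworkCredential()
    } else {
        $client.UseDefaultCredentials = $false
    }
    try {
        $client.Send($fromUser, $toAddr, "SBS relay test", "Sent at $(Get-Date)")
        return "accepted"
    } catch {
        # Expected failures: "Unable to relay" without credentials, or
        # "The SMTP server requires a secure connection" when TLS is off.
        return "rejected: " + $_.Exception.Message
    }
}

# A correctly configured Client connector rejects the first two and accepts the third.
"no auth, TLS      : " + (Send-TestMessage $false $true)
"auth, no TLS      : " + (Send-TestMessage $true  $false)
"auth over TLS     : " + (Send-TestMessage $true  $true)
```

If the third attempt fails with a certificate error rather than an SMTP error, the client does not trust the certificate chain, which points back to the certificate installation package mentioned in the note above; if the first attempt is accepted, the connector is relaying without authentication and its permissions should be reviewed.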