iis smtp nntp:
We have installed a TFS server for development which requires a non-authenticated SMTP server for event notification. We have an external mail server that requires authentication, so we cannot use that for this purpose. So I am wondering if the SMTP service can be configured to do this without becoming vulnerable to external attack (I was warned that if it is used as a relay server our IP addresses could be blacklisted). Basically, all I want is, for example, new Work Item assignments to be emailed to the affected developer, etc. They will NOT be receiving mail from this service but, instead, use our standard mail service for this. It will only be used to send mail to them.
Thanks. This is helpful. I forgot to ask: would it be advisable to block inbound traffic on port 25 at the firewall if I am only going to be sending email from this server?

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote in message news:op.t2ogcl146c17zw@gw02.broadleaf.local...
>> So I am wondering if the SMTP service can be configured to do this
>> without becoming vulnerable to external attack
>
> Of course.
>
> There are two ways to restrict relaying for unknown remote domains: by
> requiring SMTP AUTH credentials or by requiring that sessions come
> from a known IP.
>
> In Access-Relay Restrictions-Relay, you select `Only the list below`
> and list the allowed IPs. For example, if the SMTP service is running
> in the server as your app, just allow relay from 127.0.0.1. Better
> yet, only allow _connections_ from 127.0.0.1 as well
> (Access-Connection control-Connection).
>
> --Sandy
>
> ------------------------------------
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> ------------------------------------
"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote in message news:op.t2ojehsb6c17zw@gw02.broadleaf.local...
>> I forgot to ask. Would it be advisable to block inbound traffic on port
>> 25 at the firewall if I am only going to be sending email from this
>> server?
>
> Of course.
>
> An outbound gateway is under no obligation to accept inbound connections.
>
> It is obliged to pass the PTR-HELO-A roundtrip configuration test, of
> course.
>
> --Sandy
Sorry, you're over my head with this one (I have never configured SMTP services before). Is there something I need to do to assure PTR-HELO-A is being passed?

I am also seeing the following smtpsvc error events which I haven't got a clue about (and wondering if this may be related to why none of my email is being delivered):

    Event Type:     Warning
    Event Source:   smtpsvc
    Event Category: None
    Event ID:       4000
    Date:           12/1/2007
    Time:           1:34:30 PM
    User:           N/A
    Computer:       ATHENA
    Description:
    Message delivery to the remote domain 'live.com' failed for the following reason: Unable to bind to the destination server in DNS.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: d5 02 04 c0   Õ..À
> So I am wondering if the SMTP service can be configured to do this
> without becoming vulnerable to external attack

Of course.

There are two ways to restrict relaying for unknown remote domains: by requiring SMTP AUTH credentials or by requiring that sessions come from a known IP.

In Access-Relay Restrictions-Relay, you select `Only the list below` and list the allowed IPs. For example, if the SMTP service is running in the server as your app, just allow relay from 127.0.0.1. Better yet, only allow _connections_ from 127.0.0.1 as well (Access-Connection control-Connection).

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
> I forgot to ask. Would it be advisable to block inbound traffic on port
> 25 at the firewall if I am only going to be sending email from this
> server?

Of course.

An outbound gateway is under no obligation to accept inbound connections.

It is obliged to pass the PTR-HELO-A roundtrip configuration test, of course.

--Sandy
> Is this server's DNS resolver capable of resolving remote domains?
> What happens when, from the mailserver, you run
>
>     nslookup -q=mx live.com

    C:\Documents and Settings\Bill>nslookup -q=mx live.com
    *** Can't find server name for address 172.30.10.1: Non-existent domain
    Server:  UnKnown
    Address:  172.30.10.1

    Non-authoritative answer:
    live.com        MX preference = 5, mail exchanger = mx1.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx2.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx3.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx4.hotmail.com
> Is there something I need to do to assure PTR-HELO-A is being passed?

Several things. Please search the archives of this list and read my past posts on this topic.

> I am also seeing the following smtpsvc error events...

Is this server's DNS resolver capable of resolving remote domains? What happens when, from the mailserver, you run

    nslookup -q=mx live.com

--Sandy
> Is this server's DNS resolver capable of resolving remote domains?
> What happens when, from the mailserver, you run
>
>     nslookup -q=mx live.com

Interesting. I added another DNS server that is in a different domain and ran the above command twice, with two different results:

    C:\Documents and Settings\Bill>nslookup -q=mx live.com
    Server:  hermes.exch.local
    Address:  192.168.254.242

    Non-authoritative answer:
    live.com        MX preference = 5, mail exchanger = mx1.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx2.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx3.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx4.hotmail.com

    C:\Documents and Settings\Bill>nslookup -q=mx live.com
    Server:  hermes.exch.local
    Address:  192.168.254.242

    Non-authoritative answer:
    live.com        MX preference = 5, mail exchanger = mx1.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx2.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx3.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx4.hotmail.com

    mx1.hotmail.com internet address = 65.54.245.8
    mx1.hotmail.com internet address = 65.54.244.8
    mx1.hotmail.com internet address = 65.54.244.136
    mx2.hotmail.com internet address = 65.54.245.40
    mx2.hotmail.com internet address = 65.54.244.40
    mx2.hotmail.com internet address = 65.54.244.168
    mx3.hotmail.com internet address = 65.54.244.200
    mx3.hotmail.com internet address = 65.54.245.72
    mx3.hotmail.com internet address = 65.54.244.72
    mx4.hotmail.com internet address = 65.54.244.232
    mx4.hotmail.com internet address = 65.54.245.104
    mx4.hotmail.com internet address = 65.54.244.104
Ok... I tried it again, this time getting rid of the alternate DNS that is not part of this development domain. I got the following; however, it doesn't seem to know the DC server name for some reason. Is that a problem?

    C:\Documents and Settings\Bill>nslookup -q=mx live.com
    *** Can't find server name for address 172.30.10.1: Non-existent domain
    Server:  UnKnown
    Address:  172.30.10.1

    Non-authoritative answer:
    live.com        MX preference = 5, mail exchanger = mx3.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx4.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx1.hotmail.com
    live.com        MX preference = 5, mail exchanger = mx2.hotmail.com

    mx3.hotmail.com internet address = 65.54.244.200
    mx3.hotmail.com internet address = 65.54.245.72
    mx3.hotmail.com internet address = 65.54.244.72
    mx1.hotmail.com internet address = 65.54.244.136
    mx1.hotmail.com internet address = 65.54.245.8
    mx1.hotmail.com internet address = 65.54.244.8
    mx2.hotmail.com internet address = 65.54.245.40
    mx2.hotmail.com internet address = 65.54.244.40
    mx2.hotmail.com internet address = 65.54.244.168
> I got the following; however, it doesn't seem to know the DC server
> name for some reason. Is that a problem?

It's a problem for nslookup itself, but should not otherwise cause direct problems with DNS resolution. However, it usually points to other flaws in your DNS configuration. Why is 172.30.10.1 unable to resolve reverse DNS (PTR) records for its IP?

Anyway, from your previous results, it appears that both of your DNS servers are having sporadic errors. Does your firewall allow both TCP and UDP 53 communications? Do you have EDNS0 turned off on your DNS server?

--Sandy
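The two DNS dependencies this part of the thread keeps circling back to are (a) resolving a destination domain's MX records and then the A records of each exchanger, which is exactly what the nslookup runs above exercise and what smtpsvc event 4000 ("Unable to bind to the destination server in DNS") reports when it fails, and (b) the PTR-HELO-A roundtrip Sandy says an outbound gateway must pass. The script below models both checks offline. It is an added example, not code from this thread or from Microsoft; the DNS table is constructed in memory so no resolver or network is needed, the exchanger names mirror the nslookup output above while their addresses are documentation-range placeholders, and the host names `mail.example.test` and `athena.dev.local` are invented to show a gateway that passes the roundtrip and one that does not.

```python
"""Offline model of the two DNS checks an outbound-only SMTP gateway depends on.

Added example, not code from the thread. DNS_TABLE is a constructed
in-memory zone table standing in for a real resolver, so the script runs
with no network access. Addresses are RFC 5737 documentation placeholders;
mail.example.test and athena.dev.local are invented host names.
"""
import ipaddress

# Constructed DNS table: (name, rrtype) -> list of record values.
# MX values are (preference, exchanger) tuples; PTR values are host names.
DNS_TABLE = {
    ("live.com", "MX"): [(5, "mx1.hotmail.com"), (5, "mx2.hotmail.com")],
    ("mx1.hotmail.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("mx2.hotmail.com", "A"): ["192.0.2.20"],
    # A gateway that passes the PTR-HELO-A roundtrip: PTR and A agree.
    ("mail.example.test", "A"): ["198.51.100.25"],
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.test"],
    # A gateway that fails it: A record exists, but its IP has no PTR.
    ("athena.dev.local", "A"): ["172.30.10.5"],
}


def lookup(name, rrtype, table=DNS_TABLE):
    """Return the records for (name, rrtype); [] when the name does not exist."""
    return list(table.get((name.rstrip(".").lower(), rrtype), []))


def reverse_name(ip):
    """Build the in-addr.arpa name a resolver queries for a PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolve_mail_exchangers(domain, table=DNS_TABLE):
    """Resolve delivery targets the way an SMTP client does: MX records in
    preference order, then the A records of each exchanger. Falls back to the
    domain's own A record when it publishes no MX. An empty result is the
    situation smtpsvc logs as 'unable to bind to the destination server in DNS'.
    Returns an ordered list of (exchanger, [addresses])."""
    mx = sorted(lookup(domain, "MX", table))
    exchangers = [host for _pref, host in mx] or [domain]
    targets = []
    for host in exchangers:
        addrs = lookup(host, "A", table)
        if addrs:
            targets.append((host, addrs))
    return targets


def check_ptr_helo_a(ip, helo_name, table=DNS_TABLE):
    """PTR-HELO-A roundtrip: the sending IP must have a PTR record, the PTR
    name should match what the gateway announces in HELO, and that HELO name
    must resolve (A) back to the same IP. Returns (ok, list_of_findings)."""
    findings = []
    ptr_names = lookup(reverse_name(ip), "PTR", table)
    if not ptr_names:
        findings.append(f"no PTR record for {ip}")
    elif helo_name.lower() not in [n.lower() for n in ptr_names]:
        findings.append(f"PTR {ptr_names} does not match HELO name {helo_name}")
    a_records = lookup(helo_name, "A", table)
    if not a_records:
        findings.append(f"HELO name {helo_name} has no A record")
    elif ip not in a_records:
        findings.append(f"HELO name {helo_name} resolves to {a_records}, not {ip}")
    return (not findings, findings)


if __name__ == "__main__":
    # Report for the constructed data: where would mail for live.com go,
    # and which of the two example gateways would pass a receiver's checks?
    for host, addrs in resolve_mail_exchangers("live.com"):
        print(f"live.com -> {host} {addrs}")
    for ip, helo in [("198.51.100.25", "mail.example.test"),
                     ("172.30.10.5", "athena.dev.local"),
                     ("172.30.10.5", "ATHENA")]:
        ok, findings = check_ptr_helo_a(ip, helo)
        print(f"{ip} HELO {helo}: {'pass' if ok else 'FAIL ' + '; '.join(findings)}")
```

The third gateway case uses a bare NetBIOS-style name as the HELO string, which is what a default Windows SMTP service announces when its FQDN is not set; it fails both halves of the roundtrip because the unqualified name has no A record and the private IP has no PTR. Replacing `DNS_TABLE` with real queries is the only change needed to run the same logic against a live resolver.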
> Does your firewall allow both TCP and UDP 53 communications?

Good question. I have no control over the firewall so can't say how it is configured. I will ask tomorrow. Is that required for outbound, inbound, or both?

> Do you have EDNS0 turned off on your DNS server?

Where do I check for this?
> Do you have EDNS0 turned off on your DNS

OK... I shut it off using the dnscmd.exe utility. I am assuming by the question that it should be off, correct?
> OK... I shut it off using the dnscmd.exe utility. I am assuming by the
> question that it should be off, correct?

For these troubleshooting purposes, yes.

--Sandy
> Good question. I have no control over the firewall so can't say how it is
> configured. I will ask tomorrow. Is that required for outbound, inbound,
> or both?

Both.

--Sandy
>> Good question. I have no control over the firewall so can't say how it is
>> configured. I will ask tomorrow. Is that required for outbound, inbound,
>> or both?
>
> Both.

I found the following regarding UDP 53 and am wondering what your thoughts are on this. Namely, if I open it will it be a security risk?

http://www.auditmypc.com/port/udp-port-53.asp

EXCERPT:
Domain Name Server (DNS). DNS servers offer different services on TCP and UDP. TCP is used for "zone transfers" of full name record databases, while UDP is used for individual lookups.
Security Concerns: Zone Transfers give away entire network maps; high value to attackers. - DNS (BIND) is a popular target, since DNS servers must exist, must be reachable, and exploits usually result in DOS or root. Keep BIND version/patches current (refer to www.isca.org). Use "split-DNS"
> Both.

Sandy,

My request to the firewall tech to open TCP/UDP 53 elicited the following question:

"Are you forwarding the DNS requests out to internet based DNS servers?"

To be honest, I have no idea as I am not a network guy but, of necessity, have inherited responsibility to configure this. Is there some way for me to tell if this is the case, or does it matter?
> My request to the firewall tech to open TCP/UDP 53 elicited the
> following question:
>
> "Are you forwarding the DNS requests out to internet based DNS servers?"
>
> To be honest, I have no idea as I am not a network guy but, of
> necessity, have inherited responsibility to configure this. Is there
> some way for me to tell if this is the case, or does it matter?

Your mailserver requires a DNS server that can perform recursion, that is, lookups for non-local domains. This means that outbound DNS queries must be allowed from the DNS server's IP.

--Sandy
> I found the following regarding UDP 53 and am wondering what your
> thoughts are on this. Namely, if I open it will it be a security
> risk?

No. UDP 53 must be open to receive DNS responses. As UDP is connectionless, there is no way to open only outbound UDP 53 connections. (Anything you think of as a UDP "connection" is a fake state maintained by some firewalls across packets with reflexive source and destination info.)

And, as is typical of newbie-sponsored sites like "AuditMyPC," their assessment of TCP 53 is wrong. TCP 53 is used for normal DNS recursion when responses are over UDP packet capacity, _not_ only for zone transfer. However, outbound + stateful TCP 53 is all that is necessary.

Their assessment has the mild ring of truth in that you must ensure that zone transfer is not possible from the Net at large. But [a] opening outbound TCP 53 connections for DNS recursion does not mean that inbound TCP 53 is open; and [b] even opening inbound TCP 53 does not mean that you are opening zone transfers. All of these are separate configuration areas in modern DNS servers.

--Sandy
> And, as is typical of newbie-sponsored sites like "AuditMyPC," their
> assessment of TCP 53 is wrong. TCP 53 is used for normal DNS recursion
> when responses are over UDP packet capacity, _not_ only for zone
> transfer. However, outbound + stateful TCP 53 is all that is necessary.
>
> Their assessment has the mild ring of truth in that you must ensure
> that zone transfer is not possible from the Net at large. But [a]
> opening outbound TCP 53 connections for DNS recursion does not mean
> that inbound TCP 53 is open; and [b] even opening inbound TCP 53 does
> not mean that you are opening zone transfers. All of these are
> separate configuration areas in modern DNS servers.

Wow... this is all very helpful (I may get my SMTP to work, yet). Just to clarify, it sounds like I need UDP 53 outbound/inbound and TCP 53 outbound. Correct?

Also, configuring the DNS server is turning out to be much more involved than I anticipated. Do you happen to know of a good source of info on step-by-step instructions that will walk me through what I am trying to accomplish (i.e., allow my internal DNS AD server to send mail via IIS SMTP)?

In addition, I want to thank you for your patience here.
> Why don't you contact me off-list and we
> can talk over the best way to get you there?

Do you mean call?
> Just to clarify, it sounds like I need UDP 53 outbound/inbound and
> TCP 53 outbound. Correct?

Yes. To a firewall guy, this would be expressed as "outbound recursive DNS."

> Also, configuring the DNS server is turning out to be much more involved
> than I anticipated.

Yep....

> Do you happen to know of a good source of info on step-by-step
> instructions that will walk me through what I am trying to
> accomplish? (i.e., allow my internal DNS AD server to send mail via
> IIS SMTP)?

Well, you're saying the last part backwards, which isn't going to help you to find tutorials. :) You mean "allow my IIS SMTP server to send mail using Microsoft DNS server for DNS resolution."

As far as a precise HOWTO, that's going to be difficult, since MS DNS is at the heart of AD and generally services (as in your case) authoritative lookups on its local domains as much as it handles non-authoritative lookups on remote domains.

I have somewhat of a fear that you are, indeed, in over your head. In a spam-ridden world, it is much more complex than in "the old days" to set up even an _outbound-only_ SMTP server configuration that can guarantee successful delivery to the overwhelming majority of remote domains. You need to know DNS (literally!) backward and forward as well as speaking some SMTP.

Why don't you contact me off-list and we can talk over the best way to get you there?

--Sandy
> Write first. :)

Where? "Reply" in the Microsoft News Group didn't turn up anything.
> Do you mean call?

Write first. :)

--Sandy
> Where? "Reply" in the Microsoft News Group didn't turn up anything.

My real, reachable address is shown in the archives of the newsgroup....

--Sandy