|
|
You're in the
iis smtp nntp
group:Properly configuring SMTP Service
iis smtp nntp:
I am a newbie with respect to how mail servers work, so go easy on me here! I am using the built-in SMTP Service (in IIS) that comes with Windows Server 2003 on a computer in my home. I do NOT have MS Exchange or any other mail server software installed. I have been using the SMTP service successfully in conjunction with the POP3 service for quite some time, but apparently I have had "Anonymous" authentication enabled, as turning it off seems to prevent anyone from sending me email. This surprises me, since I thought authentication was only necessary when connecting to the server to send outgoing mail. Since I have my own server, I decided to offer email service to my elderly grandfather, who is having more and more trouble with his computer, especially when trying to use MSN mail. It was while attempting to set up his account that I realized Anonymous access was turned on. What I would like is to have the ability to send/receive mail not only while here at home, but also when I am away from home outside of my internal network (which is the same as what I need to give my grandfather access to my email server). Obviously, my server must allow other external mail servers to transmit incoming mail so that I can receive it, yet I do not want to open up access such that my server could be used as a relay for spammers, or for any other malicious intent. Is it possible to do what I want with the built-in SMTP service? If not, what is the most economical way to get what I want? I surely do not want to use MS Exchange for what I perceive to be a small, and farily simple configuration. If it makes any difference at all, every mail client that will be connecting to my server will either be Outlook Express (version 5 or 6), or MS Outlook. Thanks, - Dennis
[quoted text, click to view] "Dennis Jones" <nospam@nospam.com> wrote in message news:uOH$5KlpHHA.5092@TK2MSFTNGP04.phx.gbl... > Hello, > > I am a newbie with respect to how mail servers work, so go easy on me > here! > > I am using the built-in SMTP Service (in IIS) that comes with Windows > Server 2003 on a computer in my home. I do NOT have MS Exchange or any > other mail server software installed. I have been using the SMTP service > successfully in conjunction with the POP3 service for quite some time, but > apparently I have had "Anonymous" authentication enabled, as turning it > off seems to prevent anyone from sending me email. This surprises me, > since I thought authentication was only necessary when connecting to the > server to send outgoing mail. > > Since I have my own server, I decided to offer email service to my elderly > grandfather, who is having more and more trouble with his computer, > especially when trying to use MSN mail. It was while attempting to set up > his account that I realized Anonymous access was turned on. > > What I would like is to have the ability to send/receive mail not only > while here at home, but also when I am away from home outside of my > internal network (which is the same as what I need to give my grandfather > access to my email server). Obviously, my server must allow other > external mail servers to transmit incoming mail so that I can receive it, > yet I do not want to open up access such that my server could be used as a > relay for spammers, or for any other malicious intent. > > Is it possible to do what I want with the built-in SMTP service? If not, > what is the most economical way to get what I want? I surely do not want > to use MS Exchange for what I perceive to be a small, and farily simple > configuration. A little help? - Dennis
[quoted text, click to view]
> This surprises me, since I thought authentication was only necessary > when connecting to the server to send outgoing mail. In standard public setups, it is true that mail submission to local addresses does not require login credentials. Submission to remote addresses typically requires either credentials or an IP in a specific range(s). There are exceptions to both rules, but you are generally right. Anonymous access allowed =3D authenticated logins are not required to= submit _all_ mail. That doesn't mean that you can send to any address you want with an unauthenticated session, it just means that _some_ mail can be submitted that way. [quoted text, click to view] > bviously, my server must allow other external mail servers to > transmit incoming mail so that I can receive it, yet I do not want > to open up access such that my server could be used as a relay for > spammers, or for any other malicious intent. Is it possible to do > what I want with the built-in SMTP service? Of course. Unless you allow *relaying* in all sessions, both authenticated and unauthenticated (`Access` tab - `Relay`), you are not an open relay. Set up your server to allow both anonymous and authenticated sessions (`Access` tab - `Auth`) and use your relay permissions to determine what people can do in each type of session.
[quoted text, click to view] "Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote in message news:op.ttjgtvbp6c17zw@gw02.broadleaf.local...Sandy, Thank you so very much for your reply. Maybe I will finally get the help I need to get this server configured correctly! [quoted text, click to view] >Anonymous access allowed = authenticated logins are not required to >submit _all_ mail. That doesn't mean that you can send to any address >you want with an unauthenticated session, it just means that _some_ >mail can be submitted that way. Okay, that is kind of what I thought. So what are the rules for which destination addresses that are allowed and which are not? It seems (through my limited experimentation) that the only allowed destinations are those that happen to be being hosted by my local server. That is, I can only send to someone who has an account on my server (family members), but no one else. Is that right? [quoted text, click to view] >Unless you allow *relaying* in all sessions, both authenticated and >unauthenticated (`Access` tab - `Relay`), you are not an open relay. I do not allow (wide open) relaying. I only allow relaying for one (local) computer which sends mail nightly using a command line email program (blat.exe). I have enabled the option, "Allow all computers which successfully authenticate to relay, regardless of the list above". I believe this is the correct configuration for safety's sake (to prevent spammers from using my server). [quoted text, click to view] >Set up your server to allow both anonymous and authenticated sessions >(`Access` tab - `Auth`) and use your relay permissions to determine >what people can do in each type of session. Okay, on the 'Authentication' page, I have checked "Anonymous" and "Integrated Windows Authentication." My understanding is weak, at best, regarding the 'Anonymous' authentication, so please correct me if I am wrong. It seems that "Anonymous' authentication is *required* in order to allow other mail servers to deliver mail to accounts that exist on my server. My concern was that 'Anonymous' authentication would allow spammers to use my server. Apparently, the 'relay' settings prevent that, even if they can authenticate. So they can spam me (and anyone with an account on my server), but cannot use my server to do mass mailing (via relay). Is that correct? So it would seem that I already have my server (mostly) configured correctly. The only remaining problem is allowing me to send mail through my server when I am away from home (when I have Internet access from a hotel, for instance), or to allow my grandfather to send mail, both of which presumably require relaying. I *thought* that using "Integrated Windows Authentication" and creating a user account on the server (which is then specified somewhere in the mail client) would give me that ability, but that does not appear to be the case, or else I am missing some other crucial piece of information. In my grandfather's case, I cannot simply add his IP address to the list of computers allowed to relay, because he is on Comcast cable internet, which forces him to use DHCP. Therefore, even if I add his address to the list, he will be calling me the next time his DHCP lease causes his address to change. The same is true for when I am away from home -- I have *no idea* what address I will be connecting from. Assuming there is a solution to this problem, what is it? Thanks again for your help. I am excited at the prospect of getting this working! - Dennis
[quoted text, click to view] "Dennis Jones" <nospam@nospam.com> wrote in message news:ujqMxlSqHHA.4716@TK2MSFTNGP04.phx.gbl... > I do not allow (wide open) relaying. I only allow relaying for one > (local) computer which sends mail nightly using a command line email > program (blat.exe). I have enabled the option, "Allow all computers which > successfully authenticate to relay, regardless of the list above". I > believe this is the correct configuration for safety's sake (to prevent > spammers from using my server). Now that I think about it, why isn't "Anonymous" authentication considered authenitcation for the purposes of relaying? If a spammer authenticates via "Anonymous", doesn't that also give them the ability to relay (via the "allow all computers which authenticate..." option)? - Dennis
[quoted text, click to view]
> Now that I think about it, why isn't "Anonymous" authentication = es => considered > authenitcation for the purposes of relaying? If a spammer authenticat= [quoted text, click to view] > via > "Anonymous", doesn't that also give them the ability to relay (via the= > "allow all computers which authenticate..." option)? An anonymous session is not considered an authenticated session. In some non-SMTP security contexts, any allowed connection can be = considered to be authenticated, even those with no username and password= = provided -- from whence one gets the name "anonymous authentication" -- = = with authorization the next level of security. Where (E)SMTP AUTH is = under discussion, anonymous !=3D authenticated.
[quoted text, click to view]
> Okay, that is kind of what I thought. So what are the rules for > which destination addresses that are allowed and which are not? It > seems (through my limited experimentation) that the only allowed > destinations are those that happen to be being hosted by my local > server. That is, I can only send to someone who has an account on my > server (family members), but no one else. Is that right? Yes, your POP3 domains are hooked as local domains by the SMTP service, and as long as a given session does not have any elevated authorization (through SMTP AUTH credentials or being on a list of source IP addresses), it can only send mail to those local domains. [quoted text, click to view] > I do not allow (wide open) relaying. I only allow relaying for one > (local) computer which sends mail nightly using a command line email > program (blat.exe). I have enabled the option, "Allow all computers > which successfully authenticate to relay, regardless of the list > above". I believe this is the correct configuration for safety's > sake (to prevent spammers from using my server). Yes, that is correct. [quoted text, click to view] > Apparently, the 'relay' settings prevent that, even if they can > authenticate. So they can spam me (and anyone with an account on my > server), but cannot use my server to do mass mailing (via relay). Is > that correct? Yes; see my earlier message. It's a misnomer to refer (not blaming you) to "anonymous" as an SMTP authentication method, since the (E)SMTP protocol is very specific about where and what authentication methods may be used, and "no authentication" is not an authentication method! [quoted text, click to view] > So it would seem that I already have my server (mostly) configured > correctly. Yes. [quoted text, click to view] > The only remaining problem is allowing me to send mail through my > server when I am away from home (when I have Internet access from a > hotel, for instance), or to allow my grandfather to send mail, both > of which presumably require relaying. I *thought* that using > "Integrated Windows Authentication" and creating a user account on > the server (which is then specified somewhere in the mail client) > would give me that ability, but that does not appear to be the case, > or else I am missing some other crucial piece of information. No, you are on the right trail. That's SMTP AUTH. The settings *other than* 'Anonymous Access' under `Access Control - Authentication` are the SMTP AUTH mechanisms that your server will support. 'Basic Auth' is the AUTH LOGIN mechanism, which should be supported by all mail clients; it's not encrypted, which means your credentials can be sniffed, but it is by far the more portable of the auth mechanisms supported by IIS SMTP. Set the mail client to use your Windows username + password to log in to the SMTP server, and make sure that you *are* logging in -- some mail clients assume you don't need to log to send mail. 'Integrated Windows Auth' is the secure auth mechanism AUTH GSSAPI NTLM, but it isn't even supported by all *Microsoft*-brand mail clients, so I'd leave it alone for your purposes.
[quoted text, click to view] "Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote in message news:op.ttkihtoq6c17zw@gw02.broadleaf.local...Sandy, Thank you very much for all of your answers. [quoted text, click to view] >> The only remaining problem is allowing me to send mail through my >> server when I am away from home (when I have Internet access from a >> hotel, for instance), or to allow my grandfather to send mail, both >> of which presumably require relaying. I *thought* that using >> "Integrated Windows Authentication" and creating a user account on >> the server (which is then specified somewhere in the mail client) >> would give me that ability, but that does not appear to be the case, >> or else I am missing some other crucial piece of information. > > No, you are on the right trail. That's SMTP AUTH. The settings *other > than* 'Anonymous Access' under `Access Control - Authentication` are > the SMTP AUTH mechanisms that your server will support. > > 'Basic Auth' is the AUTH LOGIN mechanism, which should be supported by > all mail clients; it's not encrypted, which means your credentials can > be sniffed, but it is by far the more portable of the auth mechanisms > supported by IIS SMTP. Set the mail client to use your Windows > username + password to log in to the SMTP server, and make sure that > you *are* logging in -- some mail clients assume you don't need to log > to send mail. In Outlook Express, on the 'Server' tab of Account Properties, there is a checkbox item, "My server requires authentication" with a 'Settings' dialog that lets you specify the username and password information (labeled, 'Logon Information'). Is this where one specifies the AUTH LOGIN details in Outlook Express? It seems to me the last time I tried this for my Grandfather's email, it either caused problems for local accounts, or didn't allow him to relay, or something (I've tried so many different configurations now, I don't remember which problems were associated with which configuration!). However, using this method concerns me because everything I've read says *not* to use it due to the fact that usernames and passwords are transmitted in clear text, so I am not sure this is the way I want to go. [quoted text, click to view] > 'Integrated Windows Auth' is the secure auth mechanism AUTH GSSAPI > NTLM, but it isn't even supported by all *Microsoft*-brand mail > clients, so I'd leave it alone for your purposes. Is it your recommendation then to *disable* 'Integrated Windows Auth' and *enable* only 'Basic Auth'? Is this the way most ISP's provide email to their customers? If so, how do they deal with concerns of security (sniffing clear text passwords, etc.)? Thanks, - Dennis
[quoted text, click to view]
> In Outlook Express, on the 'Server' tab of Account Properties, there > is a checkbox item, "My server requires authentication" with a > 'Settings' dialog that lets you specify the username and password > information (labeled, 'Logon Information'). Is this where one > specifies the AUTH LOGIN details in Outlook Express? If 'Use SPA' is unchecked, you'll use AUTH LOGIN. If it's checked, you'll use AUTH GSSAPI NTLM. [quoted text, click to view] > It seems to me the last time I tried this for my Grandfather's > email, it either caused problems for local accounts, or didn't allow > him to relay, or something (I've tried so many different > configurations now, I don't remember which problems were associated > with which configuration!). However, using this method concerns me > because everything I've read says *not* to use it due to the fact > that usernames and passwords are transmitted in clear text, so I am > not sure this is the way I want to go. AUTH LOGIN does not encrypt credentials and passes message data in plain text. AUTH GSSAPI NTLM encrypts credentials and passes message data in plain text. Obviously, preventing the compromise of usernames + passwords is very important. But remember that message data can be just as vital (especially when that data _contains_ usernames and passwords) and the only way to avoid that exposure is to use SMTP + STARTTLS, SMTPS, or client PKI certificates. When you use one of the full-session encryption methods, this can cover authentication as well (even if the auth exchange is LOGIN or PLAIN, there's a protective SSL session around it). If SPA is working for you, keep it working! But in most ad hoc scenarios it will not function, because it is designed for MS mail clients with machines + users in the same domain as the mailserver. [quoted text, click to view] > Is it your recommendation then to *disable* 'Integrated Windows > Auth' and *enable* only 'Basic Auth'? Is this the way most ISP's > provide email to their customers? If so, how do they deal with > concerns of security (sniffing clear text passwords, etc.)? Most ISPs don't use vanilla IIS SMTP on their mail submission boxes. And other SMTP servers support non-proprietary SMTP authentication mechanisms such as AUTH CRAM-MD5, so ISPs don't have to choose between supporting plain-text or supporting only Microsoft clients. --Sandy
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |