RE: [ActiveDir] Exchange relay(OT)

[Al Mulnick]

Exchange servers have credentials.  I haven't worked with that check box lately, Tom, but I would not expect the servers to break just because you expect to require credentials.

 

MAPI clients aren't relaying in the same context.  They don't submit a SMTP message but rather a local message that then gets routed. An internet protocol MUA on the other hand, will have to act as a SMTP client and send the message via SMTP.  Technically, they would relay the message off  the Exchange server to it's destination (internal, external, whatever.) To be allowed to have that conversation, you're saying that the client (this is client-server, so a "server" can be a client as well) must present credentials and be authorized to send mail via SMTP conversation.

 

does that help?

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 21, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange relay(OT)

well, technically, most smtp software like sendmail or postfix, considers your users(pop3/imap) sending email over their MTA to a remote domain as relaying and its usually specified as such in the config files.

I know exchange is groupware,a different beast, but it is an smtp routing server and a pop3/imap server, so i was wondering if it treated mapi clients the same.

i know for a fact, the check box on the virtual server to allow relaying for auth users applies to pop3/imap users, since they are techinacally relaying but you are allowing them as they are your users.

I was just wondering if this affected intenal Exchange servers relaying off each other in your ORG or not.

 

as to the connector, i'm confused as to what the relaying check box means there-

if you're address space is a specific domain, you say checking or unchecking has no affect on users sending email out thry that connector.

yet MS(and everyone else) says if your addy space is * and you allow relaying, you are an open relay since the connector settings override whats on the virtual servers on the bridgeheads(assuming your bridgeheads have mx records and are the one's recieivng incoming mail. if not, then i guess they are just outgoing internal relays which could be bad if you have some smtp worm or spam bot on your network).

 

In all, I don't have much experince with Exchange(about 2 years). I've mostly worked with Postfix and sendmail so i'm using the traditional rfc defs of smtp and relays.

I know thats a bad idea when talking about a commercial product.

 

In reality, a internal mapi client in  your domain local.com, sending an email to [EMAIL PROTECTED], is relaying. its just auth'ed or allowed relaying, the way your isp allows you to relay from outlook express using their smtp server.

 

just wondering how exchange fit into all this in re: to the aforementioned settings- the relay check boxes on the virtual server and connector.

 

thanks alot!

 

On 9/20/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

Let me answer what I can authoritatively.

 

MAPI clients are totally different than pop3/imap. There is no virtual server or none of that. They submit their messages to the server over MAPI just like all their other traffic, and the then server handles the routing internally. You cannot disable mapi users from sending mail. They're not relaying anything off an SMTP server. If you create an acme.com connector and uncheck the relay box, users will continue to be able to email to acme.com

 

I'm not sure you understand what relaying means in the context of SMTP. Sending mail to the SMTP server's native domain is not relaying. It's what the SMTP server is there for. Submitting mail to the SMTP server for delivery to a remote smtp server is relaying. Usually you don't think of your internal users sending outbound mail as relaying though I guess technically it is.

 

A quick peek at the SMTP settings on a couple of the severs here indicates that they all have that allow computers which authenticate to relay box checked. Our outbound SMTP is locked down at the perimeter and inbound comes through a couple of iplanet boxes.  

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, September 20, 2005 9:01 PM
To: activedirectory
Subject: [ActiveDir] Exchange relay(OT)

 

I'm confused about relaying on virtual servers and smtp connectors.

I keep reading conflicting reports-

 

In "Microsoft Exchange Server 2003 24seven" from Sybex, JMcBee writes in chapter 14 on page 584 that unchecking "Allow All Computers WHich Sucessfully Authenticate To Relay..", Exchange servers will not be able to send mail to one another.

He states Exchange servers relay with each other in an Org all the time and unchecking this will break exchange.

Jim McBee has stated this in both Exchange 2k and 2k3 verisons of the book.

 

However in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients.

 

Tony redmond in "MS Exchange Server 2003 with sp1" seems to agree as well.

who's right?

 

Also, I know the setting for relaying on an smtp connector over rides the virtual server connection setting, so say i create a connector with " acme.com" address space. If i uncheck the relay button on the connector, will users(mapi or pop3) be able to send mail to acme.com?

or do i have to enable relaying for this to work on that connector?

 

 

Finally, how does exchange view mapi users?

are they lumped in with auth users like pop3/imap?

 

what mechanism allows mapi users to relay? is there a setting that can disallow mapi clients from relaying like  for pop3/imap clients?

 

Thanks.

alot of questions, i know.

Exchange in some ways confuses the heck outta me.

I find the sendmail.cf file easier than exchange sometimes.

 

 

Thanks again!