IIRC the fact that your Exchange servers are explicitly members of the Exchange Enterprise and Exchange Domain Servers groups means that they have specific rights across the org. As long as you don’t mess around with the SMTP virtual server settings, outside of what the connector gives you, you should be fine as these rights are explicitly given to the members of these two groups.

Plus the Exchange server SMTP extensions don’t treat, I believe, SMTP connections and e-mail delivery from other servers in the ORG as relay attempts since this isn’t controlled by MX records as normal SMTP delivery is. Exchange actually has some extended SMTP verbs to process this sort of e-mail. So an e-mail from [EMAIL PROTECTED] to [EMAIL PROTECTED] where these two mailboxes are on different servers within the org is not treated as a relay attempt, plus the mailbox is not located by an MX record but rather by some sort of LDAP query performed by the Routing/Categorisation engine.

Take a look at the Exchange Technical Reference Guide for all the gory details.

Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

Thanks! So it doesn't apply to servers relaying internally to each other across an org? Correct?

Also, why does checking off that box on a connector going to * make you an open relay? Doesn't that take into account authentication, or does that really mean relay to and from any domain (well, I assume just "to", because it's only outbound)?

Thanks again

On 9/21/05, Peter Johnson <[EMAIL PROTECTED]> wrote:

Hi Tom

In a MAPI client scenario on Exchange no SMTP relaying
occurs at all. The MAPI client submits the mail to the mailstore using the MAPI protocol and the Exchange server's MTA then processes it and hands it off to the right connector based on target address space or type, e.g. SMTP, Rightfax etc. In the case of an SMTP address the SMTP virtual server on Exchange server then performs a normal SMTP transaction to the destination server. The checkbox on the Connector refers to clients who are using standard protocols such as IMAP/POP.

Regards
Peter Johnson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

Well,
technically, most smtp software like sendmail or postfix considers your users (pop3/imap) sending email over their MTA to a remote domain as relaying, and it's usually specified as such in the config files.

I know Exchange is groupware, a different beast, but it is an smtp routing server and a pop3/imap server, so I was wondering if it treated mapi clients the same. I know for a fact the check box on the virtual server to allow relaying for auth users applies to pop3/imap users, since they are technically relaying but you are allowing them as they are your users.

I was just wondering if this affected internal Exchange servers relaying off each other in your ORG or not.

As to the connector, I'm confused as to what the relaying check box means there. If your address space is a specific domain, you say checking or unchecking has no effect on users sending email out thru that connector. Yet MS (and everyone else) says if your addy space is * and you allow relaying, you are an open relay since the connector settings override what's on the virtual servers on the bridgeheads (assuming your bridgeheads have mx records and are the ones receiving incoming mail; if not, then I guess they are just outgoing internal relays, which could be bad if you have some smtp worm or spam bot on your network).

In all, I don't have much experience with Exchange (about 2 years). I've mostly worked with Postfix and sendmail so I'm using the traditional rfc defs of smtp and relays. I know that's a bad idea when talking about a commercial product.

In reality, an internal mapi client in your domain local.com, sending an email to [EMAIL PROTECTED], is relaying. It's just auth'ed or allowed relaying, the way your isp allows you to relay from outlook express using their smtp server.

Just wondering how Exchange fit into all this in re: to the aforementioned settings, the relay check boxes on the virtual server and connector.

Thanks a lot!

On 9/20/05, Brian Desmond <[EMAIL PROTECTED]> wrote:

Let me answer what I can authoritatively.

MAPI clients
are totally different than pop3/imap. There is no virtual server or any of that. They submit their messages to the server over MAPI just like all their other traffic, and the server then handles the routing internally. You cannot disable mapi users from sending mail. They're not relaying anything off an SMTP server.

If you create an acme.com connector and uncheck the relay box, users will continue to be able to email to acme.com.

I'm not sure you understand what relaying means in the context of SMTP. Sending mail to the SMTP server's native domain is not relaying. It's what the SMTP server is there for. Submitting mail to the SMTP server for delivery to a remote smtp server is relaying. Usually you don't think of your internal users sending outbound mail as relaying, though I guess technically it is.

A quick peek at the SMTP settings on a couple of the servers here indicates that they all have that "allow computers which authenticate to relay" box checked. Our outbound SMTP is locked down at the perimeter and inbound comes through a couple of iplanet boxes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern

I'm
confused about relaying on virtual servers and smtp connectors. I keep reading conflicting reports.

In "Microsoft Exchange Server 2003 24seven" from Sybex, JMcBee writes in chapter 14 on page 584 that, on unchecking "Allow All Computers Which Successfully Authenticate To Relay..", Exchange servers will not be able to send mail to one another. He states Exchange servers relay with each other in an Org all the time and unchecking this will break Exchange. Jim McBee has stated this in both Exchange 2k and 2k3 versions of the book.

However, in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients. Tony Redmond in "MS Exchange Server 2003 with sp1" seems to agree as well. Who's right?

Also, I know the setting for relaying on an smtp connector overrides the virtual server connection setting, so say I create a connector with "acme.com" address space. If I uncheck the relay button on the connector, will users (mapi or pop3) be able to send mail to acme.com? Or do I have to enable relaying for this to work on that connector?

Finally, how does Exchange view mapi users? Are they lumped in with auth users like pop3/imap? What mechanism allows mapi users to relay? Is there a setting that can disallow mapi clients from relaying like for pop3/imap clients?

Thanks. A lot of questions, I know. Exchange in some ways confuses the heck outta me. I find the sendmail.cf file easier than Exchange sometimes.

Thanks again!
