Allowing Relay For Authenticated Users

Discussions on webmail and the Professional version.
danthomas
Posts: 4
Joined: Thu Jun 03, 2004 10:23 am
Location: Swansea

Allowing Relay For Authenticated Users

Post by danthomas »

Hi Everyone,

I wonder if anyone can offer me some help and advice. I have MailEnable Pro server and find it fantastic. We are a medium-sized company and find that it is just perfect for what we need, as we simply can't afford something as expensive as MS Exchange. The only problem we have is that it appears to be an open relay and I need to lock this down, as we are protected by MessageLabs and they have picked up on this and have given us a week to sort it out or they will freeze our account. MessageLabs have suggested locking down the firewall so that the email server's IP address only accepts connections from MessageLabs. Now this will work, but I have external users who need to collect their mail using Outlook Express or Outlook 2000, and as they don't have a static IP this would lock them out of the system. I know they could use webmail, but these external users are home workers and, as they are very heavy users of email, the webmail system isn't suitable, plus I don't have the storage capacity on the server to store everyone's emails. I could get them all static IP addresses but this will take too long. I have changed the settings on the ME server so that relay is only allowed for authenticated users using a username and password I have set up. This works fine internally, but the external users still can't send email even though they have the "my server requires authentication" set up on their email accounts. I am pulling my hair out trying to work out why it won't work externally. Do I need to open a certain port on the firewall for the mail server's IP address, or am I missing something else? At the minute our ME server is allowing relay for local sender addresses, which is why it's an open relay, as anyone can pretend to be sending from an address on our domain.
Until MessageLabs brought this to my attention I had no idea it was an open relay, as I have only been with the company for a few months and the mail server was set up by my predecessor. I'm not in any way trying to pass the buck, as I should have picked up on this problem, but as with any new job my attention has been on so many different things that it just went unnoticed.

Any help would be greatly appreciated as I have so much to do before the New Year and this problem is something I could do without.

Many Thanks
Dan

Mother
Posts: 56
Joined: Thu Sep 16, 2004 11:02 pm

Post by Mother »

Adjusting your relay & authentication securities is your simplest solution.

Setting your Relay Settings to:

Allow Mail Relay = True (so your user can actually use email :) )
Allow relay for authenticated senders = True
Authentication Method = MailEnable/Integrated authentication
* Using Integrated authentication will potentially solve your clients' sending issue; they simply need to check the "my server requires authentication" and use their own credentials. You could even use AD integration here.
Allow relay for privileged IP ranges = False (use cautiously, although it won't technically make you an open relay)
Allow relay for local sender addresses = False (very bad, this is how someone spams through you!)

These settings will close you down as an open relay source and still allow your end users the ability to send and receive email.

If that doesn't satisfy Messagelabs, you may never win :roll:
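
Added example, not part of the post above and not MailEnable's own code: a simplified Python model of the relay options listed in that post, assuming relay is granted as soon as any enabled option matches. The class and field names, the `example.com` domain and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class RelaySettings:                      # hypothetical names mirroring the listed options
    allow_relay: bool = True
    authenticated_senders: bool = True
    privileged_ranges: tuple = ()         # CIDR strings; empty means the option is off
    local_sender_addresses: bool = False

@dataclass
class Session:
    client_ip: str
    authenticated: bool   # True only after a successful SMTP AUTH
    mail_from: str        # envelope sender: supplied by the client, never verified
    rcpt_to: str

LOCAL_DOMAINS = {"example.com"}           # constructed sample domain

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def decide(settings, sess):
    """Return (accepted, reason) for one RCPT TO under the modelled policy."""
    if domain(sess.rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"     # inbound mail, not a relay
    if not settings.allow_relay:
        return False, "relay disabled"
    if settings.authenticated_senders and sess.authenticated:
        return True, "authenticated sender"
    ip = ip_address(sess.client_ip)
    if any(ip in ip_network(net) for net in settings.privileged_ranges):
        return True, "privileged IP range"
    if settings.local_sender_addresses and domain(sess.mail_from) in LOCAL_DOMAINS:
        return True, "local sender address (forgeable)"
    return False, "relay denied"

def is_open_relay(settings):
    """Audit: an unauthenticated outside host claims a local sender address."""
    probe = Session("203.0.113.50", False, "ceo@example.com", "someone@example.net")
    return decide(settings, probe)[0]

if __name__ == "__main__":
    print("local-sender relay on :", is_open_relay(RelaySettings(local_sender_addresses=True)))
    print("recommended settings  :", is_open_relay(RelaySettings()))
    home = Session("198.51.100.7", True, "dan@example.com", "someone@example.net")
    print("home worker with AUTH :", decide(RelaySettings(), home))
```

In this model the only thing separating a home worker from a spammer is the `authenticated` flag, so a client that never completes SMTP AUTH is refused for external recipients while still being accepted for local ones.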

dreniarb
Posts: 319
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

Post by dreniarb »

i have mine setup exactly as mother suggested, and it works great (i get about 75% more relay denied's than i do legit relays, freak'n spam!).

so you've said you've already set it for relay for authenticated users only, but outside people can't send? i'd be curious what your smtp logs say when someone errors out. can you post a bit of it for us? also, if you don't mind, post your domain name so we can run some tests for you.

danthomas
Posts: 4
Joined: Thu Jun 03, 2004 10:23 am
Location: Swansea

Post by danthomas »

Hi Mother & dreniarb,

Many thanks for your reply to my post. I still haven't managed to close the relay, so your advice is much appreciated. I have set the email server for authentication, which works fine internally, but the outside users can't send email. When they try they get the error message "unable to send your message as this server requires authentication". I have set up the authentication on their machines but it still won't work.

When the server is locked down and someone tries to send a message the SMTP log shows this data only:

12/03/04 12:18:38 ME-E0109: Relay Denied: Failed to meet all relay criteria.
12/03/04 12:18:38 ME-I0074: (Debug) [372] end of conversation

If they try to send a message to an internal address then that's fine, but any external address just won't work.

I'd rather not post the details of our mail server here, as it can be viewed by anyone, who would then know about our open relay problem and may use that to their advantage. What sort of tests would you want to run? I may have run them already. I have run an open relay test when the server is unlocked and it relays quite happily (very bad), but when it's locked down it simply says no (relay rejected).

Many Thanks
Dan

Mother
Posts: 56
Joined: Thu Sep 16, 2004 11:02 pm

Post by Mother »

Not good!

Couple of questions first, please forgive me if they sound ignorant. I just want to get a grasp on the situation :D

1. what are your exact relay settings?
2. when you said you turned on authentication on the client, did you mean within their Email application or somewhere else?

3. Can you telnet to your smtp and pop ports from those clients experiencing the problems?

and when you tested your relay, was it here? http://www.mailenable.com/Tools/memaillookup.asp
