IIS and SMTP - TLS on SUBMIT / SMTP on Port 587 Redux


Gordon Fecyk

2004-11-15, 2:47 am

I have an unusual problem where I have clients being blocked at outbound
Port 25 so they're unable to use my mail server as a relay, authenticated or
otherwise. I've had to resort to opening a second port (587, used by a lot
of ISPs already) to allow mail relay.

There are two problems with adding a second port.

TLS doesn't work, period, over port 587. Someone supplied me with a SSL
troubleshooting tool made by Microsoft, and I've used it on my server, and
it indicates SSL is not binding to port 587 (which would be unusual if it
did, given that SMTP doesn't work over SSL itself - rather the client has to
issue STARTTLS to begin using it).

Also, I subscribe to a managed e-mail providership that requires me to block
all inbound port 25 except for their servers. If I don't do this, I find
that spammers ignore the MX records for my domain and start pounding their
spam directly at my server.

So I want to restrict access to port 25 but want to allow unrestricted but
authenticated (and secured) access to port 587.

I can't do this with just a single virtual SMTP server, because the IP
access lists (connection settings in the SMTP server properties) cover all
ports used by the virtual server. Normally I'd just go ahead and create a
second virtual server, though it's been recommended here: "You only need one
virtual SMTP server. Period." Well, if you want to restrict access by IP to
one port but not to another, you need a second virtual server.

If I create a second virtual server on port 587 and deny anonymous access to
it, that works. But then, TLS doesn't work on it, just like before.

Yes I could selectively port-forward at the router, if I had the capability.
The router's pretty old. And that doesn't solve my TLS problem.

So, here's the arrangement and here's my desired results. How do I get
there from here?

I want to:

* Allow inbound access on port 25 only to a specific set of networks and IP
addresses - these are the relay servers of my managed e-mail provider.
* Allow relay access (and inbound access if local domain delivery) on port
587 to authenticated users only, through TLS (or SSL if they insist on
calling it SSL). No cleartext usernames and passwords, and no NTLM
authentication - some clients don't use Outlook Express, believe it or not!

I currently have:

* Windows 2000 Server SP4, IIS5.
* Exchange Server 2000, though I understand it shouldn't matter whether I use
Exchange or not.
* Working Certificate Server, private root CA, all customers using my relay
have a copy of the root CA and can relay over port 25 TLS (if their ISP
isn't blocking port 25) with basic authentication.
* one Virtual SMTP server operating on port 25, which allows access only to
the relays belonging to the managed e-mail provider.
* one Virtual SMTP server operating on port 587, which requires basic
authentication but otherwise allows access from anywhere. It works only if
I don't require TLS.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
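Added example, not part of Gordon Fecyk's post and not IIS or Microsoft code: a small client-side probe, written here to check what each virtual SMTP server actually advertises. It parses an EHLO reply for STARTTLS and AUTH, decides whether a password may be sent at all (only inside TLS, only with the PLAIN/LOGIN "basic" mechanisms, never NTLM), and can run the same check live against a host and port. The host name mail.example.net and the two sample replies are constructed for illustration; they follow the shape of IIS SMTP replies but are not captured from the author's server.

```python
"""Check what an SMTP listener offers before trusting it with a password.

Added example, not code from the original thread. It parses EHLO replies
(such as those a virtual SMTP server sends on 25 and 587) for STARTTLS and
AUTH, and decides, as a cautious client would, whether a password may be sent.
Host names and the sample replies are constructed for illustration.
"""
import smtplib
import ssl
from dataclasses import dataclass, field

# Constructed EHLO replies modelled on IIS SMTP output (not real captures).
# This port-25 sample offers STARTTLS; the port-587 sample does not, which
# is the symptom described in the post.
EHLO_PORT25 = """\
250-mail.example.net Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-STARTTLS
250-X-LINK2STATE
250 OK
"""
EHLO_PORT587 = """\
250-mail.example.net Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250 OK
"""

# Password mechanisms acceptable once TLS is up. NTLM is deliberately absent.
PASSWORD_MECHS = ("PLAIN", "LOGIN")


@dataclass
class Capabilities:
    starttls: bool = False
    auth: list = field(default_factory=list)  # upper-cased, deduplicated


def parse_ehlo(reply: str) -> Capabilities:
    """Parse an EHLO reply, with or without the '250-'/'250 ' prefix per line.

    smtplib strips the prefix from the reply it hands back; a raw capture
    keeps it. Both forms are accepted.
    """
    caps = Capabilities()
    for raw in reply.splitlines():
        line = raw.strip()
        if line[:3].isdigit():
            if line[:3] != "250":
                continue        # not a success line; nothing to learn from it
            line = line[4:]     # drop the code and the '-' or ' ' separator
        # IIS also uses the older "AUTH=LOGIN" spelling; treat it as "AUTH LOGIN".
        words = line.upper().replace("AUTH=", "AUTH ").split()
        if not words:
            continue
        if words[0] == "STARTTLS":
            caps.starttls = True
        elif words[0] == "AUTH":
            for mech in words[1:]:
                if mech not in caps.auth:
                    caps.auth.append(mech)
    return caps


def plan_submission(before_tls: Capabilities, after_tls):
    """Decide how a client should proceed from EHLO results before/after STARTTLS.

    Returns ("auth", mechanism) when a password may be sent, else ("refuse", why).
    """
    if not before_tls.starttls:
        return "refuse", "STARTTLS not advertised; a password would cross the wire in clear"
    if after_tls is None:
        return "refuse", "STARTTLS advertised but no TLS session was established"
    for mech in PASSWORD_MECHS:
        if mech in after_tls.auth:
            return "auth", mech
    offered = ", ".join(after_tls.auth) or "none"
    return "refuse", "no PLAIN/LOGIN offered inside TLS (server offers: %s)" % offered


def probe(host: str, port: int, cafile=None, timeout: float = 10.0):
    """Live check: EHLO, STARTTLS if offered, then EHLO again inside TLS.

    cafile is the PEM file of a private root CA when the server uses one.
    Returns (before_tls, after_tls); after_tls is None when TLS never started.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, msg = conn.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {msg!r}")
        before = parse_ehlo(msg.decode("ascii", "replace"))
        after = None
        if before.starttls:
            ctx = ssl.create_default_context(cafile=cafile)
            conn.starttls(context=ctx)   # raises on a certificate the CA does not vouch for
            code, msg = conn.ehlo()      # capabilities may differ inside TLS
            after = parse_ehlo(msg.decode("ascii", "replace"))
        return before, after


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    before, after = probe(host, port, cafile)
    print("STARTTLS offered:", before.starttls)
    print("decision:", plan_submission(before, after))
```

Run as `python probe.py mail.example.net 587 root-ca.pem` against each listener; a "refuse" result on 587 with "STARTTLS not advertised" is the condition the post describes, and the tool never sends a password in that state. The second EHLO after STARTTLS matters because the mechanism list can legitimately differ once the session is encrypted, so the decision is made on the post-TLS reply only.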