Authentication Problems
Ok, I finally got everything set up just how I want it...
except the authentication. It is requiring me to
authenticate before sending mail both outside of my
network and inside of my network. I don't want to require
authentication inside my network though. How can I fix
this? I have only 'Integrated Windows Authentication'
checked for the acceptable authentication types. I also
have 'Only the list below' selected for Relay Restrictions,
and I have granted 192.168.0.0/255.255.255.0,
10.10.0.0/255.255.255.128, and just in case 127.0.0.1.
Also, I have the option checked to allow computers that
successfully authenticate to send. What am I doing wrong?
Thanks for your help.

Ken Schaefer 2004-08-20, 2:50 am
a) You need to enable anonymous auth (otherwise no one is going to be able
to send you mail from outside)
b) The next question is - what are the IP addresses of your internal
networks?
Cheers
Ken
"Evan" <grime@forbiddenninja.com> wrote in message
news:998701c48636$afb04fa0$a601280a@phx.gbl...
> Ok, I finally got everything set up just how I want it...
> except the authentication. It is requiring me to
> authenticate before sending mail both outside of my
> network and inside of my network. I don't want to require
> authentication inside my network though. How can I fix
> this? I have only 'Integrated Windows Authentication'
> checked for the acceptable authentication types. I also
> have 'Only the list below' selected for Relay Restrictions,
> and I have granted 192.168.0.0/255.255.255.0,
> 10.10.0.0/255.255.255.128, and just in case 127.0.0.1.
> Also, I have the option checked to allow computers that
> successfully authenticate to send. What am I doing wrong?
> Thanks for your help.

The IP addresses of my internal networks are 192.168.0.0
and 10.10.0.0. I tried with and without the anonymous
auth. With it enabled sending and receiving all worked
fine, but it made the server not require authorization to
send from both inside the network and outside the network,
which means I get a lot of spam mail sent through my
server. With it disabled everything works correctly
(sending/receiving) except it required authorization to
send, but both outside AND inside the network. That
stopped the spam, but I want it to not require the
authorization for inside the network. Thanks again.
>-----Original Message-----
>a) You need to enable anonymous auth (otherwise no one is going to be able
>to send you mail from outside)
>
>b) The next question is - what are the IP addresses of your internal
>networks?
>
>Cheers
>Ken

Ken Schaefer 2004-08-20, 2:50 am
Hi,
What do you mean "spam sent through your network"? Do you mean people were
delivering spam to your users? If so, then simply edit the connection
properties of the SMTP server so that only users in your IP addresses can
connect to the server at all. This will stop anyone out on the internet from
being able to connect to your SMTP server. Users on your internal network
can connect, and send mail out without authenticating.
However, if you want to receive mail from outside, you will need to have
anonymous authentication enabled, otherwise how is anyone supposed to send
your email? :-)
Cheers
Ken
"Evan" <grime@forbiddenninja.com> wrote in message
news:991001c4866d$582abe50$a401280a@phx.gbl...
> the IP addresses of my internal networks are 192.168.0.0
> and 10.10.0.0. I tried with and without the anonymous
> auth. With it enabled sending and receiving all worked
> fine, but it made the server not require authorization to
> send from both inside the network and outside the network,
> which means I get a lot of spam mail sent through my
> server. With it disabled everything works correctly
> (sending/receiving) except it required authorization to
> send, but both outside AND inside the network. That
> stopped the spam, but I want it to not require the
> authorization for inside the network. Thanks again.

What I mean by spam is people outside my network are using
my server as a relay for spam if I leave the anonymous
auth enabled. I want my users to be able to send mail
through this server when they are outside of the network
(at home or wherever), but I want it to require
authentication for that so only people with a username and
password can. However if someone is trying to send mail
from inside the network I want them to be able to do it
without having to give a username and password. Is this
not possible?
With the anonymous auth disabled I can still send mail
from outside the network using my server. All I have to do
is set the option in my email client that says 'Outgoing
Server Requires Authentication'. That is exactly how I
want it to work outside the network. But it does the same
thing inside the network, and I don't want users to have
to set that option on their email clients inside the
network.
However, if I enable the anonymous auth it takes away the
need for clients outside the network to set that 'Outgoing
Server Requires Authentication' option, and thus anyone
can use my server to send mail (including spammers). And,
with anonymous auth enabled it does the same thing inside
the network as it does outside the network (not ask for
authentication), which I DO want. Am I making any sense? :P
>-----Original Message-----
>Hi,
>
>What do you mean "spam sent through your network"? Do you mean people were
>delivering spam to your users? If so, then simply edit the connection
>properties of the SMTP server so that only users in your IP addresses can
>connect to the server at all. This will stop anyone out on the internet from
>being able to connect to your SMTP server. Users on your internal network
>can connect, and send mail out without authenticating.
>
>However, if you want to receive mail from outside, you will need to have
>anonymous authentication enabled, otherwise how is anyone supposed to send
>your email? :-)
>
>Cheers
>Ken

Ken Schaefer 2004-08-20, 2:50 am
OK,
This is what you should do:
a) Enable Anonymous + <some other authentication>
b) Allow relay only to your internal network IP addresses
c) Allow computers who authenticate to relay
d) Make sure you do not have any weak or blank passwords
e) Make sure Windows accounts like "Guest" are not enabled
If you have set this up then:
a) users inside your network will be able to relay without needing to
authenticate
b) users outside your network will need to authenticate to relay
c) anyone outside your network can send mail to users inside your network
Just be aware that some spammers look for servers that have weak passwords
for known accounts (eg Administrator, Guest etc). If they can guess the
password for one of these accounts, they will be able to send spam through
your server because they can authenticate just like anyone else.
*If* you are still being used as a spam relay in this case, then you have
something else set up incorrectly.
Cheers
Ken
"Evan" <grime@forbiddenninja.com> wrote in message
news:973401c48675$02f1e780$a501280a@phx.gbl...
> What I mean by spam is people outside my network are using
> my server as a relay for spam if I leave the anonymous
> auth enabled. I want my users to be able to send mail
> through this server when they are outside of the network
> (at home or wherever), but I want it to require
> authentication for that so only people with a username and
> password can. However if someone is trying to send mail
> from inside the network I want them to be able to do it
> without having to give a username and password. Is this
> not possible?
> With the anonymous auth disabled I can still send mail
> from outside the network using my server. All I have to do
> is set the option in my email client that says 'Outgoing
> Server Requires Authentication'. That is exactly how I
> want it to work outside the network. But it does the same
> thing inside the network, and I don't want users to have
> to set that option on their email clients inside the
> network.
> However, if I enable the anonymous auth it takes away the
> need for clients outside the network to set that 'Outgoing
> Server Requires Authentication' option, and thus anyone
> can use my server to send mail (including spammers). And,
> with anonymous auth enabled it does the same thing inside
> the network as it does outside the network (not ask for
> authentication), which I DO want. Am I making any sense? :P
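
Added example (not part of the original thread): a simplified Python model of the relay policy Ken lists above, using the grant list quoted in the thread. The `decide` function, the `example.test` and `elsewhere.test` domains and the 203.0.113.9 client are illustrative assumptions, and this models the policy only, not how IIS SMTP is implemented internally.

```python
import ipaddress

# Relay grant list exactly as typed in the thread (network/netmask form).
RELAY_GRANTED = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/255.255.255.0",
    "10.10.0.0/255.255.255.128",   # a .128 mask covers 10.10.0.0-10.10.0.127 only
    "127.0.0.1/255.255.255.255",
)]
LOCAL_DOMAINS = {"example.test"}   # assumption: stands in for the server's own mail domain


def decide(client_ip, authenticated, rcpt_domain, anonymous_enabled=True):
    """Classify one RCPT TO as 'deliver', 'relay', 'auth-required' or 'relay-denied'."""
    if not authenticated and not anonymous_enabled:
        return "auth-required"     # anonymous unchecked: every sender must log in
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "deliver"           # inbound mail for local users is not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_GRANTED):
        return "relay"             # step b: granted addresses relay without logging in
    if authenticated:
        return "relay"             # step c: authenticated clients relay from anywhere
    return "relay-denied"          # anonymous outsider addressing a remote domain


def scenarios():
    """Constructed cases covering the situations discussed in the thread."""
    cases = [
        ("192.168.0.25", False, "elsewhere.test"),  # internal client, no login
        ("10.10.0.200", False, "elsewhere.test"),   # 10.10.0.x host above .127
        ("203.0.113.9", False, "elsewhere.test"),   # outsider, anonymous
        ("203.0.113.9", True, "elsewhere.test"),    # roaming user who logs in
        ("203.0.113.9", False, "example.test"),     # outside server delivering inbound mail
        ("192.168.0.1", False, "elsewhere.test"),   # connection seen as coming from the gateway
    ]
    return [decide(*case) for case in cases]


if __name__ == "__main__":
    for result in scenarios():
        print(result)
```

The last case is the one raised in the thread: any connection the server sees as 192.168.0.1 matches the grant list and relays without authenticating.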

Ken Schaefer 2004-08-20, 2:50 am
That setup should be correct if this machine is exposed directly to the
internet.
When you say "gateway" are you talking about an SMTP gateway? If so, I think
that is where you should be preventing 3rd party relay, not on the internal
machine.
Otherwise, you can manually add the other addresses in the 192.168.0.0
subnet, excluding 192.168.0.1 (but that's a hassle)
Cheers
Ken
<anonymous@discussions.microsoft.com> wrote in message
news:282201c4867e$3c87a3a0$a301280a@phx.gbl...
>I think that is exactly how I had it. Here are some images
> that might simplify things:
> http://home.centurytel.net/grime/auth.jpg
> http://home.centurytel.net/grime/relay.jpg
>
> With those settings I am able to send and receive mail
> both inside and outside the network, but it doesn't
> require authentication for any sending (inside or
> outside). Now if I remove the check from the anonymous
> auth, it makes me authenticate both inside AND outside the
> network. Seems to me that it's not processing my relay
> restrictions list, or I have something typed in there
> incorrectly. Could it be handling all external mail like
> internal mail because all external mail is being routed
> through my gateway (192.168.0.1), which is included in the
> access granted list? If so, how can I remove my gateway
> from that list and still keep the network range?

No, it's not an SMTP gateway. It's just a
gateway/firewall. It runs a version of FreeBSD called
m0n0wall. Will this not work unless my email server is in
the dmz?
>-----Original Message-----
>That setup should be correct if this machine is exposed directly to the
>internet.
>
>When you say "gateway" are you talking about an SMTP gateway? If so, I think
>that is where you should be preventing 3rd party relay, not on the internal
>machine.
>
>Otherwise, you can manually add the other addresses in the 192.168.0.0
>subnet, excluding 192.168.0.1 (but that's a hassle)
>
>Cheers
>Ken

Ken Schaefer 2004-08-22, 8:47 pm
If it's not proxying mail, then it should not matter. Check in your mail
server logs to see what IP address MS SMTP server thinks the mail is coming
from. If your FreeBSD box is just a firewall, then it doesn't proxy SMTP
messages (it operates at a lower layer in the TCP/IP model). MS SMTP server
should see mail as coming from the original IP address (outside your
network).
Cheers
Ken
"Evan" <grime@forbiddenninja.com> wrote in message
news:a07701c486b2$34f10d50$a601280a@phx.gbl...
> No, it's not an SMTP gateway. It's just a
> gateway/firewall. It runs a version of FreeBSD called
> m0n0wall. Will this not work unless my email server is in
> the dmz?
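
Added example (not part of the original thread): one way to do the log check Ken suggests, in Python. It tallies the client address (`c-ip`) on RCPT lines of a W3C extended format log and separates the gateway address from other sources; the sample lines are constructed and the field selection is an assumption, so adjust it to the fields your log actually records.

```python
import ipaddress
from collections import Counter

GATEWAY = ipaddress.ip_address("192.168.0.1")   # gateway address named in the thread
INTERNAL = [ipaddress.ip_network(n) for n in
            ("192.168.0.0/255.255.255.0", "10.10.0.0/255.255.255.128")]

# Constructed sample in W3C extended format; the field selection is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-08-22 20:01:10 192.168.0.25 MAIL +FROM:<user@example.test> 250
2004-08-22 20:01:10 192.168.0.25 RCPT +TO:<friend@elsewhere.test> 250
2004-08-22 20:03:41 192.168.0.1 RCPT +TO:<a@elsewhere.test> 250
2004-08-22 20:03:42 192.168.0.1 RCPT +TO:<b@elsewhere.test> 250
2004-08-22 20:03:44 192.168.0.1 RCPT +TO:<c@elsewhere.test> 250
2004-08-22 20:05:02 203.0.113.9 RCPT +TO:<user@example.test> 250
"""


def rcpt_sources(log_text):
    """Count RCPT commands per client IP, using whatever #Fields header is in force."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("cs-method", "").upper() == "RCPT" and "c-ip" in row:
                counts[row["c-ip"]] += 1
    return counts


def summarize(counts):
    """Split the counts into gateway, other internal, and external sources."""
    summary = {"gateway": 0, "internal": 0, "external": 0}
    for text, n in counts.items():
        ip = ipaddress.ip_address(text)
        if ip == GATEWAY:
            summary["gateway"] += n
        elif any(ip in net for net in INTERNAL):
            summary["internal"] += n
        else:
            summary["external"] += n
    return summary


if __name__ == "__main__":
    print(summarize(rcpt_sources(SAMPLE_LOG)))
```

A high gateway count with no external addresses would mean the server sees outside connections as 192.168.0.1, which the relay grant list covers.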