IIS and SMTP - Setting up SMTP for outbound mail only







Bill Fuller

2007-12-01, 7:21 pm

We have installed a TFS server for development which requires a
non-authenticated SMTP server for event notification. We have an external
mail server that requires authentication, so we cannot use that for this
purpose. So I am wondering if the smtp service can be configured to do this
without becoming vulnerable to external attack (I was warned that if it is
used as a relay server our IP addresses could be blacklisted).

Basically, all I want is, for example, new Work Item assignments to be
emailed to the affected developer, etc... they will NOT be receiving mail
from this service but, instead, use our standard mail service for this. It
will only be used to send mail to them.


Sanford Whiteman

2007-12-01, 7:21 pm

> So I am wondering if the smtp service can be configured to do this
> without becoming vulnerable to external attack


Of course.

There are two ways to restrict relaying for unknown remote domains: by
requiring SMTP AUTH credentials or by requiring that sessions come
from a known IP.

In Access-Relay Restrictions-Relay, you select `Only the list below`
and list the allowed IPs. For example, if the SMTP service is running
in the server as your app, just allow relay from 127.0.0.1. Better
yet, only allow _connections_ from 127.0.0.1 as well
(Access-Connection control-Connection).

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
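The two relay controls Sandy describes, an allowed-IP list under Relay Restrictions and SMTP AUTH, plus the separate connection-control list, modelled as a small policy object. This is an added example and not IIS code or anything from the thread; the domains and addresses are constructed from documentation ranges, and the reply strings are illustrative.

```python
# Added example (not IIS code): a model of the two relay-control methods
# named above, a relay-IP allow list and SMTP AUTH, plus connection control.
# Addresses and domains are constructed (RFC 5737 / RFC 2606 ranges).
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple


@dataclass
class RelayPolicy:
    # Domains this host accepts mail for; empty for an outbound-only gateway
    local_domains: FrozenSet[str] = field(default_factory=frozenset)
    # "Only the list below" under Access > Relay Restrictions
    relay_allowed: Tuple[ipaddress.IPv4Network, ...] = (
        ipaddress.ip_network("127.0.0.1/32"),
    )
    # Access > Connection control: who may open a session at all
    connect_allowed: Tuple[ipaddress.IPv4Network, ...] = (
        ipaddress.ip_network("0.0.0.0/0"),
    )
    # Whether a session that passed SMTP AUTH may relay regardless of IP
    auth_may_relay: bool = True

    @staticmethod
    def _matches(ip: str, nets) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def connection_reply(self, client_ip: str) -> str:
        """Reply sent at connect time; 554 means the session is refused."""
        if self._matches(client_ip, self.connect_allowed):
            return "220 ready"
        return "554 connection refused"

    def rcpt_reply(self, client_ip: str, rcpt: str, authenticated: bool = False) -> str:
        """Reply to RCPT TO: local domains always; foreign domains only when
        the client IP is on the relay list or the session is authenticated."""
        if not self.connection_reply(client_ip).startswith("220"):
            return "554 connection refused"
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 OK"
        if self._matches(client_ip, self.relay_allowed):
            return "250 OK"
        if authenticated and self.auth_may_relay:
            return "250 OK"
        return f"550 5.7.1 Unable to relay for {rcpt}"


# The outbound-only gateway described in the thread: application and SMTP
# service on the same host, relay AND connections restricted to loopback.
LOOPBACK_ONLY = RelayPolicy(
    connect_allowed=(ipaddress.ip_network("127.0.0.1/32"),),
)
```

With `LOOPBACK_ONLY`, a remote client never reaches the relay decision at all, which is the "better yet" configuration in the post; with the default connection list, a remote unauthenticated client is still refused for foreign domains but can deliver to a listed local domain.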
Bill Fuller

2007-12-01, 7:21 pm

Thanks. This is helpful.

I forgot to ask. would it be advisable to block inbound traffic on port 25
at the firewall if I am only going to be sending email from this server?

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.t2ogcl146c17zw@gw02.broadleaf.local...
>
> Of course.
>
> There are two ways to restrict relaying for unknown remote domains: by
> requiring SMTP AUTH credentials or by requiring that sessions come
> from a known IP.
>
> In Access-Relay Restrictions-Relay, you select `Only the list below`
> and list the allowed IPs. For example, if the SMTP service is running
> in the server as your app, just allow relay from 127.0.0.1. Better
> yet, only allow _connections_ from 127.0.0.1 as well
> (Access-Connection control-Connection).
>
> --Sandy
>
>
>
> ------------------------------------
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> ------------------------------------



Sanford Whiteman

2007-12-01, 7:21 pm

> I forgot to ask. would it be advisable to block inbound traffic on port
> 25 at the firewall if I am only going to be sending email from this
> server?


Of course.

An outbound gateway is under no obligation to accept inbound connections.

It is obliged to pass the PTR-HELO-A roundtrip configuration test, of
course.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
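Sandy's "PTR-HELO-A roundtrip" is not spelled out in the thread; the added example below implements the usual reading of it (the sending IP's PTR record, the name announced in HELO/EHLO, and that name's A record must all agree) as a self-check an operator can run against their own gateway. It is not Sandy's code or Microsoft's. The resolver functions are injected so the logic also runs offline against the constructed records at the bottom; `resolve_ptr_live` and `resolve_a_live` use the standard library for real lookups.

```python
# Added example: forward/reverse DNS consistency check for an outbound SMTP
# gateway (one reading of the "PTR-HELO-A roundtrip" test named above).
import socket
from typing import Callable, List, Optional, Tuple


def resolve_ptr_live(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None


def resolve_a_live(name: str) -> List[str]:
    """IPv4 A records via the system resolver; empty list when none."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def check_roundtrip(
    public_ip: str,
    helo_name: str,
    resolve_ptr: Callable[[str], Optional[str]] = resolve_ptr_live,
    resolve_a: Callable[[str], List[str]] = resolve_a_live,
) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is True only when every leg agrees."""
    findings: List[str] = []
    helo = helo_name.lower().rstrip(".")

    # Leg 1: sending IP -> PTR, which should name the HELO host
    ptr = resolve_ptr(public_ip)
    if ptr is None:
        findings.append(f"no PTR record for {public_ip}")
    elif ptr != helo:
        findings.append(f"PTR for {public_ip} is {ptr!r}, HELO announces {helo!r}")

    # Leg 2: HELO name -> A, which should include the sending IP
    addrs = resolve_a(helo)
    if not addrs:
        findings.append(f"HELO name {helo!r} has no A record")
    elif public_ip not in addrs:
        findings.append(f"A record(s) for {helo!r} are {addrs}, not {public_ip}")

    # Leg 3: PTR name -> A, closing the loop back to the sending IP
    if ptr is not None:
        ptr_addrs = resolve_a(ptr)
        if ptr_addrs and public_ip not in ptr_addrs:
            findings.append(f"PTR name {ptr!r} does not resolve back to {public_ip}")

    return (not findings, findings)


# Constructed records for offline use (not real DNS data).
_FAKE_PTR = {"192.0.2.25": "mail.dev.example"}
_FAKE_A = {"mail.dev.example": ["192.0.2.25"]}


def fake_ptr(ip: str) -> Optional[str]:
    return _FAKE_PTR.get(ip)


def fake_a(name: str) -> List[str]:
    return list(_FAKE_A.get(name.lower(), []))


if __name__ == "__main__":
    # Live check of a real gateway: pass its public IP and configured FQDN.
    ok, notes = check_roundtrip("192.0.2.25", "mail.dev.example", fake_ptr, fake_a)
    print("consistent" if ok else "\n".join(notes))
```

A gateway that announces its internal machine name (say, the bare NetBIOS name) while its public IP's PTR points elsewhere fails legs 1 and 2 at once, which is the kind of mismatch large receiving domains penalise.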
Bill Fuller

2007-12-01, 7:21 pm

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.t2ojehsb6c17zw@gw02.broadleaf.local...
>
> Of course.
>
> An outbound gateway is under no obligation to accept inbound connections.
>
> It is obliged to pass the PTR-HELO-A roundtrip configuration test, of
> course.
>
> --Sandy


Sorry, You're over my head with this one (I have never configured SMTP
services before). Is there something I need to do to assure PTR-HELO-A is
being passed?

I am also seeing the following smptsvc error events which I haven't got a
clue about (and wondering if this may be related to why none of my email is
being delivered):

Event Type: Warning
Event Source: smtpsvc
Event Category: None
Event ID: 4000
Date: 12/1/2007
Time: 1:34:30 PM
User: N/A
Computer: ATHENA
Description:
Message delivery to the remote domain 'live.com' failed for the following
reason: Unable to bind to the destination server in DNS.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d5 02 04 c0 Õ..À


Sanford Whiteman

2007-12-01, 7:21 pm

> Is there something I need to do to assure PTR-HELO-A is being passed?

Several things. Please search the archives of this list and read my
past posts on this topic.

> I am also seeing the following smptsvc error events...


Is this server's DNS resolver capable of resolving remote domains?
What happens when, from the mailserver, you run

nslookup -q=mx live.com

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Bill Fuller

2007-12-02, 1:35 am


>Is this server's DNS resolver capable of resolving remote domains?
>What happens when, from the mailserver, you run
>
> nslookup -q=mx live.com


C:\Documents and Settings\Bill>nslookup -q=mx live.com
*** Can't find server name for address 172.30.10.1: Non-existent domain
Server: UnKnown
Address: 172.30.10.1

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com


Bill Fuller

2007-12-02, 1:28 pm


>Is this server's DNS resolver capable of resolving remote domains?
>What happens when, from the mailserver, you run
>
> nslookup -q=mx live.com


Interesting. I added another DNS server that is in a different domain and
ran the above command twice, with two different results:

C:\Documents and Settings\Bill>nslookup -q=mx live.com

Server: hermes.exch.local
Address: 192.168.254.242

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com


C:\Documents and Settings\Bill>nslookup -q=mx live.com

Server: hermes.exch.local
Address: 192.168.254.242

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com

mx1.hotmail.com internet address = 65.54.245.8
mx1.hotmail.com internet address = 65.54.244.8
mx1.hotmail.com internet address = 65.54.244.136
mx2.hotmail.com internet address = 65.54.245.40
mx2.hotmail.com internet address = 65.54.244.40
mx2.hotmail.com internet address = 65.54.244.168
mx3.hotmail.com internet address = 65.54.244.200
mx3.hotmail.com internet address = 65.54.245.72
mx3.hotmail.com internet address = 65.54.244.72
mx4.hotmail.com internet address = 65.54.244.232
mx4.hotmail.com internet address = 65.54.245.104
mx4.hotmail.com internet address = 65.54.244.104


Bill Fuller

2007-12-02, 1:28 pm


Ok... I tried it again, this time getting rid of the alternate DNS that is
not part of this development domain. I got the following, however it doesn't
seem to know the DC server name for some reason. Is that a problem?:

C:\Documents and Settings\Bill>nslookup -q=mx live.com
*** Can't find server name for address 172.30.10.1: Non-existent domain
Server: UnKnown
Address: 172.30.10.1

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com

mx3.hotmail.com internet address = 65.54.244.200
mx3.hotmail.com internet address = 65.54.245.72
mx3.hotmail.com internet address = 65.54.244.72
mx1.hotmail.com internet address = 65.54.244.136
mx1.hotmail.com internet address = 65.54.245.8
mx1.hotmail.com internet address = 65.54.244.8
mx2.hotmail.com internet address = 65.54.245.40
mx2.hotmail.com internet address = 65.54.244.40
mx2.hotmail.com internet address = 65.54.244.168


Sanford Whiteman

2007-12-02, 1:28 pm

> I got the following, however it doesn't seem to know the DC server
> name for some reason. Is that a problem?:


It's a problem for nslookup itself, but should not otherwise cause
direct problems with DNS resolution. However, it usually points to
other flaws in your DNS configuration. Why is 172.30.10.1 unable to
resolve reverse DNS (PTR) records for its IP?

Anyway, from your previous results, it appears that both of your DNS
servers are having sporadic errors. Does your firewall allow both TCP
and UDP 53 communications? Do you have EDNS0 turned off on your DNS
server?

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
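Sandy's diagnosis rests on comparing several `nslookup -q=mx` runs by eye: the resolver cannot name itself, and the additional A records for the MX hosts come back in some runs but not others. The added example below (mine, not from the thread) parses Windows `nslookup` output in the format shown in the posts above and reports exactly those symptoms, so the comparison can be repeated mechanically. The three sample runs are constructed and abbreviated, modelled on the outputs in the thread.

```python
# Added example: parse Windows "nslookup -q=mx" output (format as shown in
# the thread) and flag the resolver symptoms discussed above.
import re
from typing import Dict, List

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\d+\.\d+\.\d+\.\d+)$")
NO_PTR_RE = re.compile(r"^\*\*\* Can't find server name for address (\S+):")


def parse_nslookup_mx(text: str) -> Dict:
    """Extract resolver address, MX hosts and any additional A records."""
    out: Dict = {"server_addr": None, "server_name": None,
                 "server_unnamed": None, "mx": [], "a": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NO_PTR_RE.match(line)
        if m:                      # resolver has no PTR for its own address
            out["server_unnamed"] = m.group(1)
            continue
        if line.startswith("Server:"):
            out["server_name"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Address:"):
            out["server_addr"] = line.split(":", 1)[1].strip()
            continue
        m = MX_RE.match(line)
        if m:
            out["mx"].append((int(m.group(2)), m.group(3).lower()))
            continue
        m = A_RE.match(line)
        if m:
            out["a"].setdefault(m.group(1).lower(), []).append(m.group(2))
    return out


def diagnose(runs: List[str]) -> List[str]:
    """Compare repeated runs of the same query and describe inconsistencies."""
    findings: List[str] = []
    parsed = [parse_nslookup_mx(r) for r in runs]
    for p in parsed:
        if p["server_unnamed"]:
            findings.append(f"resolver {p['server_unnamed']} has no PTR record for itself")
            break
    mx_sets = [frozenset(h for _, h in p["mx"]) for p in parsed]
    if any(s != mx_sets[0] for s in mx_sets):
        findings.append("MX host set differs between runs")
    glue = [bool(p["a"]) for p in parsed]
    if any(glue) and not all(glue):
        findings.append("A records for MX hosts returned in some runs but not others (sporadic resolver failures)")
    hosts = set(mx_sets[0]) if mx_sets else set()
    for p in parsed:
        missing = sorted(hosts - set(p["a"]))
        if p["a"] and missing:
            findings.append(f"run returned A records for only some MX hosts; missing {missing}")
    return findings


# Constructed, abbreviated runs modelled on the outputs in the thread.
RUN_NO_PTR_NO_GLUE = """
*** Can't find server name for address 172.30.10.1: Non-existent domain
Server:  UnKnown
Address:  172.30.10.1

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com
"""
RUN_FULL = """
Server:  hermes.exch.local
Address:  192.168.254.242

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com

mx1.hotmail.com internet address = 65.54.245.8
mx2.hotmail.com internet address = 65.54.245.40
mx3.hotmail.com internet address = 65.54.244.200
mx4.hotmail.com internet address = 65.54.244.232
"""
RUN_PARTIAL_GLUE = """
*** Can't find server name for address 172.30.10.1: Non-existent domain
Server:  UnKnown
Address:  172.30.10.1

Non-authoritative answer:
live.com MX preference = 5, mail exchanger = mx3.hotmail.com
live.com MX preference = 5, mail exchanger = mx4.hotmail.com
live.com MX preference = 5, mail exchanger = mx1.hotmail.com
live.com MX preference = 5, mail exchanger = mx2.hotmail.com

mx3.hotmail.com internet address = 65.54.244.200
mx1.hotmail.com internet address = 65.54.244.136
mx2.hotmail.com internet address = 65.54.245.40
"""
```

Run `diagnose([RUN_NO_PTR_NO_GLUE, RUN_FULL, RUN_PARTIAL_GLUE])` to see the three findings; in practice, feed it the captured output of several consecutive runs from the mail server itself, since that is the resolver the SMTP service will use.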
Bill Fuller

2007-12-03, 1:45 am

> Does your firewall allow both TCP and UDP 53 communications?

Good question. I have no control over the firewall so can't say how it is
configured. I will ask tomorrow. Is that required for outbound, inbound, or
both?

> Do you have EDNS0 turned off on your DNS server?


Where do I check for this?


Bill Fuller

2007-12-03, 1:45 am

> Do you have EDNS0 turned off on your DNS

k... I shut it off using the dnscmd.exe utility. I am assuming by the
question that it should be off, correct?


Sanford Whiteman

2007-12-03, 1:45 am

> k... I shut it off using the dnscmd.exe utility. I am assuming by the
> question that it should be off, correct?


For these troubleshooting purposes, yes.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Sanford Whiteman

2007-12-03, 1:45 am

> Good question. I have no control over the firewall so can't say how it is
> configured. I will ask tomorrow. Is that required for outbound, inbound,
> or both?


Both.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Bill Fuller

2007-12-03, 1:27 pm

>> Good question. I have no control over the firewall so can't say how it is
>
> Both.


I found the following regarding UDP 53 and am wondering what your thoughts
are on this. Namely, if I open it will it be a security risk?

http://www.auditmypc.com/port/udp-port-53.asp

EXCERPT:

Domain Name Server (DNS).DNS servers offer different services on TCP and
UDP. TCP is used for "zone transfers" of full name record databases, while
UDP is used for individual lookups. Security Concerns: Zone Transfers give
away entire network maps; high value to attackers. - DNS (BIND) is a popular
target, since DNS servers must exist, must be reachable, and exploits
usually result DOS or root. Keep BIND version/patches current (refer to
www.isca.org). Use "split-DNS"


Bill Fuller

2007-12-03, 7:24 pm

> Both.

Sandy,

My request to the firewall tech to open tcp/udp 53 elicited the following
question:

"Are you forwarding the DNS requests out to internet based DNS servers?"


To be honest, I have no idea as I am not a network guy but, of necessity,
have inherited responsibility to configure this. Is there some way for me to
tell if this is the case, or does it matter?


Sanford Whiteman

2007-12-04, 1:37 am

> My request to the firewall tech to open tcp/udp 53 elicited the
> following question:
>
> "Are you forwarding the DNS requests out to internet based DNS servers?"
>
>
> To be honest, I have no idea as I am not a network guy but, of
> necessity, have inherited responsibility to configure this. Is there
> some way for me to tell if this is the case, or does it matter?


Your mailserver requires a DNS server that can perform recursion, that
is, lookups for non-local domains. This means that outbound DNS
queries must be allowed from the DNS server's IP.

--Sandy




------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Sanford Whiteman

2007-12-04, 1:37 am

> I found the following regarding UDP 53 and am wondering what your
> thoughts are on this. Namely, if I open it will it be a security
> risk?


No.

UDP 53 must be open to receive DNS responses. As UDP is
connectionless, there is no way to open only outbound UDP 53
connections. (Anything you think of as a UDP "connection" is a fake
state maintained by some firewalls across packets with reflexive
source and destination info.)

And, as is typical of newbie-sponsored sites like "AuditMyPC," their
assessment of TCP 53 is wrong. TCP 53 is used for normal DNS recursion
when responses are over UDP packet capacity, _not_ only for zone
transfer. However, outbound + stateful TCP 53 is all that is necessary.

Their assessment has the mild ring of truth in that you must ensure
that zone transfer is not possible from the Net at large. But [a]
opening outbound TCP 53 connections for DNS recursion does not mean
that inbound TCP 53 is open; and [b] even opening inbound TCP 53 does
not mean that you are opening zone transfers. All of these are
separate configuration areas in modern DNS servers.

--Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
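The firewall argument in the post above (UDP 53 must be open in both directions because a UDP "connection" is only reflexive state kept by the firewall; TCP 53 outbound and stateful is enough for recursion; inbound 25 stays closed on an outbound-only gateway) is easy to get wrong in a rule set. The added example below, which is mine and not from the thread or any firewall vendor, models a minimal stateful filter with exactly that policy and evaluates sample packets against it. The host addresses are constructed, and NAT is not modelled.

```python
# Added example: a toy stateful packet filter implementing the policy argued
# above ("outbound recursive DNS" plus outbound-only SMTP). Not vendor code.
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the site, "in" = arriving from the Internet
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    # Constructed addresses (RFC 5737): the internal DNS server and the
    # outbound-only SMTP gateway.
    DNS_SERVER = "192.0.2.53"
    MAIL_SERVER = "192.0.2.25"

    def __init__(self) -> None:
        # Reflexive 5-tuples for which a reply is expected. For TCP this is
        # real connection state; for UDP it is the "fake state" the post
        # describes: nothing more than the reversed source/destination.
        self.expected: Set[Tuple[str, str, int, str, int]] = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            # Inbound is only accepted as the reply to something we sent:
            # no unsolicited UDP 53, no new TCP 53 (so no zone transfer
            # exposure) and no inbound TCP 25 at all.
            if self._reverse(p) in self.expected:
                return "ACCEPT reply"
            return "DROP"
        # Outbound recursive DNS from the DNS server only
        if p.src == self.DNS_SERVER and p.dport == 53 and p.proto in ("udp", "tcp"):
            self.expected.add(self._key(p))
            return "ACCEPT"
        # Outbound SMTP from the gateway only
        if p.src == self.MAIL_SERVER and p.proto == "tcp" and p.dport == 25:
            self.expected.add(self._key(p))
            return "ACCEPT"
        return "DROP"


def walk_through() -> dict:
    """Evaluate the cases discussed in the thread; returns case -> verdict."""
    fw = StatefulFilter()
    remote_ns, remote_mx = "198.51.100.53", "198.51.100.25"
    cases = {
        "dns query out (udp)":      Packet("out", "udp", fw.DNS_SERVER, 50000, remote_ns, 53),
        "dns reply in (udp)":       Packet("in",  "udp", remote_ns, 53, fw.DNS_SERVER, 50000),
        "unsolicited udp 53 in":    Packet("in",  "udp", remote_ns, 53, fw.DNS_SERVER, 50001),
        "dns query out (tcp)":      Packet("out", "tcp", fw.DNS_SERVER, 50002, remote_ns, 53),
        "dns reply in (tcp)":       Packet("in",  "tcp", remote_ns, 53, fw.DNS_SERVER, 50002),
        "new tcp 53 in":            Packet("in",  "tcp", remote_ns, 40000, fw.DNS_SERVER, 53),
        "smtp out from gateway":    Packet("out", "tcp", fw.MAIL_SERVER, 50003, remote_mx, 25),
        "smtp in to gateway":       Packet("in",  "tcp", remote_mx, 40001, fw.MAIL_SERVER, 25),
        "dns query from other host": Packet("out", "udp", fw.MAIL_SERVER, 50004, remote_ns, 53),
    }
    return {name: fw.decide(pkt) for name, pkt in cases.items()}
```

The last case shows a side effect of the policy worth knowing: the mail server itself cannot query the Internet directly, so it must be pointed at the internal DNS server, which is the recursion path Sandy describes.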
Bill Fuller

2007-12-04, 1:24 pm

> And, as is typical of newbie-sponsored sites like "AuditMyPC," their
> assessment of TCP 53 is wrong. TCP 53 is used for normal DNS recursion
> when responses are over UDP packet capacity, _not_ only for zone
> transfer. However, outbound + stateful TCP 53 is all that is necessary.
>
> Their assessment has the mild ring of truth in that you must ensure
> that zone transfer is not possible from the Net at large. But [a]
> opening outbound TCP 53 connections for DNS recursion does not mean
> that inbound TCP 53 is open; and [b] even opening inbound TCP 53 does
> not mean that you are opening zone transfers. All of these are
> separate configuration areas in modern DNS servers.


Wow... this is all very helpful (I may get my SMTP to work, yet).

Just to clarify, it sounds like I need UDP 53 outbound/inbound and TCP 53
outbound. Correct?

Also, configuring the DNS server is turning out to be much more involved
than I anticipated. Do you happen to know of a good source of info on
step-by-step instructions that will walk me through what I am trying to
accomplish? (i.e., allow my internal DNS AD server to send mail via IIS
SMTP)?

In addition, I want to thank you for your patience here.


Sanford Whiteman

2007-12-04, 7:24 pm

> Just to clarify, it sounds like I need UDP 53 outbound/inbound and
> TCP 53 outbound. Correct?


Yes. To a firewall guy, this would be expressed as "outbound recursive
DNS."

> Also, configuring the DNS server is turning out to be much more involved
> than I anticipated.


Yep....

> Do you happen to know of a good source of info on step-by-step
> instructions that will walk me through what I am trying to
> accomplish? (i.e., allow my internal DNS AD server to send mail via
> IIS SMTP)?


Well, you're saying the last part backwards, which isn't going to help
you to find tutorials. You mean "allow my IIS SMTP server to send
mail using Microsoft DNS server for DNS resolution."

As far as a precise HOWTO, that's going to be difficult, since MS DNS
is at the heart of AD and generally services (as in your case)
authoritative lookups on its local domains as much as it handles
non-authoritative lookups on remote domains.

I have somewhat of a fear that you are, indeed, in over your head. In
a spam-ridden world, it is much more complex than in "the old days" to set
up even an _outbound-only_ SMTP server configuration that can
guarantee successful delivery to the overwhelming majority of remote
domains. You need to know DNS (literally!) backward and forward as
well as speaking some SMTP. Why don't you contact me off-list and we
can talk over the best way to get you there?

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Bill Fuller

2007-12-04, 7:24 pm

> Why don't you contact me off-list and we
> can talk over the best way to get you there?


Do you mean call?


Sanford Whiteman

2007-12-05, 1:40 am

> Do you mean call?

Write first.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Bill Fuller

2007-12-05, 1:40 am

> Write first.

Where? "Reply" in the Microsoft News Group didn't turn up anything.


Sanford Whiteman

2007-12-05, 1:40 am

> Where? "Reply" in the Microsoft News Group didn't turn up anything.

My real, reachable address is shown in the archives of the newsgroup....

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
Copyright 2003 - 2008 webservertalk.com