How to configure and secure SMTP Server under Win2k3 |
05-06-07 06:15 PM
Hi.
I've been fighting with this problem for quite a while. It is about proper settings for MS SMTP Virtual Server in IIS 6.0 - Windows 2003 Server. My goal is to set it up the way that only authenticated users from outside can use my outgoing mail server while the server can accept unlimited incoming mail.
I tried to set Outbound Security to Basic Authentication and turned Relay on for all computers BUT no matter if there's authentication set or not, the users still can use the outgoing server (mydomain.com) to send mail without authenticating. If I set Access to Basic Authentication it rejects all incoming emails.
So the question is - How do I make my SMTP server accept anonymous mail and allow sending mail only from users that either have mail accounts or supply a name/password?
My MX records are mydomain.com and mail.mydomain.com.
Thank you for help.
Eric
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 12:16 AM
> I've been fighting with this problem for quite a while. It is about
> proper settings for MS SMTP Virtual Server in IIS6.0 - Windows 2003
> Server. My goal is to set it up the way that only authenticated users
> from outside can use my outgoing mail server while server can accept
> unlimited incoming mail.
A very typical setup, and supported out-of-the-box with minimal
config. You're somehow making this harder on yourself.
> I tried to set Outbound Security to Basic Authentication and turned
> Relay on for all computers BUT no matter if there's authentication
> set or not, the users still can use outgoing server (mydomain.com)
> to send mail without authenticating.
If you set `Relay for all`, you are an open relay by definition.
If you are acting as the MX for internal domains, define a *Remote*
domain for each of these that allows relaying.
Do not open your relaying options at the uppermost (virtual server)
level. Leave that to `Only the list below`, while leaving `Allow all
computers which successfully authenticate to relay` checked.
Leave `Access Control`-`Authentication` at 'Anonymous'.
> My MX records are mydomain.com and mail.mydomain.com.
No offense, but that's pretty useless information, considering that
you obfuscated your real domain. Such a setup does indicate that you
have two different MXs -- which one are we talking about here?
--Sandy
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 12:16 AM
Thanks. I'm still confused. My MX record set up on the domain is mail.mydomain.com.
But I don't know if there should be a subdomain with the same name defined and pointing to my mail server. And if 'mail' should maybe be substituted with my server host name, e.g. myserver.mydomain.com. Also, what should be entered in the Advanced Delivery "Fully qualified domain name" field? I guess mail.mydomain.com.
This seems simple but it is very hard to configure.
What exactly should the MX record be then?
Thank you.
Eric
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 12:16 AM
> Thanks. I'm still confused. My MX record set up on domain is
> mail.mydomain.com. But I dont know if there should be a subdomain
> with the same name defined and pointing to my mail server.
MX records relate domains -- a.k.a. right-hand-side (RHS) data, a.k.a.
data after the '@' symbol in e-mail addresses -- to the servers that
are responsible for initial receipt of messages sent to those domains
from the public Internet.
DNS MX records point to hostnames that must themselves have
corresponding DNS A records. The hostname(s) in the MX record for a
domain need not have any textual relationship to the domain
(otherwise, everyone would need to host their own mail); regardless of
the hostname(s) published, the physical box(es), by definition of an
MX, needs to have an underlying awareness of all serviced domains so
that it can accept and deliver mail to end users.
While not mandatory in all cases, it is best practice to use the
canonical (primary) FQHN of any server in published MX records, rather
than any alternate names.
For example, say mailserver 10.10.10.1 processes mail for @example.com
and "knows itself" by the FQHN mailserver.example.com... the SMTP VS
on that IP answers incoming connections as mailserver.example.com and
announces itself as mailserver.example.com when making outbound
connections... then mailserver.example.com should be the hostname that
appears in MX records.
Even if the server doubles as a web server that also sorts HTTP
connections by host header, and therefore has a number of other A and
CNAME records published that point to it as well, you *still* use the
most specific, most one-to-one hostname for the SMTP service listening
on 10.10.10.1.
Even if you start accepting mail for otherexample.com as well, *even
though* you could create A record 'mymailserver.otherexample.com IN A
10.10.10.1' and corresponding MX record 'otherexample.com IN MX 10
mymailserver.otherexample.com' -- you should not. You *still* publish
the MX with the most proper name, 'otherexample.com IN MX 10
mailserver.example.com', as long as the listening SMTP service knows
itself best by that FQHN.
--Sandy
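The MX rules in Sandy's reply above (an MX target needs its own A record, should be the canonical name the SMTP service announces, and the box must actually be configured for every domain whose MX points at it) as a small zone lint. This is an added example and not code from the thread; `ZONE`, `CANONICAL` and `SERVED` are constructed data: `CANONICAL` stands in for asking each mail IP which name its SMTP service announces in its banner/HELO, and `SERVED` for the local and remote domain list of the SMTP VS on that IP.

```python
"""MX/A sanity check for the advice above (added example, not from the thread).

ZONE, CANONICAL and SERVED are constructed. CANONICAL stands in for asking
each mail IP what name its SMTP service announces (the banner/HELO name);
SERVED is the set of domains the SMTP VS on that IP is configured to accept.
"""

ZONE = [  # (owner, type, rdata); MX rdata is (preference, target)
    ("example.com.", "MX", (10, "mailserver.example.com.")),
    ("mailserver.example.com.", "A", "10.10.10.1"),
    ("www.example.com.", "CNAME", "mailserver.example.com."),      # web alias: harmless
    ("otherexample.com.", "MX", (10, "mymailserver.otherexample.com.")),
    ("mymailserver.otherexample.com.", "A", "10.10.10.1"),         # alternate name, same box
    ("third.example.", "MX", (10, "mail.third.example.")),
    ("mail.third.example.", "CNAME", "mailserver.example.com."),   # MX target is an alias
    ("fourth.example.", "MX", (10, "ghost.fourth.example.")),      # MX target has no address
]
CANONICAL = {"10.10.10.1": "mailserver.example.com."}
SERVED = {"10.10.10.1": {"example.com.", "otherexample.com."}}


def check_mx(zone, canonical, served):
    """Return (domain, problem) pairs; an empty list means the MX data is sound."""
    a = {o: r for o, t, r in zone if t == "A"}
    cname = {o: r for o, t, r in zone if t == "CNAME"}
    findings = []
    for owner, typ, rdata in zone:
        if typ != "MX":
            continue
        _pref, target = rdata
        if target in cname:
            # RFC 2181 s.10.3: an MX target must be a host name with address
            # records, not an alias; MTAs may reject or misroute on this.
            findings.append((owner, "MX target %s is a CNAME" % target))
            continue
        if target not in a:
            findings.append((owner, "MX target %s has no A record" % target))
            continue
        ip = a[target]
        canon = canonical.get(ip)
        if canon is not None and canon != target:
            findings.append((owner, "MX target %s is an alternate name; the SMTP service on %s "
                                    "announces itself as %s" % (target, ip, canon)))
        if ip in served and owner not in served[ip]:
            # The classic 'Unable to relay' bounce: the MX points at the box, but
            # the VS has no local or remote domain entry for the owner domain.
            findings.append((owner, "SMTP service on %s is not configured to accept %s" % (ip, owner)))
    return findings


def mx_hosts(zone, domain):
    """MX targets for a domain in preference order, as a remote MTA would try them."""
    return [t for _p, t in sorted(r for o, ty, r in zone if ty == "MX" and o == domain)]


if __name__ == "__main__":
    for domain, problem in check_mx(ZONE, CANONICAL, SERVED):
        print("%-22s %s" % (domain, problem))
```

Run against real data, `ZONE` would come from a zone transfer or a resolver, `CANONICAL` from the 220 banner of each MX host, and `SERVED` from the virtual server's domain list; the three checks are exactly the ones that produce "mail works for example.com but not for the new domain" tickets.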
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 12:16 AM
So how do the settings for outbound mail look? Is it the connection from the client that tries to send mail using the server, or is it the incoming mail connection as well? It still doesn't work. Clients can send mail without any password unless I set the Access Control to Basic Auth... - and that blocks all incoming mail.
FQDN is set to mail.mydomain.com, MX record - same, Outbound - Basic....
Relay as you mentioned: Only below (empty), Allow....box checked.
I renamed the local domain to mydomain.com. Also another problem - installing the POP3 service and adding mydomain.com to it creates an ugly looking duplicate domain with description (Custom). What is that?
Answering these questions would help me a lot - what settings, and where, are responsible for blocking anonymous users from sending mail through my server without authentication? Does relay pertain to incoming mail or outgoing or both? And how to secure the outgoing mail process?
Appreciate your help.
Eric
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 06:18 AM
Wow, you're really starting from scratch... you can't expect someone
to transmit years of experience in a few pithy ng posts. I hope you
realize that and will do a lot of your own research from here (combing
the tons of published materials for your answers instead of asking
questions right off the bat).
> So ho wthe settings for outbound mail look like? Is it the
> connection from client that tries to send mail using the server or
> is it incoming mail connection as well?
Your Q doesn't really make sense: "Are the settings for outbound mail
the connections for outbound mail or inbound mail?" Um, outbound mail?
I'm assuming from the context that you're wondering what the `Outbound
Security` tab is. It's for password-protected connections to wildcard
domains. You don't want that. Leave at 'Anonymous'.
But don't get distracted by that factoid. Something extremely
important for new mail admins: stop thinking in simplistic terms of
"outbound" and "inbound" and be more flexible.
Think about :
[1a] local domains, whose mailboxes are on the MX server itself (served
up by a POP3 or webmail service right on the box, and for which the
SMTP service performs local delivery right into the mail store instead
of to another SMTP server)
vs.
[1b] gatewayed remote domains, whose mailboxes are accessed via a
separate SMTP server, but for which you have agreed to provide MX
services for mail from the public Internet (note said separate mailbox
server could be behind your firewall or at a client site many miles
away)
vs.
[1c] custom remote domains, for whom you don't provide MX turnaround,
but which have some special delivery requirements; for example, you
may have agreed to encrypt and/or authenticate outbound mail with
certain business partners, so those connections will need a special
definition in your SMTP VS -- but you do *not* offer access to those
domains to unauthenticated senders on the public Internet
vs.
[1d] wildcard domains -- all domains not fitting into the above
categories -- which you know nothing else about except for their
public MX record
And think about :
[2a] mail that is _submitted_ to your server directly from users' mail
clients (which may be destined for one of your local domains, a
gatewayed domain, a custom remote domain, or an unknown wildcard domain)
vs.
[2b] mail that is _delivered_ to your server from remote servers
(which may only be destined for local or gatewayed domains)
Key to understanding mail flow is that mail submission ([2a]) must
require some kind of authentication -- which should be ESMTP AUTH but
may in certain cases have to be done by IP address -- while mail
delivery ([2b]) typically is authorized from anyone who connects to
your MX (barring additional anti-abuse/anti-spam measures, of course).
> Clients can send mail without any password unless I set the Access
> Control to Basic Auth... - and that blocks all incoming mail.
Of course it does: that's requiring basic auth *to use the mailserver
on any level*, regardless of the destination of mail messages. You are
no longer running a valid MX, because mail delivery ([2b]) is not
authorized to the general public.
Be SURE that `Access`-`Relay` is set to 'Only the list below' and that
there are no entries in the list, as I said before. Stop thinking
about `Access`-`Access Control`, which should be left at Anonymous.
> FQDN is set to mail.mydomain.com MX record - same,
OK.
> Outbound - Basic....
Huh? Outbound Security should be set to Anonymous in your config.
> Allow....box checked. I renamed local domain to mydomain.com.
You should stop renaming stuff unless you know what you're doing.
That's not going to make it easier for people to know what you're
looking at.
> Also another problem - installing POP3 service and adding
> mydomain.com to it creates ugly looking duplicate domain with
> description (Custom). What is that?
See [1a] above.
--Sandy
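The relay logic Sandy lays out in the first reply (relay 'Only the list below', authenticated clients may relay, Access Control left at Anonymous) and in the reply just above (delivery [2b] open to anyone, submission [2a] gated by AUTH), as an added example in Python. It is not code from the thread or from Microsoft's SMTP service: it is a model of the virtual server's RCPT TO decision with the weak settings Eric tried next to the recommended ones, plus the open-relay check a practitioner runs against any MX. Setting names are shorthand for the GUI options named in the thread; the credential store, client addresses and reply texts are constructed.

```python
"""Model of the IIS 6 SMTP VS relay decision described above (added example).

Setting names are shorthand for the GUI options in the thread; the
credential store, addresses and reply texts are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset        # [1a] local domains: mailboxes on this box
    gatewayed_domains: frozenset    # [1b] remote domains with 'allow incoming mail to be relayed'
    users: dict                     # hypothetical credential store for ESMTP AUTH
    relay_ip_list: frozenset = frozenset()  # Access -> Relay -> 'Only the list below'
    relay_for_auth: bool = True     # 'Allow all computers which successfully authenticate to relay'
    relay_all: bool = False         # relay granted to everyone: an open relay by definition
    auth_required: bool = False     # Access Control -> Authentication = Basic only, no Anonymous


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False


def smtp_auth(policy, session, user, password):
    """Outcome of AUTH LOGIN/PLAIN (only ever offer these over TLS)."""
    if policy.users.get(user) == password:
        session.authenticated = True
        return "235 2.7.0 Authentication successful"
    return "535 5.7.3 Authentication unsuccessful"


def mail_from_reply(policy, session):
    # Requiring Basic auth at the Access Control level gates the whole
    # session, so every remote MX is refused: the box is no longer a valid MX.
    if policy.auth_required and not session.authenticated:
        return "530 5.7.3 Client was not authenticated"
    return "250 2.1.0 Sender OK"


def rcpt_to_reply(policy, session, rcpt):
    domain = rcpt.rpartition("@")[2].lower()
    if policy.auth_required and not session.authenticated:
        return "530 5.7.3 Client was not authenticated"
    # [2b] delivery: mail for local or gatewayed domains is accepted from anyone.
    if domain in policy.local_domains or domain in policy.gatewayed_domains:
        return "250 2.1.5 Recipient OK"
    # [2a] submission to a wildcard domain: only for authorised clients.
    may_relay = (policy.relay_all
                 or session.client_ip in policy.relay_ip_list
                 or (policy.relay_for_auth and session.authenticated))
    if may_relay:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Unable to relay for " + rcpt


def transcript(policy, client_ip, sender, rcpts, creds=None):
    """Both sides of one session: 'C:' client lines, 'S:' server replies."""
    s = Session(client_ip)
    lines = ["S: 220 mailserver.example.com ESMTP", "C: EHLO client", "S: 250 AUTH LOGIN PLAIN"]
    if creds:
        lines += ["C: AUTH PLAIN <base64 of %s>" % creds[0], "S: " + smtp_auth(policy, s, *creds)]
    reply = mail_from_reply(policy, s)
    lines += ["C: MAIL FROM:<%s>" % sender, "S: " + reply]
    if reply.startswith("250"):
        for r in rcpts:
            lines += ["C: RCPT TO:<%s>" % r, "S: " + rcpt_to_reply(policy, s, r)]
    return lines


def is_open_relay(policy):
    """The check to run against any MX: can a stranger relay to a wildcard domain?"""
    stranger = Session("198.51.100.7")
    return rcpt_to_reply(policy, stranger, "someone@wildcard.example.net").startswith("250")


LOCAL, GATEWAYED = frozenset({"mydomain.com"}), frozenset({"otherexample.com"})
USERS = {"eric": "correct-horse"}
CORRECT = RelayPolicy(LOCAL, GATEWAYED, USERS)                          # Sandy's settings
OPEN_RELAY = RelayPolicy(LOCAL, GATEWAYED, USERS, relay_all=True)       # 'Relay for all'
LOCKED_OUT = RelayPolicy(LOCAL, GATEWAYED, USERS, auth_required=True)   # Access Control = Basic

if __name__ == "__main__":
    stranger, remote_mx = "198.51.100.7", "203.0.113.25"
    for name, pol in ("correct", CORRECT), ("open relay", OPEN_RELAY), ("locked out", LOCKED_OUT):
        print("--", name, "| open relay:", is_open_relay(pol))
        print("\n".join(transcript(pol, remote_mx, "bob@elsewhere.example", ["eric@mydomain.com"])))
        print("\n".join(transcript(pol, stranger, "eric@mydomain.com",
                                   ["someone@wildcard.example.net"], creds=("eric", "correct-horse"))))
```

The three scenarios reproduce the thread: with `CORRECT`, the remote MX delivers to mydomain.com anonymously and Eric can relay out only after AUTH; with `OPEN_RELAY` the stranger gets 250 on a wildcard domain; with `LOCKED_OUT` the remote MX is turned away at MAIL FROM, which is the "blocks all incoming mail" symptom. Against a real server the same check is a `telnet host 25` (or `openssl s_client -starttls smtp`) session that issues `RCPT TO` for an outside domain without authenticating and expects a 550.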
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 06:18 AM
Well, thanks for so much explanation which actually didn't help me much.
Fortunately I found the solution myself. I needed to assign 2 IPs for the server and run 2 virtual SMTP servers with different FQDNs, not allowing one Anonymous access. That's all. Interesting fact is that servers with the same POP3 and incoming domain names have to be placed on different machines or they use really sophisticated software.
Thanks
Eric
Re: How to configure and secure SMTP Server under Win2k3 |
05-07-07 06:18 AM
> Fortunately I found the solution myself.
Actually, you found a *workaround* because you had hosed your box in
some way!
> I needed to assign 2 IPs for the server and run 2 virtual SMTP
> servers with different FQDNs not allowing one Anonymous access.
Not true. There was no reason for you to have two VSs to accomplish
the incredibly standard setup you originally described. Authenticated
submission and MX service on the same IP and port is a standard setup
for *any* MTA.
If you have changed your requirements from your original post, more
complex setup could be made necessary. Yet a standard Exchange install
requires only one VS, so it is unlikely that you have leapfrogged the
complexity of Exchange with the low-end POP3 service.
> Interesting fact is that servers with same pop3 and incoming domain
> names have to be placed on different machines or they use realy
> sophisticated software.
Not true (though what you've said isn't clear, there's no reasonable
permutation of your phrasing that is correct on its face). An (IIS)
server as a whole doesn't have a "POP3 domain name," nor an "incoming
domain name". It has VSs, each with a set of local and remote domains;
locals may be default, alias, or of numerous custom types. In
addition, Event Sinks/SEO API hooks can further blur the distinction
between MTA + mailbox server and MTA-only server.
If you can rephrase or expand on your claim to some interoperability
problem, I would be happy to clear up your confusion. Bear in mind
that this is the SMTP/NNTP newsgroup and a lengthy discussion of the
vagaries of the POP3 service is unlikely.
--Sandy