Properly configuring SMTP Service
06-04-07 06:18 AM
Hello,
I am a newbie with respect to how mail servers work, so go easy on me here!
I am using the built-in SMTP Service (in IIS) that comes with Windows Server
2003 on a computer in my home. I do NOT have MS Exchange or any other mail
server software installed. I have been using the SMTP service successfully
in conjunction with the POP3 service for quite some time, but apparently I
have had "Anonymous" authentication enabled, as turning it off seems to
prevent anyone from sending me email. This surprises me, since I thought
authentication was only necessary when connecting to the server to send
outgoing mail.
Since I have my own server, I decided to offer email service to my elderly
grandfather, who is having more and more trouble with his computer,
especially when trying to use MSN mail. It was while attempting to set up
his account that I realized Anonymous access was turned on.
What I would like is to have the ability to send/receive mail not only while
here at home, but also when I am away from home outside of my internal
network (which is the same as what I need to give my grandfather access to
my email server). Obviously, my server must allow other external mail
servers to transmit incoming mail so that I can receive it, yet I do not
want to open up access such that my server could be used as a relay for
spammers, or for any other malicious intent.
Is it possible to do what I want with the built-in SMTP service? If not,
what is the most economical way to get what I want? I surely do not want to
use MS Exchange for what I perceive to be a small, and fairly simple
configuration.
If it makes any difference at all, every mail client that will be connecting
to my server will either be Outlook Express (version 5 or 6), or MS Outlook.
Thanks,
- Dennis
Re: Properly configuring SMTP Service
06-07-07 12:20 AM
"Dennis Jones" <nospam@nospam.com> wrote in message
news:uOH$5KlpHHA.5092@TK2MSFTNGP04.phx.gbl...
> Hello,
>
> I am a newbie with respect to how mail servers work, so go easy on me
> here!
>
> I am using the built-in SMTP Service (in IIS) that comes with Windows
> Server 2003 on a computer in my home. I do NOT have MS Exchange or any
> other mail server software installed. I have been using the SMTP service
> successfully in conjunction with the POP3 service for quite some time, but
> apparently I have had "Anonymous" authentication enabled, as turning it
> off seems to prevent anyone from sending me email. This surprises me,
> since I thought authentication was only necessary when connecting to the
> server to send outgoing mail.
>
> Since I have my own server, I decided to offer email service to my elderly
> grandfather, who is having more and more trouble with his computer,
> especially when trying to use MSN mail. It was while attempting to set up
> his account that I realized Anonymous access was turned on.
>
> What I would like is to have the ability to send/receive mail not only
> while here at home, but also when I am away from home outside of my
> internal network (which is the same as what I need to give my grandfather
> access to my email server). Obviously, my server must allow other
> external mail servers to transmit incoming mail so that I can receive it,
> yet I do not want to open up access such that my server could be used as a
> relay for spammers, or for any other malicious intent.
>
> Is it possible to do what I want with the built-in SMTP service? If not,
> what is the most economical way to get what I want? I surely do not want
> to use MS Exchange for what I perceive to be a small, and fairly simple
> configuration.
A little help?
- Dennis
Re: Properly configuring SMTP Service
06-07-07 12:17 PM
> This surprises me, since I thought authentication was only necessary
> when connecting to the server to send outgoing mail.
In standard public setups, it is true that mail submission to local
addresses does not require login credentials. Submission to remote
addresses typically requires either credentials or an IP in a specific
range(s). There are exceptions to both rules, but you are generally
right.
Anonymous access allowed = authenticated logins are not required to
submit _all_ mail. That doesn't mean that you can send to any address
you want with an unauthenticated session, it just means that _some_
mail can be submitted that way.
> Obviously, my server must allow other external mail servers to
> transmit incoming mail so that I can receive it, yet I do not want
> to open up access such that my server could be used as a relay for
> spammers, or for any other malicious intent. Is it possible to do
> what I want with the built-in SMTP service?
Of course.
Unless you allow *relaying* in all sessions, both authenticated and
unauthenticated (`Access` tab - `Relay`), you are not an open relay.
Set up your server to allow both anonymous and authenticated sessions
(`Access` tab - `Auth`) and use your relay permissions to determine
what people can do in each type of session.
--Sandy
Re: Properly configuring SMTP Service
06-07-07 06:20 PM
"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.ttjgtvbp6c17zw@gw02.broadleaf.local...
Sandy,
Thank you so very much for your reply. Maybe I will finally get the help I
need to get this server configured correctly!
>Anonymous access allowed = authenticated logins are not required to
>submit _all_ mail. That doesn't mean that you can send to any address
>you want with an unauthenticated session, it just means that _some_
>mail can be submitted that way.
Okay, that is kind of what I thought. So what are the rules for which
destination addresses are allowed and which are not? It seems (through
my limited experimentation) that the only allowed destinations are those
that happen to be being hosted by my local server. That is, I can only send
to someone who has an account on my server (family members), but no one
else. Is that right?
>Unless you allow *relaying* in all sessions, both authenticated and
>unauthenticated (`Access` tab - `Relay`), you are not an open relay.
I do not allow (wide open) relaying. I only allow relaying for one (local)
computer which sends mail nightly using a command line email program
(blat.exe). I have enabled the option, "Allow all computers which
successfully authenticate to relay, regardless of the list above". I
believe this is the correct configuration for safety's sake (to prevent
spammers from using my server).
>Set up your server to allow both anonymous and authenticated sessions
>(`Access` tab - `Auth`) and use your relay permissions to determine
>what people can do in each type of session.
Okay, on the 'Authentication' page, I have checked "Anonymous" and
"Integrated Windows Authentication." My understanding is weak, at best,
regarding the 'Anonymous' authentication, so please correct me if I am
wrong. It seems that 'Anonymous' authentication is *required* in order to
allow other mail servers to deliver mail to accounts that exist on my
server. My concern was that 'Anonymous' authentication would allow spammers
to use my server. Apparently, the 'relay' settings prevent that, even if
they can authenticate. So they can spam me (and anyone with an account on
my server), but cannot use my server to do mass mailing (via relay). Is
that correct?
So it would seem that I already have my server (mostly) configured
correctly. The only remaining problem is allowing me to send mail through
my server when I am away from home (when I have Internet access from a
hotel, for instance), or to allow my grandfather to send mail, both of which
presumably require relaying. I *thought* that using "Integrated Windows
Authentication" and creating a user account on the server (which is then
specified somewhere in the mail client) would give me that ability, but that
does not appear to be the case, or else I am missing some other crucial
piece of information.
In my grandfather's case, I cannot simply add his IP address to the list of
computers allowed to relay, because he is on Comcast cable internet, which
forces him to use DHCP. Therefore, even if I add his address to the list,
he will be calling me the next time his DHCP lease causes his address to
change. The same is true for when I am away from home -- I have *no idea*
what address I will be connecting from. Assuming there is a solution to
this problem, what is it?
Thanks again for your help. I am excited at the prospect of getting this
working!
- Dennis
Re: Properly configuring SMTP Service
06-07-07 06:20 PM
"Dennis Jones" <nospam@nospam.com> wrote in message
news:ujqMxlSqHHA.4716@TK2MSFTNGP04.phx.gbl...
> I do not allow (wide open) relaying. I only allow relaying for one
> (local) computer which sends mail nightly using a command line email
> program (blat.exe). I have enabled the option, "Allow all computers which
> successfully authenticate to relay, regardless of the list above". I
> believe this is the correct configuration for safety's sake (to prevent
> spammers from using my server).
Now that I think about it, why isn't "Anonymous" authentication considered
authentication for the purposes of relaying? If a spammer authenticates via
"Anonymous", doesn't that also give them the ability to relay (via the
"allow all computers which authenticate..." option)?
- Dennis
Re: Properly configuring SMTP Service
06-08-07 12:23 AM
> Now that I think about it, why isn't "Anonymous" authentication considered
> authentication for the purposes of relaying? If a spammer authenticates via
> "Anonymous", doesn't that also give them the ability to relay (via the
> "allow all computers which authenticate..." option)?
An anonymous session is not considered an authenticated session.
In some non-SMTP security contexts, any allowed connection can be
considered to be authenticated, even those with no username and password
provided -- from whence one gets the name "anonymous authentication" --
with authorization the next level of security. Where (E)SMTP AUTH is
under discussion, anonymous != authenticated.
--Sandy
Re: Properly configuring SMTP Service
06-08-07 12:23 AM
> Okay, that is kind of what I thought. So what are the rules for
> which destination addresses that are allowed and which are not? It
> seems (through my limited experimentation) that the only allowed
> destinations are those that happen to be being hosted by my local
> server. That is, I can only send to someone who has an account on my
> server (family members), but no one else. Is that right?
Yes, your POP3 domains are hooked as local domains by the SMTP
service, and as long as a given session does not have any elevated
authorization (through SMTP AUTH credentials or being on a list of
source IP addresses), it can only send mail to those local domains.
> I do not allow (wide open) relaying. I only allow relaying for one
> (local) computer which sends mail nightly using a command line email
> program (blat.exe). I have enabled the option, "Allow all computers
> which successfully authenticate to relay, regardless of the list
> above". I believe this is the correct configuration for safety's
> sake (to prevent spammers from using my server).
Yes, that is correct.
> Apparently, the 'relay' settings prevent that, even if they can
> authenticate. So they can spam me (and anyone with an account on my
> server), but cannot use my server to do mass mailing (via relay). Is
> that correct?
Yes; see my earlier message. It's a misnomer to refer (not blaming
you) to "anonymous" as an SMTP authentication method, since the
(E)SMTP protocol is very specific about where and what authentication
methods may be used, and "no authentication" is not an authentication
method!
> So it would seem that I already have my server (mostly) configured
> correctly.
Yes.
> The only remaining problem is allowing me to send mail through my
> server when I am away from home (when I have Internet access from a
> hotel, for instance), or to allow my grandfather to send mail, both
> of which presumably require relaying. I *thought* that using
> "Integrated Windows Authentication" and creating a user account on
> the server (which is then specified somewhere in the mail client)
> would give me that ability, but that does not appear to be the case,
> or else I am missing some other crucial piece of information.
No, you are on the right trail. That's SMTP AUTH. The settings *other
than* 'Anonymous Access' under `Access Control - Authentication` are
the SMTP AUTH mechanisms that your server will support.
'Basic Auth' is the AUTH LOGIN mechanism, which should be supported by
all mail clients; it's not encrypted, which means your credentials can
be sniffed, but it is by far the more portable of the auth mechanisms
supported by IIS SMTP. Set the mail client to use your Windows
username + password to log in to the SMTP server, and make sure that
you *are* logging in -- some mail clients assume you don't need to log
in to send mail.
'Integrated Windows Auth' is the secure auth mechanism AUTH GSSAPI
NTLM, but it isn't even supported by all *Microsoft*-brand mail
clients, so I'd leave it alone for your purposes.
--Sandy
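An added example, not code from the thread or from Microsoft: a small Python model of the RCPT TO decision Sandy lays out above (mail to a local domain is accepted from anyone; anything else is relayed only with SMTP AUTH credentials or a listed source IP), which also makes concrete the point from the previous reply that an anonymous session is not an authenticated one. The domain family.example, the IP addresses and the user names are assumptions invented for the illustration; the 550 5.7.1 "Unable to relay" reply is the wording the IIS SMTP service itself uses.

```python
"""Model of the IIS SMTP relay decision described in the thread.

Added example, not code from the thread.  Mail to a local (POP3-hosted)
domain is accepted in any session; mail to any other domain is relayed
only if the session completed SMTP AUTH or the client IP is on the Relay
list.  An anonymous session is *not* an authenticated one.  Domains,
addresses and users below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: FrozenSet[str]        # domains hooked in from the POP3 service
    relay_from: Tuple[str, ...]          # 'Access' tab -> 'Relay' list, as CIDR strings
    relay_if_authenticated: bool = True  # "Allow all computers which successfully
                                         #  authenticate to relay, regardless of the list above"


@dataclass(frozen=True)
class Session:
    client_ip: str
    auth_user: Optional[str] = None      # None == anonymous: no AUTH exchange succeeded


def rcpt_to(policy: RelayPolicy, session: Session, rcpt: str) -> str:
    """Return the SMTP reply the server would give to RCPT TO:<rcpt>."""
    if "@" not in rcpt:
        return "501 5.1.3 Invalid address"
    domain = rcpt.rsplit("@", 1)[1].lower()

    if domain in policy.local_domains:
        return "250 2.1.5 " + rcpt       # local delivery needs no elevated authorization

    ip = ip_address(session.client_ip)
    if any(ip in ip_network(net) for net in policy.relay_from):
        return "250 2.1.5 " + rcpt       # listed source, e.g. the LAN box running blat.exe

    if policy.relay_if_authenticated and session.auth_user is not None:
        return "250 2.1.5 " + rcpt       # SMTP AUTH (LOGIN / NTLM) succeeded

    return "550 5.7.1 Unable to relay for " + rcpt


def is_open_relay(policy: RelayPolicy,
                  probe_ip: str = "198.51.100.23",
                  rcpt: str = "victim@elsewhere.example") -> bool:
    """The classic open-relay probe: an anonymous session from an unlisted
    address asks to deliver to a domain the server does not host."""
    return rcpt_to(policy, Session(probe_ip), rcpt).startswith("250")


# Dennis's configuration as he describes it: one LAN host on the Relay list,
# authenticated sessions may relay, everything else is local-only.
DENNIS_POLICY = RelayPolicy(
    local_domains=frozenset({"family.example"}),
    relay_from=("192.168.1.50/32",),
)

# The misconfiguration Sandy warns about: relaying allowed for every source.
OPEN_POLICY = RelayPolicy(
    local_domains=frozenset({"family.example"}),
    relay_from=("0.0.0.0/0",),
)

if __name__ == "__main__":
    hotel = Session("203.0.113.9")                       # Dennis from a hotel, anonymous
    print(rcpt_to(DENNIS_POLICY, hotel, "grandpa@family.example"))
    print(rcpt_to(DENNIS_POLICY, hotel, "friend@elsewhere.example"))
    print(rcpt_to(DENNIS_POLICY, Session("203.0.113.9", "dennis"), "friend@elsewhere.example"))
    print("open relay:", is_open_relay(DENNIS_POLICY), is_open_relay(OPEN_POLICY))
```

Note that `auth_user` is `None` for an anonymous session and only a string after a successful AUTH; the "relay if authenticated" branch therefore never fires for the spammer case Dennis asks about, whatever the 'Anonymous access' checkbox says.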
Re: Properly configuring SMTP Service
06-12-07 12:19 AM
"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.ttkihtoq6c17zw@gw02.broadleaf.local...
Sandy,
Thank you very much for all of your answers.
>
> No, you are on the right trail. That's SMTP AUTH. The settings *other
> than* 'Anonymous Access' under `Access Control - Authentication` are
> the SMTP AUTH mechanisms that your server will support.
>
> 'Basic Auth' is the AUTH LOGIN mechanism, which should be supported by
> all mail clients; it's not encrypted, which means your credentials can
> be sniffed, but it is by far the more portable of the auth mechanisms
> supported by IIS SMTP. Set the mail client to use your Windows
> username + password to log in to the SMTP server, and make sure that
> you *are* logging in -- some mail clients assume you don't need to log
> in to send mail.
In Outlook Express, on the 'Server' tab of Account Properties, there is a
checkbox item, "My server requires authentication" with a 'Settings' dialog
that lets you specify the username and password information (labeled, 'Logon
Information'). Is this where one specifies the AUTH LOGIN details in
Outlook Express? It seems to me the last time I tried this for my
Grandfather's email, it either caused problems for local accounts, or didn't
allow him to relay, or something (I've tried so many different
configurations now, I don't remember which problems were associated with
which configuration!).
However, using this method concerns me because everything I've read says
*not* to use it due to the fact that usernames and passwords are transmitted
in clear text, so I am not sure this is the way I want to go.
> 'Integrated Windows Auth' is the secure auth mechanism AUTH GSSAPI
> NTLM, but it isn't even supported by all *Microsoft*-brand mail
> clients, so I'd leave it alone for your purposes.
Is it your recommendation then to *disable* 'Integrated Windows Auth' and
*enable* only 'Basic Auth'? Is this the way most ISP's provide email to
their customers? If so, how do they deal with concerns of security
(sniffing clear text passwords, etc.)?
Thanks,
- Dennis
Re: Properly configuring SMTP Service
06-12-07 06:24 AM
> In Outlook Express, on the 'Server' tab of Account Properties, there
> is a checkbox item, "My server requires authentication" with a
> 'Settings' dialog that lets you specify the username and password
> information (labeled, 'Logon Information'). Is this where one
> specifies the AUTH LOGIN details in Outlook Express?
If 'Use SPA' is unchecked, you'll use AUTH LOGIN. If it's checked,
you'll use AUTH GSSAPI NTLM.
> It seems to me the last time I tried this for my Grandfather's
> email, it either caused problems for local accounts, or didn't allow
> him to relay, or something (I've tried so many different
> configurations now, I don't remember which problems were associated
> with which configuration!). However, using this method concerns me
> because everything I've read says *not* to use it due to the fact
> that usernames and passwords are transmitted in clear text, so I am
> not sure this is the way I want to go.
AUTH LOGIN does not encrypt credentials and passes message data in
plain text.
AUTH GSSAPI NTLM encrypts credentials and passes message data in plain
text.
Obviously, preventing the compromise of usernames + passwords is very
important. But remember that message data can be just as vital
(especially when that data _contains_ usernames and passwords) and the
only way to avoid that exposure is to use SMTP + STARTTLS, SMTPS, or
client PKI certificates. When you use one of the full-session
encryption methods, this can cover authentication as well (even if the
auth exchange is LOGIN or PLAIN, there's a protective SSL session
around it).
If SPA is working for you, keep it working! But in most ad hoc
scenarios it will not function, because it is designed for MS mail
clients with machines + users in the same domain as the mailserver.
> Is it your recommendation then to *disable* 'Integrated Windows
> Auth' and *enable* only 'Basic Auth'? Is this the way most ISP's
> provide email to their customers? If so, how do they deal with
> concerns of security (sniffing clear text passwords, etc.)?
Most ISPs don't use vanilla IIS SMTP on their mail submission boxes.
And other SMTP servers support non-proprietary SMTP authentication
mechanisms such as AUTH CRAM-MD5, so ISPs don't have to choose between
supporting plain-text or supporting only Microsoft clients.
--Sandy
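An added example, not code from the thread: a Python script that recovers credentials from a captured plaintext SMTP session, which is exactly the exposure Sandy describes for AUTH LOGIN (and AUTH PLAIN) without TLS. The transcripts are constructed for the illustration; the host name mail.example.test, the user "dennis" and the password are invented. The third transcript shows why a session that negotiates STARTTLS gives a passive observer nothing after the server's 220 reply: the AUTH exchange happens inside the TLS session.

```python
"""Recover SMTP AUTH LOGIN / AUTH PLAIN credentials from a plaintext capture.

Added example, not code from the thread.  Input is the session as an observer
on the wire would see it: a list of (direction, line) pairs, "C" for client
and "S" for server.  All transcripts below are constructed; names and the
password are invented.
"""
import base64
from typing import Dict, List, Optional, Tuple

Line = Tuple[str, str]

# Basic Authentication on IIS SMTP == AUTH LOGIN: two base64 round trips.
CAPTURED_LOGIN_SESSION: List[Line] = [
    ("S", "220 mail.example.test Microsoft ESMTP MAIL Service ready"),
    ("C", "EHLO laptop"),
    ("S", "250-mail.example.test Hello [203.0.113.7]"),
    ("S", "250-AUTH GSSAPI NTLM LOGIN"),
    ("S", "250 OK"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),      # base64("Username:")
    ("C", "ZGVubmlz"),              # base64("dennis")
    ("S", "334 UGFzc3dvcmQ6"),      # base64("Password:")
    ("C", "czNjcmV0"),              # base64("s3cret")
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<dennis@family.example>"),
]

# AUTH PLAIN sends authzid, authcid and password in one base64 blob.
CAPTURED_PLAIN_SESSION: List[Line] = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO laptop"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN AGRlbm5pcwBzM2NyZXQ="),   # base64("\0dennis\0s3cret")
    ("S", "235 2.7.0 Authentication successful"),
]

# With STARTTLS the observer sees only TLS records after the 220 reply.
CAPTURED_TLS_SESSION: List[Line] = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO laptop"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH LOGIN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    # AUTH LOGIN now happens inside the encrypted channel; nothing more to read.
]


def _b64(token: str) -> str:
    return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")


def _next_client_line(lines: List[Line], start: int) -> Optional[int]:
    for j in range(start, len(lines)):
        if lines[j][0] == "C":
            return j
    return None


def recover_credentials(session: List[Line]) -> List[Dict[str, Optional[str]]]:
    """Return every credential pair that was sent in the clear."""
    lines = list(session)
    found: List[Dict[str, Optional[str]]] = []
    i = 0
    while i < len(lines):
        who, line = lines[i]
        words = line.split(None, 2)
        if who == "C" and words and words[0].upper() == "STARTTLS":
            break                                  # everything after this is ciphertext
        if who == "C" and len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            if mech == "PLAIN":
                if len(words) == 3:                # initial response on the AUTH line
                    blob = words[2]
                else:                              # server sends "334 ", client sends blob
                    nxt = _next_client_line(lines, i + 1)
                    if nxt is None:
                        break
                    i, blob = nxt, lines[nxt][1]
                fields = _b64(blob).split("\0")
                if len(fields) == 3:
                    found.append({"mechanism": "PLAIN", "username": fields[1], "password": fields[2]})
            elif mech == "LOGIN":
                if len(words) == 3:
                    user = _b64(words[2])
                else:
                    nxt = _next_client_line(lines, i + 1)
                    if nxt is None:
                        break
                    i, user = nxt, _b64(lines[nxt][1])
                nxt = _next_client_line(lines, i + 1)
                if nxt is None:
                    break
                i = nxt
                found.append({"mechanism": "LOGIN", "username": user, "password": _b64(lines[nxt][1])})
            else:                                  # NTLM/GSSAPI: challenge-response, not directly readable
                found.append({"mechanism": mech, "username": None, "password": None})
        i += 1
    return found


if __name__ == "__main__":
    for name, capture in [("LOGIN", CAPTURED_LOGIN_SESSION), ("PLAIN", CAPTURED_PLAIN_SESSION),
                          ("STARTTLS", CAPTURED_TLS_SESSION)]:
        print(name, recover_credentials(capture))
```

Base64 is an encoding, not encryption, so "encoded" credentials are plaintext to anyone on the path, which is the reason to put the AUTH exchange behind STARTTLS or SMTPS even when the mechanism stays LOGIN.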