Subject: [ActiveDir] Exchange relay(OT)
tkern

Posts:8

09/21/2005 1:03 AM  
He states Exchange servers relay with each other in an Org all the time and unchecking this will break exchange.
Jim McBee has stated this in both Exchange 2k and 2k3 versions of the book.

However in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients.

Tony redmond in "MS Exchange Server 2003 with sp1" seems to agree as well.
who's right?

Also, I know the setting for relaying on an smtp connector overrides the virtual server connection setting, so say i create a connector with "acme.com" address space. If i uncheck the relay button on the connector, will users(mapi or pop3) be able to send mail to acme.com?
or do i have to enable relaying for this to work on that connector?


Finally, how does exchange view mapi users?
are they lumped in with auth users like pop3/imap?

what mechanism allows mapi users to relay? is there a setting that can disallow mapi clients from relaying like for pop3/imap clients?

Thanks.
a lot of questions, i know.
Exchange in some ways confuses the heck outta me.
I find the sendmail.cf file easier than exchange sometimes.


Thanks again!
bdesmond

Posts:996

09/21/2005 1:59 AM  
Let me answer what I can authoritatively.



MAPI clients are totally different than pop3/imap. There is no virtual
server or none of that. They submit their messages to the server over MAPI just
like all their other traffic, and then the server handles the routing
internally. You cannot disable mapi users from sending mail. They're not
relaying anything off an SMTP server. If you create an acme.com connector and
uncheck the relay box, users will continue to be able to email to acme.com

I'm not sure you understand what relaying means in the context of
SMTP. Sending mail to the SMTP server's native domain is not relaying. It's
what the SMTP server is there for. Submitting mail to the SMTP server for
delivery to a remote smtp server is relaying. Usually you don't think of
your internal users sending outbound mail as relaying though I guess
technically it is.

A quick peek at the SMTP settings on a couple of the servers here
indicates that they all have that allow computers which authenticate to relay
box checked. Our outbound SMTP is locked down at the perimeter and inbound
comes through a couple of iplanet boxes.



Thanks,
Brian Desmond

brian@xxxxxxxxxxxxxxxx



c - 312.731.3132





From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Tuesday, September 20, 2005 9:01 PM
To: activedirectory
Subject: [ActiveDir] Exchange relay(OT)



I'm confused about relaying on virtual servers and smtp connectors.

I keep reading conflicting reports-



In "Microsoft Exchange Server 2003 24seven" from Sybex,
JMcBee writes in chapter 14 on page 584 that unchecking "Allow All
Computers Which Successfully Authenticate To Relay..", Exchange servers
will not be able to send mail to one another.

He states Exchange servers relay with each other in an Org all the time
and unchecking this will break exchange.

Jim McBee has stated this in both Exchange 2k and 2k3 versions of the
book.



However in "Exchange Server Cookbook", recipe 7.19, they
state to uncheck this value for security reasons and seem to imply that this is
only for pop3/imap clients.



Tony redmond in "MS Exchange Server 2003 with sp1" seems to
agree as well.

who's right?



Also, I know the setting for relaying on an smtp connector overrides
the virtual server connection setting, so say i create a connector with "acme.com" address space. If i uncheck the relay
button on the connector, will users(mapi or pop3) be able to send mail to acme.com?

or do i have to enable relaying for this to work on that connector?





Finally, how does exchange view mapi users?

are they lumped in with auth users like pop3/imap?



what mechanism allows mapi users to relay? is there a setting that can
disallow mapi clients from relaying like  for pop3/imap clients?



Thanks.

a lot of questions, i know.

Exchange in some ways confuses the heck outta me.

I find the sendmail.cf file easier
than exchange sometimes.





Thanks again!
deji

Posts:262

09/21/2005 3:26 AM  
Tom, a while back, I sent you the link to the Exchange Server Technical
Reference. All this is explained in that document.

Go fish, man.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Tom Kern
Sent: Wed 9/21/2005 4:31 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Exchange relay(OT)
Thanks!
so it doesn't apply to servers relaying internally to each other across an
org?
correct?

also, why does checking off that box on a connector going to *, make you an
open relay? doesn't that take into account authentication or does that really
mean relay to and from any domain(well i assume just "to", because it's only
outbound).

Thanks again


On 9/21/05, Peter Johnson wrote:

Hi Tom



In a MAPI client scenario on Exchange no SMTP relaying occurs at
all. The MAPI client submits the mail to the mailstore using the MAPI
protocol and the exchange server's MTA then processes it and hands it off to
the right connector based on target address space or type eg SMTP, Rightfax
etc. In the case of an SMTP address the SMTP virtual server on Exchange
server then performs a normal SMTP transaction to the destination server.
The checkbox on the Connector refers to clients who are using standard
protocols such as IMAP/POP.



Regards

Peter Johnson




________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: 21 September 2005 12:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Exchange relay(OT)



well, technically, most smtp software like sendmail or postfix,
considers your users(pop3/imap) sending email over their MTA to a remote
domain as relaying and it's usually specified as such in the config files.

I know exchange is groupware, a different beast, but it is an smtp
routing server and a pop3/imap server, so i was wondering if it treated mapi
clients the same.

i know for a fact, the check box on the virtual server to allow
relaying for auth users applies to pop3/imap users, since they are
technically relaying but you are allowing them as they are your users.

I was just wondering if this affected internal Exchange servers
relaying off each other in your ORG or not.



as to the connector, i'm confused as to what the relaying check box
means there-

if your address space is a specific domain, you say checking or
unchecking has no effect on users sending email out through that connector.

yet MS(and everyone else) says if your addy space is * and you allow
relaying, you are an open relay since the connector settings override what's
on the virtual servers on the bridgeheads(assuming your bridgeheads have mx
records and are the ones receiving incoming mail. if not, then i guess they
are just outgoing internal relays which could be bad if you have some smtp
worm or spam bot on your network).



In all, I don't have much experience with Exchange(about 2 years).
I've mostly worked with Postfix and sendmail so i'm using the traditional rfc
defs of smtp and relays.

I know that's a bad idea when talking about a commercial product.



In reality, an internal mapi client in your domain local.com,
sending an email to someone@xxxxxxxxxxxxx, is relaying.
it's just auth'ed or allowed relaying, the way your isp allows you to relay
from outlook express using their smtp server.



just wondering how exchange fit into all this in re: to the
aforementioned settings- the relay check boxes on the virtual server and
connector.



thanks a lot!



List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
deji

Posts:262

09/21/2005 3:53 AM  
Brian,

This is how I explain and OPEN Relay. Although there is a common tendency for
people to assume that they are the same, Relay != Open Relay. Relay is NOT a
bad thing. Your Exchange server is meant to relay, and it does relay, like
all the other servers I'm familiar with.

An Open Relay occurs where neither the sender nor the recipient part belongs
in your org. As long as one part exists within your directory, it is
perfectly legal for the exchange server to relay messages to the other party
(if external) or transfer messages to the other party (if local).

A Relay occurs when a message originating within your org is destined for a
recipient that is external to your org. Your server is expected to relay
that piece of email as long as it's able to verify that the sender is in its
directory. The way your exchange server determines that is primarily by
authentication.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

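Added example, not part of any list member's post: the relay / open relay distinction from the message above, written as a check over SMTP session records. The record layout, the function names and the sample sessions are constructed for illustration; local.com and acme.com are the domains used in the thread. The envelope sender is client-supplied text, so the decision rests on authentication, as the post says, and a claimed sender domain alone does not make a relay legitimate.

```python
from dataclasses import dataclass

# Assumption: the org's own (native) SMTP domain; local.com is the example
# domain used in the thread.
LOCAL_DOMAINS = frozenset({"local.com"})


@dataclass(frozen=True)
class Submission:
    """One RCPT TO decision from an SMTP session (hypothetical record layout)."""
    client_ip: str
    authenticated: bool  # session completed SMTP AUTH
    mail_from: str       # envelope sender: unverified, client-supplied
    rcpt_to: str         # envelope recipient
    accepted: bool       # server answered 250 to this RCPT TO


def domain_of(address):
    """Lower-cased domain of an envelope address; '' for <> or malformed input."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(sub, local_domains=LOCAL_DOMAINS):
    """Classify one recipient decision using the thread's definitions.

    local-delivery       recipient is in a native domain: not relaying at all
    authenticated-relay  external recipient, sender proven by authentication
    open-relay           external recipient, nothing ties the sender to the org
    """
    if domain_of(sub.rcpt_to) in local_domains:
        return "local-delivery"
    if sub.authenticated:
        return "authenticated-relay"
    # MAIL FROM is deliberately ignored here: an unauthenticated client can
    # claim any sender, including one in a local domain.
    return "open-relay"


def find_open_relay_hits(submissions, local_domains=LOCAL_DOMAINS):
    """Return the accepted recipients that only an open relay would accept."""
    return [
        s for s in submissions
        if s.accepted and classify(s, local_domains) == "open-relay"
    ]


# Constructed sample sessions (documentation IP ranges, not real traffic).
SAMPLE = [
    # POP3/IMAP-style user who authenticated, sending to an external domain
    Submission("10.0.0.5", True, "alice@local.com", "bob@acme.com", True),
    # Inbound mail from outside for a local mailbox
    Submission("203.0.113.9", False, "carol@acme.com", "alice@local.com", True),
    # Unauthenticated outside-to-outside attempt that the server refused
    Submission("198.51.100.7", False, "x@example.net", "y@example.org", False),
    # Same, with a forged local sender, and the server accepted it
    Submission("198.51.100.7", False, "alice@local.com", "y@example.org", True),
    # Bounce with the null sender, addressed to a local mailbox
    Submission("203.0.113.9", False, "<>", "alice@LOCAL.COM", True),
]


if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.client_ip:>14}  {classify(s):<20} accepted={s.accepted}")
    for hit in find_open_relay_hits(SAMPLE):
        print("OPEN RELAY:", hit.client_ip, hit.mail_from, "->", hit.rcpt_to)
```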
JerryWCondra

Posts:0

09/21/2005 4:24 AM  
Deji
Would it be possible to get the link to the technical reference you mention?

Thanks
Jerry

bdesmond

Posts:996

09/21/2005 5:44 AM  
I was trying to say something along those lines. You're better at
explaining it than I am.

Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx

c - 312.731.3132



tkern

Posts:8

09/21/2005 10:54 AM  
In all, I don't have much experience with Exchange(about 2 years). I've mostly worked with Postfix and sendmail so i'm using the traditional rfc defs of smtp and relays.
I know that's a bad idea when talking about a commercial product.

In reality, an internal mapi client in your domain local.com, sending an email to someone@xxxxxxxxxxxxx, is relaying. it's just auth'ed or allowed relaying, the way your isp allows you to relay from outlook express using their smtp server.


just wondering how exchange fit into all this in re: to the aforementioned settings- the relay check boxes on the virtual server and connector.

thanks a lot!
On 9/20/05, Brian Desmond wrote:
Let me answer what I can authoritatively.

MAPI clients are totally different than pop3/imap. There is no virtual server or none of that. They submit their messages to the server over MAPI just like all their other traffic, and the then server handles the routing internally. You cannot disable mapi users from sending mail. They're not relaying anything off an SMTP server. If you create an
acme.com connector and uncheck the relay box, users will continue to be able to email to
acme.com

I'm not sure you understand what relaying means in the context of SMTP. Sending mail to the SMTP server's native domain is not relaying. It's what the SMTP server is there for. Submitting mail to the SMTP server for delivery to a remote smtp server is relaying. Usually you don't think of your internal users sending outbound mail as relaying though I guess technically it is.


A quick peek at the SMTP settings on a couple of the severs here indicates that they all have that allow computers which authenticate to relay box checked. Our outbound SMTP is locked down at the perimeter and inbound comes through a couple of iplanet boxes.  



Thanks,
Brian Desmond

brian@xxxxxxxxxxxxxxxx

c - 312.731.3132




From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of Tom KernSent: Tuesday, September 20, 2005 9:01 PMTo: activedirectory
Subject: [ActiveDir] Exchange relay(OT)



I'm confused about relaying on virtual servers and smtp connectors.

I keep reading conflicting reports-



In "Microsoft Exchange Server 2003 24seven" from Sybex, JMcBee writes in chapter 14 on page 584 that unchecking "Allow All Computers WHich Sucessfully Authenticate To Relay..", Exchange servers will not be able to send mail to one another.
He states Exchange servers relay with each other in an Org all the time and unchecking this will break exchange.

Jim McBee has stated this in both Exchange 2k and 2k3 verisons of the book.



However in "Exchange Server Cookbook", recipe 7.19, they state to uncheck this value for security reasons and seem to imply that this is only for pop3/imap clients.


Tony redmond in "MS Exchange Server 2003 with sp1" seems to agree as well.

who's right?



Also, I know the setting for relaying on an smtp connector overrides the virtual server connection setting, so say i create a connector with "acme.com" address space. If i uncheck the relay button on the connector, will users (mapi or pop3) be able to send mail to acme.com?

or do i have to enable relaying for this to work on that connector?





Finally, how does exchange view mapi users?

are they lumped in with auth users like pop3/imap?



what mechanism allows mapi users to relay? is there a setting that can disallow mapi clients from relaying like for pop3/imap clients?


Thanks.

a lot of questions, i know.

Exchange in some ways confuses the heck outta me.

I find the sendmail.cf file easier than exchange sometimes.




Thanks again!
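The distinction drawn in the reply above (mail for the server's own domain is local delivery, mail for a remote domain is relaying, and relaying can be limited to authenticated senders), as an added example that is not part of the original thread and is not Exchange's own logic. The class names, the `.example` domains and the IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    """Generic receive-side relay policy (hypothetical model, not an Exchange API)."""
    local_domains: set                       # domains this server is the final stop for
    allow_authenticated: bool = True         # "computers which authenticate may relay"
    granted_networks: list = field(default_factory=list)  # CIDRs trusted to relay
    allow_anyone: bool = False               # the open-relay misconfiguration


@dataclass
class Session:
    peer_ip: str
    authenticated: bool


def rcpt_domain(rcpt: str) -> str:
    """Lower-cased domain of a RCPT TO argument such as '<a@B.example>'."""
    addr = rcpt.strip().strip("<>")
    _, sep, domain = addr.rpartition("@")
    # A bare local part (e.g. 'postmaster') has no domain and is treated as local.
    return domain.rstrip(".").lower() if sep else ""


def decide(policy: RelayPolicy, session: Session, rcpt: str):
    """Return (verdict, reason) for one RCPT TO command."""
    domain = rcpt_domain(rcpt)
    local = {d.lower() for d in policy.local_domains}
    if domain == "" or domain in local:
        return ("accept", "local delivery, not relaying")
    # Everything below is a relay request: the recipient lives elsewhere.
    if policy.allow_anyone:
        return ("accept", "relay allowed for anyone (open relay)")
    if session.authenticated and policy.allow_authenticated:
        return ("accept", "relay for authenticated sender")
    peer = ip_address(session.peer_ip)
    if any(peer in ip_network(net) for net in policy.granted_networks):
        return ("accept", "relay for granted network")
    return ("reject", "550 5.7.1 Unable to relay")


def is_open_relay(policy: RelayPolicy) -> bool:
    """Audit check: would an anonymous outside host be relayed to a foreign domain?"""
    probe = Session(peer_ip="203.0.113.10", authenticated=False)  # TEST-NET-3
    verdict, _ = decide(policy, probe, "<someone@relay-probe.invalid>")
    return verdict == "accept"


# Constructed sample policy and sessions.
POLICY = RelayPolicy(local_domains={"local.example"}, granted_networks=["10.0.0.0/8"])
CASES = [
    (Session("198.51.100.7", False), "<bob@LOCAL.example>"),   # inbound, local
    (Session("198.51.100.7", False), "<x@acme.example>"),      # anonymous relay
    (Session("198.51.100.7", True), "<x@acme.example>"),       # authenticated relay
    (Session("10.1.2.3", False), "<x@acme.example>"),          # trusted subnet
]


def run_cases(policy: RelayPolicy):
    """Verdict for each constructed case, in order."""
    return [decide(policy, s, r)[0] for s, r in CASES]


if __name__ == "__main__":
    for (s, r), v in zip(CASES, run_cases(POLICY)):
        print(f"{s.peer_ip:15} auth={s.authenticated!s:5} {r:24} -> {v}")
    print("open relay:", is_open_relay(POLICY))
```
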
PeterJUser is Offline

Posts:5

09/21/2005 11:18 AM  
Hi Tom



In a MAPI client scenario on Exchange no
SMTP relaying occurs at all. The MAPI client submits the mail to the mailstore
using the MAPI protocol and the exchange server's MTA then processes it
and hands it off to the right connector based on target address space or type
e.g. SMTP, Rightfax etc. In the case of an SMTP address the SMTP virtual server
on Exchange server then performs a normal SMTP transaction to the destination
server. The checkbox on the Connector refers to clients who are using standard
protocols such as IMAP/POP.



Regards

Peter Johnson



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: 21 September 2005 12:52
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Exchange relay(OT)



well, technically, most smtp software like sendmail or postfix,
considers your users (pop3/imap) sending email over their MTA to a remote domain
as relaying and it's usually specified as such in the config files.

I know exchange is groupware, a different beast, but it is an smtp
routing server and a pop3/imap server, so i was wondering if it treated mapi
clients the same.

i know for a fact, the check box on the virtual server to allow
relaying for auth users applies to pop3/imap users, since they are technically
relaying but you are allowing them as they are your users.

I was just wondering if this affected internal Exchange servers relaying
off each other in your ORG or not.



as to the connector, i'm confused as to what the relaying check box
means there-

if your address space is a specific domain, you say checking or
unchecking has no effect on users sending email out thru that connector.

yet MS (and everyone else) says if your addy space is * and you allow
relaying, you are an open relay since the connector settings override what's on
the virtual servers on the bridgeheads (assuming your bridgeheads have mx
records and are the ones receiving incoming mail. if not, then i guess they
are just outgoing internal relays which could be bad if you have some smtp worm
or spam bot on your network).



In all, I don't have much experience with Exchange (about 2 years). I've
mostly worked with Postfix and sendmail so i'm using the traditional rfc defs
of smtp and relays.

I know that's a bad idea when talking about a commercial product.



In reality, an internal mapi client in your domain local.com, sending an email to someone@xxxxxxxxxxxxx, is relaying. it's
just auth'ed or allowed relaying, the way your isp allows you to relay from
outlook express using their smtp server.



just wondering how exchange fit into all this in re: to the
aforementioned settings- the relay check boxes on the virtual server and
connector.



thanks a lot!



tkernUser is Offline

Posts:8

09/21/2005 11:33 AM  
Thanks again 
Alm@xxxx.yyy

09/21/2005 11:38 AM  
Exchange servers have credentials. I haven't worked
with that check box lately, Tom, but I would not expect the servers to break
just because you expect to require credentials.

MAPI clients aren't relaying in the same context.
They don't submit an SMTP message but rather a local message that then gets
routed. An internet protocol MUA on the other hand, will have to act as an SMTP
client and send the message via SMTP. Technically, they would relay the
message off the Exchange server to its destination (internal, external,
whatever.) To be allowed to have that conversation, you're saying that the
client (this is client-server, so a "server" can be a client as well) must
present credentials and be authorized to send mail via SMTP conversation.


does that help?
PeterJUser is Offline

Posts:5

09/21/2005 11:59 AM  
IIRC the fact that your exchange servers
are explicitly members of the Exchange Enterprise and Exchange Domain Servers
groups means that they have specific rights across the org. As long as you don't
mess around with the SMTP virtual server settings, outside of what the
connector gives you, you should be fine as these rights are explicitly given to
the members of these two groups.

Plus the exchange server SMTP extensions
don't treat, I believe, SMTP connections and e-mail delivery from other
servers in the ORG as relay attempts since this isn't controlled by MX
records as normal SMTP delivery is. Exchange actually has some extended SMTP
verbs to process this sort of e-mail. So an e-mail from abc@xxxxxxxxx to xyz@xxxxxxxxx
where these two mailboxes are on different servers within the org is not
treated as a Relay attempt plus the mailbox is not located by an MX record but
rather by some sort of LDAP query performed by the Routing/Categorisation
engine. Take a look at the Exchange Technical Reference Guide for all the gory
details.





Regards

Peter Johnson



From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: 21 September 2005 13:32
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] Exchange
relay(OT)



Thanks!

so it doesn't apply to servers relaying internally to each other across
an org?

correct?



also, why does checking off that box on a connector going to *, make
you an open relay? doesn't that take into account authentication or does that
really mean relay to and from any domain (well i assume just "to",
because it's only outbound).



Thanks again


