I have Exchange 2000; I want to secure my server in such a way that nobody can send emails without a password

Tags:
Email security
Exchange 2000
Outlook
Password
I have Exchange 2000, and I want to secure my server in such a way that nobody can send emails without a password (Outlook/Exchange does not require a password for sending emails). For example, my email address is owais.siddiq@arwentech.com and my colleague's address is zahid.ishtiaque@arwentech.com. If I configure this account (zahid.ishtiaque) as POP in Outlook, I can send emails to others using his address, because sending does not require a password. I want sending to require a password. How can I secure it? Is it possible? If I grant access in Exchange as anonymous user (Exchange System Manager ---> filtering), we cannot receive emails from remote sites.
ASKED: September 22, 2008  3:01 PM
UPDATED: September 24, 2008  12:16 PM

Answer Wiki


Create a new SMTP virtual server to use for incoming client connections.

Connection control

Connection control restricts connections that are based on IP address or domain name, including reverse Domain Name System (DNS) lookups. Connection control options do not encrypt passwords or message data.

Access control

You can configure either basic authentication, anonymous authentication, or integrated Windows authentication (formerly named NTLM or Windows NT Challenge/Response authentication). Because basic authentication sends user names and passwords in clear text, it is not secure. To enable the encryption of user names and passwords, use either basic authentication with Transport Layer Security (TLS), or use integrated Windows authentication. Like Secure Sockets Layer (SSL), TLS encrypts user names, passwords, and message data. Note that integrated Windows authentication works only in scenarios where the client computer can contact a Windows-based domain controller to validate its credentials. In most firewall configurations, this contact cannot occur. However, internal implementations of SMTP access (where the logon session does not traverse the Internet) can use integrated Windows authentication.

Encryption

Security-enhanced communication encrypts the SMTP session, including the user name, the password, and the message data by using SSL encryption. It is better if you use SSL for all SMTP connections to Exchange 2003 that cross public networks such as the Internet. You must install a certificate on your SMTP virtual server. You can either use an external certification authority or you can install Certificate Services to your Microsoft Active Directory directory service forest to install a certificate.

Relaying control

By default, when you create a SMTP virtual server in Exchange 2003, it is configured to prevent the relaying of e-mail messages. Note that if your POP3 or IMAP4 clients do not have permission to relay, users cannot send SMTP mail to external domains through the SMTP virtual server. However, if you permit the relaying of messages, a user may be used to propagate unsolicited commercial e-mail messages (junk e-mail messages). When you use the default relay settings, only clients that are authenticated can relay messages through the SMTP virtual server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
319278 (http://support.microsoft.com/kb/319278/) How to secure Internet Message Access Protocol client access in Exchange 2000

<b>To Create a New SMTP Virtual Server</b>

1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Right-click SMTP, point to New, and then click SMTP Virtual Server.
4. In the Name box, type the name of the virtual server, and then click Next.
5. Click the IP address that you want to use, and then click Finish.
6. After you create the SMTP virtual server, confirm that the new virtual server is using the correct fully qualified domain name (FQDN). To do so:
a. Right-click the SMTP virtual server that you created, and then click Properties.
b. Click the Delivery tab, and then click Advanced.
c. Confirm that the domain name in the Fully-qualified domain name box matches the name that your users type when they configure their client software to deliver SMTP mail. To confirm that the domain name resolves correctly, click Check DNS.
d. Click OK, and then click OK.
Note If you are configuring an SMTP virtual server for clients that access this SMTP virtual server across the Internet, you may have to configure external DNS servers because the FQDN of the SMTP virtual server must resolve to an external Internet address. To do so, click Configure in the Advanced Delivery dialog box, click Add, and then type the IP address of the external DNS server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
326992 (http://support.microsoft.com/kb/326992/) Outgoing SMTP mail messages are not sent

<b>To Configure IP Address Restrictions</b>

To configure IP address restrictions:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
4. Click the Access tab, and then click Connection.
5. In the Connection dialog box, click Only the list below.

This indicates that only the IP addresses and the domains that are in the list are permitted to connect to the SMTP virtual server.
6. Click Add, and then do one of the following to add a single computer, a group of computers, or a domain, as appropriate to your situation:
• To add a single computer, click Single Computer, type the IP address of the e-mail messaging server of your Internet service provider (ISP) in the IP address box, and then click OK.

Alternatively, click DNS Lookup, type a host name, and then click OK.
• To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group in the corresponding boxes, and then click OK.

Microsoft recommends this option if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
• To add a domain, click Domain, type the domain name that you want in the Name box, and then click OK.

Note that this option requires a DNS reverse lookup on each incoming connection. This requirement may adversely affect the performance of the Exchange server. For more information, see the Troubleshoot section later in this article.

<b>To Configure Access Control</b>

To configure access control:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
4. Click the Access tab, and then click Authentication.

By default, anonymous access is disabled, and basic authentication and integrated Windows authentication are enabled. Configure the SMTP virtual server to use basic authentication with TLS encryption or integrated Windows authentication, and then click OK.
Note You must also enable the logon by using the Secure Password Authentication option on the SMTP client software. To do so in Microsoft Outlook Express:
1. Start Outlook Express.
2. On the Tools menu, click Accounts.
3. Click the Mail tab, and then click Properties.
4. Click the Servers tab, click to select the Log on using Secure Password Authentication check box, click OK, and then click Close.
Note that the user name and the password are encrypted. Message data is not encrypted.

<b>To Configure Encryption</b>

To configure encryption:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
4. Click the Access tab, and then click Certificate. Web Server Certificate Wizard starts.
5. Click Next.
6. Follow the instructions on the remaining pages of the wizard to create a new certification or to assign an existing certificate.
After the certificate is installed on the server, configure the communications method. To do so:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
4. Click the Access tab, and then click Communication.
5. Click to select the Require secure channel check box.
6. If both the Exchange 2003 computer and the clients support 128-bit encryption, click Require 128-bit encryption.
7. Click OK, and then click OK.
8. Stop and then restart the SMTP virtual server.
If your clients are using Outlook Express, configure Outlook Express to use SSL. To do so:
1. Start Outlook Express.
2. On the Tools menu, click Accounts.
3. Click the Mail tab.
4. Double-click the Exchange Server mail account, and then click the Advanced tab.
5. Under Outgoing Mail (SMTP), click to select the This server requires a secure connection (SSL) check box.
6. Click OK, and then click Close.

<b>To Configure Relaying</b>

To configure relaying:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
4. Click the Access tab, and then click Relay.

The default settings permit authenticated clients to relay messages. Typically, these settings are sufficient so that only clients with the correct credentials can relay messages through the SMTP virtual server. You can also restrict relay permissions to single IP addresses, IP address ranges, or DNS suffixes.
5. Click OK.

<b>To Test Whether the SMTP Virtual Server Settings That You Configured Work Correctly</b>

To test whether the SMTP virtual server settings that you configured work correctly:
• To confirm that the IP restrictions work correctly, use a POP3 and an IMAP4 client to try to connect to the server from an excluded IP address. If the IP restrictions are configured correctly, you receive a message that notifies you that a connection to the server is declined.
• To verify authentication encryption:
a. Run Network Monitor on your Exchange 2003 computer, and use the default authentication settings to initiate an SMTP session from the client while you capture the traffic that is coming to the Exchange 2003 computer.
b. Review the SMTP session and note the packets from the client to the server on port 25 (0019h).

Note that the user’s logon name and password are sent in clear text.
c. Remove support for basic authentication, configure the client to require Secure Password Authentication, initiate another SMTP session from the client, and then capture the traffic in Network Monitor.

The user account and password are now encrypted.
• To test SSL encryption:
a. Add a certificate, configure the settings so that you require a security-enhanced channel on the SMTP virtual server, and then configure the client to use SSL.
b. Start a Network Monitor capture, and then initiate an SMTP mail collection session from the client.
c. Stop the capture, and then examine the packets that were sent.

Note that all client to server packets with a destination of port 25 (0019h) are encrypted.
Note If you have not enabled encryption on the POP3 or IMAP4 mail collection, you may still see some unencrypted packets from the client that are destined for port 110 (006Eh) or for port 143 (008Fh).
• To test whether relay restrictions work correctly, send mail from an excluded IP address to an external domain. You receive an error message that states that the server was unable to relay for the recipient’s address.

<b>Troubleshoot</b>

Any restrictions that are based on DNS lookup can adversely affect the performance of the Exchange 2003 computer. Because the server performs a reverse DNS lookup on each inbound connection, a DNS reverse lookup zone must be available and the sending host must be registered with that zone.
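
The capture review described in the test steps above can be scripted. The following is an added example, not part of the original answer or of the Microsoft article: it audits a port 25 session exported from a capture as text for basic authentication offered without TLS, a readable AUTH LOGIN user name, and relay accepted without authentication. The `C: `/`S: ` transcript format, the function name, the host names and the sample sessions are all assumptions constructed for illustration.

```python
import base64

def b64(s):
    return base64.b64encode(s.encode()).decode()

def audit_smtp_session(transcript, local_domains=("example.test",)):
    """Audit one captured port-25 session; lines start with "C: " or "S: "."""
    findings, authed = [], False
    last_cmd, rcpt_domain, login_step = "", "", 0
    for line in transcript:
        side, text = line[0], line[3:].strip()
        if side == "C":
            if login_step == 1:      # base64 user name: encoded, not encrypted
                user = base64.b64decode(text).decode(errors="replace")
                findings.append(f"login for {user!r} readable on the wire")
                login_step = 2
            elif login_step == 2:    # base64 password: never record it
                login_step = 0
            else:
                last_cmd = text.upper()
                if last_cmd == "AUTH LOGIN":
                    login_step = 1
                elif last_cmd.startswith("RCPT TO"):
                    rcpt_domain = text[text.find("@") + 1:text.find(">")].lower()
            continue
        code, rest = text[:3], text[4:].upper()
        if code == "220" and last_cmd == "STARTTLS":
            break                    # everything after this is encrypted
        if code == "250" and rest.startswith("AUTH"):
            mechs = set(rest.replace("=", " ").split()[1:])
            note = "basic authentication offered without TLS"
            if mechs & {"LOGIN", "PLAIN"} and note not in findings:
                findings.append(note)
        elif code == "235":          # server confirmed the login
            authed = True
        elif code == "250" and last_cmd.startswith("RCPT TO"):
            if not authed and rcpt_domain not in local_domains:
                findings.append(f"unauthenticated relay to {rcpt_domain}")
    return findings

# Constructed sample captures (not taken from a real server).
WEAK = ["S: 220 mail.example.test ESMTP", "C: EHLO pc1", "S: 250-mail.example.test",
        "S: 250-AUTH LOGIN NTLM", "S: 250 OK", "C: AUTH LOGIN", "S: 334 " + b64("Username:"),
        "C: " + b64("alice"), "S: 334 " + b64("Password:"), "C: " + b64("constructed-pw"),
        "S: 235 2.7.0 Authentication successful"]
OPEN_RELAY = ["S: 220 mail.example.test ESMTP", "C: HELO pc1", "S: 250 OK",
              "C: MAIL FROM:<a@example.test>", "S: 250 OK",
              "C: RCPT TO:<b@elsewhere.test>", "S: 250 OK"]
HARDENED = ["S: 220 mail.example.test ESMTP", "C: EHLO pc1", "S: 250-mail.example.test",
            "S: 250-STARTTLS", "S: 250 OK", "C: STARTTLS", "S: 220 2.0.0 Ready",
            "C: <encrypted>"]
```

An empty result for a session means none of the three conditions was seen in the readable part of that capture; it does not show that the encrypted remainder is configured correctly.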
