
Unable to send SMTP mail over VPN


Yofnik

Oct 27, 2007, 1:15:53 PM
Our users cannot send SMTP mail when they are connected to our network
through VPN. They are getting "550 5.7.1 Unable to relay" error
messages. While I expect this when they are not connected to the VPN,
I don't understand why it is still happening when they are connected.
Here is our setup:

- SBS 2003. No authentication (too many dictionary attacks). Relaying
allowed only for internal private network - 192.168.100.0
(255.255.255.0).

- SonicWall Firewall / VPN Appliance (love it)

When users are in the office, they can send SMTP just fine. When they
are out of the office and connect to the VPN, they do get a
192.168.100.XXX IP address. So why then can't they send mail out using
SMTP?

FYI...I know they can just use Exchange services if they are connected
to the VPN. However a number of our users (CEO included), manage many
accounts in Outlook. One is Exchange, the rest are POP / SMTP.

Any help would be appreciated. Thanks.

Claus

Oct 27, 2007, 2:08:48 PM
Are you talking about sending mail from the other (POP3) account?

Have you considered switching your users to Outlook over HTTP? It works
great and they wouldn't need VPN to do their mail.

--
Claus
"Yofnik" <yof...@comcast.net> wrote in message
news:1193505353.9...@o80g2000hse.googlegroups.com...

Lanwench [MVP - Exchange]

Oct 27, 2007, 2:28:48 PM
Yofnik <yof...@comcast.net> wrote:
> Our users cannot send SMTP mail when they are connected to our network
> through VPN. They are getting "550 5.7.1 Unable to relay" error
> messages. While I expect this when they are not connected to the VPN,
> I don't understand why it is still happening when they are connected.
> Here is our setup:
>
> - SBS 2003. No authentication (too many dictionary attacks). Relaying
> allowed only for internal private network - 192.168.100.0
> (255.255.255.0).
>
> - SonicWall Firewall / VPN Appliance (love it)

Yep.


>
> When users are in the office, they can send SMTP just fine. When they
> are out of the office and connect to the VPN, they do get a
> 192.168.100.XXX IP address. So why then can't they send mail out using
> SMTP?

Not sure, but if you must keep this icky config for some unknown reason (see
below), just have them authenticate to the SMTP server in their Internet
Mail account properties and be done with it. You shouldn't allow anything
other than authenticated relay anyway - regardless of IP address. Those can
be spoofed.


>
> FYI...I know they can just use Exchange services if they are connected
> to the VPN. However a number of our users (CEO included), manage many
> accounts in Outlook. One is Exchange, the rest are POP / SMTP.
>
> Any help would be appreciated. Thanks.

<schoolmarm mode>

1. Don't mix and match account types in Outlook. This is a mess and will
cause problems. Seriously. No POP, no PST, period.

2. See # 1. Even for your CEO. If you clean up your config and everything
works more smoothly, your CEO will forgive you and maybe buy you a wonderful
birthday present, like a pony or something.

3. Have Exchange handle all your mail - both internal & external - as
illustrated here: http://www.msexchange.org/tutorials/MF002.html

4. Use only Exchange w/Cached Mode in the Outlook profile

5. Have your external users use RPC over HTTP to access the Exchange
server - no VPN needed. They can still use VPN if they want, but if all they
need is mail, they don't have to use it - and RPC over HTTP will work *far*
more reliably than VPN on most networks, as TCP 443 is hardly ever blocked.

</schoolmarm mode>


Yofnik

Oct 27, 2007, 5:59:01 PM
Lanwench,
Thank you for your advice. It is much appreciated. A few follow up
questions:

- Regarding authentication - I read that it is better to not have any
authentication at all and just lock down who can relay. This will
prevent dictionary attacks. We definitely were hit with a number of
these attacks and I believe some user accounts were compromised. We
have since enforced strict passwords, etc., but no authentication was
recommended in a Microsoft article I read. Am I misunderstanding here?

- As for our use of SMTP. I agree. I would much rather go the
"Exchange Only" route. However, we just have not had the same success
with that. Our users (especially our CEO) rely heavily on the
ability to open up a new mail message and select the mail account he
wants to send from. He needs to maintain two separate email accounts
within his single Outlook. I tried setting him up to be able to use
Exchange for both (I think it's called Delegation?). However, this did
not work as well. Whenever he sent a mail from the secondary account,
I believe it went out as something like "From User2 on behalf of
User1". This was just not acceptable. He needs to be able to send
mail AS the second account. If there is a better way to do this other
than using SMTP for the second account, I am all ears.

Thanks again for your help.

Lanwench [MVP - Exchange]

Oct 28, 2007, 9:36:01 AM
Yofnik <yof...@comcast.net> wrote:
> Lanwench,
> Thank you for your advice. It is much appreciated. A few follow up
> questions:
>
> - Regarding authentication - I read that it is better to not have any
> authentication at all and just lock down who can relay. This will
> prevent dictionary attacks. We definitely were hit with a number of
> these attacks and I believe some user accounts were compromised. We
> have since enforced strict passwords, etc., but no authentication was
> recommended in a Microsoft article I read. Am I misunderstanding here?

I haven't seen that article myself, and am a bit skeptical. However, this
may be a "choose your own poison" matter - and if you don't allow any relay,
it isn't going to be an issue. Remember, IP addresses can be spoofed. You
need a very good password policy (8-char minimum, regular changes, and I'd
force complexity as well).

>
> - As for our use of SMTP. I agree. I would much rather go the
> "Exchange Only" route. However, we just have not had the same success
> with that. Our users (especially our CEO) rely heavily on the
> ability to open up a new mail message and select the mail account he
> wants to send from. He needs to maintain two separate email accounts
> within his single Outlook. I tried setting him up to be able to use
> Exchange for both (I think it's called Delegation?). However, this did
> not work as well. Whenever he sent a mail from the secondary account,
> I believe it went out as something like "From User2 on behalf of
> User1". This was just not acceptable.

Grant him Send As rights on the other mailbox - this is done on the Exchange
server. Then he can use the From field. You may need to revoke the Outlook
delegation changes you already made....he should be given Full Mailbox
rights & Send As, set on the server.

Yofnik

Oct 28, 2007, 11:18:28 AM
What our users really find annoying with this approach is having to
type the "From" field. With multiple POP accounts, you can select the
account from the Accounts drop down list. When you do this, Outlook
will also display the appropriate email footer for that account. This
just isn't the case with multiple Exchange accounts.

Back to my original issue for a moment, if I allow relaying for my
internal subnet, theoretically, SMTP should work fine when connected
via VPN. Right? I just don't understand what is going on here. Maybe
the SMTP connection is still being made with the remote IP address,
not the VPN connection? How can I troubleshoot this?

Lanwench [MVP - Exchange]

Oct 29, 2007, 10:19:57 AM
Yofnik <yof...@comcast.net> wrote:
> What our users really find annoying with this approach is having to
> type the "From" field. With multiple POP accounts, you can select the
> account from the Accounts drop down list. When you do this, Outlook
> will also display the appropriate email footer for that account. This
> just isn't the case with multiple Exchange accounts.

That's true, and it's a common complaint. However, it works - and it's still
far better than configuring everyone with Internet Mail accounts in Outlook
by a long shot. People can be trained, and people can learn. There's also
www.ivasoft.biz - ChooseFrom and RightFrom which may be of some use to you.


>
> Back to my original issue for a moment, if I allow relaying for my
> internal subnet, theoretically, SMTP should work fine when connected
> via VPN. Right? I just don't understand what is going on here. Maybe
> the SMTP connection is still being made with the remote IP address,
> not the VPN connection? How can I troubleshoot this?

I don't use this config, so I can't say, but you may be on the mark with
your suspicion.
Use authenticated relay. It's much better. Relying on IP address is not the
way to go here.


sdo...@hotmail.com

Nov 10, 2013, 6:23:02 AM
For those still interested in this old topic:

I have had the same issue trying to make Outlook 2013 on a Surface RT tablet work with an old Exchange 2003 service through IMAP and SMTP over VPN and without SMTP authentication relay, as X.400 from 2003 is no longer supported and the SMTP needed anonymous authentication too for some legacy service.

To resolve the problem I just needed to edit the SMTP (outgoing) server name from Outlook account settings and instead of the full name (which, when used, didn't tunnel the VPN) I entered the short name (local network computer name, that forced VPN and got local relay settings).
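
A troubleshooting sketch for the behaviour discussed in this thread, added here as an example and not written by any of the posters: it checks which address an SMTP server name resolves to and which local source address the client would use to reach it, then compares both against the relay-allowed subnet 192.168.100.0/255.255.255.0 from the first post. The function names, the verdict strings, the sample addresses and the assumption that the mail server itself sits on that subnet are all hypothetical.

```python
import ipaddress
import socket

# Relay ACL quoted in the thread: 192.168.100.0 / 255.255.255.0.
RELAY_ALLOWED = ipaddress.ip_network("192.168.100.0/24")


def source_ip_for(dest_ip, port=25):
    """Local address the OS routing table picks to reach dest_ip.

    connect() on a UDP socket only selects a route; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]


def diagnose(server_ip, source_ip, allowed=RELAY_ALLOWED):
    """Classify one (resolved server address, client source address) pair."""
    server = ipaddress.ip_address(server_ip)
    source = ipaddress.ip_address(source_ip)
    if server not in allowed:
        # Assumption: the mail server lives on the relay-allowed subnet, so any
        # other address means the name resolved to its external interface.
        return "resolved-outside-lan"
    if source not in allowed:
        # Internal server address, but the client side is not in the ACL range.
        return "source-outside-acl"
    return "relay-ok"


def check_name(server_name):
    """Live check: resolve the name, then see which local address reaches it."""
    server_ip = socket.gethostbyname(server_name)
    source_ip = source_ip_for(server_ip)
    return server_ip, source_ip, diagnose(server_ip, source_ip)


if __name__ == "__main__":
    # Constructed samples (documentation ranges), not addresses from the thread.
    samples = [
        ("full name", "203.0.113.10", "198.51.100.23"),
        ("short name", "192.168.100.2", "192.168.100.57"),
        ("short name, VPN pool elsewhere", "192.168.100.2", "10.8.0.14"),
    ]
    for label, server_ip, source_ip in samples:
        print(f"{label:32} {server_ip:15} {source_ip:15} "
              f"{diagnose(server_ip, source_ip)}")
```

On a VPN-connected client, calling `check_name()` once with the full server name and once with the short name shows whether the two resolve to different addresses and leave through different interfaces.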