In a nutshell what I am trying to do is the following.
a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through an
ISA server 2004 firewall
I haven't figured out yet how to get the mail server to pick up email, I
could publish the SMTP server on the external firewall, but all email is
currently being sent to my ISP and I quite like this because they can take
care of a lot of spam filtering, virus etc. problems for me.
b) I then want IIS to forward the email to an internal exchange server
(through another ISA firewall)
I am trying to setup IIS to relay email. when I configure SMTP I get the
error "the domain name is not valid". I am setting up a domain and selecting
forward all email to smarthost, but when I check this option and type in the
IP address of the Exchange server, this is the error I get. It will be
picking up email destined for three different domains x.com , y.com and
z.com. The domain name for the Windows domain that needs to accept these
emails is called b.com. is this going to be a problem? I have not set up
anything on the Exchange server yet (should I be doing this first?)
c) Theoretically Exchange should then deliver the incoming mail to the
individual users. I have configured the exchange policies such that all
users have the appropriate associated SMTP email addresses against their
user names, so hopefully this should just work.
Sorry for all the questions, I seem to have half answers for most issues,
but just can't seem to get there.
Thanks to anyone who proffers help/advice.
Saira
The users in Exchange
>Hello
>Sorry about the big mail list, but my question involves 3 different
>expertise, so I am not sure where to post.
>
>In a nutshell what I am trying to do is the following.
>a) Get IIS, in an anonymous access DMZ, to pick email from my ISP through an
>ISA server 2004 firewall
>I haven't figured out yet how to get the mail server to pick up email, I
>could publish the SMTP server on the external firewall, but all email is
>currently being sent to my ISP and I quite like this because they can take
>care of a lot of spam filtering, virus etc. problems for me.
Your IIS server won't do any picking up of email. You would need a 3rd
party POP3 connector on that server to collect the mail and deliver it
to a local SMTP server. That server has the anti virus and spam
solution on it and will forward it to the Exchange server.
>
>b) I then want IIS to forward the email to an internal exchange server
>(through another ISA firewall)
>I am trying to setup IIS to relay email. when I configure SMTP I get the
>error "the domain name is not valid". I am setting up a domain and selecting
>forward all email to smarthost, but when I check this option and type in the
>IP address of the Exchange server, this is the error I get. It will be
>picking up email destined for three different domains x.com , y.com and
>z.com. The domain name for the Windows domain that needs to accept these
>emails is called b.com. is this going to be a problem? I have not set up
>anything on the Exchange server yet (should I be doing this first?)
>
>c) Theoretically Exchange should then deliver the incoming mail to the
>individual users. I have configured the exchange policies such that all
>users have the appropriate associated SMTP email addresses against their
>user names, so hopefully this should just work.
>
>Sorry for all the questions, I seem to have half answers for most issues,
>but just can't seem to get there.
>
>Thanks to anyone who proffers help/advice.
>
>Saira
>
>The users in Exchange
>
I'm a bit lost as to why you want an IIS server in a DMZ and then have
two ISA's. I'm not even sure why you want 2 ISA's. Who has told you
that you should do all this? It's a big waste of hardware for no
tangible gain in security.
You cannot do this with IIS alone. You will need a POP3 connector that
integrates with your Exchange instance and retrieves mail from your ISP (I
assume the ISP is using POP3 for message retrieval). In this case there is
no need for point b) below.
> b) I then want IIS to forward the email to an internal exchange server
> (through another ISA firewall)
You don't need this if you install and configure the POP3 connector on the
Exchange server itself. Here's an example of such a connector that
integrates natively with Exchange 2000/2003:
http://www.mapilab.com/exchange/pop3_connector/
Not too expensive either by comparison with other products of this nature.
> I am trying to setup IIS to relay email. when I configure SMTP I get the
> error "the domain name is not valid". I am setting up a domain and
> selecting forward all email to smarthost, but when I check this option and
> type in the IP address of the Exchange server, this is the error I get.
This should not be a problem, but check your DNS configuration carefully for
errors.
> It will be picking up email destined for three different domains x.com ,
> y.com and z.com. The domain name for the Windows domain that needs to
> accept these emails is called b.com. is this going to be a problem? I have
> not set up anything on the Exchange server yet (should I be doing this
> first?)
Yes you need to set up Exchange to accept messages for all three domains -
this is being done mainly through Recipient Policies in the Exchange System
Manager.
Virgil
I use IIS/SMTP to relay to Exchange myself. The IIS/SMTP box runs a Spam
Filtering system that processes the incoming mail, then passes it on to the
Exchange. There was nothing to configure on Exchange,..Exchange is
completely "oblivious" to what is happening.
It sounds to me like the IIS/SMTP Service is just simply misconfigured.
The question should be answered in an IIS Group, not ISA. ISA has nothing
to do with it,..the fact that it is going through an ISA as a result of
Publishing is irrelevant.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"ZVR" <no_spa...@me.local> wrote in message
news:4405f815$0$5488$9a6e...@unlimited.newshosting.com...
I know what you mean, however from the original post I got the impression
that the mailboxes are currently hosted at the ISP which performs all kind
of processing on them and also "stores" the messages in which case a POP3
connector would be required. If the ISP does not "store" the mailboxes and
simply passes everything on to the IIS relay after applying some anti-virus
filtering and so on, then the POP3 connector would be unnecessary as you
pointed out.
Virgil
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"ZVR" <no_spa...@me.local> wrote in message
news:440618bd$0$28053$9a6e...@unlimited.newshosting.com...
Julian Dragut
"Phillip Windell" <@.> wrote in message
news:O2DLxKY...@TK2MSFTNGP15.phx.gbl...
Once the email gets to the IIS Server I need it to be relayed to the
internal Exchange server (this is where I am getting the IIS SMTP
configuration error). My main question here, was how do I make sure that all
mail for all three domains gets forwarded through to the internal Exchange
server.
We already have our internal mailboxes configured via recipient policies to
receive mail from the various different domains, but I was not sure whether
this was all I needed to do.
"Julian Dragut" <julian...@itsm.ca> wrote in message
news:u%23CpCJbP...@tk2msftngp13.phx.gbl...
Yes you will. However! As I was saying in my previous email, if you
integrate a POP3 connector into your internal Exchange instance, you will
not need this intermediate DMZ step, period. The reason being that the
internal Exchange can connect to your ISP and retrieve the POP3 mail
directly, then route the messages to the appropriate mailboxes. Nowhere in
this scenario are you "exposing" the internal Exchange machine - there will
be no "incoming" connections to it, just outgoing requests made from the
POP3 connector to your ISP mail servers. This is as secure at it can be -
you only need to allow outbound access through your firewalls for the ISP
IP(s), for the POP3 protocol.
> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error).
This type of configuration is actually even less secure than what I am
suggesting because you need to allow traffic from the DMZ into the internal
network space, so if your DMZ ever gets compromised, the offenders will have
a direct access path into your SMTP service. Still secure enough if you ask
me, but just pointing out for the sake of the design that integrating the
POP3 connector into your internal Exchange instance is probably the best
option security-wise.
Virgil
"Saira" <Sa...@BayonetVentures.com> wrote in message
news:ORZNtTeP...@TK2MSFTNGP12.phx.gbl...
> and we do not want to expose our
> internal Exchange server to the internet.
Why not? If you publish it from ISA (followed by the "outer" firewall doing
a Static NAT to the ISA) you are only exposing the SMTP service which isn't
any different (or worse) than using an SMTP service in the DMZ.
> One option that we did have was to put in place another Exchange server in
> the DMZ, in this case we would have used a POP Connector to contact the ISP
> and the email would then have gone through to the backend server, however
> this is not our setup.
Yes you could do that, but (in my opinion) this whole method is based on
needless paranoia and on top of that the Admin doing it has to buy ($$$$) 2
Exchange Servers to perform a "single" job that could have just as easily
and safely been done with one Exchange.
> What we actually have is an IIS server in a DMZ and an
> Exchange server on the internal LAN. My questions was:
> What is the best way to get mail from the ISP into the DMZ (yes, the ISP
> stores the email in mailboxes, so from previous feedback, it looks like the
> opinion is that I will need a POP connector to get the mail down).
Then you have exactly what I thought you did. *IF* you need a POP3
Connector it would have to go on the IIS/SMTP in the DMZ (not the Exchange
machine) so it could interact with the ISP's system. However I don't think
there is such a thing. There isn't even a POP3 Service with IIS until you
get to the one with Server2003,...and a POP3 Service is not the same thing
as a POP3 Connector, which as far as I know is an "Exchange only" item.
Now with all that said,...you don't need a POP3 Connector. The ISP's SMTP
Server will use *SMTP* (not POP3) to send whatever it gets to the "outer
firewall's external IP#,...the firewall using Static NAT will pass it on to
the IIS/SMTP in the DMZ. The IIS/SMTP does a "rinse & repeat" of what the
ISP did and simply forwards everything it receives to the ISA's external IP#
where the Publishing Rule grabs it and passes it to the Exchange Server.
The Exchange Server is the one with the "brains" and will determine what to
do with the messages and if they even really belong there.
> Once the email gets to the IIS Server I need it to be relayed to the
> internal Exchange server (this is where I am getting the IIS SMTP
> configuration error). My main question here, was how do I make sure that all
> mail for all three domains gets forwarded through to the internal Exchange
> server.
1. In the MMC below the IIS/SMTP Virtual Server there is a Domains
Object,...in it you have to list all the Domains you are dealing with (do
not include the "@"). Make sure they aren't spelled wrong.
a. Then in the Properties of each of those Domains (not counting the Local
Default one),...enable "Allow the mail to be relayed to this domain"
b. Then enable "Forward all mail to Smarthost" and give it the external
ISA's IP# and enclose it in square brackets.
c. Leave everything else blank. Leave the Advanced Tab blank. Leave
"Outbound Security" set to anonymous.
2. Then in the Properties of the IIS/SMTP Virtual Server go to the Access
Tab, then the Relay button. Select "Only the list below",..then leave the
list blank. At the bottom Select the "Allow Computer that successfully
authenticate".
But this group is supposed to be about configuring and troubleshooting
ISA,...not IIS/SMTP. But then you crossposted to about a million other
groups.
> We already have our internal mailboxes configured via recipient policies
> to receive mail from the various different domains, but I was not sure
> whether this was all I needed to do.
Yes, as far as Exchange is concerned,...that is all you do. Exchange only
cares about what to do with the mail once it arrives (hence the Recipient
Policy), but Exchange couldn't care less how the mail found its way to the
server.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------
What you are saying makes sense, I must admit I am trying to listen to all
sides (some of whom say it is a bad idea to allow your Exchange server to
interact directly with the internet).
If I am to publish my Exchange server to the outer firewall (I am working in
a back to back scenario), do you have any idea on how to do this? I can see
how to do this if Exchange was in the DMZ, but not in the internal LAN. I
assume that if I do this, I am basically done and dusted as Exchange will
receive all the email and I will then just need to enable the firewall to
allow outgoing SMTP from Exchange and that's it....
Saira
"Phillip Windell" <@.> wrote in message
news:uzVbTogP...@TK2MSFTNGP10.phx.gbl...
I always enjoy "poking" at the guys that believe that. Just for their
enjoyment,...my Exchange is Published directly to the internet (before I
added the Spam Filtering machine) and I do not run any DMZ at all,...and
probably never will.
A LAN can be made perfectly secure without a DMZ.
> If I am to publish my Exchange server to the outer firewall (I am working
> in a back to back scenario), do you have any idea on how to do this?
Assuming the ISA is the "inner firewall" and is publishing Exchange to the
DMZ,...you would just pretend that the ISA is the Exchange server and use
the "outer firewall" to publish the ISA Server *as if* it was the Exchange
How about mail going out? Do I just allow SMTP from the internal to the
external network via the Exchange server?
Saira
"Phillip Windell" <@.> wrote in message
news:e8bJI6g...@TK2MSFTNGP10.phx.gbl...
Saira
"Saira" <Sa...@BayonetVentures.com> wrote in message
news:O9Ue8ahP...@TK2MSFTNGP11.phx.gbl...
That's what I said all along. Yes you can do that (although it will require
you purchase such a POP3 connector for your Exchange), and again this is the
most secure scenario and requires the least amount of reconfiguration
because everything will continue to work as before. Mail continues to arrive
in the POP3 mailboxes hosted by your ISP, so no DNS reconfiguration will be
required, no nothing - you just configure the POP3 connector to fetch email
from the ISP and that's it. No inbound connections of any kind (=server
publishing rules) are needed with this setup.
So if you're OK with the ISP having control over your email storage and can
afford to buy the POP3 connector software, by all means, go with it.
Virgil
That is correct. As far as the outer-most firewall is concerned, it thinks
the ISA is the Exchange box.
> How about mail going out? Do I just allow SMTP from the internal to the
> external network via the Exchange server?
Publishing doesn't effect outbound. The Exchange uses SMTP outbound exactly
the same way a user would use SMTP outbound with Outlook Express or
something. So in that respect Exchange is just nothing more than an SMTP
Client initiating an outbound SMTP connection,...however it *does* need to
be able to do so "anonymously". It is all completely unrelated to any of
the Publishing,... Publishing is only inbound.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
I suppose you could,...but it is more work and more complicated (to me) than
the other way. This all has to be worked out by the ISP. The ISP has to
configure their system to *hold* your mail when it would otherwise
immediately send the mail to you over SMTP. The ISP's system would only let
you have the mail when your machine "comes and gets it" using the POP3
Connector. To me this is a lot worse to deal with and has the most things
that can go wrong.
Of course, everything would be easier if you eliminated the DMZ & Firewall
and ran the ISA totally alone as an "edge" device between the LAN and the
Internet. This is why I preach so much against DMZs,...most people don't
even really know why they have one other than someone somewhere told them
they were more secure if they had one. Now if someone has a good
justifiable reason for one, then fine, that's great,...but doing it "just
because" isn't enough for me.
On outgoing, presumably I only need to allow the Exchange server access
through the firewall and then I'm done.
"Phillip Windell" <@.> wrote in message
news:eljtE8h...@TK2MSFTNGP11.phx.gbl...
That is pretty much it. It really isn't that complex,..it is just the DMZ
situation that makes it seem that way. You still have to make sure Exchange
itself isn't an "open relay" for Spam and in all other ways, properly
configured,..but that is always the case,..it is not part of the
"publishing" aspect.
Remember that when published, only the SMTP Service is exposed, nothing else
is,...unless you get into POP3 Publishing for "roaming users" but you
haven't indicated you want to do that.
> On outgoing, presumably I only need to allow the Exchange server access
> through the firewall and then I'm done.
Yes,..and it only has to be outbound SMTP.
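The two settings Phillip lists for the DMZ relay (a Domains list where each remote domain has "allow relay" plus a smarthost given as a bracketed IP, and Relay restrictions set to "Only the list below" with an empty list plus "allow computers that successfully authenticate") and his later reminder that the server must not be an open relay amount to one per-recipient decision. The following is an added example, not code from the thread or from any Microsoft product: a small Python model of that decision, so you can see which RCPT TO commands such a relay should accept and which it should refuse. The domain names x.com, y.com, z.com come from the thread; the addresses 203.0.113.5 (standing in for the ISA's external IP), 198.51.100.7 and 10.0.0.9, the example recipients, and the function names are all constructed for illustration.

```python
"""Model of the IIS/SMTP relay rules discussed in the thread (added example).

Assumptions (all constructed, not taken from the thread or from IIS itself):
  - each remote domain in the Domains list carries an "allow relay" flag and
    a smarthost written as a bracketed IP literal, as Phillip describes;
  - "Only the list below" is left empty, so no source IP may relay freely;
  - authenticated clients may relay to any domain.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RemoteDomain:
    name: str
    allow_relay: bool
    smarthost: str  # IIS wants "[a.b.c.d]"; a bare name triggers "domain name is not valid"


@dataclass
class RelayConfig:
    domains: dict                              # lower-case domain -> RemoteDomain
    relay_hosts: list = field(default_factory=list)  # "Only the list below" (empty here)
    allow_authenticated: bool = True           # "Allow computers that successfully authenticate"


def smarthost_ip(value):
    """Parse the bracketed smarthost form; anything else is rejected, which mirrors
    the "domain name is not valid" error Saira hit when typing a bare IP."""
    if value.startswith("[") and value.endswith("]"):
        return ipaddress.ip_address(value[1:-1])
    raise ValueError("smarthost must be an IP literal in square brackets: %r" % value)


def rcpt_decision(cfg, rcpt, client_ip, authenticated=False):
    """Decide one RCPT TO. Returns (smtp_code, text, smarthost_or_None)."""
    if "@" not in rcpt:
        return 501, "5.1.3 bad recipient address syntax", None
    domain = rcpt.rsplit("@", 1)[1].lower()

    # 1. Domains we are configured to relay for: accept and hand to the smarthost.
    d = cfg.domains.get(domain)
    if d is not None and d.allow_relay:
        smarthost_ip(d.smarthost)  # validate the bracketed form before accepting
        return 250, "2.1.5 recipient ok", d.smarthost

    # 2. Anything else is relaying to a foreign domain: only explicitly listed
    #    hosts or authenticated clients may do that, otherwise refuse (no open relay).
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in cfg.relay_hosts):
        return 250, "2.1.5 recipient ok (listed relay host)", None
    if authenticated and cfg.allow_authenticated:
        return 250, "2.1.5 recipient ok (authenticated)", None
    return 550, "5.7.1 unable to relay for " + domain, None


def run_session(cfg, client_ip, rcpts, authenticated=False):
    """Evaluate a list of RCPT TO addresses from one client; returns the codes."""
    return [rcpt_decision(cfg, r, client_ip, authenticated)[0] for r in rcpts]


# Constructed configuration matching the thread: three hosted domains, one smarthost.
ISA_EXTERNAL = "[203.0.113.5]"
CONFIG = RelayConfig(
    domains={n: RemoteDomain(n, True, ISA_EXTERNAL) for n in ("x.com", "y.com", "z.com")},
)

if __name__ == "__main__":
    # Constructed sample session from an arbitrary Internet host, unauthenticated.
    for rcpt in ("alice@x.com", "bob@Z.COM", "someone@example.net", "bad-address"):
        print(rcpt, "->", rcpt_decision(CONFIG, rcpt, "198.51.100.7"))
```

Note that a recipient in a hosted domain is accepted regardless of where the connection comes from, since the ISP's server will be the usual sender, while a recipient in any other domain is refused with 550 unless the client authenticated; that second branch is what keeps the DMZ box from becoming the open relay Phillip warns about.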
The ISP does that already Phillip...
> The ISP's system would only let
> you have the mail when your machine "comes and gets it" using the POP3
> Connector.
To the ISP the POP3 connector would look like a client. Nothing special
there.
> To me this is a lot worse to deal with and has the most things
> that can go wrong.
I don't necessarily share this view :-), once the POP3 connector is up and
running, it's smooth sailing - you just set it and forget it. In the end
it's Saira's decision, I just thought I would suggest this option too.
Virgil
It is a valid way to do it, I'm not denying that. But the ISP may not
already be doing that. It all depends on where the mailboxes reside. If
they already exist on the ISP's server then the POP3 Connection would be the
way to go,...but if the mail boxes don't already exist at the ISP then the
ISP's server would not be holding the mail and would be just passing the
mail onward to the customer's IP#. In fact it may not even touch the ISP's
mail server at all if the customer already has the MX Record pointing to
themselves which is the assumption I was operating under.
2 things that often get overlooked in that scenario are:
A) Delays. POP3 connectors fetch mail on a schedule. Usually no faster than
every 15 minutes.
B) flexibility. You simply cannot add e-mail addresses to Exchange. It has
to also be done at the ISP. And often, ISPs charge by the mailbox.