POP client can't relay to outside addresses

[cowboy00242]

I have set up our Exchange box to allow POP clients to use it. I have also closed the machine off to external relay using the typical Microsoft suggestions. However, these POP clients cannot relay to outside addresses, they can only send to internal recipients.

I have the Exchange server set to allow Authenticated users to relay, and have the clients set to send authentication information to the SMTP server.

WHat else do I need to check? Clients are being told they are not allowed to relay, and yet they can recieve their mail and also send to internal recipients.

So, I'm sorta baffled...

Any thoughts?

 

[DigitalRolly]

Silly question...

Are they authenticating on the mail client side?

Rolly

 

[cowboy00242]

Yes, they are... and no, they are not.

The clients in question are outside of our "internal" network. If I am using a POP client internally, I cannot relay to an external domain unless I send a username and password to the Exchange server (I have tested this), which is correct and expected behavior. If I try the same set of troubleshooting steps with external clients, I cannot relay regardless of the configuration of the client. It's as if the external clients are being disallowed to give authentication to use SMTP, or that their authentication is being ignored.

So the server is acting like they are not authenticating, although they are correctly set up (as far as I can tell) to do so.

Error returned from the Exchange server is 550: Relay denied.

 

[pleebo]

You will have to identify the external POP clients domains and put it in the allow list for the Exchange Server to relay these external POP users' mails via your Exc Server.

Cool!

 

[tom11011]

2 questions.

1.)On the pop client, who's smtp authentication are you using, yours or the end users ISP?

2.) Does your mailserver use a real internet IP address or a LAN address with NAT?

 

[cowboy00242]

Thanks for the advice, but I solved it lust a day ago, with a caveat. Here's what was happening, and how it was fixed:

1) Exchange was not allowing machines outside of its IP network to authenticate for SMTP. It would allow a machine to relay into the home domain, and allow machines from within the home domain to send out, but not allow a machine outside of the network to even authenticate to relay.

2) I went ahead and added the external subnet (where my SMTP/POP clients resided) to the exception list for relay. Before that, no machines were allowed to relay, although any machine that authenticated successfully could relay without restrictions.

3) Once the subnet was allowed, the external machines could relay. Great! Problem solved. But there is more...

4) I tested a different scenario: I used one of the external POP clients in the allowed subnet and sent to my hotmail address (an external relay). I had checked the box "Server requires authentication" in the POP client, and the message went through with no issue (I expected this). What I did not want to have happen was the next step: I unchecked that box, and the mail was relayed anyways. So essentially, the external clients are not required to authenticate to the SMTP server. This is not good.

Granted, the external clients sit in a 32 address subnet, so the range is very small, but conceivably it could be spoofed. So here is my next question to the group:

My email server sits behind a firewall, with only the SMTP and POP ports open for use externally. Is there another port necessary for the SMTP authentication data? Could this be why the external clients never authenticated properly, and the internal ones did? (I could sift through firewall logs, sure... but maybe someone has an answer?)

 

[bitcrawler]

Don't you are using TLS authentication ?