From: H-Man on 25 Feb 2010 13:00

On Thu, 25 Feb 2010 08:35:26 +0000, Chris M wrote:

> On 24/02/2010 23:22, H-Man wrote:
>
>> On Wed, 24 Feb 2010 10:27:38 +0000, Chris M wrote:
>>
>>> On 23/02/2010 22:48, H-Man wrote:
>>>
>>>> I have a Windows 2000 server with IIS installed.
>>>>
>>>> As so many others, I have several laptops out there that have issues sending email due to port 25 being blocked. I would like to make an authenticated port (something other than 25) available to my field personnel and have it forward to my ISP SMTP server on port 25. My internet domain is hosted by my ISP.
>>>>
>>>> I know this might be a basic question, but how do I go about making IIS allow a secure connection, accept emails destined for anywhere and forward it to our ISP's server for further handling?
>>>
>>> One way of doing it (sorry if these settings don't look the same in Windows 2000 but I don't have anything running that version any more!)
>>>
>>> Set the SMTP virtual server Authentication setting to require Basic Authentication. Disable anonymous access. In the relay restrictions, allow all computers which successfully authenticate to relay.
>>>
>>> Now, this will have the unfortunate effect of causing your clients to send their username/passwords across the Internet in clear text which you obviously don't want. Therefore, set the virtual server to use a certificate, and require a secure channel for communication. If you're using a self-signed certificate then your clients will need to trust this certificate. Set the listening port on the server to 465 (standard for Secure SMTP). This will secure the connection before authentication takes place.
>>>
>>> Hope this helps,
>>
>> I got the relay working, thanks for your help.
>>
>> Just a bit more on certificates. I tried a self-signed certificate, but can't get it to show up so that I can select it. Win2KS comes with IIS5. The only SelfSSL tool I could find to install a certificate was in the IIS6.0 resource kit. I installed the ssldiag tool and ran it to create a self-signed cert. It won't show when I go to select the certificate. I would imagine I'd need to open port 443 on our corporate firewall then as well, right? The SMTP does listen on port 465 as indicated.
>>
>> A self-signed certificate is not a problem as it should only be my staff, and just a few at that, that need in, so they can accept the certificate as legit.
>
> Sorry, I'm not able to jump onto a Windows 2000 box so I can't really try this myself. Did you import the certificate into the local computer certificate store?
>
> You won't need to open 443 incoming - just 465.

Thanks for all of your help. I know that without a machine in front of you it's all just by guess. I've had some success; maybe you can apply some general principles to my current problem.

My understanding was that if I wanted secure authentication to the server I'd need a certificate. I created a self-signed certificate using SSLDIAG. It seemed to work okay and the certificate was available to select. I also created my own with OpenSSL, and it as well is available to select. My problem exists regardless of which certificate I choose. I am selecting the certificate in the SMTP Virtual Server properties under Access and Certificates. Also in the Access tab is the option to select basic authentication (plain text, and I have this working well on port 465), with another option to require TLS encryption. As this is an option for Basic Authentication, I'm assuming this would make it secure authentication; this is what I'm after. There's also a Communications button just below and part of the Certificates section. Clicking the Communications button allows me the option of requiring a secure channel and the option of making that 128-bit. No combination of these settings and client settings will get me authenticated. The connection just times out. If I choose TLS authentication at the server, but set my client (Thunderbird) to none for connection security (SSL/TLS is an option), I get a screen asking for a new password, but none will work. I suspect that is because the password is received but not recognized because it's not encrypted where the server is expecting an encrypted password. No matter what, I can't seem to get connected to the server.

Any ideas?

--
HK
From: H-Man on 25 Feb 2010 17:29

On Thu, 25 Feb 2010 11:00:06 -0700, H-Man wrote:

> [...]
Chris,

Thanks again for all of your help and insight. Just an update. I discovered that TLS and SSL isn't really that but requires a STARTTLS conversation. Once I discovered that little tidbit, I got ThunderBird working. OE is a different matter though. I found out that OE will not work using port 465, but will for any other port. I switched to 587 and away we went. I have some tweaking to do, but everything works now.

Thanks again.

--
HK
From: H-Man on 26 Feb 2010 15:39
On Thu, 25 Feb 2010 15:29:01 -0700, H-Man wrote:

> [...]
Just another update for anyone who's interested: ThunderBird can take any unverifiable certificate (in my case self-signed) and put it into its trusted pool. OE6 cannot. I had to jump through some hoops to get this done, but everything now works as expected. My server is just a local file / database server, so it really is just for the LAN. We are on a static IP so I used the external IP as my SMTP server name in my email clients. OE6 requires that the certificate name exactly match the server name, so I created another certificate for my external IP address, and imported the certificate into OE. Lo and behold, everything works as expected. I learned a bit about certificates and how TLS and SSL work, so this was a positive experience indeed.

--
HK
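The two things the thread ends up discovering (465 is implicit TLS while 587 needs a STARTTLS exchange before AUTH, and a client such as OE6 insists that the name it dials appears verbatim in the certificate) as an added Python example; it is not code from the thread, from IIS or from either mail client. The host name, EHLO reply and IP address are constructed, and `submit_session` only runs when you call it with a real server and the CA file your clients trust.

```python
import ipaddress
import smtplib
import ssl

# Constructed EHLO reply of a submission server on 587 before any TLS upgrade.
SAMPLE_EHLO = (b"250-mail.example.internal Hello [203.0.113.5]\r\n"
               b"250-STARTTLS\r\n"
               b"250-AUTH LOGIN\r\n"
               b"250 SIZE 2097152")

def parse_ehlo(reply: bytes) -> dict:
    """Map each EHLO keyword to its arguments; the first line is the greeting."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        words = line[4:].split()          # drop the '250-' / '250 ' prefix
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def auth_plan(port: int, caps: dict) -> str:
    """How to reach AUTH without sending Basic credentials in clear text.
    On 465 the socket is TLS before any SMTP command (a client that waits for
    a cleartext banner there just times out); elsewhere, STARTTLS must come
    first (EHLO, STARTTLS, EHLO again, then AUTH)."""
    if port == 465:
        return "implicit-tls"
    if "STARTTLS" in caps:
        return "starttls"
    if "AUTH" in caps:
        return "refuse: AUTH would travel in clear text"
    return "no auth offered"

def name_matches(cert_names: list, server_name: str) -> bool:
    """Exact-match rule as OE6 applies it: the dialled host name or literal
    IP must appear in the certificate (IP compared in normalised form)."""
    try:
        target = ipaddress.ip_address(server_name)
    except ValueError:
        return server_name.lower() in (n.lower() for n in cert_names)
    return any(n == str(target) for n in cert_names)

def submit_session(host, port, user, password, cafile):
    """Live check, not run on import: open the session the right way for the
    port, verify the certificate against the trusted CA file, then log in."""
    ctx = ssl.create_default_context(cafile=cafile)
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
    else:
        conn = smtplib.SMTP(host, port, timeout=10)
        conn.starttls(context=ctx)        # fails if STARTTLS is not offered
    conn.login(user, password)            # only after the channel is TLS
    return conn
```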