Configuring an Inbound and Outbound SMTP Relay on the ISA Server 2004 Firewall

By Thomas W Shinder MD, MVP

Last week I did a two part article on how to install and configure a secure authenticating and anonymous access SMTP relay on the Internet network that you can use to help secure your Exchange Server. If you missed those articles, you can find them at:

Configuring an Inbound and Outbound SMTP Relay to Complement ISA 2004 Firewall Protection for Exchange Servers

(http://isaserver.org/articles/smtprelayinboundoutbound.html)

Configuring an Inbound and Outbound SMTP Relay to Complement ISA Server 2004 Firewall Protection for Exchange Servers, Part 2: Step by Step Instructions Including MailEssentials 9

(http://isaserver.org/articles/isa2004smtprelayinoutp2.html)

A number of you wrote to me and said that you liked the idea of a secure, authenticating and anonymous inbound access SMTP relay, but that you didn’t have an extra machine to dedicate to the relay process, and would it be possible to install the SMTP relay on the ISA Server 2004 firewall itself. You bet you can! In this article I’ll go over the procedures necessary to install the secure authenticating SMTP relay on the ISA Server 2004 firewall and how to configure the Access Rules to allow the appropriate communications required by the SMTP relay.

First, let's take a look at our simple example network. The figure below provides the details.

The SMTP relay on the ISA Server 2004 firewall in this example does not screen for spam or viruses. You do have the option to install a full-featured anti-spam application on the ISA Server 2004 firewall’s SMTP relay (such as GFI’s Mail Essentials) or you can install the ISA Server 2004 SMTP Message Screener. If there is enough interest in how to install the SMTP Message Screener on the ISA Server 2004 firewall’s SMTP relay, I’ll do another article on how to make that happen or include it in our book (http://www.amazon.com/exec/obidos/tg/detail/-/1931836191/). Send me a note at [email protected] if you’re interested.

External users need to use the SMTP relay to relay mail to domains not hosted by the organization, so we will make the SMTP relay machine a member of the same Active Directory domain that the Exchange Server belongs to. This is required so that the SMTP relay has access to the user account database in the Active Directory. Alternatively, you could mirror the Active Directory user database on the SMTP relay machine (which can be prohibitive in terms of administrative overhead), or you could create a “group account” and have everyone use the same account to relay to external domains.

In addition, we will request a certificate for the SMTP service on the SMTP relay so that external users can establish an SSL/TLS secured connection between their client computers and the SMTP relay. This keeps the data in the outgoing SMTP communications from your remote users from being intercepted in transit. The main reason for this is that remote users tend to connect from shared networks via a hotel or conference center broadband connection, where it is easy to use Network Monitor or Ethereal (or any other network analyzer) to intercept user names and passwords. The SSL/TLS encryption will secure the user credentials.

In order to simplify the process of certificate assignment, we have installed an enterprise CA on the Exchange Server, which is also a domain controller in this example. Using an enterprise CA allows us to use the Certificate Request Wizard integrated into the IIS SMTP service. If we had installed a standalone CA, we would have to perform an offline request, which involves using a text file and submitting the text file via the Web enrollment site.

In this article we’ll do the following to install and configure a secure authenticating outbound relay and an anonymous inbound relay on the ISA Server 2004 firewall machine:

  • Install the SMTP service on the ISA Server 2004 firewall
  • Use the Enterprise CA’s Web enrollment site to obtain a certificate for the SMTP server
  • Bind the Web site certificate to the SMTP service
  • Configure the SMTP service for inbound secure/authenticated and anonymous relay
  • Configure the SMTP service on the Exchange Server to use the ISA Server 2004 firewall as its outbound relay
  • Configure the ISA Server 2004 firewall to allow the Internal DNS server outbound access to the DNS (TCP and UDP) protocols
  • Publish the SMTP service on the ISA Server 2004 firewall machine
  • Create an Access Rule that allows outbound access for SMTP from the Local Host to both the Internal and External networks
  • Create an Access Rule that allows the Exchange Server access to the SMTP service on the ISA Server 2004 firewall machine
  • Configure Public DNS entries to support the SMTP Server Publishing Rule
  • Configure authoritative DNS server entries with your domain Registrar
  • Install the root CA certificate on the SMTP client computer
  • Test the connection

Install the SMTP service on the ISA Server 2004 firewall

The first step is to install the SMTP service on the ISA Server 2004 firewall. IIS services are not installed by default on a Windows Server 2003 machine, so we must install the service now.

Perform the following steps to install the IIS 6 SMTP service:

  1. Click Start and click Control Panel. Click Add or Remove programs.
  2. In the Add or Remove programs applet, click the Add/Remove Windows Components button.
  3. On the Windows Components page, select the Application Server entry and click Details.
  4. In the Application Server dialog box, select the Internet Information Services (IIS) entry and click Details.
  5. In the Internet Information Services dialog box, put a checkmark in the SMTP Service checkbox and click OK.
  6. Click OK in the Application Server dialog box.
  7. Click Next on the Windows Components page.
  8. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the path to the i386 folder in the Copy files from text box and click OK.
  9. Click Finish on the Completing the Windows Components Wizard page.

Use the Enterprise CA’s Web enrollment site to obtain a certificate for the SMTP server

The next step is to obtain a Web site certificate that we will bind to the SMTP service running on the ISA Server 2004 firewall. Since we are running an enterprise CA on the internal network, we typically would use the Certificates MMC snap-in to obtain the certificate. However, at the time of this writing the RPC filter on the ISA Server 2004 firewall prevents the Certificates MMC snap-in from obtaining a certificate from the enterprise CA. There is a possibility that the RPC filter will be fixed by the time the ISA Server 2004 product is released to manufacturing.

We will use the Web enrollment site to obtain the Web site certificate since the Certificates snap-in isn’t easily available to use at this time.

Perform the following steps to obtain the Web site certificate for the SMTP service:

  1. Open Internet Explorer on the ISA Server 2004 firewall machine and enter http://10.0.0.2/certsrv and press ENTER. The IP address 10.0.0.2 is the address of our enterprise CA machine.
  2. On the Welcome page of the Web enrollment site, click the Request a Certificate link.
  3. On the Request a Certificate page, click the advanced certificate request link.
  4. On the Advanced Certificate Request page, click the Create and submit a request to this CA link.
  5. On the Advanced Certificate Request page, select the Web Server entry in the Certificate Template list. Enter the common name that will be on the certificate in the Name text box. In this example, the common name on the certificate will be mail.msfirewall.org. The common name is a critical piece of information because the e-mail client application must be configured with the same common name for its SMTP server.
  6. Scroll down the page and put a checkmark in the Store certificate in the local computer certificate store checkbox. Click the Submit button.
  7. Click Yes on the Potential Scripting Violation dialog box informing you that the Web site is requesting a certificate on your behalf.
  8. On the Certificate Issued page, click the Install this certificate link.
  9. Click Yes on the dialog box informing you that the Web site is adding one or more certificates to this computer.
  10. Close the browser after you see the Certificate Installed page in the browser.

Bind the Web site certificate to the SMTP service

We can now bind the certificate to the SMTP server. Perform the following steps to bind the certificate to the SMTP service:

  1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. On the Default SMTP Virtual Server Properties dialog box, click the Access tab. On the Access tab, click the Certificate button.
  3. On the Welcome to the Web Server Certificate Wizard page, click Next.
  4. On the Server Certificate page, select the Assign an existing certificate option and click Next.
  5. On the Available Certificates page, select the certificate that you installed on the ISA Server 2004 firewall. In this example, the certificate we requested is named mail.msfirewall.org, so we will select that one. Click Next.
  6. Review the information on the Certificate Summary page and click Next.
  7. Click Finish on the Completing the Web Server Certificate Wizard page.
  8. Notice that the Communication button is now available. This indicates that the certificate was successfully bound to the SMTP service.

Configure the SMTP service for inbound secure/authenticated and anonymous relay

Now we’re ready for some heavy lifting. We need to configure the SMTP service to accept incoming mail to our Exchange Server and also configure the SMTP service to relay mail to external domains for authenticated users.

The first step is to configure a remote domain for the domain that we host. In this example, our public e-mail domain is msfirewall.org. Mail addressed to msfirewall.org should be relayed to our Exchange Server organization. Mail sent to any other domain should not be sent to the Exchange Server. This prevents spammers from using our Exchange Server as a spam relay.

Perform the following steps to configure the remote domain for inbound relay to your organization's Exchange Server:

  1. In the Internet Information Services (IIS) Manager, expand the Default SMTP Virtual Server and right click on the Domains node. Point to New and click Domain.
  2. On the Welcome to the New SMTP Domain Wizard page, select the Remote option and click Next.
  3. On the Domain Name page, enter the mail domain your Exchange Server hosts in the Name text box. In this example, we’ll enter msfirewall.org. Click Finish after entering the domain name.
  4. You will see the new remote domain appear in the right pane of the console. Double click on the new remote domain.
  5. In the remote domain’s Properties dialog box, put a checkmark in the Allow incoming mail to be relayed to this domain checkbox. In the Route domain frame, select the Forward all mail to smart host option and then enter the IP address of the Exchange Server that should accept the incoming mail. In this example, the IP address is [10.0.0.2]. Note that you must include straight brackets around the IP address so that the SMTP service does not consider this to be a fully qualified domain name and try to resolve it. You also have the option to select Use DNS to route to this domain. If you use this option, the SMTP relay will use DNS to resolve the name of the remote domain by doing a DNS query for the MX record for the domain. Click Apply and then click OK.

Creating the remote domain is only the first step in configuring our SMTP relay on the ISA Server 2004 firewall. The next step is to configure the properties of the Default SMTP Virtual Server. Perform the following steps to configure the SMTP virtual server:

  1. In the Internet Information Services (IIS) Manager console, expand the server name and then right click on the Default SMTP Virtual Server entry. Click Properties.
  2. On the Default SMTP Virtual Server Properties dialog box, select the IP address of the SMTP Virtual Server from the IP Address list. In this example, we will select the IP address on the external interface of the ISA Server 2004 firewall, which is 192.168.1.70. Put a checkmark in the Enable logging checkbox.
  3. Click on the Access tab. On the Access tab, click the Authentication button in the Access control frame.
  4. In the Authentication dialog box, leave the checkmark in the Anonymous access checkbox in place. Place a checkmark in the Integrated Windows Authentication checkbox. Click OK.
  5. In the Default SMTP Virtual Server Properties dialog box, click the Relay button in the Relay Restrictions frame.
  6. In the Relay Restrictions dialog box, confirm that there is a checkmark in the Allow all computers which successfully authenticate to relay, regardless of the list above checkbox. This setting will allow your external users to relay through the SMTP relay machine to domains that you do not host. Click the Add button.
  7. In the Computer dialog box, enter the IP address of the Exchange Server in the Single computer text box. We need to allow the Exchange Server to relay mail outbound to external mail domains, and this setting will allow the Exchange Server that access. Note that if this Exchange Server had a logged on user, that user’s credentials could be used for outbound relay. However, since servers typically do not have logged on users, you need to enable relay access control by using the Exchange Server’s IP address. This does have the potential for abuse, as spammers could spoof their IP address. However, the ISA Server 2004 firewall rejects spoofed communications, so you are protected from this exploit when using an ISA Server 2004 firewall to protect your organization. Click OK.
  8. In the Relay Restrictions dialog box, you will now see the IP address of the Exchange Server in the Computers list and the access is set as Granted. Click OK.
  9. In the Default SMTP Virtual Server dialog box, click the Delivery tab. On the Delivery tab, click the Advanced button.
  10. In the Advanced Delivery dialog box, you have the option to enter the IP address or FQDN of a smart host. A smart host is an SMTP server that you can forward e-mail messages to; in turn, the smart host performs name resolution for the destination mail domains of the outgoing e-mail messages. The smart host offloads name resolution responsibility from the Exchange Server or SMTP relay to the smart host computer. You also have the option to allow the SMTP relay to attempt delivery by resolving the SMTP domain name itself before sending the message to the smart host. Only if the SMTP relay is not able to resolve the name itself will it forward the messages to the smart host. Your smart host can be your ISP’s SMTP server, or any other SMTP server that you consider highly effective and available. In this example, we will not enter a smart host address. This will allow the SMTP relay to resolve the MX records for the destination domain itself. It will also require that we allow our Internal DNS server (located on the domain controller) to perform name resolution for Internet host names. The SMTP relay is configured to use the Internal DNS server, so it will send MX domain name queries to the Internal DNS server, the Internal DNS server will query Internet DNS servers to resolve the MX domain names, and then the Internal DNS server will return the result to the SMTP relay. The SMTP relay will then send the e-mail messages directly to the SMTP server responsible for that domain’s e-mail. Click OK.
  11. Click OK in the Default SMTP Virtual Server Properties dialog box.
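The remote domain, the Granted computer entry and the authenticated-relay checkbox together form the relay policy the virtual server enforces on every RCPT TO command. The following Python model of that policy is an added example written for this article, not IIS or ISA Server code; the hosted domain, the smart host value [10.0.0.2] and the Granted address come from the steps above, while the client addresses in the sample transactions are constructed. It also interprets the smart host value the way the text describes: a bracketed literal is delivered to that address, anything else is resolved through MX records.

```python
"""Relay decision logic modelled on the IIS SMTP virtual server settings.

Added example, not IIS or ISA Server code. The hosted domain, the Exchange
Server address [10.0.0.2] and the Granted computer entry are taken from the
article; the client addresses in SAMPLE_RCPTS are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class RelayPolicy:
    # Remote domains with "Allow incoming mail to be relayed to this domain"
    # checked, mapped to their "Forward all mail to smart host" value.
    hosted_domains: dict = field(default_factory=dict)
    # Relay Restrictions -> Computers list entries whose access is Granted.
    granted_hosts: set = field(default_factory=set)
    # "Allow all computers which successfully authenticate to relay,
    # regardless of the list above"
    relay_authenticated: bool = True


# The policy exactly as the article configures it.
RELAY_POLICY = RelayPolicy(
    hosted_domains={"msfirewall.org": "[10.0.0.2]"},
    granted_hosts={"10.0.0.2"},
)


def route_for(smart_host: str) -> tuple:
    """Interpret a smart host value: a bracketed literal such as [10.0.0.2]
    is delivered to that address directly (ValueError if it is not a valid
    address); any other value is a domain name resolved via its MX records."""
    if smart_host.startswith("[") and smart_host.endswith("]"):
        return ("literal", str(ip_address(smart_host[1:-1])))
    return ("mx", smart_host.lower().rstrip("."))


def decide(policy: RelayPolicy, client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """Return (SMTP reply code, route) for one RCPT TO command.

    Evaluation order mirrors the virtual server settings:
      1. mail for a hosted remote domain is accepted from anyone and sent inbound;
      2. otherwise, relay to a foreign domain requires authentication or a Granted IP;
      3. everything else is refused with 550 (Unable to relay).
    """
    if "@" not in rcpt_to:
        return ("501", None)                      # syntax error in recipient
    domain = rcpt_to.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in policy.hosted_domains:
        return ("250", route_for(policy.hosted_domains[domain]))
    if (authenticated and policy.relay_authenticated) or client_ip in policy.granted_hosts:
        return ("250", ("mx", domain))
    return ("550", None)


# Constructed sample transactions: (client IP, authenticated?, RCPT TO)
SAMPLE_RCPTS = [
    ("203.0.113.5",  False, "bob@msfirewall.org"),    # Internet MTA delivering inbound mail
    ("203.0.113.5",  False, "victim@example.net"),    # stranger trying to use us as an open relay
    ("198.51.100.9", True,  "partner@example.net"),   # remote user, authenticated over TLS
    ("10.0.0.2",     False, "partner@example.net"),   # Exchange Server relaying outbound mail
]


def run_samples(policy: RelayPolicy = RELAY_POLICY) -> list:
    """Evaluate every sample RCPT TO and return the list of reply codes."""
    return [decide(policy, ip, auth, rcpt)[0] for ip, auth, rcpt in SAMPLE_RCPTS]


if __name__ == "__main__":
    for (ip, auth, rcpt), code in zip(SAMPLE_RCPTS, run_samples()):
        print(f"{ip:14} auth={auth!s:5} RCPT TO:<{rcpt}> -> {code}")
```

The second sample transaction is the one that matters most: an unauthenticated Internet host addressing a domain you do not host must get a 550, otherwise the relay is open. Clearing the authenticated-relay flag or emptying the Granted list in RelayPolicy shows which setting each legitimate sender depends on.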

Configure the SMTP service on the Exchange Server to use the ISA Server 2004 firewall as its outbound relay

The Exchange Server will use the SMTP relay for outbound relay via a smart host setting on the Exchange Server’s SMTP service. Perform the following steps to configure the SMTP service on the Exchange Server to use the SMTP relay as its smart host:

  1. On the Exchange Server machine, click Start and point to All Programs. Point to Microsoft Exchange and click on System Manager.
  2. In the Exchange System Manager console, expand the organization name and then expand the Servers node in the left pane of the console. Expand the Protocols node and then expand the SMTP protocol.
  3. Right click the Default SMTP Virtual Server entry in the left pane and click Properties.
  4. In the Default SMTP Virtual Server Properties dialog box, click the Delivery tab. On the Delivery tab, click the Advanced button.
  5. In the Advanced Delivery dialog box, enter the IP address of the SMTP relay computer in the Smart host text box. In this example, the IP address of the SMTP relay is 192.168.1.70, so we will enter [192.168.1.70] into the text box. Notice that straight brackets must be placed around the IP address. Click OK.
  6. Click Apply and then click OK in the Default SMTP Virtual Server Properties dialog box.

Configure the ISA Server 2004 firewall to allow the Internal DNS server outbound access to the DNS (TCP and UDP) protocols

The Internal network DNS server must be able to resolve the mail domain name in the outgoing messages to the SMTP server responsible for the e-mail message. In our current scenario, the Internal network DNS server is on the domain controller/Exchange Server machine. This DNS server is configured to resolve Internet domain names and the ISA Server 2004 firewall is configured to use this DNS server for Internet host name resolution.

By default, the Microsoft DNS server can resolve Internet domain names if you configure the DNS properly before installing the Active Directory. This means you need to install and configure the DNS before you promote the machine to a domain controller. However, that is another subject for another time. The key factor here is that the DNS server must be primed with the proper root hints file that allows it to perform recursion to resolve Internet host names.

In order for the Internal network DNS server to resolve Internet host names, it must be able to perform recursion. This requires that the DNS server be able to access DNS servers on the Internet. We must create an Access Rule on the ISA Server 2004 firewall to allow the Internal network DNS server to resolve Internet host names.

Perform the following steps to create the DNS Access Rule:

  1. At the ISA Server 2004 firewall computer, open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Firewall Policy node.
  2. Right click the Firewall Policy node, point to New and click Access Rule.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll call it Outbound DNS. Click Next.
  4. On the Rule Action page, select Allow and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  6. In the Add Protocols dialog box, click the Common Protocols folder and double click on DNS. Click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder and double click on Internal. Click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, click the Networks folder and then double click on the External network. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry All Users and click Next.
  15. On the Completing the New Access Rule Wizard page, click Finish.

Publish the SMTP service on the ISA Server 2004 firewall machine

A Server Publishing Rule allows external hosts to access servers located behind the ISA Server 2004 firewall. A Server Publishing Rule can either route, or perform a reverse NAT to forward the incoming connections to the published server. In the case of the published SMTP server in this example, the publishing rule performs reverse NAT and exposes the connection to the SMTP filter, which protects the SMTP server from buffer overflow attacks.

Perform the following steps to publish the SMTP server:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click on the Firewall Policy node.
  2. Right click on the Firewall Policy node, point to New and click Server Publishing Rule.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server publishing rule name text box. In this example, we’ll name the rule Publish SMTP Relay. Click Next.
  4. In the Select Server dialog box, enter the IP address of the SMTP relay on the ISA Server 2004 firewall in the Server IP Address text box. In this example, the SMTP relay is at IP address 192.168.1.70. We will enter that address into the text box and click Next.
  5. On the Select Protocol page, select the SMTP Server protocol from the Selected protocol list. Note that you do not need to publish the secure SMTP server protocol separately, since the SMTP relay is able to accept incoming SSL/TLS secured connections on TCP port 25. Click Next.
  6. On the IP Addresses page, select the External network by placing a checkmark in the External checkbox. Click Next.
  7. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  8. Click Apply to save the changes and update the firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Create an Access Rule that allows outbound access for SMTP from the Local Host to both the Internal and External networks

The SMTP relay on the ISA Server 2004 firewall must be able to send SMTP messages to both the Exchange Server on the Internal network and to Internet SMTP servers that are responsible for domains you do not host. To allow the SMTP relay this access, we must create an Access Rule that allows the ISA Server 2004 firewall outbound access for the SMTP protocol to both the Exchange Server and to the External Network.

Perform the following steps to create this rule:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Firewall Policy node.
  2. On the Firewall Policy node, click the Create New Access Rule link on the Tasks tab of the Task Pane.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we’ll name the rule SMTP Local Host to Internal and External. Click Next.
  4. Select Allow on the Rule Action page.
  5. On the Protocols page, select the Selected protocols option on the This rule applies to list. Click the Add button.
  6. In the Add Protocols dialog box, click the Common Protocols folder. Double click the SMTP entry and then click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder. Double click the Local Host entry and click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. On the Add Network Entities dialog box, click the New menu. Click the Computer entry.
  13. In the New Computer Rule Element dialog box, enter a name for the Exchange Server in the Name text box. In this example, we’ll call it Exchange SMTP. Enter the IP address of the Exchange Server in the Computer IP Address text box. In this example, the IP address of the Exchange Server is 10.0.0.2 and we will enter that value into the text box. Click OK.
  14. In the Add Network Entities dialog box, click the Computers folder. Double click the Exchange SMTP entry. Click the Networks folder. Double click the External entry. Click Close.
  15. Click Next on the Access Rule Destinations page.
  16. On the User Sets page, accept the default entry All Users and click Next.
  17. Click Finish on the Completing the New Access Rule Wizard page.

Create an Access Rule allowing the Exchange Server access to the SMTP service on the ISA Server 2004 firewall machine

The Exchange Server must be able to send mail to the SMTP service on the ISA Server 2004 firewall so that it can use it as an outbound SMTP relay. In order to make this happen, we must create an Access Rule that allows outbound SMTP from the Exchange Server to the published SMTP service on the ISA Server 2004 firewall.

Perform the following steps to create the Access Rule:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click the Firewall Policy node.
  2. On the Firewall Policy node, click the Create New Access Rule link on the Tasks tab of the Task Pane.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we’ll name the rule SMTP Exchange -> Local Host. Click Next.
  4. Select Allow on the Rule Action page.
  5. On the Protocols page, select the Selected protocols option on the This rule applies to list. Click the Add button.
  6. In the Add Protocols dialog box, click the Common Protocols folder. Double click the SMTP entry and then click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Computers folder. Double click the Exchange SMTP entry and click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. On the Add Network Entities dialog box, click the Networks folder and double click the Local Host entry.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry All Users and click Next.
  15. Click Finish on the Completing the New Access Rule Wizard page.
  16. Click Apply to save the changes and update the firewall policy.
  17. Click OK in the Apply New Configuration dialog box.
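With the DNS Access Rule, the SMTP Server Publishing Rule and the two SMTP Access Rules in place, the firewall policy permits exactly the flows the relay design needs. The following Python model of that policy is an added example, not ISA Server code; the rule names and the addresses 10.0.0.2 and 192.168.1.70 come from the article, while the Internal network range 10.0.0.0/24, the firewall's internal address 10.0.0.1 and the Internet addresses in the test flows are assumptions. Rules are evaluated top to bottom, first match wins, and the built-in default rule denies everything else, which is how ISA Server 2004 processes its policy; the Server Publishing Rule is modelled as an allow from External to the published address.

```python
"""Model of the ISA Server 2004 firewall policy built in this article.

Added example, not ISA Server code. Rule names, 10.0.0.2 and 192.168.1.70 are
from the article; 10.0.0.0/24 (Internal), 10.0.0.1 (firewall internal address)
and the 203.0.113.x / 198.51.100.x Internet hosts are assumptions.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")                              # assumption
LOCAL_HOST = {ip_address("10.0.0.1"), ip_address("192.168.1.70")}    # firewall's own addresses
EXCHANGE_SMTP = {ip_address("10.0.0.2")}                             # "Exchange SMTP" computer element

# Protocol definitions: name -> set of (transport, port)
PROTOCOLS = {
    "SMTP":        {("tcp", 25)},
    "SMTP Server": {("tcp", 25)},            # server publishing protocol
    "DNS":         {("udp", 53), ("tcp", 53)},
}


def in_entity(entity: str, ip) -> bool:
    """Membership test for a network entity: a literal address or a named set."""
    try:
        return ip == ip_address(entity)
    except ValueError:
        pass
    if entity == "Local Host":
        return ip in LOCAL_HOST
    if entity == "Internal":
        return ip in INTERNAL_NET and ip not in LOCAL_HOST
    if entity == "External":
        return ip not in INTERNAL_NET and ip not in LOCAL_HOST
    if entity == "Exchange SMTP":
        return ip in EXCHANGE_SMTP
    raise ValueError(f"unknown network entity {entity!r}")


# (rule name, action, protocol, sources, destinations), evaluated top to bottom.
FIREWALL_POLICY = [
    ("Outbound DNS", "allow", "DNS", ["Internal"], ["External"]),
    ("Publish SMTP Relay", "allow", "SMTP Server", ["External"], ["192.168.1.70"]),
    ("SMTP Local Host to Internal and External", "allow", "SMTP",
     ["Local Host"], ["Exchange SMTP", "External"]),
    ("SMTP Exchange -> Local Host", "allow", "SMTP", ["Exchange SMTP"], ["Local Host"]),
]


def evaluate(policy: list, src: str, dst: str, transport: str, port: int) -> str:
    """Return the name of the first rule matching the flow; deny rules and the
    implicit default rule are reported with a '(deny)' suffix."""
    src, dst = ip_address(src), ip_address(dst)
    for name, action, protocol, sources, dests in policy:
        if (transport, port) not in PROTOCOLS[protocol]:
            continue
        if any(in_entity(s, src) for s in sources) and any(in_entity(d, dst) for d in dests):
            return name if action == "allow" else f"{name} (deny)"
    return "Default rule (deny)"


# Every flow the relay design depends on: (description, src, dst, transport, port)
REQUIRED_FLOWS = [
    ("Internet MTA delivers inbound mail to the relay", "203.0.113.25", "192.168.1.70", "tcp", 25),
    ("relay forwards inbound mail to the Exchange Server", "10.0.0.1", "10.0.0.2", "tcp", 25),
    ("relay delivers outbound mail to an Internet MX", "192.168.1.70", "203.0.113.25", "tcp", 25),
    ("Exchange Server hands outbound mail to the relay", "10.0.0.2", "192.168.1.70", "tcp", 25),
    ("Internal DNS server recurses to Internet DNS (UDP)", "10.0.0.2", "198.51.100.53", "udp", 53),
    ("Internal DNS server recurses to Internet DNS (TCP)", "10.0.0.2", "198.51.100.53", "tcp", 53),
]


def check_required(policy: list = FIREWALL_POLICY) -> list:
    """Return the descriptions of required flows that the policy does NOT allow."""
    return [desc for desc, s, d, t, p in REQUIRED_FLOWS
            if evaluate(policy, s, d, t, p).endswith("(deny)")]


if __name__ == "__main__":
    for desc, s, d, t, p in REQUIRED_FLOWS:
        print(f"{desc:55} {evaluate(FIREWALL_POLICY, s, d, t, p)}")
    print("direct Internet -> Exchange:", evaluate(FIREWALL_POLICY, "203.0.113.25", "10.0.0.2", "tcp", 25))
```

Running `check_required()` against the full policy returns an empty list, and a direct SMTP connection from the Internet to the Exchange Server still falls through to the default rule. Dropping any one of the four rules makes the corresponding flow reappear in the list, which is a quick way to see which symptom (mail queuing on Exchange, the relay unable to deliver, MX lookups failing) each missing rule would produce.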
Configure Public DNS entries to support the SMTP Server Publishing Rule

Remote SMTP clients need to be able to resolve the name on the SMTP server’s certificate to the IP address on the external interface of the ISA Server 2004 firewall machine. The reason for this is that the SMTP client application (such as Outlook or Outlook Express) is configured to use the FQDN contained on the certificate to verify the identity of the server. If the name on the certificate does not match the name the SMTP client application uses to connect to the SMTP server, the connection attempt will fail.

This is a very common reason for SSL/TLS connection failure. It is critical that you configure your public DNS with the same name that is on the SMTP virtual server’s certificate. In the current example, we chose the name mail.msfirewall.org. The external SMTP client must be able to resolve this name to the IP address on the external interface of the ISA Server 2004 firewall machine you’re using to publish the SMTP relay.

This is quite easy to do if you’re hosting your own DNS servers. If you have a third party host the DNS records for your domain, it may be easy or virtually impossible to get the correct records put into place.

If you manage your own DNS servers and those DNS servers use the Microsoft Windows Server 2003 DNS server (which, believe it or not, is one of the most secure DNS servers available; just check for BIND DNS exploits and compare the number of those with the number of identified Microsoft DNS server exploits and you’ll get the point pretty quickly), then you can perform the following procedures to create the required records.
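Because the mail client has no "continue anyway" prompt, the name-match rule above is worth checking from the client side before users report failures. The following Python is an added example, not code from the article or from Outlook Express: cert_matches implements the comparison a TLS client makes between the server name it was told to use and the names in the certificate (subjectAltName DNS entries first, falling back to the subject common name as the article's Web Server certificate carries only a common name), and check_starttls performs the live STARTTLS handshake against the relay using the standard library's verifying context. The sample certificate dictionary is constructed in the shape that ssl's getpeercert() returns; the issuer name in it is hypothetical.

```python
"""Client-side check that the SMTP relay's certificate names the host the
client connects to.

Added example, not code from the article. SAMPLE_CERT is constructed in the
shape returned by ssl.SSLSocket.getpeercert(); its issuer name is hypothetical.
"""
import smtplib
import ssl


def cert_matches(cert: dict, server_name: str) -> bool:
    """Does the certificate name the server the client was told to connect to?

    DNS entries in subjectAltName take precedence; the subject commonName is
    consulted only when there are none. A wildcard label matches exactly one
    label, so *.msfirewall.org covers mail.msfirewall.org but not
    msfirewall.org. An IP address never matches a DNS name, which is why a
    client configured with 192.168.1.70 instead of mail.msfirewall.org fails.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    want = server_name.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == want:
            return True
        if (name.startswith("*.") and want.count(".") == name.count(".")
                and want.endswith(name[1:])):
            return True
    return False


def check_starttls(server_name: str, port: int = 25, cafile=None, timeout: float = 10) -> bool:
    """Live check (needs the relay reachable): connect by name, upgrade with
    STARTTLS and let the default context verify the chain and the host name.
    A certificate from your own enterprise CA verifies only if that CA's root
    is trusted, either in the OS store or through `cafile` (PEM path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(server_name, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)   # raises ssl.SSLCertVerificationError on mismatch or untrusted root
        smtp.ehlo()
        return cert_matches(smtp.sock.getpeercert(), server_name)


# Constructed: what getpeercert() would return for the article's certificate,
# which was requested with the common name mail.msfirewall.org and no SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.msfirewall.org"),),),
    "issuer": ((("commonName", "Example Enterprise CA"),),),   # hypothetical issuer
}


if __name__ == "__main__":
    for configured in ("mail.msfirewall.org", "192.168.1.70", "smtp.msfirewall.org"):
        print(f"client configured with {configured:22} -> "
              f"{'ok' if cert_matches(SAMPLE_CERT, configured) else 'name mismatch'}")
```

The three configured names in the usage block reproduce the failure mode the text describes: only the name that was typed into the certificate request succeeds, and pointing the client at the firewall's IP address or at any other host name fails even though the same server answers.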

The first record you must create is a Host (A) record that maps the IP address on the external interface of the ISA Server 2004 firewall to the name on the SMTP virtual server’s certificate. In this example, the name is mail.msfirewall.org, so we need to create a Host (A) record with the same name. Perform the following steps to create the Host (A) record:

  1. On the Windows Server 2003 DNS server, click Start and point to Administrative Tools. Click DNS.
  2. In the DNS console, expand your server name and then expand the Forward Lookup Zones node. Right click on the domain name and click New Host (A).
  3. In the New Host dialog box, enter the host name portion of the FQDN listed on the SMTP virtual server’s certificate in the Name (uses parent domain if left blank) text box. In this example, the host name portion of the FQDN is mail, so we will enter that into the text box. In the IP address text box, enter the IP address on the external interface of the ISA Server 2004 firewall that you used in the SMTP Server Publishing Rule. In this example, the external IP address is 192.168.1.70, so we enter that into the text box. Click Add Host.
  4. Click OK in the DNS dialog box informing you that the record was successfully created.
  5. Click Done.

The next step is to create an MX record for your e-mail domain. Perform the following steps on the Windows Server 2003 DNS server to create the MX record:

  1. Right click the domain name and click the New Mail Exchanger (MX) command.
  2. In the New Resource Record dialog box, enter the FQDN of the Host (A) record you created for the SMTP relay server. In this example, the name is mail.msfirewall.org. Enter this value in the Fully qualified domain name (FQDN) of mail server text box. You can also use the Browse button to find this host record.
  3. Click OK in the New Resource Record dialog box.
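The A record, the MX record and the name-server entries handed to the Registrar have to agree with each other and with the certificate, and a mismatch in any one of them shows up as mail that never arrives or as the TLS name failure discussed above. The following Python check is an added example, not Windows DNS Server code: it walks a small zone represented as a dictionary and reports every inconsistency. The zone is constructed to match the article (mail.msfirewall.org at 192.168.1.70); the name servers ns1/ns2 and their addresses are assumptions. The rule that an MX target must not be a CNAME comes from RFC 2181, not from the article.

```python
"""Consistency check for the public DNS records created for the SMTP relay:
the Host (A) record named after the certificate, the MX record that points at
it, and the two authoritative name servers the Registrar must be told about.

Added example, not Windows DNS code. ZONE is constructed to match the article;
the ns1/ns2 name servers and their addresses are assumptions.
"""

# Constructed zone: owner name -> {record type: [rdata, ...]}
ZONE = {
    "msfirewall.org.": {
        "NS": ["ns1.msfirewall.org.", "ns2.msfirewall.org."],
        "MX": [(10, "mail.msfirewall.org.")],
    },
    "mail.msfirewall.org.": {"A": ["192.168.1.70"]},
    "ns1.msfirewall.org.": {"A": ["192.168.1.71"]},    # assumption
    "ns2.msfirewall.org.": {"A": ["192.168.1.72"]},    # assumption
}


def fqdn(name: str) -> str:
    """Normalise a name to lower-case, dot-terminated form."""
    return name.lower().rstrip(".") + "."


def check_mail_zone(zone: dict, domain: str, cert_name: str, published_ip: str) -> list:
    """Return a list of problem descriptions; an empty list means the
    A, MX and NS records line up with the certificate name and the address
    used in the Server Publishing Rule."""
    problems = []
    apex = zone.get(fqdn(domain), {})

    mx_records = apex.get("MX", [])
    if not mx_records:
        problems.append(f"no MX record for {domain}")
    targets = [fqdn(host) for _, host in sorted(mx_records)]

    # The name the client is configured with (the certificate name) must be
    # one of the mail exchangers, or the MX points somewhere the cert does not cover.
    if targets and fqdn(cert_name) not in targets:
        problems.append(f"no MX record points at the certificate name {cert_name}")

    for host in targets:
        rrset = zone.get(host, {})
        if "CNAME" in rrset:
            problems.append(f"MX target {host} is a CNAME (not allowed, RFC 2181)")
        elif published_ip not in rrset.get("A", []):
            problems.append(f"MX target {host} has no A record for {published_ip}")

    # The Registrar needs at least two name servers, each with a usable address.
    ns_with_address = [ns for ns in apex.get("NS", []) if zone.get(fqdn(ns), {}).get("A")]
    if len(ns_with_address) < 2:
        problems.append("fewer than two name servers with A records to give the Registrar")
    return problems


if __name__ == "__main__":
    result = check_mail_zone(ZONE, "msfirewall.org", "mail.msfirewall.org", "192.168.1.70")
    print("zone OK" if not result else "\n".join(result))
```

Feeding the checker a zone where mail.msfirewall.org is a CNAME, or where the MX names a host other than the one on the certificate, returns the corresponding problem string, which is the same situation a remote MTA or a remote Outlook user would hit after the records go live.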

Configure Authoritative DNS Server Entries with Your Domain Registrar

If you host your own DNS servers (and even if you don’t), you must inform your domain Registrar of at least two DNS servers that are authoritative for your domain. You can configure your DNS all day long and have the configuration absolutely perfect, but if you do not inform your domain Registrar, then no one will be able to locate your DNS servers to obtain information about the resources you host.

The procedure for informing your domain Registrar varies among the Registrars. I use Network Solutions, or Verisign, or whatever name they go by today :). I go to their Web site and enter the names of my DNS servers and the IP addresses that go with those names. Go Daddy, another Domain Registrar, has a similar procedure, but it appears to be much simpler. If you publish your own DNS servers, make sure to have at least two IP addresses bound to the external interface of the ISA Server 2004 firewall and publish two Internal DNS servers (you are required to have two public DNS servers for fault tolerance).

In a later article, we’ll go over the procedures for publishing DNS servers, and I’ll also share with you some tips and tricks on how to make your DNS publishing scheme as fault tolerant as possible. But this article is already getting too long, so we’ll move on to the next step, which is installing the root CA certificate into the user’s Trusted Root Certification Authorities certificate store.

    Install the root CA certificate on the SMTP client computer

    The SMTP client computer must have the root CA certificate installed into the local user’s certificate store. The reason for this is that there is no interface that allows you to continue to connect to the secure SMTP virtual server when using a e-mail client application like Outlook or Outlook Express.

    If you’ve ever tried to connect to a Web site that uses a secure SSL link, but you do not have a CA certificate installed for the root CA that issued that Web site’s certificate, then you know that one of the issues that appears in the information dialog box that pops up is that you have not chosen to trust the CA that issued the site’s certificate. This dialog box allows you to continue, but you do not have this option when using an SMTP client application. Therefore, you must install the CA certificate on the client machine before you attempt to create a secure SMTP connection to the SMTP relay machine.

    Perform the following steps to obtain and install the root CA certificate into the user’s Trusted Root Certification Authorities store:

    1. On the Outlook Express e-mail client computer, enter the IP address and path that connects you to the enterprise CA’s Web enrollment site. You can do this from an external host by publishing the Web enrollment site, or you can connect to the machine directly if the host is located behind the ISA Server 2004 firewall. In this example, we’ll assume the client is located behind the ISA Server 2004 firewall when it requests and installs the enterprise CA’s root certificate. Enter http://10.0.0.2/certsrv in the Address bar and press ENTER.
    2. In the Connect to dialog box, enter Administrator in the User name text box and the Administrator’s password in the Password text box. Click OK.
    3. On the Welcome page of the Microsoft Certificate Services site, click the Download a CA certificate, certificate chain, or CRL link.
    4. On the Download a CA Certificate, Certificate Chain, or CRL page, click the Install this CA certificate chain link.
    5. Click Yes in the Security Warning dialog box asking if you want to install the Microsoft Certificate Enrollment Control.
    6. Click Yes in the Potential Scripting Violation dialog box informing you that the Web site will add a certificate to the machine.
    7. Click Yes in the Root Certificate Store dialog box asking if you want to add the CA certificate.
    8. Close the browser after you see the CA Certificate Installation page that informs you that The CA certificate chain has been successfully installed.

    Test the connection

    Yes! We’re just about ready to test the connection. The SMTP relay on the ISA Server 2004 firewall and the Exchange Server are ready to go. The ISA Server 2004 firewall is set up with the required Access Rules and an SMTP Server Publishing Rule. The last link in the chain is the SMTP client application.

    Any e-mail client application can be an SMTP client. Outlook, Outlook Express, and all other popular e-mail client applications can be configured as SMTP clients. However, there may be varying support for SSL/TLS secured SMTP connections and the configuration interface varies widely between products.

    For this reason, I’ll demonstrate how to configure the secure SMTP client with Outlook Express. Outlook Express is almost universal, since it’s included with every version of Windows. Outlook Express is an effective, albeit not full-featured, e-mail client, and many corporate and home users find it an acceptable alternative to the full Outlook 2000/2002/2003 client.

    The CA certificate is already installed on the Outlook Express client computer. The next step is to create the e-mail account and then configure the e-mail account to log into the SMTP server using NTLM and also to use SSL/TLS for the connection.

    Perform the following steps to create the e-mail account in Outlook Express:

    1. At the Outlook Express client machine, open Outlook Express.
    2. If the New Account Wizard starts, close it. This Wizard only comes up when no account has ever existed on the machine. I want these instructions to apply to everyone, whether they have created an account on the machine before or not.
    3. Click the Tools menu and then click Accounts.
    4. In the Internet Accounts dialog box, click the Mail tab.
    5. On the Mail tab, click the Add button. From the fly-out menu, click the Mail command.
    6. On the Your Name page, enter your name or alias. In this example, we will use Administrator. Click Next.
    7. On the Internet E-mail Address page, enter your e-mail address in the E-mail address text box. In this example, we will use [email protected]. Click Next.
    8. On the E-mail Server Names page, select the appropriate type of mail server from which the client pulls down new mail. We have not covered POP3 or IMAP4 publishing in this article, so neither of these options will work at this time. However, it is very simple to publish both of these services. Check out the ISA Server 2004/Exchange Deployment Kit for details on how to publish the Exchange POP3 and IMAP4 services. We will use the name mail.msfirewall.org for the Incoming mail (POP3, IMAP or HTTP) server and we will use the same name for the Outgoing mail (SMTP) server. We will select the IMAP option in the My incoming mail server is a server list. Click Next.
    9. On the Internet Mail Logon page, enter the user account name and user password in the Account name and Password text boxes. In this example the account name is Administrator and the administrator’s password is entered. Note that this setting only applies to the IMAP service logon, not the SMTP service log on.
    10. On the Congratulations! page, click Finish.
    11. On the Mail tab, click the new mail account and click Properties.
    12. On the mail account’s Properties dialog box, click the Servers tab.
    13. On the Servers tab, put a checkmark in the My server requires authentication checkbox that is located in the Outgoing Mail Server frame. Click the Settings button.

    14. In the Outgoing Mail Server dialog box, select the Log on using option. In the Account name text box, you can enter the user name using the UPN (like [email protected]) or the DOMAIN\username format. We will enter the name [email protected] in the Account name text box and enter the Administrator’s password in the Password text box. Put a checkmark in the Remember password checkbox, and put a checkmark in the Log on using Secure Password Authentication checkbox. Click OK.

    15. Click the Advanced tab.
    16. On the Advanced tab, put a checkmark in the This server requires a secure connection (SSL) checkbox that lies just under the Outgoing mail (SMTP) port number text box.

    17. Click Apply and then click OK in the mail account’s Properties dialog box.
    18. Click Close in the Internet Accounts dialog box.
    19. If you selected the IMAP server as your download server, you will see a dialog box asking if you want to download folders now. Click No.
    20. Close Outlook Express.

    Now we’re ready to do some testing. First, let’s test our ability to send mail to the msfirewall.org domain. Remember that users do not need to authenticate to send mail to this domain because we have configured a remote domain to forward mail to the msfirewall.org domain to the Exchange Server. This test will just test basic functionality of the SMTP Server Publishing Rule:

    1. Create an e-mail message in Outlook Express and address the message to [email protected] or an account in your domain. In the subject line enter Test and in the body enter test. Send the message.
    2. The message arrives at the Exchange Server. If you had real-time monitoring turned on, or if you query the log files at the ISA Server 2004 firewall, you will see that the Server Publishing Rule accepted the connection.

    Next, we’ll test the ability of the machine to relay through the SMTP relay to an external domain. Remember that in order to relay through to an external domain, the SMTP client application must be able to authenticate with the SMTP relay machine. This will test the ability to relay through the SMTP server, check the authentication method, and confirm that SSL/TLS is being used to secure the connection. I will run Network Monitor on the SMTP relay machine to confirm these findings:

    1. Create an e-mail message on the Outlook Express computer and address it to an external user. I’ll address this message to [email protected] and enter Test in the subject line and Test in the body. Send the message.
    2. In Network Monitor, you can see the following frames. The first figure shows the SMTP relay machine sending the requirements for establishing the session to the Outlook Express client. The second figure shows the Outlook Express client sending the STARTTLS command to the SMTP relay machine. After this point, the communications are secured by SSL/TLS encryption and you are unable to see the user credentials or the data in the Network Monitor trace.

    3. However, if you look at the Event Viewer’s Security node, you can see the logon of the Outlook Express client, as seen in the lines below. NTLM authentication was used and the IP address of the Outlook Express client is listed in the Source Network Address line.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 6/6/2004
    Time: 11:57:01 AM
    User: MSFIREWALL\Administrator
    Computer: ISALOCAL
    Description:
    Successful Network Logon:
    User Name: Administrator
    Domain: MSFIREWALL
    Logon ID: (0x0,0x5658A)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: XPPROSP1
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.1.187
    Source Port: 1064

    You can also view the e-mail headers of this message to see the path taken to the external domain. Notice that the header on the SMTP relay machine indicates that a secure channel was used to send the initial message.

    Microsoft Mail Internet Headers Version 2.0
    Received: from IHATESPAM.shindermail.net ([192.168.1.102]) by owa.shindermail.net with Microsoft SMTPSVC(6.0.3790.0);
        Sun, 6 Jun 2004 12:03:51 -0500
    Received: from MAILSEC8 ([192.168.1.101]) by IHATESPAM.shindermail.net with Microsoft SMTPSVC(5.0.2195.6713);
        Sun, 6 Jun 2004 12:06:01 -0500
    Received: from ME8 ([192.168.1.100]) by MAILSEC8 with Microsoft SMTPSVC(5.0.2195.5329);
        Sun, 6 Jun 2004 12:04:34 -0500
    Content-Class: urn:content-classes:message
    Received: from FILEWAY ([192.168.1.21]) by ME8 with Microsoft SMTPSVC(5.0.2195.5329); Sun, 6 Jun 2004 12:02:22 -0500
    Received: from ISALOCAL.msfirewall.org ([209.30.170.29]) by FILEWAY with Microsoft SMTPSVC(5.0.2195.2966); Sun, 6 Jun 2004 12:03:06 -0500
    Received: from xpprosp1 ([192.168.1.187]) by ISALOCAL.msfirewall.org over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0); Sun, 6 Jun 2004 12:02:17 -0500
    Message-ID: <001301c44be8$0457b810$bb01a8c0@xpprosp1>
    From: "Administrator" <[email protected]>
    To: <[email protected]>
    Subject: Test
    Date: Sun, 6 Jun 2004 12:02:13 -0500

    You can also see the outgoing message by viewing the ISA Server 2004 firewall’s real-time log monitor. The SMTP Server lines indicate the incoming connections to the SMTP relay on the ISA Server 2004 firewall via the SMTP Server Publishing Rule, and the SMTP Local Host to Internal and External lines indicate the outbound SMTP messages being sent to the external domain. The DNS Internal to External lines show the Internal DNS server resolving the MX record for the outgoing message’s domain.
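    As an added example (not part of the article), the following script automates the two verification steps just walked through: it parses the fields of the Event ID 540 audit entry and the Received: headers, confirms that the client address recorded in both is the same, and confirms that the hop into the relay carries the "over TLS secured channel" marker. The sample event text and headers are constructed from the values quoted above, and ISALOCAL.msfirewall.org is assumed to be the relay.

```python
import re

# Constructed sample: the fields from the Event ID 540 entry quoted above
EVENT_540 = """Event ID: 540
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 192.168.1.187"""

# Constructed sample: the last two Received: headers shown above, newest first as in a real message
HEADERS = """Received: from ISALOCAL.msfirewall.org ([209.30.170.29]) by FILEWAY with Microsoft SMTPSVC(5.0.2195.2966); Sun, 6 Jun 2004 12:03:06 -0500
Received: from xpprosp1 ([192.168.1.187]) by ISALOCAL.msfirewall.org over TLS secured channel with Microsoft SMTPSVC(6.0.3790.0); Sun, 6 Jun 2004 12:02:17 -0500
"""

# The IIS SMTP service inserts "over TLS secured channel" before "with" only when the session used TLS
RECEIVED_RE = re.compile(r"^Received: from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)"
                         r"(?P<tls> over TLS secured channel)?", re.MULTILINE)

def parse_event(text):
    # "Field: value" lines of a Windows security event into a dict
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_received(headers):
    # Hops oldest-first as (client_ip, receiving_host, tls_used); MTAs prepend, so reverse file order
    hops = [(m.group("ip"), m.group("by"), m.group("tls") is not None)
            for m in RECEIVED_RE.finditer(headers)]
    return hops[::-1]

def check_relay_submission(event_text, headers, relay_host):
    # Correlate the relay's audited logon with the message's first hop; returns (ok, reasons)
    ev, hops, reasons = parse_event(event_text), parse_received(headers), []
    if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
        reasons.append("no successful network logon (event 540, logon type 3)")
    if ev.get("Authentication Package") != "NTLM":
        reasons.append("unexpected authentication package: %r" % ev.get("Authentication Package"))
    if not hops:
        return False, reasons + ["no Received: headers parsed"]
    ip, by, tls = hops[0]
    if by.lower() != relay_host.lower():
        reasons.append("first hop received by %s, not the relay" % by)
    if ip != ev.get("Source Network Address"):
        reasons.append("client %s differs from audited logon source %s" % (ip, ev.get("Source Network Address")))
    if not tls:
        reasons.append("submission to the relay was not TLS secured")
    return not reasons, reasons
```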


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=23;t=000072#000000 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
