Firstly, I know nothing about how Exchange operates and what is and isn't possible.

We're trying to send mail from our webserver (AWS) through our own mail server (in-house), but for this we need an authentication method enabling in Exchange. Our systems are managed by an outside company who have a contract with us; they seem very reluctant to enable any type of authentication for remote IPs to use (we asked them first back in February). Their latest response was to decline our request again, and they told us to just use Amazon SES. I have no access to this server myself, so any answers can only be used when I talk to them next.

1) Are there any major security issues with enabling an authentication method on a server? (I'm aware that basic auth sends details in plain text)

2) Does Exchange offer an IP whitelist?

3) Is there an idiot-proof guide to how to set all of this up?


Here is the result of connecting over telnet:

220 domain.com Microsoft ESMTP MAIL Service ready at Thu, 23 May 2
ehlo name
250-domain.com Hello [ip.ip.ip.ip]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
Jamie Taylor
  • If a company that you pay to host your Exchange servers is declining to do something you have requested, it's time to get SOMEBODY WHO WILL. At the very least they should give you a reason they won't do it, provide options, and help you figure out an alternative to your request. –  May 23 '13 at 15:59

1 Answer

For 1) and 2):

You can set up a custom Receive Connector in Exchange that allows your preferred authentication type, and can be limited to accepting connections from only certain Networks, IPs, User types, etc.

If you are aware the credentials are sent in plain text (with basic authentication), then you understand the primary security risks, and you'll have to decide if those risks are OK with you.

For 3):

See the link in the first line of this answer. :) Also, if you pay them to manage your Exchange Server, and they can't figure this out without an "Idiot-Proof" guide, then you need to consider a new Exchange host.

techie007
  • Thanks a bunch, I'm going to mark this as correct since it has enough detail and the nature of my question (and the company we're dealing with) may take weeks to be resolved. I think the time we spoke to them before last, they mentioned that enabling a relay would be opening up our servers to anyone to send email through. I'm assuming with the possibility of white-lists, this makes their claim untrue, right? – Jamie Taylor May 23 '13 at 15:14
  • @JamieTaylor - Your host is serving you a bunch of hogwash. While their claims have an ounce of merit because (it could allow somebody to send mail on your server's behalf), you simply define which remote IP address can send mail on the server's behalf to prevent that. Furthermore, anyone can already pretend to be somebody from your company at any point, and in most setups, nothing would be flagged as being strange. You have to have very strict settings enabled to prevent that type of thing from happening. You can't prevent somebody masking the "sender" address as anyone they want. –  May 23 '13 at 16:02
  • @Ramhound: Thank you very much, I'll be using all of this when I next speak with them. – Jamie Taylor May 24 '13 at 07:32
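
A sketch of the custom Receive Connector the answer describes, written for the Exchange Management Shell. This is an added example, not part of the original thread or the answerer's own configuration; the server name `EXCH01`, the connector name and the address `203.0.113.25` (a documentation-range stand-in for the web server's static public IP) are placeholders, and the Exchange version is assumed since the question does not state it.

```powershell
# Added example. All three values below are placeholders, not taken from the thread.
$server = 'EXCH01'            # hypothetical Exchange server name
$name   = 'Web server relay'  # hypothetical connector name
$webIp  = '203.0.113.25'      # stand-in for the AWS web server's static address

# A Custom connector is selected by source address: only SMTP sessions coming
# from $webIp match it. Every other remote host keeps hitting the existing
# connectors, so nothing changes for the rest of the Internet.
#
#   -AuthMechanism Tls, BasicAuthRequireTLS
#       AUTH is only accepted after STARTTLS, which addresses the
#       "basic auth sends details in plain text" concern from the question.
#   -PermissionGroups ExchangeUsers
#       Only authenticated mailbox users may submit; anonymous sessions
#       are not granted anything on this connector.
#
# On Exchange 2013 and later, also pass -TransportRole FrontendTransport so the
# connector does not collide with the default port 25 listener.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $webIp `
    -AuthMechanism Tls, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# Settings that would justify the host's "open to anyone" worry, for contrast:
#   -RemoteIPRanges 0.0.0.0-255.255.255.255   any host may attempt logins
#   -AuthMechanism BasicAuth                  password accepted without TLS
#   -PermissionGroups AnonymousUsers          no authentication at all

# Confirm what was actually applied before pointing the web server at it.
Get-ReceiveConnector -Identity "$server\$name" |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
```

The web application should then authenticate with a dedicated low-privilege mailbox account rather than a staff member's credentials, so the account can be disabled without affecting anyone else.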