
Proxy Exchange SMTP

Hi everyone, I am beginning an Exchange migration and I am looking over design options. I would like to establish some kind of proxy server in the DMZ to handle the submission of email over TCP:587 by Exchange users. I've looked over IIS ARR and WAP a bit, but these seem focused on HTTP-based services like EWS, OWA, OAB, ActiveSync, etc.

It appears that the non-domain joined Edge Transport server may be an option for this, but it appears to handle all mail flow and offer anti-SPAM features. We use a Barracuda appliance for this and I am not looking to replace that. Can the Edge Transport server only proxy inbound TCP:587 SMTP submission from authenticated Exchange users?

Regards,
Adam Tyler


AndyDavid answered

No, it doesn't proxy. You'll probably need to look at 3rd party or open source products.

Quick Question: Why do you want to support port 587? Do you allow POP and IMAP clients?


Hi AndyDavid, we only use inbound TCP:587 mail submission for niche things. For example, our public web site developers have an Exchange user "service" account that gets used for forms submission. Things like that. Right now TCP:587 is forwarded from the perimeter directly to our old Exchange server; I want to move away from that somehow.

Otherwise client access is only available over a VPN. We don't publish any services from Exchange over the public internet with the exception of ActiveSync, a service I plan to proxy with IIS ARR or WAP. Not sure yet. WAP appears to require ADFS, which I am not excited about deploying on top of an Exchange migration project. That may only be a requirement for using WAP for ECP/OWA with pre-authentication; it may be able to proxy ActiveSync without ADFS, not sure.

Regards,
Adam Tyler


ok, cool, just wondering! :)

Yea, I think you'll have to look at 3rd party or open source. Nothing native in Exchange/Windows can do that.


Hmm. Crap. Seems really strange that M$ would supply tools like WAP and IIS ARR, but still expect you to forward ports directly from the internet to your mushy mailbox servers. Anyone out there have a suggestion on a third party product to serve this requirement?

Regards,
Adam Tyler

LucasLiu-MSFT answered

Hi @AdamTyler-3751 ,
Agree with what Andy said.
If we install Edge Transport servers, all mail coming from the Internet or going to the Internet flows through the Edge Transport server. We can't restrict it to only process mail on a specific port.
For more information: Mail flow and the transport pipeline

Hi @AdamTyler-3751 ,
Do the suggestions above help? If the issue has been resolved, please click "Accept as answer" to mark the helpful reply as an answer; this will make answer searching in the forum easier and be beneficial to other community members as well.

Thanks for your understanding.


Hi @LucasLiu-MSFT, I'm in the process of deploying an Edge Transport server now just to verify this. Will post back with the results.

-Adam

AdamTyler-3751 answered

@LucasLiu-MSFT @AndyDavid

So I took this about as far as I can and I suspect that you both are correct; it isn't possible to accept authenticated email over TCP:587 with an Edge Transport server.

I did deploy one in the lab and configured edge sync successfully. Test-EdgeSynchronization completes and states the SyncStatus as "Normal". As expected it created the necessary TCP:25 SMTP connectors between itself and the back end Exchange MBX server. What I was curious to know is what happens if I manually create a new receive connector directly on the Edge Transport server designed to use authentication for ExchangeUsers. So I did that and was able to make TCP:587 connections using OpenSSL from the CLI to interact with the SMTP service.

The first problem I ran into was authentication: I couldn't seem to use a Domain User account like I would expect. I was hoping the EdgeSync magic of pulling in the AD user database from the back end MBX server (AD LDS) would still allow this. I did take this a step farther and created a local user account in the local user database of the non-domain-joined Edge Transport server. Lo and behold, I was actually able to authenticate during the SMTP process! Local accounts aren't ideal, but I was making progress. When I actually tried to submit an email for relay, however, I got an error stating that the from address was invalid for the user I was authenticated with.

So, hmm. Sort of at a stopping point with this implementation. It does look like I am going to need to find a different mechanism for forwarding TCP:587 traffic directly to an MBX server. Perhaps some kind of reverse proxy device from a third party in the DMZ.

Regards,
Adam Tyler

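As an added example (not code from the thread or from Microsoft), this is the Exchange Management Shell configuration that reproduces the lab step described above, with the settings an authenticated submission listener reached from the perimeter should carry: TLS required before AUTH, only the submitting address range allowed, and verbose protocol logging for review. The FQDN smtp.example.com and the range 203.0.113.0/24 are placeholders.

```powershell
# Added example: a hardened TCP:587 receive connector for authenticated submission.
# Run on the Edge Transport server. Assumptions: the server holds a certificate for
# smtp.example.com (placeholder) and only 203.0.113.0/24 (placeholder, e.g. the web
# servers that submit form mail) should be able to reach the listener.
$ConnectorName = "Client Submission 587"

# Weak variant to avoid: -AuthMechanism BasicAuth with -RequireTLS $false lets the
# service account's password cross the perimeter in the clear.
New-ReceiveConnector -Name $ConnectorName `
    -Usage Custom `
    -Bindings "0.0.0.0:587" `
    -RemoteIPRanges "203.0.113.0/24" `
    -Fqdn "smtp.example.com" `
    -AuthMechanism Tls, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers `
    -RequireTLS $true `
    -ProtocolLoggingLevel Verbose

# Verify the effective settings before opening the port on the perimeter:
# AUTH must only be advertised after STARTTLS, and the remote range must be narrow.
Get-ReceiveConnector -Identity $ConnectorName |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, RequireTLS

# Interactive check of the listener from a client, as done in the thread with OpenSSL:
# issue EHLO before and after STARTTLS and confirm AUTH is listed only after it.
& openssl s_client -starttls smtp -connect "smtp.example.com:587" -crlf

# Run this part on the Mailbox server: the thread reports SyncStatus "Normal" when
# EdgeSync is healthy, so re-check it after changing connectors on the Edge server.
Test-EdgeSynchronization | Format-List
```

The submission itself still fails as the thread describes (the from address is rejected for a local Edge account), so the connector only confirms the listener's TLS and authentication behaviour.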

Hi @AdamTyler-3751 ,
Thank you for providing such detailed test results.
Yes, according to my understanding and the introduction of mail flow in Microsoft's official article, Exchange's own functions cannot meet your needs.

Yea, the problem is that SMTP is not considered a "client" in the sense you think of when requiring a reverse proxy.
There is one product that does this (or sort of does this), and that was the old Cisco FW SMTP Fixup stuff. Not sure it's still around, but it was notorious for screwing things up, so the recommendation was to always disable it:
https://docs.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-send-receive-email-behind-cisco-firewall