I am wondering if anyone could verify the Exchange 03 relay settings for me. I am not sure if this is correct. I much appreciate your help. Thanks in advance~~
We have a standalone server running Win 03 Svr Std, installed with Exchange 03 Enterprise. The Exchange server is behind the firewall (using a LAN IP) and it lies on the same LAN as other workstations.
Under the SMTP Virtual Server properties, these are my settings.
Authentication = Checked Anonymous Access ONLY. Under "Users", I grant "Domain Users" to have Submit Permission and Relay Permission ONLY.
Connections = Selected "All except the list below", the list is blank.
Relay = Selected "Only the list below" and I granted access for IPs "127.0.0.1" and the mail server LAN IP. I "unchecked" Allow all computers which successfully authenticate to relay, regardless of the list above. Under "Users", I grant "Domain Users" to have Submit Permission and Relay Permission ONLY.
I am not sure if the above settings are correct, so that others won't be able to use my mail server as relay, Thanks for the help~~
Also, if there is anything I need to be aware of under Exchange 2003 (a MUST setting), please let me know~~

I believe you have your server a bit too open, these are my settings:
Authentication = Basic and Integrated only, Anonymous is unchecked. This is a major thing to get right, otherwise anyone can use your smtp.
Connections = Only the list below, in the list are the subnet 192.168.5.0 (255.255.255.0). Notice the 0 in the end, that signifies the subnet address and not a specific host.
Relay = Only the list below, my list is empty but I don't need relaying, otherwise there should be a single IP, a group of IP's or a domain there. I wouldn't put the routing address there, that means anyone logged into the domain would be able to relay and that's an unnecessary risk.
Hope that helps!

Thanks for the reply.
If I uncheck "Anonymous" under Authentication, internet emails aren't coming into our mail server, do you know a way to resolve that?
I saw others setting it up like you did, but they usually have a front-end / back-end Exchange servers....I only have one Mail Exchange server.
Thanks for the help!!

DO NOT uncheck anonymous authentication. All communication via SMTP over the internet to other mail servers is done anonymously. That is the nature of the SMTP protocol as ratified by the RFC. If you uncheck that tab you will NOT receive any email as no server on the internet will be able to authenticate with your server unless you specify an account. For obvious reasons that is simply impractical.
You do NOT need to modify any of the permissions under SMTP virtual server. All mail when "submitted" to Exchange via a MAPI client or OWA is authenticated with their domain credentials and Exchange is responsible for relaying the email. The only time you will ever need to modify those settings is if you have remote users using IMAP or POP3 to retrieve email and then need the corresponding relay permissions to send email through your server. Other than this scenario they should be left at the defaults.

To Phatsta
Authentication = Basic and Integrated only, Anonymous is unchecked. This is a major thing to get right, otherwise anyone can use your smtp.
Connections = Only the list below, in the list are the subnet 192.168.5.0 (255.255.255.0). Notice the 0 in the end, that signifies the subnet address and not a specific host.
Relay = Only the list below, my list is empty but I don't need relaying, otherwise there should be a single IP, a group of IP's or a domain there. I wouldn't put the routing address there, that means anyone logged into the domain would be able to relay and that's an unnecessary risk.
-----------------------------------------------------------------------------------------
This is bad advice. Communication over the SMTP protocol must remain anonymous. That itself does not make you an open relay. Having the tab checked "allow users to which successfully authenticate to relay.." WILL make you an open relay.
If you must grant servers the ability to relay through your mail server you must be specific and grant the precise IP address as that is a more secure configuration. No email admin will not want an entire subnet given the ability to arbitrarily relay mail through their mail server.

Thanks for the reply.
Referring to my server setup, I can simply leave the settings at their defaults, am I correct? I did set to enable POP3 for end users to download email, however they are not allowed to send emails through the Exchange server.

Yes, leave the settings at the default. Just ensure that under the SMTP virtual server "allow users to which successfully authenticate to relay.." remains unchecked, otherwise you will be an open relay.
Additionally, if users need to view mail on your server over the internet, use OWA (Outlook Web Access). Or enable IMAP instead of POP3. (You can use RPC over HTTP but we won't go there for now :-) ) POP3 will download their email from Exchange and it will reside on their local machine. The result will be calls to yourself from users when they log on to the domain as to "where" their email has gone. IMAP is a server-side protocol that will allow them to view their mail from any PC but the email data remains on your Exchange server.
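
Added example, not part of the thread and not Microsoft code: a simplified Python model of how the Authentication and Relay settings discussed above combine for a single RCPT TO. The decision order, the class and function names, and every address and domain are assumptions constructed for illustration; the Connections list is not modelled, and per-user Relay Permission is folded into one flag.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SmtpVsConfig:
    """Simplified SMTP virtual server settings (hypothetical model, not vendor code)."""
    local_domains: set                                  # domains this server hosts mail for
    anonymous_access: bool = True                       # Authentication: Anonymous access
    auth_offered: bool = False                          # Authentication: Basic/Integrated
    relay_networks: list = field(default_factory=list)  # Relay: "Only the list below"
    auth_relay: bool = False                            # authenticated sessions may relay

def rcpt_decision(cfg, client_ip, has_credentials, rcpt_to):
    """Classify one RCPT TO; the decision order here is an assumption."""
    # Credentials only count if the server offers an authentication method.
    authenticated = has_credentials and cfg.auth_offered
    if not authenticated and not cfg.anonymous_access:
        return "REJECT_AUTH_REQUIRED"   # anonymous sessions cannot submit at all
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in cfg.local_domains:
        return "ACCEPT_LOCAL"           # inbound delivery, not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in cfg.relay_networks):
        return "RELAY_BY_IP"
    if authenticated and cfg.auth_relay:
        return "RELAY_BY_AUTH"
    return "REJECT_RELAY"

# Constructed sample values: example.com is the hosted domain, 192.168.5.10 the
# mail server's LAN IP, 203.0.113.7 an arbitrary internet host.
ASKER = SmtpVsConfig({"example.com"}, auth_relay=True,
                     relay_networks=["127.0.0.1/32", "192.168.5.10/32"])
# Relay checkbox state is not given in the thread for this one; assumed off.
NO_ANON = SmtpVsConfig({"example.com"}, anonymous_access=False, auth_offered=True)
SUBNET = SmtpVsConfig({"example.com"}, relay_networks=["192.168.5.0/24"])

def report(cfg):
    """Run the same four sessions against one configuration."""
    ext, inet = "x@example.net", "203.0.113.7"
    return {
        "internet MTA -> local user": rcpt_decision(cfg, inet, False, "bob@example.com"),
        "internet host -> external": rcpt_decision(cfg, inet, False, ext),
        "LAN workstation -> external": rcpt_decision(cfg, "192.168.5.77", False, ext),
        "remote with credentials -> external": rcpt_decision(cfg, inet, True, ext),
    }

if __name__ == "__main__":
    for name, cfg in (("asker", ASKER), ("no anonymous", NO_ANON), ("subnet", SUBNET)):
        print(name, report(cfg))
```
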
