IMF vs SmtpMail

Kal

This began when I installed the Intelligent Message Filter on the Exchange
Server 2003 I use to send the mail:
"Error sending email: The message could not be sent to the SMTP server. The
transport error code was 0x800ccc69. The server response was 550 5.7.1
Requested action not taken: message refused"

And from the Exchange Server Event Log:
"The message with ID <[email protected]>,
P1 From smtp:[email protected], Subject email test, from remote host
"EXCHANGESERVER" was Rejected/Deleted by Intelligent Message Filter. This
is an informational event and does not indicate an error.

MSExchangeTransport
SMTP Protocol
Event ID: 7512"
The same thing happens with ASP code taken from the MSDN article "Sending
SMTP Mail by Port 25 Using CDOSYS". These give error messages '8004020f' and
'0x80040211' but I believe it is the same problem.

Is there a way to use CDO (I guess SmtpMail uses this) and not have the
message trapped?

Kal
 
Peter Huang [MSFT]

Hi

Based on my knowledge, the IMF can be considered a server-side event sink
DLL; it is located on the server side and monitors incoming mail and
filters it based on certain conditions.

So I think the problem seems to be on the server side. To isolate the
problem, I think we may try to use a mail client, e.g. Outlook Express, to
send the same mail with identical subject, mail receipt and so on to see if
a similar problem will occur.

Also, for Exchange problems, I think you may try to post in the Exchange
related newsgroups, so that other community members will benefit from your experience.
microsoft.public.exchange.admin
microsoft.public.exchange

If you still have any concern, please feel free to post here.



Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Kal

Outlook Express goes thru without a problem. I did not find
microsoft.public.exchange.
Kal
 
Peter Huang [MSFT]

Hi

I also have discussed with our exchange engineer.
Here is his suggestion!

Based on our understanding, currently, you are sending mail with software
written by yourself, and mails from it are rejected after IMF was installed.

But Exchange responds with 5.7.1 in the NDR, which generally means "unable to
relay". This is a problem with the SMTP virtual server configuration, not
with IMF. For NDR 5.7.1, here is a part of KB284204.

Numeric Code: 5.7.1
Possible Causes:
o General access denied, sender access denied - the sender of the message
does not have the privileges required to complete delivery.
o You are trying to relay your mail through another SMTP server and it
does not permit you to relay.
o The recipient might have mailbox delivery restrictions enabled. For
example, a recipient's mailbox delivery restriction was set to receive from
a Distribution List only and non-members' email will be rejected with this
error.
o For Exchange Server 2003, a distribution list can be configured to
restrict mail delivery from unauthenticated users. Mail that is sent by
using an unauthenticated SMTP session are rejected.
Troubleshooting: Check system privileges and attributes for the contact and
retry the message. Also, make sure you are running Exchange 2000 Service
Pack 1 or later for other potential known issues.

Delivery status notifications in Exchange Server and in Small Business
Server
http://support.microsoft.com/?id=284204

He suggested that we can try two steps:
1. disable IMF and check if the problem remains
2. use a mail client such as outlook express or simply telnet to submit a
mail, check if it works

If you still have any other concern, please feel free to post here.


Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Nick Malik [Microsoft]

Hi Kal,

Ignore the advice to uninstall IMF.

You need to send authenticated e-mail.

You can do this either with Windows authentication (e.g. the service account
or app pool account running your application), or you can pass the
credentials to the SMTP server. Both methods can be done with CDOSYS.

There is an excellent FAQ at SystemWebMail.com with a good topic on sending
authenticated e-mail to your SMTP server.
http://www.systemwebmail.com/faq/3.8.aspx

One thing missing from that faq: if you set smtpauthenticate to "2" then
you are using Windows Authentication.
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
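
The two approaches described in the post above, as an added example that is not code from the thread or from the linked FAQ. The server name and addresses are placeholders; the field names are the standard CDOSYS configuration fields that System.Web.Mail passes through via `MailMessage.Fields`.

```csharp
using System;
using System.Web.Mail; // .NET 1.1 API that wraps CDOSYS

public sealed class AuthenticatedMailer
{
    // CDOSYS configuration namespace; field names are appended to it.
    private const string Cdo = "http://schemas.microsoft.com/cdo/configuration/";

    // Values accepted by the smtpauthenticate field.
    public enum SmtpAuth { Anonymous = 0, Basic = 1, Ntlm = 2 }

    public static MailMessage Build(string from, string to, string subject,
                                    string body, SmtpAuth auth,
                                    string user, string password)
    {
        MailMessage msg = new MailMessage();
        msg.From = from;
        msg.To = to;
        msg.Subject = subject;
        msg.Body = body;
        msg.Fields[Cdo + "smtpauthenticate"] = (int)auth;

        if (auth == SmtpAuth.Basic)
        {
            // Basic sends the credentials base64-encoded, not encrypted,
            // and forces a password into code or configuration.
            if (user == null || password == null)
                throw new ArgumentException("Basic authentication needs a user name and password.");
            msg.Fields[Cdo + "sendusername"] = user;
            msg.Fields[Cdo + "sendpassword"] = password;
        }
        // Ntlm: no credentials are set here. CDOSYS authenticates as the
        // account the process runs under (service or app pool identity).
        return msg;
    }

    public static void Main()
    {
        // Placeholder host and addresses (assumptions, not from the thread).
        SmtpMail.SmtpServer = "exchange.example.internal";
        MailMessage msg = Build("app@example.internal", "ops@example.internal",
                                "email test", "Sent with Windows authentication.",
                                SmtpAuth.Ntlm, null, null);
        SmtpMail.Send(msg);
    }
}
```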
 
Kal

Peter,
Thanks for your help. The Exchange Engineer did not read the entire message,
specifically the part from the Event Log. Nevertheless, the suggestion led
to useful information. I disabled IMF and SmtpMail worked as before.

While doing it I noted that this small app was written to send a logfile on
an error condition, so I re-enabled IMF and disabled the attached logfile.
Again the message went thru. I reattached the logfile and it was blocked.
The attachment was named testfile.log, so I changed the attachment name to
testfile.txt and tried it again. Again it worked.

In summary, an attachment named testfile.log is blocked by IMF but an
identical attachment named testfile.txt is not blocked. A message with no
attachment is not blocked.

Kal
 
Kal

Thanks Nick,
Not my exact problem, but useful. I have used systemwebmail's information
previously, and it is excellent. I do not allow authentication as a
compromised password will allow spammers access. The only allowed relay is
by ip address and these are all on my private network in the 10.1.x.x
series.
Kal
 
Peter Huang [MSFT]

Hi

I am glad that you have resolved the problem.
Since I am not familiar with Exchange, I am sorry for the response
before.

If you still have other dot issue, please feel free to post here.

Thanks for your understanding!

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Nick Malik [Microsoft]

Hello Kal,
> I do not allow authentication as a compromised password will allow
> spammers access.

If you use windows authentication, you do not have to put the userid or
password into the code. The Userid and Password are simply derived from the
app pool account you have already set up.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
 
Kal

Nick,
If you allow relay for the internal network you can use anonymous and no
userid or password. If you allow only anonymous no one can use exchange to
crack your passwords because authentication is simply not being done.
Kal
 
Nick Malik [Microsoft]

Hi Kal,

If someone can get your passwords from the app pool, they aren't using
Exchange to crack your passwords. They'd need access to the physical
servers. (Hope you have a few locked doors :). The credentials are
already in the app pool. By using anonymous e-mail, your app is simply
ignoring the credentials available to it.

Anonymous access gives your internal applications the ability to send e-mail
with two lines less of code. However, the receiving e-mail client may
decide that the message came from an external spammer, because the e-mail
"from" address is not verified. Outlook 2003 will frequently consider these
messages to be Junk Mail and move them out of the recipient's In Box. If
you want your messages to always get to the reader, Authenticate.

In my personal opinion, all anonymous access to e-mail should be completely
banned as the first step in a long process of killing off the scourge of
unsolicited e-mail.

If you want to make an argument, based on security, for using anonymous
e-mail, I'd suggest strongly that spam fighting is a far greater benefit to
your organization than the minor code inconvenience (with zero security
impact) of using authenticated e-mail.

If you want to debate the merits of anonymous vs authenticated e-mail, and
the security implications thereof, I'd suggest that you post a query on one
of the exchange or security groups.

--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
 
Kal

Nick,
As I understand it, if you allow authenticated users to send email any
compromised password will allow spamming, however the compromise was
accomplished. As I recall, authentication does not discriminate between
internal and external. If you do not allow authentication I fail to see how
it will provide an opening to a spammer, provided you do not have an open
relay.

I am pretty sure this recommendation came from an MS document. I do not have
it at hand so cannot refer you. I do not want to have a debate. Neither am I
sure that allowing authentication improves security. I take your point that
it improves chances for successful delivery.

On this webserver we have form based email that users who have authenticated
to the website but who are not members of the domain can use to send email.
The from address on this email is taken from the user's web login. In order
for this email to be authenticated it would need to show a from address of a
domain member. Is that correct? How would you propose to handle this?

My objective here is to be able to remove SMTP from the webserver. It
appears that spammers are using it for an NDR spam scam, and the Exchange
Server seems to provide more control.

Kal

