For the rest of the week, I’m in the Securing Microsoft Exchange Server 2003: Defense in Depth class taught by Microsoft’s Konstantin Ryvkin. Konstantin is another extremely knowledgeable member of the Microsoft IT team and is again giving us a unique and valuable look into the principles he is teaching by showing us how Microsoft has implemented them in their production Exchange environment.
For all of the power that Exchange 2003 brings to the table, there are always limitations that can make life really annoying. One such limitation is found when you try to restrict incoming connections to an SMTP virtual server. Exchange gives you two methods for such restrictions: source IP address or SMTP authentication. A common scenario is that you have a set of hosts you wish to be able to connect to your SMTP VS anonymously (such as from trusted business partners) but require authentication before allowing mail submission from anyone else (allowing your roaming users to use your server when outside the network). Out of the box, you can’t do this with a single SMTP VS. If you enable both restriction types, Exchange uses a logical AND to evaluate them. The result: only authenticated users from the trusted hosts can connect.
The workaround involves a lot of pain and usually requires a second virtual server or machine. Both of these scenarios can cause their own problems and complications; quoting from Chapter 6 of the Exchange Server 2003 Routing and Transport Guide:
If you use multiple SMTP virtual servers on a single Exchange server, be careful when you configure them. By default, multiple virtual servers cannot communicate with one another. For proper mail flow, you need to configure them appropriately so that mail can be routed between them. Additionally, each SMTP virtual server must be configured with a unique Internet Protocol (IP) address and port combination. Generally, all SMTP virtual servers require port 25 so you must assign unique IP addresses to them.
Thanks to Konstantin, I learned that there is a little-known IIS 6.0 metabase parameter that can be quite useful for this situation (yet another reason to deploy Exchange 2003 on Windows 2003). The SMTPIPRestrictionFlag property (PropID 37031) controls the logic that Exchange uses. In the default setting of 0, Exchange uses the logical AND, resulting in the out-of-the-box behavior. You can set this to an alternate value (I’m guessing 1, but I don’t know for sure because the only documentation for the property is rather sparse) to trigger the use of the logical OR. The end result? Exchange will allow anonymous connections from trusted IP addresses and authenticated connections from any address. Exactly what we wanted!
I’m sure I’ll have spare time in the lab tomorrow, so I’ll ask for more details and try playing with it to cobble together a usable example for you. Stay tuned.
Update 0920 PDT 05 May 2005: Konstantin has confirmed that you want to set SMTPIPRestrictionFlag to a value of 1 in order to enable the logical-OR behavior. Even though this property has been minimally documented for a while, it’s only since last week that they’ve been allowed to start talking about use of this property. Breaking news from Ecubed!
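As an added example (my own script, not something from the class or from Microsoft), here is one way to flip the flag through the IIS ADSI metabase provider and read it back so the change is recorded and verified. It assumes the target is SMTP virtual server instance 1 (IIS://localhost/SMTPSVC/1) and that the metabase schema exposes the property to ADSI under the name SMTPIPRestrictionFlag; if it does not, set it by its PropID (37031) with adsutil.vbs instead.

```powershell
# Added example, not from the original post.
# Assumptions: SMTP virtual server instance 1; property reachable by name via ADSI.
param(
    [string]$VirtualServerPath = "IIS://localhost/SMTPSVC/1",
    [int]$DesiredValue = 1     # 1 = logical OR (confirmed in the update); 0 = default AND
)

$propertyName = "SMTPIPRestrictionFlag"
$vs = [ADSI]$VirtualServerPath

# Record the current value first so the change is auditable and easy to revert.
try {
    $before = $vs.Get($propertyName)
} catch {
    $before = "<not set>"   # Get() throws when the property has never been written
}
Write-Host "$propertyName on $VirtualServerPath before change: $before"

if ($before -eq $DesiredValue) {
    Write-Host "Already set to $DesiredValue; nothing to do."
    return
}

# Write the new value and commit it to the metabase.
$vs.Put($propertyName, $DesiredValue)
$vs.SetInfo()

# Re-read from the metabase rather than trusting the local object.
$vs.GetInfo()
$after = $vs.Get($propertyName)
if ($after -ne $DesiredValue) {
    Write-Error "Commit failed: $propertyName reads back as $after, expected $DesiredValue"
    return
}
Write-Host "$propertyName is now $after (anonymous from trusted IPs OR authenticated from anywhere)"
```

After running it, confirm the behavior end to end: a connection from a trusted address should be accepted without authentication, and a connection from any other address should be refused until it authenticates. Keep the "before" value in your change record so the server can be returned to the default AND logic if the relay test shows something unexpected.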