Exchange Server 2010 with cdo and authentication

  • Question

  • I am trying to set up my Exchange Server so that I can send emails to users outside the organization using cdo and I can't seem to find the correct settings.

    I do not want to allow anonymous relay or have it limited by the IP address of the sender.

    I am actually specifying the user name and password in the cdo call.  It was my understanding that this was allowed by enabling "Basic Authentication" on the receive connector.  For security, offer basic only after TLS is also enabled to prevent sending the username and password across the network and possibly the internet (depending on where the server is) in clear text form.

    I thought our Exchange server was set up correctly, but it now appears that it was set up to allow anonymous relay :(.

    The following is a vbs script I was using to test this:

    'Values to specify are stored in the email setup for Event Alert - please manually add them to this script
    cdoSendUsingMethod       = "http://schemas.microsoft.com/cdo/configuration/sendusing"
    cdoSMTPServer            = "http://schemas.microsoft.com/cdo/configuration/smtpserver"
    cdoSMTPServerPort        = "http://schemas.microsoft.com/cdo/configuration/smtpserverport"
    cdoSMTPConnectionTimeout = "http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout"
    cdoSMTPAuthenticate      = "http://schemas.microsoft.com/cdo/configuration/smtpauthenticate"
    cdoSendUserName          = "http://schemas.microsoft.com/cdo/configuration/sendusername"
    cdoSendPassword          = "http://schemas.microsoft.com/cdo/configuration/sendpassword"
    cdoSMTPUseSSL            = "http://schemas.microsoft.com/cdo/configuration/smtpusessl"
    cdoSendEmailAddress      = "http://schemas.microsoft.com/cdo/configuration/sendemailaddress"

    Set objMessage = CreateObject("CDO.Message")

    With objMessage
        With .Configuration.Fields  'Set config fields we care about
            .Item(cdoSendUsingMethod)       = 2                                ' = cdoSendUsingPort (send over the network, not a pickup directory)
            .Item(cdoSMTPServer)            = "exchange.client.local"          'Specify actual SMTP Server name or IP here
            .Item(cdoSMTPServerPort)        = 25
            .Item(cdoSMTPConnectionTimeout) = 60
            .Item(cdoSMTPAuthenticate)      = 1                                ' = cdoBasic
            .Item(cdoSendUserName)          = "ClientDomain\testaccount"       'Specify Actual user name here
            .Item(cdoSendPassword)          = "password"                       'Specify Actual password here
            .Item(cdoSMTPUseSSL)            = True                             'Using SSL/TLS? Specify True or False
            .Item(cdoSendEmailAddress)      = "testaccount@clientdomain.com"   'Specify email address here in the form "Display Name <email_address>"  (same as .From of objMessage)

            .Update
        End With

        .To       = "Seradex@hotmail.com"                                      'Specify Destination email here - form: "Display Name <email_address>" (must be a quoted string)
        .From     = "TestAccount <testaccount@clientdomain.com>"               'Specify Source email here - form: "Display Name <email_address>"
        .Subject  = "Test email"
        .TextBody = "This is to test sending an email"
        '.HTMLBody = "This is to test sending an email"                        'To test HTMLBody add html formatted body - should not be required for basic test.
        .Send
    End With

    I appreciate all help in this matter.  Thank you.

    Mark

    Seradex Inc.


    • Edited by MD.seradex Thursday, February 25, 2016 12:00 AM
    Monday, February 22, 2016 10:51 PM

All replies

  • The default port on Exchange for authenticated SMTP client sessions is 587. Have you tried that?

    Cheers
    Glen

    Tuesday, February 23, 2016 2:36 AM
  • Hi Glen. Thanks for the quick reply.

    I tried to connect via that port previously and nothing seems to be listening there.

    There is no receive connector set up to listen on that port and I didn't see anything listening there using netstat.  I checked again, and there is no application listening on port 587.  It is peculiar that many people on the Internet have stated that "the default port on Exchange for authenticated SMTP client sessions is 587"; however, in my investigations with the many clients I have dealt with, I have never seen Exchange listen on that port.

    I know the script works with Exchange 365 servers, so I should be able to set up my local Exchange to handle it.

    Is there a Microsoft article somewhere that explains how to set this up correctly? I have yet to find one.



    • Edited by MD.seradex Wednesday, February 24, 2016 11:53 PM re-checked with netstat
    Tuesday, February 23, 2016 2:09 PM
  • AFAIK cdo doesn't support TLS. You can enable protocol logging on the Connector to confirm that; cdoSMTPUseSSL just means it uses SSL (there is a difference). If you mandate TLS first before basic on the connection, then your code would never work because it won't start the TLS conversation (but check your protocol logs; you should see a StartTLS etc).

    Cheers
    Glen

    Wednesday, February 24, 2016 1:20 AM
  • Everything I read basically says that TLS is the next generation of SSL. They didn't create a new flag for it because they essentially do the same thing.  TLS just does it more securely.  My understanding is that cdo (or MAPI which is what cdo wraps) was internally updated to support TLS or SSL via the same flag, depending on the mail server requirements.  It determines which cryptographic protocol is used during the negotiation with the server.

    I appreciate any information that can be provided.
    • Edited by MD.seradex Wednesday, February 24, 2016 11:49 PM
    Wednesday, February 24, 2016 2:26 PM
  • What are you seeing in the Protocol logs? That will tell you what is happening with the SMTP conversation, which will be critical to working out what is going wrong.

    I think you're confusing CDO versions. You're not using MAPI; only CDO 1.2 is an exMapi wrapper. You're using CDOSYS: http://blogs.technet.com/b/postwoman/archive/2010/09/14/diferences-between-cdonts-cdosys-cdo-cdoex-and-cdoexm.aspx

    But you really need to look at the protocol logs to see if it is starting (and offering) TLS correctly (e.g. it implies you have the certificates set correctly on the Server side etc, but that's what the protocol logs will tell you).

    You have also never said what the error you get is.

    Cheers
    Glen

    Thursday, February 25, 2016 1:38 AM
  • The error is the standard cannot relay error.

    Also, one client has an odd situation where they have an anonymous receive connector for a specific IP (the machine the script is tested from), which when disabled so the Default Receive Connector will take over, they instead get "unable to connect" errors.  Note that the Default Receive Connector is set to accept from all internal IPs and from Exchange users on port 25.

    In regards to the protocol logs, I am not sure how to access them.  I have tried unsuccessfully to view Exchange logs in the past.  Is there something that needs to be enabled/restarted/set for the logs to give useful info?  A link to an article about the protocol logs would be helpful.

    Note that there is a certificate set up and enabled on the server that has the server's name and is set to be used for SMTP.  I wonder though if there is some specific setting/property the certificate needs to have for this to all function correctly.

    In addition, it is my understanding, from many articles I have read, that CDOSYS is the underlying dll for the .NET System.Web.Mail and System.Net.Mail namespaces.  As such, shouldn't it be supporting the newer technologies (TLS for instance)?

    I appreciate all your assistance with this.

    Thursday, February 25, 2016 3:41 PM
  • >> CDOSYS is the underlying dll for the .NET System.Web.Mail and System.Net.Mail namespaces

    That's correct for SWM (which is also really old), but System.Net.Mail is a native implementation.

    Protocol logging needs to be turned on: http://exchangeserverpro.com/exchange-server-protocol-logging/ . On a production server these logs can get quite large, so you just want to turn it on for long enough to capture the SMTP conversation.

    >>Also, one client has an odd situation where they have an anonymous receive connector for a specific IP (the machine the script is tested from), which when disabled so the Default Receive Connector will take over, they instead get "unable to connect" errors.  Note that the Default Receive Connector is set to accept from all internal IPs and from Exchange users on port 25.

    Sounds like configuration settings have been changed. I would suggest you check the current settings against the default settings on the Receive Connectors, and I would re-create the default Client Receive connector on port 587 for authenticated SMTP connections (see https://technet.microsoft.com/en-us/library/aa996395(v=exchg.141).aspx) rather than trying to modify the default.

    With TLS and SMTP there is both Implicit and Explicit SSL; the latter, which is what you want, is where "Connect on 25 -> StartTLS (starts to encrypt) -> authenticate -> send data" http://blogs.msdn.com/b/webdav_101/archive/2008/06/02/system-net-mail-with-ssl-to-authenticate-against-port-465.aspx . This is where you want the protocol logs to tell you what is happening, because the server should advertise back to the client that TLS is available and then the client should use StartTLS, etc.


    Friday, February 26, 2016 5:35 AM
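    The check Glen describes above, reading the Receive connector protocol log for the "STARTTLS, then AUTH" order, as an added example that is not part of the thread: it parses the Exchange 2010 SMTP Receive protocol log layout (the `#Fields:` header and its `+`/`<`/`>` event codes) and reports, per session, whether the server advertised STARTTLS and whether the client authenticated before or after it. The log rows, session ids and the 504/550 reply strings are constructed sample data.

```python
import csv
from collections import defaultdict

# Constructed Exchange 2010 "SMTP Receive Protocol Log" sample ('<' = received
# from client, '>' = sent to client). Session 08D3A1 sends AUTH before STARTTLS
# (cleartext credentials, then "Unable to relay"); 08D3A2 uses the right order.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-02-25T14:00:01.010Z,EX1\Default EX1,08D3A1,1,10.0.0.5:25,10.0.0.20:50123,<,EHLO client,
2016-02-25T14:00:01.020Z,EX1\Default EX1,08D3A1,2,10.0.0.5:25,10.0.0.20:50123,>,250-STARTTLS,
2016-02-25T14:00:01.030Z,EX1\Default EX1,08D3A1,3,10.0.0.5:25,10.0.0.20:50123,<,AUTH LOGIN,
2016-02-25T14:00:01.040Z,EX1\Default EX1,08D3A1,4,10.0.0.5:25,10.0.0.20:50123,>,504 5.7.4 Unrecognized authentication type,
2016-02-25T14:00:01.050Z,EX1\Default EX1,08D3A1,5,10.0.0.5:25,10.0.0.20:50123,<,RCPT TO:<someone@example.com>,
2016-02-25T14:00:01.060Z,EX1\Default EX1,08D3A1,6,10.0.0.5:25,10.0.0.20:50123,>,550 5.7.1 Unable to relay,
2016-02-25T14:01:01.010Z,EX1\Default EX1,08D3A2,1,10.0.0.5:25,10.0.0.20:50124,<,EHLO client,
2016-02-25T14:01:01.020Z,EX1\Default EX1,08D3A2,2,10.0.0.5:25,10.0.0.20:50124,>,250-STARTTLS,
2016-02-25T14:01:01.030Z,EX1\Default EX1,08D3A2,3,10.0.0.5:25,10.0.0.20:50124,<,STARTTLS,
2016-02-25T14:01:01.040Z,EX1\Default EX1,08D3A2,4,10.0.0.5:25,10.0.0.20:50124,>,220 2.0.0 SMTP server ready,
2016-02-25T14:01:01.050Z,EX1\Default EX1,08D3A2,5,10.0.0.5:25,10.0.0.20:50124,<,AUTH LOGIN,
2016-02-25T14:01:01.060Z,EX1\Default EX1,08D3A2,6,10.0.0.5:25,10.0.0.20:50124,>,235 2.7.0 Authentication successful,
"""

def parse_sessions(log_text):
    """Group rows by session-id as (event, data) pairs, in log order."""
    sessions, fields = defaultdict(list), None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, next(csv.reader([line]))))
            sessions[row["session-id"]].append((row["event"], row["data"]))
    return sessions

def diagnose(events):
    """Check one session for the explicit-TLS order: EHLO -> STARTTLS -> AUTH."""
    advertised = any(e == ">" and d.startswith("250-STARTTLS") for e, d in events)
    cmds = [d.upper() for e, d in events if e == "<"]
    tls = next((i for i, c in enumerate(cmds) if c == "STARTTLS"), None)
    auth = next((i for i, c in enumerate(cmds) if c.startswith("AUTH ")), None)
    denied = any(e == ">" and d.startswith("550 5.7.1") for e, d in events)
    if not advertised:
        return "server did not advertise STARTTLS (check certificate/connector)"
    if auth is not None and (tls is None or auth < tls):
        return "AUTH sent before STARTTLS (cleartext credentials)" + (", relay denied" if denied else "")
    if auth is None:
        return "no AUTH attempted" + (", relay denied" if denied else "")
    return "STARTTLS then AUTH: correct explicit-TLS order"

if __name__ == "__main__":
    for sid, ev in parse_sessions(SAMPLE_LOG).items():
        print(sid, "->", diagnose(ev))
```

    Point it at a real log by reading the file from the Receive connector's ProtocolLog path instead of SAMPLE_LOG; a session that shows AUTH with no preceding STARTTLS is the case Glen warns about.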
  • Thank you very much for the information and all of your help.

    I will be looking at this again (hopefully) soon and will update this thread with my results.

    Mark
    Seradex Inc.

    Monday, March 7, 2016 3:41 PM