I thought of authenticating all POP3/SMTP external users. POP3 access are provided by Client Access Server (CAS) and is joined to domain. No problem in authentication for POP access.
As for SMTP service, it is only provided by Hub Transport or Edge Transport. Hence, it made much security sense that I created a new Receive Connector on the edge server and enable "Basic Authentication". But when I configured Outlook client for SMTP authentication, the edge server rejected the authentication. Initially, I thought it could be due to Exchange ACL error or AD LDS faults within the Edge server. I came to realize that this is a wrong concept when I come to this Technet blog. Remember that AD LDS is for extending AD partition to the perimeter network and it's not meant for authentication (only a full Domain Controller or RODC does authentication but Exchange doesn't support the latter).
As for SMTP service, it is only provided by Hub Transport or Edge Transport. Hence, it made much security sense that I created a new Receive Connector on the edge server and enable "Basic Authentication". But when I configured Outlook client for SMTP authentication, the edge server rejected the authentication. Initially, I thought it could be due to Exchange ACL error or AD LDS faults within the Edge server. I came to realize that this is a wrong concept when I come to this Technet blog. Remember that AD LDS is for extending AD partition to the perimeter network and it's not meant for authentication (only a full Domain Controller or RODC does authentication but Exchange doesn't support the latter).
Important note:
Configuring SMTP
Most commonly, however, your clients will be authenticating for the purposes of identifying themselves (sender permissions checks) and prove that they are allowed to relay. This authorization can be done by Edge only if it is in the domain. Since is not be the most common configuration, the Hub role may be more suited for this purpose.
No comments:
Post a Comment