MITM Security Registry Edit Causing SMTP Relay Issue
Hi, I recently was asked by a client to harden all externally facing web resources for a PCI compliance scan. I found a script that does most of the work by adding various protocols (TLS 1.2, SSL 3.0, etc.) and enabling them. The script, however, was not helping us get past Man In The Middle (MITM) scans, so I added 2 registry settings:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\
added
DisableRenegoOnServer 1
AllowInsecureRenegoClients 0
After doing this, a Linux web app could not relay messages via SMTP (the only server having a problem) on port 25. So I had to back out the changes in Exchange, but now I'm wondering how to work around this. Has anyone ever run into this or have any tips they can offer? Thanks in advance.
Hi,
When the users fail to send/receive emails, are there any error message or NDR?
Try removing the “AllowInsecureRenegoServers” key and see whether the issue still persists.
Thanks,
Simon Wu
TechNet Community Support
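Added example, not from the original thread: the two SChannel values the poster set, applied through PowerShell with a snapshot of the previous values so the change can be backed out the same way it was backed out here. The key path and value names are those in the post; the function names and the backup file location are assumptions. One caveat worth knowing before re-applying: AllowInsecureRenegoClients = 0 makes SChannel reject TLS clients that do not advertise RFC 5746 secure renegotiation, so a submitting host whose TLS stack lacks RFC 5746 will fail its STARTTLS handshake. Test the Linux host against the server after the change and before the next scan.

```powershell
# Added example: apply, verify and roll back the SChannel renegotiation values from the thread.
# Assumptions (not from the original post): the function names and the backup file path.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Values documented with the RFC 5746 renegotiation update; the thread sets these two.
# Companion values in the same key: DisableRenegoOnClient, AllowInsecureRenegoServers, UseScsvForTls.
$Desired = @{
    DisableRenegoOnServer      = 1   # server never initiates renegotiation
    AllowInsecureRenegoClients = 0   # reject clients without RFC 5746 secure renegotiation
}

function Get-SchannelRenegoSetting {
    # Current values as a hashtable; a value that is not set is reported as $null
    $current = @{}
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $SchannelKey -Name $name -ErrorAction SilentlyContinue
        $current[$name] = if ($item) { [int]$item.$name } else { $null }
    }
    return $current
}

function Set-SchannelRenegoSetting {
    param([string]$BackupPath = "$env:ProgramData\schannel-renego-backup.json")  # assumed path
    # Snapshot first so Restore-SchannelRenegoSetting can put things back exactly
    Get-SchannelRenegoSetting | ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $SchannelKey -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
    # SChannel picks these up at restart; reboot before re-running the scan
    return Get-SchannelRenegoSetting
}

function Restore-SchannelRenegoSetting {
    param([string]$BackupPath = "$env:ProgramData\schannel-renego-backup.json")
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($name in $Desired.Keys) {
        if ($null -eq $saved.$name) {
            # The value did not exist before: remove it rather than writing a default
            Remove-ItemProperty -Path $SchannelKey -Name $name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $SchannelKey -Name $name -PropertyType DWord `
                -Value $saved.$name -Force | Out-Null
        }
    }
    return Get-SchannelRenegoSetting
}

# Usage (elevated PowerShell on the Exchange server):
#   Set-SchannelRenegoSetting        # writes both values, keeps a backup
#   Get-SchannelRenegoSetting        # read back after the reboot
#   Restore-SchannelRenegoSetting    # back out if a TLS client starts failing STARTTLS
```

From the Linux host, `openssl s_client -connect mailhost:25 -starttls smtp` prints either "Secure Renegotiation IS supported" or "IS NOT supported" for the negotiated session, which confirms what the server side now requires; if the application uses a TLS library other than OpenSSL, that library has to be checked on its own.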
Similar Messages
-
Use Exchange 2010 Hybrid Edition for SMTP relay
Thanks guys.
hmmm.
I did try to telnet on port 25 to the hybrid and get the welcome; when I enter the MAIL FROM command and enter a valid email address, I get "530 5.7.1 Client was not authenticated".
I have Exchange 2003 admin experience and am still learning my way around the 365 environment.
Hi all,
We recently moved our Exchange 2003 to Office 365 using a Hybrid Exchange 2010 to migrate the users.
The migration is complete and we have kept the Exchange 2010 Hybrid Edition running to enable us to mail-enable new AD users after DirSync has synchronized the user to the tenant.
Has anyone used this limited version of Exchange as an SMTP relay for network devices, copiers, etc.?
-
When we send mail via SMTP from all of our servers, we are only able to send mail to @Dell.com addresses (same network).
We are not able to send to other addresses (like an @Microsoft.com or an @csc.com address).
I am able to send an email to all addresses through a .NET application but not BizTalk.
Please share your thoughts on how to resolve the issue.
I hope your .NET application sending e-mail is NOT OUTLOOK? :D
From the BizTalk Server, can you do an interactive SMTP session with the SMTP server and check if relay is permitted? If you get relay denied, then very clearly the SMTP server configuration requires modification. (The responses from the SMTP server were in bold in the original post; here they are the lines that begin with a three-digit reply code.)
> telnet <your smtp server name/ip> 25
220 <your SMTP Server name> Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514 ready at Fri, 6 Mar 2015 11:45:03 +0530
HELO <your BizTalk Server FQDN>
250 <your BizTalk Server FQDN> Hello [<ip of your BizTalk Server>]
mail from: <some-email-address>@dell.com
250 2.1.0 <some-e-mail-address>@dell.com....Sender OK
rcpt to: <[email protected]>
What is the response? Do you get "250 2.1.5 <[email protected]>" or "relay denied"?
Either way, you should get someone who knows mail & messaging involved to help ensure that it is not an SMTP issue.
I agree with Ashwin on this NOT being a BizTalk-related issue.
Regards. -
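The interactive check above, as an added PowerShell script that is not part of the original thread: it runs the same HELO / MAIL FROM / RCPT TO conversation, classifies the RCPT TO reply, and then resets and quits without ever sending DATA, so no message is queued on the server. It also serves the later threads on this page about "Accept SMTP relays only from these" being set to 0.0.0.0/0 and about "550 5.7.1 Unable to relay": run it from the host that is failing (or from an outside address for the open-relay question) and the verdict shows whether the relay restriction or the submitting host is at fault. The function names, the test sender and recipient, and the server name in the usage line are assumptions; it needs PowerShell 5 or later for the ::new() syntax.

```powershell
# Added example: scripted version of the interactive relay check in the thread.
# Assumptions (not from the original post): function names, test addresses, server name.

function Read-SmtpResponse {
    param([Parameter(Mandatory)][System.IO.StreamReader]$Reader)
    # An SMTP reply is one or more lines; continuation lines are "250-..." and the last is "250 ...".
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
    return [pscustomobject]@{ Code = [int]$line.Substring(0, 3); Text = ($lines -join "`n") }
}

function Get-SmtpRelayVerdict {
    param([int]$RcptCode, [string]$RcptText)
    # Read the RCPT TO reply the way the thread does: 250 means the server will relay,
    # a 5xx carrying 5.7.1 or the word "relay" means relay denied for this source/sender.
    if ($RcptCode -eq 250) { return 'RELAY-ACCEPTED' }
    if ($RcptCode -ge 500 -and $RcptText -match '5\.7\.1|relay') { return 'RELAY-DENIED' }
    if ($RcptCode -ge 400 -and $RcptCode -lt 500) { return 'TEMP-FAIL' }
    return 'OTHER'
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$Helo = $env:COMPUTERNAME,
        [string]$From = 'relaytest@dell.com',      # assumed internal sender, as in the thread
        [string]$To   = 'relaytest@example.com'    # assumed external recipient: the relay question
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
        $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = Read-SmtpResponse $reader
        if ($banner.Code -ne 220) { throw "unexpected banner: $($banner.Text)" }

        $writer.WriteLine("HELO $Helo");        $null = Read-SmtpResponse $reader
        $writer.WriteLine("MAIL FROM:<$From>"); $mail = Read-SmtpResponse $reader
        if ($mail.Code -ne 250) { throw "sender rejected: $($mail.Text)" }

        $writer.WriteLine("RCPT TO:<$To>");     $rcpt = Read-SmtpResponse $reader
        # Never send DATA: the verdict comes from RCPT TO, so nothing is ever queued.
        $writer.WriteLine('RSET'); $null = Read-SmtpResponse $reader
        $writer.WriteLine('QUIT'); $null = Read-SmtpResponse $reader

        return [pscustomobject]@{
            Server  = "${Server}:$Port"
            Banner  = $banner.Text
            Rcpt    = $rcpt.Text
            Verdict = Get-SmtpRelayVerdict -RcptCode $rcpt.Code -RcptText $rcpt.Text
        }
    } finally {
        $client.Close()
    }
}

# Usage from the BizTalk host (server name assumed):
#   Test-SmtpRelay -Server smtp.corp.example -To someone@microsoft.com
# RELAY-ACCEPTED for an external recipient from an unauthenticated source that is not
# on the relay list means the server is an open relay for that source: fix the restrictions.
```

-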
Secure way for SMTP relay for DMZ server
Hi,
I would like to know if there is a secure way to allow SMTP relay from server in DMZ. This is our Exchange server configuration.
All Exchange server roles installed on a single server.
No Edge server.
Thanks in advance.
Hello
If you haven't got a relay connector, you need to create one receive connector and add only the one DMZ IP. If the application can authenticate, use that authentication method; if it can't use any auth method, enable anonymous relay.
Sorry for my English. -
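An added example of the connector the answer describes, as Exchange Management Shell commands for Exchange 2010 (single role, no Edge); it is not from the original thread. The ordering follows the answer: authenticated submission over TLS where the application supports it, anonymous relay only where it does not, and in both cases RemoteIPRanges limited to the one DMZ address. The connector names, the DMZ address 10.10.20.5, the server name EX01 and the binding 192.168.10.10:25 are assumptions, and a given DMZ host gets one connector or the other, not both on the same binding.

```powershell
# Added example: receive connector for one DMZ host on Exchange 2010 (Exchange Management Shell).
# Assumed values (not from the thread): EX01, 10.10.20.5, 192.168.10.10:25 and the connector names.

function New-DmzRelayConnector {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$DmzHost,   # one address only
        [Parameter(Mandatory=$true)][string]$Binding,   # "ip:25" on the Exchange server
        [switch]$Anonymous                              # only when the app cannot authenticate
    )
    # A range here, or 0.0.0.0-255.255.255.255, turns the server into an open relay
    if ($DmzHost -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "DmzHost must be a single IPv4 address, got '$DmzHost'"
    }

    if ($Anonymous) {
        $name = 'DMZ App Relay (Anon)'
        New-ReceiveConnector -Server $Server -Name $name -Usage Custom `
            -Bindings $Binding -RemoteIPRanges $DmzHost `
            -AuthMechanism Tls -PermissionGroups AnonymousUsers | Out-Null
        # AnonymousUsers alone allows submission to internal recipients only;
        # relaying to external domains needs this extended right, scoped to this connector.
        Get-ReceiveConnector "$Server\$name" |
            Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null
    } else {
        $name = 'DMZ App Relay (Auth)'
        # ExchangeUsers already carries Accept-Any-Recipient for authenticated senders;
        # BasicAuthRequireTLS keeps the password off the wire in clear text.
        New-ReceiveConnector -Server $Server -Name $name -Usage Custom `
            -Bindings $Binding -RemoteIPRanges $DmzHost `
            -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
            -PermissionGroups ExchangeUsers | Out-Null
    }
    return Get-ReceiveConnector "$Server\$name"
}

function Get-AnonymousRelayConnector {
    param([Parameter(Mandatory=$true)][string]$Server)
    # Audit: every connector on this server that lets ANONYMOUS LOGON relay to any recipient,
    # with the source addresses it accepts. Anything wider than a few hosts deserves a look.
    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $conn  = $_
        $relay = Get-ADPermission -Identity $conn.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                     -ErrorAction SilentlyContinue |
                 Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' }
        if ($relay) {
            New-Object PSObject -Property @{
                Connector      = $conn.Name
                RemoteIPRanges = ($conn.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
            }
        }
    }
}

# Usage (one of the first two per DMZ host):
#   New-DmzRelayConnector -Server EX01 -DmzHost 10.10.20.5 -Binding 192.168.10.10:25
#   New-DmzRelayConnector -Server EX01 -DmzHost 10.10.20.5 -Binding 192.168.10.10:25 -Anonymous
#   Get-AnonymousRelayConnector -Server EX01
```

-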
Registry edit Apple requires is causing windows to not detect files on the DVD drive
Registry edit Apple requires is causing Windows to not detect files on the DVD drive. If I set up the registry the way it requires, then the files will not be detected, and if I do it the way Windows requires, then the files will be detected but iTunes will not be able to use the optical drive. Is there any kind of patch or something someone can help me with?
Thanks O'Bie
To fix the registry, refer to this article:
iTunes for Windows: "Registry settings" warning when opening iTunes
http://support.apple.com/kb/TS3299 -
SMTP relay authentication issue with DynDNS MailHop Outbound
Hi,
I'm trying to use the SMTP relay functionality of my OS X Server but I get following log message:
Apr 4 21:40:21 mydomain postfix/smtp[7629]: 4EE3686F529: to=<xxxx@xxxxx>, relay=outbound.mailhop.org[204.13.248.71]:465, delay=140731, delays=140130/0.06/600/0, dsn=4.4.2, status=deferred (conversation with outbound.mailhop.org[204.13.248.71] timed out while receiving the initial server greeting)
I configured the relay settings in Server-Admin for host: outbound.mailhop.org:465 and added my dyndns username and password.
I would appreciate if someone could help me to figure out what I'm missing.
Thanks
If you're getting a 550 error then it indicates an issue with the SMTP server you're using / how you're connecting to it. Either the mail server you've got configured for SMTP isn't set up to handle email for you, or in addition to setting the server address in the SMTP settings, you also need to configure authentication on the email accounts. In the account settings you need to select More Settings (I think, I don't have an Outlook 2007 copy to check on), then you'll see an Outgoing Server tab, within which you can configure the required authentication. It will either be the same as the POP3 login, in which case you can select "Use same settings as my incoming mail server", or if they're different you can enter the specific details that are required to send. -
Have to add 0.0.0.0/0 to "Accept SMTP relays only from these"?
To reach the server via VPN I had to add a virtual IP (192.168.1.1) to the Ethernet port. Since then mail acts a bit strange: I have to add 0.0.0.0/0 to "Accept SMTP relays only from these" in SA. Otherwise I get "[/var/imap/socket/lmtp]: Connection refused" in the SMTP log and the server does not accept any delivery of mail from the internet.
I'm not quite sure if it's a good idea. Can anyone please tell me if this is still a security risk (while having access restrictions on the mail service)?
After a few telnet tests I can answer my own question: it makes an open relay server for spammers! But to solve the former issue with the connection refused, I had to switch to virtual hosting in the Advanced tab of the mail service and add my own domains.
-
We are using Windows Server 2008 R2. We installed IIS and the SMTP relay component. It is set up to relay mail to our Exchange 2010 CAS server. All internal mail is relaying properly on this server to the Exchange 2010 CAS server to internal email addresses. When someone tries to send to a recipient outside the organization, such as to the domains hotmail.com, gmail.com or microsoft.com, it does not relay the message. When I check the logs it looks like it does not even relay the external email address to the CAS server.
The error message we get is below. Please assist in what is wrong.
Delivery has failed to these recipients or groups:
[email protected]
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.
Diagnostic information for administrators:
Generating server: PRI.cross.com
[email protected]
#< #5.7.1 smtp;550 5.7.1 Unable to relay> #SMTP#
Original message headers:
Received: from HH-DATAserver ([192.111.111.2]) by PRI.cross.com with
Microsoft SMTPSVC(7.5.7601.17514); Wed, 7 May 2014 20:12:03 -0300
From: hh-dataserver <[email protected]>
To: <[email protected]>
Date: Wed, 7 May 2014 18:12:03 -0500
Subject: test messase
X-Mailer: SMTP Mail Component
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Return-Path: [email protected]
Message-ID: <[email protected]>
X-OriginalArrivalTime: 07 May 2014 23:12:03.0714 (UTC) FILETIME=[C2029620:01CF6A49]
Hi,
Is there any update on this thread?
Thanks,
Simon Wu
TechNet Community Support -
On-premise Exchange 2010 SMTP Relay to O365 mailboxes does not resolve Display Name
Dear All,
We have SMTP relay receive connector in our on-premise Exchange 2010 server that accepts emails from anonymous users.
The Externally Secured check box is checked. Display Name of the sender in Emails to mailboxes in on-premise is resolved correctly.
But the display name of the sender in the same email to mailboxes which are migrated to O365 is not getting resolved.
Please let me know if anyone has seen this issue. Some of our mailboxes are in O365 and some are in On-premise server.
Thanks
Fred
Do you have a hybrid configuration set up, and if not, is there any particular reason?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
Our company recently moved to Office 365, which means our on-premise Exchange server went away as well with the move. I am trying to configure my new SQL server (OS: Windows Server 2012 R2, DBMS: SQL 2014 Std Edition). After some searching I found this article (http://blogs.technet.com/b/meamcs/archive/2013/02/25/how-to-configure-sql-database-mail-so-send-emails-using-office-365-exchange-online-a-walkthrough.aspx) and have followed these steps exactly, but to no avail. I did some further research on the SMTP relay I set up and found a way to test it (listed here http://technet.microsoft.com/en-us/library/dn592151(v=exchg.150).aspx at the bottom of the article). If I drop the email.txt file in the pickup folder, it gets sent out no problem.
I have configured my DB mail exactly as described here (http://blogs.technet.com/b/meamcs/archive/2013/02/25/how-to-configure-sql-database-mail-so-send-emails-using-office-365-exchange-online-a-walkthrough.aspx), but keep getting an "unable to connect to SMTP server" error. I have even tried completely shutting down the firewall to see if that is the issue, and multiple restarts. Any ideas how to get this to work on Office 365?
DB Mail error log:
Date 6/10/2014 10:28:41 PM
Log Database Mail (Database Mail Log)
Log ID 46
Process ID 2196
Mail Item ID 19
Last Modified 6/10/2014 10:28:41 PM
Last Modified By xx
Message
The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 2 (2014-06-10T22:28:41). Exception Message: Cannot send mails to mail server. (Failure sending mail.).
Hi,
I followed this blog and got the below error message in the Database Mail Log.
"The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 2 (2014-06-11T19:34:00). Exception Message: Cannot send mails to mail server. (Mailbox unavailable. The server response was: 5.7.1 Unable to relay for [email protected])."
If you are getting the same error message, you can try the below steps to resolve the issue.
1. Open the IIS 6.0 management console. Right-click on the SMTP server and open the Properties window.
2. Click on the Access tab, click the Relay button under Relay restrictions, and add the loopback IP address (i.e. 127.0.0.1).
Then the email should be sent out from Database Mail without problem.
Thanks.
Tracy Cai
TechNet Community Support -
Updating link to Word Doc is causing a permissions issue
Hi. I am attempting to update a link to a Word file, and it is causing a permissions issues in Word when I try to open the Word document back up while the InDesign file is still open.
Is there any way to link to a Word document that can be worked on while the InDesign file is being worked on? I think I can use buzzword as an alternative, but I'm looking for the easiest possible solution.
Thanks!
Alicia
Word checks for locked files, in that if another app is using the file, you cannot open the file until the other app closes it. It does this to make sure Word has the latest version of the file. This is partly due to Word being used in an office environment where multiple people can be working on the same document.
Since Word is fairly quick to open, you could use the Edit Original icon in the Links panel of InDesign. Make your changes in Word once the document opens, then use the keyboard shortcuts Ctrl-S to save and Alt-F4 to close Word. -
HKCU Registry Edit fails (System as user) on RDP
Hi folks.
Can anyone confirm the following potential bug (or just my user error):
Running Zenworks 11.2.3a.
Create a empty windows bundle
Create a REGISTRY EDIT action in LAUNCH
HKCU / Software / TestKey
Run as SYSTEM, but use logged in user hive instead of .default
Perform a remote connection to a test PC using RDP (not Zenworks Remote) as a non-admin user (but a user who is a member of the Remote Administrator group).
When trying to launch the above bundle, the following error occurs:
In the action "Registry Edit", the operation on key "HKEY_USERS\\Software\TestKey" failed due to the following error - "The specified path is invalid. at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str) at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck, RegistrySecurity registrySecurity) at Microso".
Specifically, you can see that the users SID is not referenced in the HKEY_USERS path when trying to write the key.
If we perform the same actions when logged onto the machine with the same user, but NOT remotely (i.e. actually at the workstation), there is no problem.
If we perform the same actions remotely with an administrative user (one who is at least in a nested local admin group), there is no problem.
It also seems to affect the "DELETE REGISTRY KEY" action - although no error is displayed (I assume the "do not show error if attempting to delete a key that does not exist" issue was resolved), the key is NOT deleted. I would assume that any registry operation where the SYSTEM user attempts to modify the logged-in user's key on a remote desktop session will result in an error.
I'll raise an SR if anyone confirms I'm not being stupid, but I admit not many people are likely to see this issue.
SR #10924934061.
Seems confirmed bug. -
Smtp relay on osx 10.9.5 and server 3.2.2
What we have
We have a Mac mini set up using 10.9.5 and Server 3.2.2. The mail server is OFF but we have "Relay Outgoing Mail through ISP" checked (with the proper FQDN for the outgoing relay and the authorization credentials).
What we are trying to do
Our mac mini runs a php script to generate an email that needs to be sent to users. The mail has to use a smtp relay and we are trying to use the smtp relay provided by our email vendor.
Settings required by our email vendor
Instructions for configuring an email client can be found here
https://www.namecheap.com/support/knowledgebase/article.aspx/1179/2175/general-configuration-for-mail-clients-and-mobile-devices
We set up the relay in Mail on the Server 3.2.2 to use SSL and port 465. In our particular case the relay is configured as shown below. Obviously the [email protected] is the proper username for our authorization.
When we try to send mail (we test this function by sending mail from Terminal using the following command, sending mail to myself from myself)
printf "Subject: Test\n\nHello\n" | sendmail -f [email protected] [email protected]
and then watch the mail logs, the SMTP server rejects our mail due to authorization issues. The mail log text is shown below (email addresses replaced with [email protected] and IP addresses modified).
Dec 22 11:57:03 109-218-164-81.lightspeed.austtx.sbcglobal.net postfix/pickup[16825]: 5545383231: uid=501 from=<[email protected]>
Dec 22 11:57:03 109-218-164-81.lightspeed.austtx.sbcglobal.net postfix/cleanup[16827]: 5545383231: message-id=<[email protected]bal.net>
Dec 22 11:57:03 109-218-164-81.lightspeed.austtx.sbcglobal.net postfix/qmgr[16826]: 5545383231: from=<[email protected]>, size=340, nrcpt=1 (queue active)
Dec 22 11:57:03 109-218-164-81.lightspeed.austtx.sbcglobal.net postfix/error[16838]: 5545383231: to=<[email protected]>, relay=none, delay=0.04, delays=0.02/0/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to eforwardct3.name-services.com[216.163.176.39]:465: Connection refused)
Dec 22 11:57:05 109-218-164-81.lightspeed.austtx.sbcglobal.net postfix/master[16824]: master exit time has arrived
We find many self-help pages on the internet that talk about modifying the main.cf file located at /Library/Server/Mail/Config/postfix. Some even talk about modifying settings in the master.cf file in /etc/postfix. I have tried several and none seem to work.
Can anyone provide some guidance?
Regards!
The Server GUI doesn't provide for this use case.
Take the following steps to configure Postfix to relay mail to a remote SMTP server with password authentication over SSL. Substitute as required for the placeholders address, port, username and password below (they were in italics in the original post). Address is the fully-qualified domain name of the relay host. The value of port is usually either 25, 465, or 587. Username and password refer to your credentials on the relay host.
In the current version of OS X Server (but not necessarily in older versions), Steps 1 and 3 should be done for you when you enable relaying and relay authentication in the Server application.
1. If necessary, create or update the relayhost directive in
/Library/Server/Mail/Config/postfix/main.cf
It should look like this:
relayhost = [address]:port
2. Add these lines, above the section at the end that begins with the comment "# Mac OS X Server":
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/certificates/relayhost.pem
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes
3. If it doesn't already exist, create the password file
/Library/Server/Mail/Config/postfix/sasl/passwd
with this content:
[address]:port
username:password
Here address must match $relayhost.
Then create the password database:
sudo postmap /Library/Server/Mail/Config/postfix/sasl/passwd
This action creates the file
/Library/Server/Mail/Config/postfix/sasl/passwd.db
The two password files should be readable by root only.
4. Create the file
/etc/certificates/relayhost.pem
with the CA certificate(s) to be trusted for authentication of the remote host. You get those certificates from the service provider. If you can't find a link to download them, try this:
openssl s_client -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'
The command may produce an error message that isn't necessarily significant. For servers that use the older STARTTLS protocol, rather than straight TLS or SSL, this command may need to be modified.
5. Restart the Mail service. -
Registry editing disabled by your administrator
Win7 Enterprise edition.
64Bit.
In a workgroup setting.
Logged in as local ADMIN.
GPO SETTING - USER CONFIGURATION/Administrative Templates/System - Prevent Access to Registry Editing Tools
Prevent Access to the Registry is ENABLED
Disable regedit from running silently? Is set to NO.
I have a batch file that looks like this below. It is a tool that we use to support the NBC software in use in over a 1000 computers some on a domain some off.
@echo off
cls
echo NBC values:
REM note: "findstr ." removes blank lines
REG QUERY "HKLM\System\NBC\Software\CurrentConfig" /s | find /v "REG.EXE" | findstr .
echo Done.
pause
This BAT file worked without any issues in XP using the settings at the top, BUT in Win7 I receive the "Registry editing has been disabled by your Administrator" message.
By setting the GPO setting to "Not Configured" the BAT file works but we do not want to give users any access to the Registry.
Why does the /s setting not work in Win7 but work in XP?
My thinking is you could achieve what you wanted if it was domain-based group policy, as you could filter your admin accounts from applying the GPO so it wouldn't take effect for them, but would for non-admins.
But i don't think you can filter out the local policy in the same way - it's been a long time since i've used local policies - so there may be a way to do it - i'll take a quick look.
It's actually possible to do exactly this kind of filtering on the local group policy nowadays. At least in Windows 7/2008 R2.
It's not the same nice kind of filtering as you have on domain GPOs where you can select specific groups or users but you can setup different User Configuration for Administrator and Non-administrators.
Start MMC elevated and add the Group Policy Object Editor snap-in.
When the snap-in is added you have the possibility to change the target of the Policy Editor from the default Local Computer. Click Browse and select the Users tab and chose to edit Administrators or Non-administrators.
You can add them both to the console to simplify editing.
hopefully that should do it for you, if you just edit the local policy for non-admins.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
Blog: http://www.windows-support.co.uk
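Added example, not from the thread: the batch file's REG QUERY /s done through PowerShell's registry provider, alongside a read of the policy value that produces the message above. The point for anyone relying on this setting: "Prevent access to registry editing tools" is honoured by regedit.exe and reg.exe themselves, not enforced by the registry; any other program using the registry API, PowerShell included, reads and writes keys subject only to their ACLs. So the GPO stops the batch file, but it is not what protects the NBC keys from users. The key path is the one in the batch file; the function names are assumptions.

```powershell
# Added example: the batch file's "reg query /s" via the PowerShell registry provider,
# plus a read-out of the policy that blocks reg.exe. Key path comes from the thread's batch file.

function Get-RegistryEditingPolicy {
    # "Prevent access to registry editing tools" writes DisableRegistryTools under
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System:
    #   0 or absent = not restricted, 1 = regedit/reg.exe blocked, 2 = also blocks regedit /s.
    # Only regedit.exe and reg.exe check this value; the registry API does not.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.DisableRegistryTools } else { return 0 }
}

function Get-RegistryTree {
    param([string]$Path = 'HKLM:\System\NBC\Software\CurrentConfig')
    # Equivalent of: REG QUERY <key> /s, minus blank lines and the REG.EXE banner.
    # Works regardless of DisableRegistryTools; only the key ACLs limit what is returned.
    if (-not (Test-Path $Path)) { return @() }
    $rows = @()
    foreach ($key in @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            $rows += New-Object PSObject -Property @{
                Key   = $key.Name
                Name  = if ($name) { $name } else { '(Default)' }
                Type  = $key.GetValueKind($name)
                Value = $key.GetValue($name)
            }
        }
    }
    return $rows
}

# Usage:
#   "DisableRegistryTools = $(Get-RegistryEditingPolicy)"
#   Get-RegistryTree | Format-Table Key, Name, Type, Value -AutoSize
# The real protection for the NBC keys is their ACL, which you can inspect with:
#   Get-Acl HKLM:\System\NBC | Format-List
```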
-
I am trying to install two registry edits via a Zen bundle:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Outlook\Preferences]
"DelegateSentItemsStyle"=dword:00000001
and
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Outlook\Preferences]
"IgnoreSOBError"=dword:00000001
In the bundle, under Advanced Settings, I have Run Action As System and checked Apply HKEY_CURRENT_USER changes to the logged in user's hive instead of .DEFAULT
The regedits are still going under HKEY_USERS .Default
If I 'manually' merge the .reg files, they go where they are intended, so it is not the files themselves.
Odd....
You could just try as "Logged on User" since AFAIK these keys are not restricted from a general user modifying them.
On 3/14/2013 2:45 PM, Anders Gustafsson wrote:
> I know there were some such issues in the past that were fixed when I
> updates to 11.2.2 IIRC. Is there any chance of you updating?
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.