
Article ID: 555383 - Last Review: May 31, 2007 - Revision: 1.0

Allowing both SMTP filtering and relay for POP3 users

Author: Mark Arnold MVP

SUMMARY

If you allow the POP3 or IMAP4 users of your Exchange Server to submit messages over SMTP, you cannot at the same time prevent spammers or other malicious users from submitting messages to that same SMTP server that purport to have been generated internally, unless you separate the two roles as described below.

Tips

To configure the SMTP Virtual Servers to allow both filtering and SMTP relay by approved users

On Exchange Server 2003 administrators commonly enable filtering to block particular senders and domains, or implement Relay Black Listing (RBL), to keep spam out of the system. Part of this procedure requires editing the properties of the SMTP Virtual Server Instance (VSI) and turning filtering on; for assistance, see http://support.microsoft.com/kb/261087/EN-US/. Another common step is to add your own SMTP domain to the Sender Filtering list so that spammers or other malicious external parties cannot submit mail spoofed to look as if it had come from an internal user.
 
Under normal circumstances the above actions also prevent users who access the server via POP3 or IMAP4 from submitting and relaying mail through SMTP, because their submissions arrive at the same filtered virtual server.
 
To resolve this functionality-versus-security dilemma, follow these basic steps. The article assumes that you are familiar with Exchange and that a certificate is already installed on the server, typically because the server being configured is an Exchange front-end server or serves Outlook Web Access over SSL.
 
1. Add another IP address to the server.
2. Create an A record in DNS called "smtpsecure" (or another similarly descriptive name) for that address.
3. Use Exchange System Manager to create another SMTP VSI bound only to the new IP address.
4. Configure the new VSI with the (existing) certificate and set it to require SSL.
5. Configure the new VSI to allow submission and relay from the required set of users. By default authenticated users are allowed submission but not relay; it is your responsibility to decide which users may submit and/or relay, and to configure the VSI accordingly.
6. Remove Anonymous access from this VSI so that only authenticated users can connect to this address. If you also remove the "Authenticated Users" group, only the users or groups you specify explicitly will be able to connect.
7. Configure the firewall to allow TCP 465 and 25 to this IP address.
8. On the client e-mail application, select the correct IP address or host name and enable SSL.
 
Where one or more Routing Groups and SMTP connectors are used, create a new SMTP connector and assign the newly created VSI to it. Following the steps above on their own allows only messages to internal recipients to be submitted: when a user tries to send an external message, the current bridgehead denies it, because the filter applied to that VSI prevents submission of messages to it via SMTP. The new connector may either use DNS to route messages or submit them to a smart host, possibly the same smart host your existing connector already uses. You may assign permissions to the new connector so that only the authorised POP3/IMAP4 users can submit to it; this involves creating a new group and assigning members in the normal way. Again, the article assumes familiarity with connectors and with creating Active Directory groups.
 
The benefit is that external spammers, malicious ex-employees and the like cannot send mail to someone@yourdomain.com purporting to have come from the-boss@yourdomain.com, yet your POP3 and IMAP4 users can still submit directly to your SMTP service, so they can work from home or from a laptop anywhere.
 
Readers will understand that they need either to use a public IP address and configure the firewall accordingly, or to do the necessary port translation and forwarding on their gateways. It is vital that you configure and test the Exchange Server internally first, and only then decide how to publish it to Internet users.
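The following is an added verification script, not part of this article and not Microsoft's code, that exercises both virtual servers from the outside in the way the previous paragraph recommends: it confirms that the original filtered VSI refuses an anonymous sender claiming an internal address and refuses to relay, and that the new smtpsecure VSI advertises STARTTLS, refuses AUTH on the cleartext channel, and refuses anonymous relay. The host names, the domains example.com and example.net, and the scripted replies used for offline testing are constructed assumptions; the checks key on the 5xx response class rather than on any particular wording, so they work against a live server through the LiveSession wrapper.

```python
import smtplib
import sys

OUR_DOMAIN = "example.com"    # constructed: the organisation's own SMTP domain
OTHER_DOMAIN = "example.net"  # constructed: a domain the server is not authoritative for


class LiveSession:
    """Sends each SMTP verb to a real server through smtplib (not used by the offline test)."""

    def __init__(self, host, port=25):
        self.smtp = smtplib.SMTP(host, port, timeout=15)  # reads the 220 banner

    def send(self, verb):
        code, text = self.smtp.docmd(verb)
        return code, text.decode("ascii", errors="replace")


class ScriptedSession:
    """Replays a constructed transcript: the first key that prefixes the (upper-cased) verb wins."""

    def __init__(self, script):
        self.script = script
        self.sent = []

    def send(self, verb):
        self.sent.append(verb)
        for prefix, reply in self.script.items():
            if verb.upper().startswith(prefix):
                return reply
        return 500, "5.5.1 Unrecognized command"


def ehlo_keywords(ehlo_text):
    """The first EHLO line is the greeting; every later line names an extension."""
    lines = ehlo_text.splitlines()[1:]
    return {line.split()[0].upper() for line in lines if line.strip()}


def check_public_vsi(session):
    """The original, filtered virtual server: anonymous SMTP from the Internet."""
    findings = {}
    code, _ = session.send("EHLO probe.example.net")
    findings["ehlo_accepted"] = code == 250
    # Sender filtering: an anonymous peer claiming an internal address must be refused.
    code, _ = session.send(f"MAIL FROM:<the-boss@{OUR_DOMAIN}>")
    findings["spoofed_internal_sender_refused"] = code >= 500
    session.send("RSET")
    # Relay: an anonymous peer may not hand us mail for a domain we do not host.
    code, _ = session.send(f"MAIL FROM:<someone@{OTHER_DOMAIN}>")
    if code == 250:
        code, _ = session.send(f"RCPT TO:<user@{OTHER_DOMAIN}>")
    findings["anonymous_relay_refused"] = code >= 500
    session.send("QUIT")
    return findings


def check_secure_vsi(session):
    """The added smtpsecure virtual server: TLS required, authenticated users only."""
    findings = {}
    code, text = session.send("EHLO probe.example.net")
    findings["starttls_offered"] = code == 250 and "STARTTLS" in ehlo_keywords(text)
    # Credentials must never be accepted on the cleartext channel.
    code, _ = session.send("AUTH LOGIN")
    findings["auth_refused_before_tls"] = code >= 500
    if code == 334:
        session.send("*")  # RFC 4954: cancel the half-started exchange so later verbs are judged fairly
    # Without authentication there is no relay, whatever the destination.
    code, _ = session.send(f"MAIL FROM:<someone@{OTHER_DOMAIN}>")
    if code == 250:
        code, _ = session.send(f"RCPT TO:<user@{OTHER_DOMAIN}>")
    findings["anonymous_relay_refused"] = code >= 500
    session.send("QUIT")
    return findings


def all_pass(findings):
    return all(findings.values())


if __name__ == "__main__":
    # usage: python check_vsi.py public|secure HOST [PORT]
    kind, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 25
    check = check_public_vsi if kind == "public" else check_secure_vsi
    result = check(LiveSession(host, port))
    for name, ok in result.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all_pass(result) else 1)
```

Run it against the internal address of each VSI before the firewall rules go in; a FAIL on the secure VSI's auth_refused_before_tls check means credentials can be captured on the wire, and a FAIL on anonymous_relay_refused on either server means the filtering or relay restrictions have not been applied to that instance.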
 

APPLIES TO
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
