SQLMAIL on Windows 2003 with SQL Server 2000
-
I've been told I can not install the Outlook 2000 client on a Windows 2003 server running SQL 2000 because of the security risks associated with Outlook 2000 client. So I'm looking for suggestions on how to configure SQL Mail and SQL Agent Mail l in SQL Server 2000 on a Windows 2003 server that doesn't have security risks. Note SQL Mail and SQL Agent Mail needs to use Internet Mail (POP3/SMTP), and not Exchange. Any suggestions?
Here are some questions I have:
1) Has anyone successfully applied all the patches to Outlook 2000 client to eliminate the security risks associate with the Outlook 2000 client and gotten it to successfully work with out hanging SQL MAIL or SQL Agent Mail using SQL Server 2000 on a Windows 2003 server? Note KB Q263556 makes mention that these patches don't cause SQL MAIL to hang.
2) What are all the patches that need to be applied to eliminate the security risks associated with the Outlook 2000 client?
3) Has anyone got SQL MAIL and/or SQL Agent Mail working without installing the Outlook Client? Note the KB Q306962 seems to suggest this can be done.
What I don't want to do:
1) I don't want to install the Outlook 2002 or 2003 client since it needs to be open to get SQL MAIL to work.
2) I don't want to use CDO to send mail, because that is not SQL MAIL.
Gregory A. Larsen, MVP
-
I have not seen these patches that you describe, but wanted to point out an alternative to SQL Mail, which I use, when our policy of no Outlook clients installed kicks in for some of our production servers.
It does use SMTP (so, I guess its CDO), but it is very detailed on how it works.
XPSMTP does not rely on MAPI or any other Microsoft Outlook or Outlook Express components.
You can still use it under the SQLAgent as a job.
Check it out to see if you can use it
-
Greg,
Since SQL Mail and SQL Agent Mail are MAPI bound, the only thing that I could suggest is researching another MAPI driven mail client and using it. You aren't specifically limited to Exchange. The only other thing would be to do exactly what you don't want to do, and that's write the code to utilize SMTP within a stored procedure or write the same time of code directly into a job step. Sorry... I know, it stinks! Please keep us all posted if you find anything else. We have all had the same consternation with messaging in SQL Server.
Scottye McClain
-
I think you can not install outlook 2000 on window 2003 server, but you can install outlook 2003 on window 2003 server.
You don't need to open the mail box for sql-mail to work. You just need to login to your server using the service account of sql service and configure your outlook mail box. After this step, you don't need to login with that login again.
After outlook mail works, you could set your sql service to use that outlook profile. Also make sure that the sql service account has access to the mail box on that outlook profile.
Good Luck.
mom
-
Can someone verify what mom said, that you can't install the Outlook 2000 client on Windows 2003?
Mom would you clarify what you meant by the this statement "You don't need to open the mail box for sql-mail to work.".
Does this mean with Outlook 2003 you don't need to have the Outlook Client open to make SQL MAIL work with Internet Mail (POP3/SMTP)?
I this KB article http://support.microsoft.com/kb/q263556/ there is the following statement "In Outlook 2002, the MAPI spooler logic was moved in-process, so any non-Exchange messages sent (such as those to an Internet mail server) require the Outlook client to be actively running on the server computer." seems to imply you do have to have the Outlook Client open in order to send mail.
Gregory A. Larsen, MVP
-
Gregory,
It has been my experience that since Outlook 2002 on SQL mail is in BAD SHAPE. The only fair solutions so far has been either xp_smtp or CDO with 2003 you can get blocked by sql mail becuse it tries to hold on to the session in the service and O2k3 simply crashes when you have used SQL mail and try to open the mail box.
When working with other than W2k3 I recommend Outlook 2000 but with W2k3 you are pretty much reduced to the above. There are some interesting fixes performed on SP4 that may have corrected the session problem but you have to wait a little
Can't wait for YUKON
HTH
* Noel -
Does SQL Server 2005 (aka yukon) fix some of the SQL MAIL issues?
Is any one using Outlook 2000 client with Windows 2003 for SQL Mail using a Internet Mail (POP3/SMTP)? Or Outlook 2002? Or Outlook 2003? I find it hard to believe everyone has given up on getting SQL Mail to work with Internet Mail on a Windows 2003 server? Or am I the only one bull headed enough to continue beating my head against the wall?
I guess I'm going to have to do some of my own testing.
Gregory A. Larsen, MVP
-
Yukon has besides SQLMail, SQLiMail ( smtp client) so you may be able to get your stuff out of OUTLOOK but again still in beta and you never know how reliable is going to be the feature.
Some people use 2002 some others use 2003 and they both work. You just have to be aware of the constraints.
HTH
* Noel -
Noeld, by constaint do you mean having to have the Outlook client active? Or are there others.
Gregory A. Larsen, MVP
-
Greg,
I am sorry. Let me say it again. I am using outlook 2003 client on window 2003 server. I do not use pop3 or internet mail. I used exchange mailbox.
I have no experience using internet mailbox.
I do use smtp_mail to send email out of server that has no access to Exchange server. It has been very reliable as well. I was even able to have it sent paging out or send 1 of the attatchement as part of the body.
-
I have had Outlook 2000 client set up on two Windows 2003 servers for a few months now (using Exchange) and SQL Mail has been working fine. It's even running on a cluster that is not in production yet and even though MS doesn't support it. I haven't added any security patches, but maybe I'll look into it since you mentioned it 🙂
Linda
-
So it looks like the outlook 2000 client will work on Windows 2003 server. Now I'm wonder if the security patches actually make the outlook 2000 client more secure. This KB article (http://support.microsoft.com/kb/q263556/ ) has the following text:
"In response to the threat posed by e-mail worms, Microsoft released a security patch for Outlook 2000 that notifies the user when a non-Outlook program attempts to send mail and requests the user to indicate whether this should be allowed by clicking Yes or No. Because SQL Mail is run through the SQL Server service, this security pop-up screen is sent to the virtual desktop and is never seen by a user. Because mail will not be sent pending user interaction, the end result is that SQL Mail will hang.
This behavior can be seen with SQL Mail for SQL Server 6.5 or SQL Server 7.0 because they make a simple MAPI connection to the mail client and this will trigger the security pop-up screen. Because SQL Mail for SQL Server 2000 makes an extended MAPI connection, the security pop-up screen is bypassed.
"
Now I have to ask each of you how you read this. Does the security patches for Outlook 2000 make Outlook more secure? If the security pop-up is bypassed, what happens when a non-Outlook program attempts to send email? Is it send or not? I would hope it is not sent. Does anyone know whether my "hope" is a true statement.
Gregory A. Larsen, MVP
-
Good question. I started reading KB 262617 and went down a rabbit trail of other articles regarding known issues, interoperability issues, attachments, etc. and at this point am going to leave things as they are. I don't know if installing Office 2000 sp3 (a pre-requisite) and then the Outlook security patch would also create issues---plus the only rollback is to uninstall-reinstall Outlook. If I get a chance to try it on a test box I will post the results.
Linda
-
Thank you for your thoughts, but I need to follow this issue to some conclusion to determine if we are at risk by not applying the patches. Therefore I'm looking for a way to send a non-outlook email, so I can test before and after applying the patch. Does anyone know how I can exploit the security hole in Outlook. I've only been able to find a way to exploit it using Access, and of course Access is not installed on our server. Any help would be greatly appreciated.
Gregory A. Larsen, MVP
Viewing 14 posts - 1 through 13 (of 13 total)
You must be logged in to reply to this topic. Login to reply