Announcement

Collapse
No announcement yet.

Mail Relay document on this site is INCORRECT?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mail Relay document on this site is INCORRECT?

    First off, I love Daniel's site and have always relied on any info I found on it, any link found via a Google term search would be the first one I would click on.

    However, today I have found what I can only believe to be incorrect information in this document:

    http://www.petri.com/preventing_exch...m_relaying.htm

    Step 5 states:

    Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.

    Why on earth would you deselect Anonymous here? This setting has nothing to do with a server being configured as an open relay and causes greater problems to which the document even states below the Consequences section at the end:

    You must understand what will happen if you choose to clear the "Anonymous access" check box in the Authentication window of the SMTP Virtual Server. Although this will indeed successfully stop your server from being a relay, on the other hand it will cause your server to stop receiving incoming mail from the Internet. This is because all the servers (it doesn't matter if they are E2K, Send Mail or any other mail servers) that will ever need to open an SMTP connection to your server will be required to authenticate, and it will be impossible for them to do so because they are not configured to use a specific username and password. You can't expect every mail server that will need to "talk" to your server to to "know" what username and passwords you've got configured in your domain, so basically no one will ever be able to send mail to your domain.


    If you uncheck Anonymous, you won't receive any e-mail but yet your document is falsely indicating this is required to prevent mail relay. Catch 22 much? Am I missing something here? I just finished cleaning up after one of our technicians who used this document to configure an Exchange server and left the Exchange server unable to receive e-mail.

  • #2
    Re: Mail Relay document on this site is INCORRECT?

    If you continue reading the article to the end it says
    Consequences
    You must understand what will happen if you choose to clear the "Anonymous access" check box in the Authentication window of the SMTP Virtual Server. Although this will indeed successfully stop your server from being a relay, on the other hand it will cause your server to stop receiving incoming mail from the Internet. This is because all the servers (it doesn't matter if they are E2K, Send Mail or any other mail servers) that will ever need to open an SMTP connection to your server will be required to authenticate, and it will be impossible for them to do so because they are not configured to use a specific username and password. You can't expect every mail server that will need to "talk" to your server to to "know" what username and passwords you've got configured in your domain, so basically no one will ever be able to send mail to your domain.


    Conclusions
    Keeping the SMTP Virtual Server's default settings (the authentication and relay buttons) will safely protect you from relaying un-authorized messages while still enabling outside users to send e-mail to your domain.
    I would say that the article is correct, wouldn't you?
    Last edited by JeremyW; 14th February 2007, 02:18.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Mail Relay document on this site is INCORRECT?

      The anonymous option might be good for a incoming gateway server, where all inbound SMTP traffic will be sent to it (i.e. it is also the MX record for the company). But if you have a mail relay in your DMZ, and the mail relay is the MX record and is responsible for the incoming SMTP traffic, then in most cases it's best to configure it to send the mail to the Exchange machine but require authentication. That way you will get mail, but accomplish the goal of the article - to prevent yourself from being an open relay.

      HTH
      Cheers,

      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services
      MCSA/E, MCTS, MCITP, MCT

      Comment


      • #4
        Re: Mail Relay document on this site is INCORRECT?

        Originally posted by danielp View Post
        The anonymous option might be good for a incoming gateway server, where all inbound SMTP traffic will be sent to it (i.e. it is also the MX record for the company). But if you have a mail relay in your DMZ, and the mail relay is the MX record and is responsible for the incoming SMTP traffic, then in most cases it's best to configure it to send the mail to the Exchange machine but require authentication. That way you will get mail, but accomplish the goal of the article - to prevent yourself from being an open relay.
        Excellent example. Why not add it to your Consequences section and put a Note: in Step 5 to read Consequences first? That may have saved Shinedog in this case and may save another admin in the future.
        Cheers,

        Rick

        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

        Comment

        Working...
        X