Question about relaying options in Exchange 2003

  • Question about relaying options in Exchange 2003

    I got a call from our ISP that someone is using our Exchange server to relay spam. So most likely someone is using a username/password to authenticate on the Exchange SMTP. The weird thing is that when I look at the SMTP logs it says that a user named "user" is being logged, but there isn't a user named user.

    Anyway, my question is:

    I unchecked the box under the relay restrictions that says: "allow all computers which successfully authenticate to relay regardless of the list above", which is found by going to the properties of the SMTP, Access tab, Relay button.

    With this box unchecked, it now allows me to selectively specify which users can relay. It also appears that even if I don't add a user to the list but they are using Outlook via MAPI, it lets them send out to anyone on the internet. Is this right? So a MAPI connection doesn't require the user to be added to the relay?

    Also, that check box: "allow all computers which successfully authenticate to relay regardless of the list above"... when it refers to the authentication, is this basically when someone from the outside has a username and password it will relay? And when I uncheck this then it will allow me to specify who has rights, more granular control?

    Also the OWA users and ActiveSync users will also be able to send emails to anyone on the internet without the need to add these users to the relay users?

    Thanks in advance.

  • #2
    Re: Question about relaying options in Exchange 2003

    Exchange as a default will not permit itself to be used as an open relay.
    If you haven't changed it then it should be fine. Check this article from this very website.

    http://www.petri.com/preventing_exch...m_relaying.htm

    What makes you think that the spammer has a valid username and password to authenticate?



    • #3
      Re: Question about relaying options in Exchange 2003

      1) When you unticked "allow all computers which successfully authenticate to relay regardless of the list above" that means your Exchange was an open relay. That relay is now closed.

      2) ONLY the Exchange server should be allowed to relay. ONLY its IP address should now be listed in that box. All users that are authenticated via a MAPI connection (AD/DNS/GC) will be allowed to relay via the Exchange. If there are MIME clients they will need to be given relay access either by a username in AD under the users tab or by IP address. A username is more secure.

      3) SMTP by default is an anonymous connection. Any server anywhere can talk to your server unless you define permissions for those connections, which in practicality isn't possible. By ticking that tab you allow ANY server to relay through your own server, which turns your Exchange into an open relay. It would only be a matter of time before your subnet would be blacklisted as a result of the open relay.



      • #4
        Re: Question about relaying options in Exchange 2003

        In response to scurlaruntings:

        1. Authenticated relaying is not an open relay. An open relay is when anyone can relay regardless of IP address or authentication. If you require authentication in order to relay then it's not open. Authenticated relaying is often used when you have external users who connect via POP. They authenticate to your SMTP server (Exchange) in order to send email out.

        2. Nothing needs to be on the allowed to relay IP address list. Exchange doesn't "relay" through itself. MAPI, OWA, and ActiveSync clients don't relay through the Exchange SMTP component; they send email to Exchange (the store) and then the SMTP component sends outbound email.

        3. There are two options in the relay settings properties and only one of them will make you an open relay: the option "All except the list below" with an empty list. This would allow any server or user to relay through your server. In a default installation of Exchange the following settings are set:

        A. Only the list below, with an empty list.
        B. Allow all computers which successfully authenticate... is unchecked.

        Out of the box, Exchange is NOT an open relay.

        Go to www.google.com and Google for "open relay test". There are hundreds of SMTP open relay tests that will test your server externally to see if it is in fact an open relay.

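The relay decision as post #4 describes it (client IP against the computer list, or authentication, and nothing else), written out as a small Python model. This is an added example, not part of any post and not Exchange code; the field names, the account names and the 203.0.113.25 probe address are made up for illustration.

```python
# Simplified model of the SMTP relay restrictions discussed in this thread.
# All names are hypothetical. MAPI, OWA and ActiveSync submissions are not
# modelled because, per post #4, they never reach the SMTP relay check.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class RelaySettings:
    mode: str = "only_list"                 # "only_list" or "all_except_list"
    computers: list = field(default_factory=list)   # IPs/CIDRs in the list
    allow_all_authenticated: bool = False   # the checkbox from the thread
    relay_users: set = field(default_factory=set)   # accounts granted relay one by one

def may_relay(s: RelaySettings, client_ip: str, auth_user: Optional[str] = None) -> bool:
    """Return True if this SMTP session may relay to an external recipient."""
    listed = any(ip_address(client_ip) in ip_network(n, strict=False)
                 for n in s.computers)
    ip_ok = listed if s.mode == "only_list" else not listed
    auth_ok = auth_user is not None and (
        s.allow_all_authenticated or auth_user in s.relay_users)
    return ip_ok or auth_ok

def classify(s: RelaySettings, probe_ip: str = "203.0.113.25") -> str:
    """Exposure as seen from an arbitrary outside host (constructed probe IP)."""
    if may_relay(s, probe_ip):              # anonymous stranger gets through
        return "open relay"
    if s.allow_all_authenticated:           # one stolen or guessed password suffices
        return "authenticated relay: any valid account"
    if s.relay_users:
        return "authenticated relay: named accounts only"
    return "closed to external hosts"

# Constructed configurations matching the cases named in the thread.
AS_LISTED_IN_POST_4 = RelaySettings()                       # settings A and B
EMPTY_EXCEPT_LIST = RelaySettings(mode="all_except_list")   # "All except the list below", empty
CHECKBOX_TICKED = RelaySettings(allow_all_authenticated=True)
NAMED_ONLY = RelaySettings(relay_users={"popuser"})

if __name__ == "__main__":
    for name, cfg in [("as listed in post #4", AS_LISTED_IN_POST_4),
                      ("empty except-list", EMPTY_EXCEPT_LIST),
                      ("checkbox ticked", CHECKBOX_TICKED),
                      ("named accounts", NAMED_ONLY)]:
        print(f"{name:22} -> {classify(cfg)}")
```

With the checkbox ticked, the model relays for any account that authenticates, which is why a single compromised password is enough to send spam through a server that still passes an external open relay test.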


        • #5
          Re: Question about relaying options in Exchange 2003

          Thanks so much for your reply. I really appreciate it.

          I was also thinking if there was a way for Exchange to filter relaying messages, that it first checks the header for a valid from:domain.com address that I can specify. So that if an email doesn't contain from:<domain.com> it doesn't relay the email even after authenticating successfully using a username/password on the SMTP?

          Thanks!

          Originally posted by joeqwerty
          In response to scurlaruntings:

          1. Authenticated relaying is not an open relay. An open relay is when anyone can relay regardless of IP address or authentication. If you require authentication in order to relay then it's not open. Authenticated relaying is often used when you have external users who connect via POP. They authenticate to your SMTP server (Exchange) in order to send email out.

          2. Nothing needs to be on the allowed to relay IP address list. Exchange doesn't "relay" through itself. MAPI, OWA, and ActiveSync clients don't relay through the Exchange SMTP component; they send email to Exchange (the store) and then the SMTP component sends outbound email.

          3. There are two options in the relay settings properties and only one of them will make you an open relay: the option "All except the list below" with an empty list. This would allow any server or user to relay through your server. In a default installation of Exchange the following settings are set:

          A. Only the list below, with an empty list.
          B. Allow all computers which successfully authenticate... is unchecked.

          Out of the box, Exchange is NOT an open relay.

          Go to www.google.com and Google for "open relay test". There are hundreds of SMTP open relay tests that will test your server externally to see if it is in fact an open relay.



          • #6
            Re: Question about relaying options in Exchange 2003

            Exchange doesn't do anything with the headers to control relaying. I don't think any product will do that as it could easily be abused.

            The only ways that Exchange controls relaying are via IP address or authentication. Nothing else.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.
