Default Exchange 2003 Install SBS2K3 - Open Relay Potential?


    I have installed a couple of SBS2K3 servers and have noticed that the default installation of Exchange 2003 via the (CEICW) wizard includes three IPs in the SMTP virtual server Relay Restrictions that may relay through this virtual server. They are the LAN, WAN and 127.0.0.1. I removed the WAN and 127.0.0.1 and everything email-wise works great and has for several months now. The 'Allow all computers which successfully authenticate to relay, regardless of the list above' is also checked.

    The question is whether the default installation with the WAN and 127.0.0.1 IPs could potentially allow for an “Open relay” or might not be “best practice” methodology. How are single Exchange 2003 boxes configured for a single domain? What is the safest method to follow?

    Thank you for your time and thoughtful consideration.

    Karen

  • #2
    Open Relay

    The default settings for Exchange 2003 don't allow relaying by non-authenticated users.

    The only circumstance in which someone may be able to pseudo relay is to send email to users within your domain. They'd have to guess user names in order to try it but it might allow this to occur.

    Remove anonymous access and force users to authenticate on the SMTP server.

    Check your server for open relay if you're concerned - HERE
    Andrew

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Exchange 2003 does not go through the process of wizards running like SBS2K3. Exchange 2003 is tight and secure out of the box from what I've seen (although I only work with it in SBS2K3). Configuration is the responsibility of the local IT group.

      The primary concern here was the inclusion of the WAN IP via the CEICW wizard and how that might be potentially spoofed and used as a relay. It appears that the default SBS2K3 installation includes Anonymous, Basic and Integrated for SMTP access which is not very safe or secure. Your method and suggestions are well taken.

      Of course tests for relay have proven negative.

      Here is a post from an SBS Product Manager and their explanation: http://www.sdsbsug.org/openrelay.htm

      Thanks. Karen



      • #4
        Relay

        After reading the post you provided I now better understand your concern.

        I think you made the right choice by removing WAN and LocalHost, I'd consider these to be the biggest threats as they're either known or predictable. I however wouldn't be too worried about someone spoofing an IP, it's possible but not simple.

        ---

        With the exceptions that SBS allows for relay and you are worried about someone spoofing the WAN IP you should also be concerned about this occurring with a LAN IP as well.
        I don't work with SBS - I consider it to be a "dumbed down" version of the stand alone packages. It does offer some nice reporting features and simplified administration and on top of that it's cheaper. I work for a company that has no use for SBS so I haven't bothered with it beyond a cursory overview.

        Originally posted by kchristian
        How are single Exchange 2003 boxes configured for a single domain?
        Stand alone Exchange 2003 does not allow relay for any users (even authenticated users) by default. The exception list to allow relay is empty.
        Andrew

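The relay test mentioned in posts #2 and #3 can be run against your own server with a short script. This is an added example, not part of the original thread: it opens an anonymous SMTP session, offers one external and one local recipient, and stops before DATA so no message is sent. The `.example` addresses and the function names are placeholders chosen for this illustration.

```python
import smtplib

def probe_rcpt(host, port, sender, rcpt, helo="relaytest.example", timeout=10):
    """Anonymous MAIL FROM / RCPT TO only; DATA is never issued.

    Returns the reply code to RCPT TO, or the reply code to MAIL FROM
    if the sender was already refused.
    """
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.ehlo(helo)
        code, _ = smtp.mail(sender)
        if code < 400:
            code, _ = smtp.rcpt(rcpt)
        try:
            smtp.rset()  # abandon the transaction before leaving
        except smtplib.SMTPException:
            pass         # some servers drop the session after a refusal
        return code

def relay_report(host, port=25,
                 local_rcpt="postmaster@yourdomain.example",  # placeholder
                 external_rcpt="probe@external-b.example",    # placeholder
                 sender="probe@external-a.example"):          # placeholder
    """Compare how the server treats an external vs. a local recipient.

    The answer is only valid for the source address the server sees, so
    run it once from outside and once from each network listed under
    Relay Restrictions.
    """
    ext = probe_rcpt(host, port, sender, external_rcpt)
    loc = probe_rcpt(host, port, sender, local_rcpt)
    return {
        "external_rcpt_code": ext,
        "local_rcpt_code": loc,
        # 2xx for a foreign recipient without authentication means this
        # client is allowed to relay (some servers still refuse at DATA).
        "relays_for_this_client": 200 <= ext < 300,
        # 2xx for a local recipient is ordinary inbound delivery, the
        # "pseudo relay" case from post #2, not relaying.
        "accepts_inbound_anonymously": 200 <= loc < 300,
    }

if __name__ == "__main__":
    import sys
    print(relay_report(sys.argv[1], local_rcpt=sys.argv[2]))
```

A 5xx reply for the external recipient together with a 2xx reply for the local one is the expected result for a server that receives mail for its own domain but does not relay for that client.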
