Exchange Server Forums

How to stop others from using my server as relay.

How to stop others from using my server as relay. - 8.Apr.2001 10:38:00 PM   
Guest
Hello:

We have Exchange 2K running. It supports POP3, SMTP and the Exchange client. We have a lot of remote users who need to have our mail server as their SMTP for outgoing mail. How do I configure the server so that users have to be authenticated to the server in order to send mail and reject anonymous users?

Thanks
;-p

  Post #: 1
RE: How to stop others from using my server as relay. - 9.Apr.2001 11:19:00 AM   
robert

 

Posts: 434
Joined: 24.Jan.2001
From: Malta
Status: offline
Go to SMTP options and to the relay options in the Exchange System Manager. Make it so that no one is able to relay except the IPs of the remote users. Check it out.

------------------
Regards
Robert Abela
robert@gfi.com


(in reply to Guest)
Post #: 2
RE: How to stop others from using my server as relay. - 9.Apr.2001 11:34:00 PM   
Guest
But these people could have dynamic IPs. Can I just use authentication instead?

(in reply to Guest)
  Post #: 3
RE: How to stop others from using my server as relay. - 10.Apr.2001 2:56:00 AM   
Guest
Same problem here. It's well documented under 5.5, but not with E2K. We would like to be able to use authentication rather than I.P. addresses for the allowed relay. Second best would be to only allow those with a "from" of mycompanydomain.com to relay. Anyone?

Thanks,
josh@vyou.com


(in reply to Guest)
  Post #: 4
RE: How to stop others from using my server as relay. - 12.Apr.2001 11:01:00 PM   
Guest
You could still go to relay options and select a range of IP addresses. If most of your users are using DHCP they are probably within an IP range.

You could also try going into connection control and specifying your internal domain name.

Pete


(in reply to Guest)
  Post #: 5
RE: How to stop others from using my server as relay. - 8.May.2001 10:52:00 PM   
Guest
The best thing to do to prevent SPAM and still allow users with dynamic IPs to relay is to make sure the "Allow all computers which successfully authenticate..." is checked in the relay options. Then you have your users configure Outlook to authenticate to the E2K box. In Outlook, you have to set the "My server requires authentication" area. POOF! All done. Now your POP3/IMAP4 client can relay and spammers cannot. Enjoy!

(in reply to Guest)
  Post #: 6
RE: How to stop others from using my server as relay. - 9.Jan.2002 7:05:00 PM   
TheAdmin

 

Posts: 1
Joined: 9.Jan.2002
From: Overland Park, KS
Status: offline
That's great and all there "guru", except you neglected to mention the little caveat there. If you allow all "authenticated users" to relay, then you also need to check your authentication setup to see what it TAKES for someone to authenticate. Assuming this server talks to the rest of the world, you *have* to have anonymous access for the rest of the world to log in and send you mail.

By enabling anonymous as a type of authentication and then allowing all authenticated users to relay, you just re-enabled relaying for anyone. If you disable anonymous access, the rest of the world can't send you email.

The *only* way to do this is with 2 separate IP's/interfaces. You can then setup 2 virtual servers, one on each IP and a connector between the two. Only *THEN* will you get this "poof" magic to fix your problem.


(in reply to Guest)
Post #: 7
RE: How to stop others from using my server as relay. - 10.Jan.2002 6:45:00 PM   
Digitalcandy

 

Posts: 197
Joined: 2.Jul.2001
From: Orange County, CA
Status: offline
TheAdmin brings up a good point. If your settings look like this;

then you're still allowing your server to be used as a "spam" relay.

Two network cards is a good choice, however you will need to make sure your POP3 clients are directed to the correct NIC. Tricky to do if your email server is behind some sort of firewall.


(in reply to Guest)
Post #: 8
RE: How to stop others from using my server as relay. - 12.Jan.2002 2:05:00 AM   
koggen

 

Posts: 980
Joined: 31.Oct.2001
From: Göteborg - Sweden
Status: offline
Hi all!

I must say I'm a bit confused. I use the exact same settings as DigitalCandy posted (and have always done). I have tested my servers frequently with ordb.org and orbz.org and according to those sites NONE of my servers allow relay! These sites actually try to send email (not just analyze SMTP server responses) and I therefore feel that the results are quite accurate.

Does “Allow anonymous access” really count as an authentication? Because if I check “Allow all computers which successfully authenticate…” I cannot send IMAP through my Exchange server. Surely if anonymous access would count as authentication I should be able to use Outlook in IMAP mode and send SMTP without specifying a valid user account. In other words, as far as I can make out my servers behave EXACTLY as supposed. Anonymous access means anyone can mail my server, and I cannot relay unless I authenticate. What are we missing here?


Regards,

Johan


(in reply to Guest)
Post #: 9
RE: How to stop others from using my server as relay. - 14.Jan.2002 8:41:00 PM   
adukart

 

Posts: 148
Joined: 30.Nov.2001
From: Dickinson, ND
Status: offline
I am really confused about this. If I don't set my authentication to anonymous then I can't send or receive e-mail. So I set authentication to anonymous and changed the relay to only the list below with nothing in the list and did not check the allow all computers.... I am just wondering what this is doing then.
Johan, you say that you cannot relay unless you authenticate, but if I have set authentication to anonymous then does that mean anyone can authenticate? Do I have it set up the way you are talking about? I think I do but I'm not sure. Thanks for the information.

Amy


(in reply to Guest)
Post #: 10
RE: How to stop others from using my server as relay. - 14.Jan.2002 11:08:00 PM   
koggen

 

Posts: 980
Joined: 31.Oct.2001
From: Göteborg - Sweden
Status: offline
Hi Amy and the rest of you!

The setup I run is the following:

* Exchange 2000 with single SMTP Virtual Server.
* Server receives Internet mail directly and has therefore “Anonymous Access” enabled.
* Users can use the server to relay (by means of POP3 or IMAP) if they authenticate, which is why “Allow all computers…” is checked.
* The only computer IPs on “Only the list below” are servers that require relay (i.e. a web server with a mail component).
* Server has SSL certificate, but secure channel is not required as this can potentially create problems for remote mail servers that send mail to us (all remote servers do not support encryption, plus, we have issued our own certificate which means that the certificate normally is not trusted by remote servers).

This setup enables us to:

* Send and receive Internet e-mail from any domain.
* Remote users using POP3 or IMAP have to provide correct credentials before relay is allowed.
* Server is NOT listed at http://www.ordb.org or http://orbz.org (server has been submitted several times to really make sure no relay of email is possible). These sites actually try to send email so you can see the results in your SMTP log files as well.

I have tested to:

1) Relay mail from home (through IMAP) without authentication, resulting in RELAY PROHIBITED (550 5.7.1 unable to relay for etc).
2) Relay mail from home with authentication, but with a bogus user name and password, resulting in server requiring correct credentials.
3) Relay mail from home with correct credentials, resulting in proper behavior e.g. delivery of the mail.

So, Amy, back to your question. In my experience the settings you have applied allow incoming email (because of the anonymous access setting), but also prevent relay from trusted users as you didn’t check the “Allow all computers…”!

Proper settings IMO (i.e. the way things work for my three exchange servers at different unrelated sites) are the following:

* Allow anonymous access to accept incoming internet email directly to the server
* Set “Only the list below” and check “Allow all computers…” (if users need to send mail by POP3 or IMAP)

You can find screenshots at http://www.sandqvist.pp.se/smtp if you need more help. The server shown uses a SMTP connector (which is not necessary in many cases) so skip that part if you don’t use one. The results are still the same.

Regards,

Johan

[ January 14, 2002: Message edited by: Johan Sandqvist ]


(in reply to Guest)
Post #: 11
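
koggen's three tests from post #11, written as a repeatable check for your own server. This is an added example, not part of the thread: the addresses, the account name, the `FakeExchange` stand-in and its 535 reply are constructed, and the check stops after RCPT TO on the assumption that the server refuses relay at that step, as the 550 5.7.1 reply in test 1 indicates.

```python
import smtplib

SENDER = "tester@example.com"     # constructed sender in the hosted domain
OUTSIDE = "someone@example.net"   # constructed recipient in a domain the server does not host

def relay_check(smtp, creds=None):
    """One relay attempt. Returns (reply code, verdict); stops after RCPT TO, so no mail is sent."""
    smtp.ehlo()
    if creds:
        try:
            smtp.login(*creds)
        except smtplib.SMTPAuthenticationError as err:
            return err.smtp_code, "auth-rejected"
    smtp.mail(SENDER)
    code, _ = smtp.rcpt(OUTSIDE)
    smtp.rset()
    return code, "relay-accepted" if code in (250, 251) else "relay-refused"

class FakeExchange:
    """Constructed stand-in that answers the way koggen's tests report his server does."""
    USERS = {"remoteuser": "correct-password"}    # constructed account
    def __init__(self):
        self.authed = False
    def ehlo(self):
        return 250, b"ok"
    def login(self, user, password):
        if self.USERS.get(user) != password:
            raise smtplib.SMTPAuthenticationError(535, b"authentication failed")
        self.authed = True
    def mail(self, sender):
        return 250, b"ok"            # anonymous access: anyone may start a message
    def rcpt(self, rcpt):
        if rcpt.endswith("@example.com") or self.authed:
            return 250, b"ok"        # local delivery, or an authenticated relay
        return 550, b"5.7.1 Unable to relay"
    def rset(self):
        return 250, b"ok"

def three_tests(connect):
    """connect() returns a fresh connection, e.g. lambda: smtplib.SMTP("your.server", 25)."""
    return {
        "no-auth": relay_check(connect()),
        "bad-creds": relay_check(connect(), ("remoteuser", "wrong-password")),
        "good-creds": relay_check(connect(), ("remoteuser", "correct-password")),
    }

if __name__ == "__main__":
    for name, result in three_tests(FakeExchange).items():
        print(name, result)
```

A "relay-accepted" verdict on the "no-auth" test is the open-relay condition the thread is arguing about.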
RE: How to stop others from using my server as relay. - 15.Jan.2002 12:36:00 AM   
shadow07

 

Posts: 18
Joined: 26.Jun.2001
From: Aliso Viejo, CA
Status: offline
I would have to disagree with THE ADMIN. When you have checkmarked the option of ALLOW COMPUTERS TO RELAY IF AUTHENTICATED and leave ANONYMOUS ACCESS checked, this will not re-enable Spam Relaying. I have also tested this out, and I was unable to send email to other domains, except for the domain the Exchange server was hosting. Not until I was actually authenticated was I able to relay without issue.

(in reply to Guest)
Post #: 12
RE: How to stop others from using my server as relay. - 4.Feb.2002 1:30:00 PM   
ijsz77

 

Posts: 9
Joined: 31.Jan.2002
From: the netherlands
Status: offline
I have anonymous access off, basic authentication on, and relay only for authenticated users. This works fine for sending out mail; spammers don't get through, because they can't authenticate, BUT I also cannot receive mail from outside sources! While I can send from a certain address that is legit, I can't send mail to this address. Is there a way to let Exchange check the recipient's name to check if they can send it in?? Right now I can't protect my server, because it's useless without being able to accept mail from outside!

(in reply to Guest)
Post #: 13
RE: How to stop others from using my server as relay. - 18.Feb.2002 9:10:00 PM   
randomfire

 

Posts: 1
Joined: 18.Feb.2002
From: nyc
Status: offline
I have the anonymous checked so other mail servers can send mail to mine. In relay I have all except the list checked and I also have allow all authenticated checked. This allows my server to be a relay server; I can send mail using this server from my home, which is what we don't want because it can be and will be used as a relay server. I tried what people suggested, by having only the list checked, and in that I added my internal IP address of the Exchange server and the external NAT's IP address also, and then checked all authenticated users and tried it, and even if I provide credentials it gives me cannot relay for 550.17 error, so it is avoiding the relay but won't even allow relaying mail even if you provide credentials.

(in reply to Guest)
Post #: 14
RE: How to stop others from using my server as relay. - 26.Feb.2002 7:07:00 PM   
Digitalcandy

 

Posts: 197
Joined: 2.Jul.2001
From: Orange County, CA
Status: offline
Sorry, I have been gone a while. I haven't been paying attention to this thread.

Let me expand on the pictures I posted above.

quote:
The following is a direct quote from "Mastering Microsoft Exchange 2000 Server" by Barry Gerber found on page 533 to 534.

"The Relay Restrictions dialog box, which you open by clicking the Relay button, looks a lot like the Connection dialog box in Figure 13.9, (he is referring to the second picture I posted). It has one additional field, Allow All Computers Which Successfully Authenticate to Relay, Regardless of the List Above. If anonymous authentication is permitted as per the dialog box shown in Figure 13.8, (he is referring to the first picture I posted), leaving this option checked means that any e-mail client or SMTP host on the Internet can send messages through your SMTPVS. So, if this is your main SMTP host, deselect the Allow All Computers option."

I for one feel he did not explain this too well. I use POP3 for a couple of my users and do so by way of the settings in the pictures posted above. However, I get a lot of messages filling up the "BadMail" account every day. I think this is spam mail attempting to send messages. I think they may connect and attempt to send messages because the anonymous access is allowed but delivery fails because they do not have any of my Domain's user credentials to authenticate with.

Maybe someone can expand on this idea.

[ February 26, 2002, 07:14 PM: Message edited by: Digitalcandy ]

(in reply to Guest)
Post #: 15
RE: How to stop others from using my server as relay. - 27.Feb.2002 4:50:00 PM   
Kevin Sanders

 

Posts: 7
Joined: 11.Oct.2001
From: Bath, UK
Status: offline
This is quite straightforward. Navigate to the ACCESS tab on SMTPVS, click AUTHENTICATION and select "Anonymous access", "Basic authentication" and "Integrated Windows Authentication". This will allow the whole world to connect to your server and send you e-mail, so this is good. To stop them from using your server for relaying, which is bad, click RELAY and DESELECT "Allow all computers which successfully authenticate to relay, regardless of the list above". By deselecting this checkbox you will stop the relay.

(in reply to Guest)
Post #: 16
