Exchange Server Forums

Reason to limit internal relay IP's

Reason to limit internal relay IP's - 4.May2012 1:57:58 AM   


Posts: 20
Joined: 9.Apr.2009
Status: offline

We've been using new HRM software for a few weeks, which will send the salary slips by mail to the private mail addresses of our users.
In the software we are able to set the IP address of our internal (Exchange 2003) mail server so that server will be used to send the mails.

This HRM software is installed on all our Terminal servers (where other software is present as well and users are presented a full desktop) and when people try to send the salary slips they get a "550 5.7.1 unable to relay" error message.
This is logical since we only allow relaying for certain (as few as possible) internal IP addresses and our Terminal servers are not on that list.

So for a quick fix I added all Terminal server IP's to the allow relay list on the Exchange server and the salary slips were sent.

However, my colleague and I are pretty sure this is not a good (secure) solution, so we asked the developer if they could provide us with an option to send these emails through a specific server (we also have 2 batch servers running with the same HRM software that can run specific tasks and we'd like to use these for email, which limits the IP addresses to add to 2 instead of 30).

Now the developer of the HRM software acts like we have insane security settings on our network and wants to hear good reasons for not adding all Terminal servers to the allowed relay list before they consider adding that option.

Of course there's the reason of a virus outbreak, but I was wondering if there is a document somewhere that I can point them to that explains why you should try to limit the number of internal relay IP's.
For us as system administrators it's common sense; for developers apparently it is not.

Hope someone can help me convince them.
Thanks in advance!

Post #: 1
RE: Reason to limit internal relay IP's - 4.May2012 2:43:53 PM   


Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Does this mean that the Client software generates the Email and not a server-based application? Does that software support installation/execution on a Terminal Server?

Tell the software guy that Email admins need to be able to control what sends out Email. Allowing a Terminal Server to send Email allows any application on that server to send Email. Are they willing to vouch for everything else installed/running on that server?



Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)

(in reply to nightraider)
Post #: 2
RE: Reason to limit internal relay IP's - 7.May2012 3:55:04 AM   


Posts: 20
Joined: 9.Apr.2009
Status: offline
Those are exactly our thoughts.

Indeed it seems like the application generates the e-mail and then tells the Exchange server to send it to an external address, which will count as relaying for the Exchange server.

Of course we have limited the systems that are allowed to send e-mail to the outside world on our firewall and antivirus appliance as well, but I don't really want to let any application on the terminal servers send mails except for Outlook (which will use Exchange anyway).

(in reply to uemurad)
Post #: 3
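
Added example, not part of the thread or of any poster's code: one way to see which hosts outside the approved relay list are submitting mail for external recipients, by reading the SMTP virtual server's W3C extended log. The IP addresses, domains and log lines are constructed, and the script assumes the log's `#Fields:` line includes `c-ip`, `cs-method`, `cs-uri-query` and `sc-status`, with `sc-status` holding the SMTP reply code.

```python
from collections import defaultdict

# Constructed values for illustration; none come from the thread.
INTERNAL_DOMAINS = {"corp.example"}
APPROVED_RELAY_IPS = {"10.0.5.11", "10.0.5.12"}   # e.g. two dedicated batch servers

# Constructed sample in W3C extended format (assumed field selection).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2012-05-04 01:10:02 10.0.5.11 RCPT +TO:<jan@mail.example.net> 250
2012-05-04 01:10:05 10.0.9.21 RCPT +TO:<piet@mail.example.org> 550
2012-05-04 01:11:40 10.0.9.21 RCPT +TO:<helpdesk@corp.example> 250
2012-05-04 01:12:13 10.0.9.22 RCPT +TO:<kees@mail.example.net> 250
"""

def recipient_domain(uri_query):
    """Extract the domain from a logged RCPT argument such as '+TO:<user@host>'."""
    start, end = uri_query.find("<"), uri_query.rfind(">")
    addr = uri_query[start + 1:end] if 0 <= start < end else ""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def unapproved_relay_attempts(log_text, internal_domains, approved_ips):
    """Count external-recipient RCPTs per client IP that is not on the relay list."""
    fields, report = [], defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared in the log
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue                           # directive, blank or malformed line
        rec = dict(zip(fields, parts))
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        domain = recipient_domain(rec.get("cs-uri-query", ""))
        if domain is None or domain in internal_domains:
            continue                           # local delivery is not relaying
        ip = rec.get("c-ip", "unknown")
        if ip in approved_ips:
            continue                           # expected relay source
        outcome = "accepted" if rec.get("sc-status", "").startswith("2") else "rejected"
        report[ip][outcome] += 1
    return dict(report)

if __name__ == "__main__":
    found = unapproved_relay_attempts(SAMPLE_LOG, INTERNAL_DOMAINS, APPROVED_RELAY_IPS)
    for ip, counts in sorted(found.items()):
        print(ip, counts)
```

An "accepted" count for an address outside the approved list means the relay restriction is wider than intended; a "rejected" count shows which hosts are trying to send and being refused.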