Open Relay

    Question

  • Hi all,

    I have installed a testing Exchange Server 2010 SP1 with the mailbox, hub, & CAS server roles installed, and I'm testing all types of connections (MAPI, RPC over HTTP, POP3, & IMAP).

    I have checked the anonymous users in the HUB default receive connectors (port 25) -in order to be able to receive emails from external domains-, & in the authentication I have checked TLS, Basic authentication, Exchange server authentication, & Integrated Windows authentication.

    I have the anti-spam agents installed on the HUB server

    I have created a send connector with address space " * "

    Then, I have configured a client (Outlook 2007) with POP3, and in the outgoing server I unchecked that my server requires authentication -just for testing-, and I have found that it is able to send emails!! and the same applies to IMAP !!

    However, when I go to http://www.testexchangeconnectivity.com and use the Inbound SMTP E-mail test, I get the following:

    Testing the MX mail.domain.com for open relay by trying to relay to user Admin@TestExchangeConnectivity.com.

    The Open Relay test passed. This mx isn't an open relay.

    Additional Details

    The open relay test message delivery failed, which is a good thing.
    The exception detail:
    Exception details:
    Message: Mailbox unavailable. The server response was: 5.7.1 Unable to relay
    Type: System.Net.Mail.SmtpFailedRecipientException
    Stack trace:
    at System.Net.Mail.SmtpTransport.SendMail(MailAddress sender, MailAddressCollection recipients, String deliveryNotify, SmtpFailedRecipientException& exception)
    at System.Net.Mail.SmtpClient.Send(MailMessage message)
    at Microsoft.Exchange.Tools.ExRca.Tests.SmtpOpenRelayTest.PerformTestReally()

    When I go back to the HUB receive connector and uncheck the anonymous users, I'm then not able to send emails without authenticating, but also I can't receive emails from external domains.

    How can I stop my server from being an open relay, or force my users to authenticate before sending emails when using POP\IMAP, while still being able to receive emails from external domains?



    Sunday, February 19, 2012 3:42 PM

Answers

  • Even if I created a new receive connector using port 25 on a specific local IP address and checked accept anonymous, leaving the default connector as is, the issue is not solved: people can still send from non-MAPI clients while not authenticated.

    It would be recommended that the new receive connector utilize a restricted IP list to avoid this situation.

    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003
    MCTS: Win Server 2008 AD, Configuration MCTS: Win Server 2008 Network Infrastructure, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server

    NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, February 20, 2012 2:44 PM
  • Hi,

    Exchange Server needs a send connector for the internet so that it can send to the internet.

    To receive mail from the internet, Exchange Server needs a receive connector, and that receive connector must allow “Anonymous users”. It also needs MX and A records pointing to Exchange in public DNS. Of course, we need a public network IP.

    NOTE: In a production environment, an Exchange Server facing the public network directly is quite insecure, so we’d better have an Edge Server and TMG/ISA to protect it.

    Overview of the Edge Transport Server Role:

    http://technet.microsoft.com/en-us/library/bb124701.aspx

    Installing Forefront TMG:

    http://technet.microsoft.com/en-us/library/cc441440.aspx


    Wendy

    Tuesday, February 21, 2012 9:25 AM
  • Well, the problem is that I don't have the ability to install an Edge server.

    You don't need an Exchange Edge server - it can be any secure SMTP gateway, on premises or in the cloud - Forefront, Postini, etc...

    Tuesday, February 21, 2012 2:23 PM

All replies

  • The default submission port for non-MAPI clients is 587. The default client receive connector is already set for that.

    Have your POP3/IMAP clients authenticate and submit on port 587.

    The general recommendation is to leave the default receive connectors alone and create a new receive connector for anonymous connections that will also accept messages from the internet. (It's also recommended not to accept messages directly from the internet to the Exchange Server - rather have an Edge/external SMTP gateway for anti-spam/anti-virus and recipient filtering, send messages from that to the Exchange Server, and then configure an anonymous receive connector on the hub that only accepts from that SMTP gateway.)

    http://technet.microsoft.com/en-us/library/aa996395.aspx

    Understanding Receive Connectors

    Sunday, February 19, 2012 4:39 PM
  • I have checked the anonymous users in the HUB default receive connectors (port 25) -in order to be able to receive emails from external domains-, & in the authentication I have checked TLS, Basic authentication, Exchange server authentication, & Integrated Windows authentication.

    This isn't recommended. It is recommended to leave the default receive connector alone and create a new receive connector used only for Internet mail.

    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003
    MCTS: Win Server 2008 AD, Configuration MCTS: Win Server 2008 Network Infrastructure, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server

    NOTICE: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, February 20, 2012 4:21 AM
  • Kindly note that when I set up a non-MAPI client, the default setting for SMTP is port 25, which doesn't require authentication now since I have checked anonymous users, but when I switch them to port 587 (not the default port that the client is set up with) it does require authentication since it doesn't allow anonymous users.

    But this means that when a client is set up by default it won't require authentication, and this is what I want to solve, so any idea on how to solve it?

    Monday, February 20, 2012 8:49 AM
  • Even if I created a new receive connector using port 25 on a specific local IP address and checked accept anonymous, leaving the default connector as is, the issue is not solved: people can still send from non-MAPI clients while not authenticated.
    Monday, February 20, 2012 8:51 AM
  • If my understanding is right, if I used a restricted range of IPs, this would mean that I won't be able to receive emails from external domains except from the IPs which I have defined, which means that if I don't know which IP Hotmail is using, for example, then I won't be able to receive any emails from Hotmail & so forth !!!

    And one more thing, what is the idea behind creating a new receive connector that uses the same port (port 25), while all I need to do on the default connector is to check anonymous users?

    Monday, February 20, 2012 7:32 PM
  • If my understanding is right, if I used a restricted range of IPs, this would mean that I won't be able to receive emails from external domains except from the IPs which I have defined, which means that if I don't know which IP Hotmail is using, for example, then I won't be able to receive any emails from Hotmail & so forth !!!

    And one more thing, what is the idea behind creating a new receive connector that uses the same port (port 25), while all I need to do on the default connector is to check anonymous users?

    This goes back to my original post. You should have an SMTP gateway that accepts mail anonymously from the internet and then routes to the Hubs. That would allow you to set the network range on your anonymous receive connector to just the gateways - it's really a best practice. Otherwise, you run into the issue you are seeing now.

    Creating a new receive connector is always recommended so you leave the built-in ones as is.

    Monday, February 20, 2012 7:45 PM
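    The configuration this reply and the accepted answer describe (anonymous submission only on a dedicated connector scoped to the SMTP gateway, built-in connectors left as they are), as an added Exchange 2010 Management Shell example that is not from the thread; the server name and the IP addresses are assumed.

    ```powershell
    # Added example (not from the thread): Exchange 2010 Management Shell commands
    # implementing the advice above. Server name and IP addresses are assumed.
    $hub     = "HUB1"           # assumed Hub Transport server name
    $gateway = "203.0.113.10"   # assumed address of the anti-spam SMTP gateway
    $hubIP   = "192.0.2.25"     # assumed local IP reserved for Internet mail

    # 1. Leave the built-in connectors alone: the default Hub connector keeps its
    #    original permission groups (no AnonymousUsers), and "Client <server>" on
    #    587 keeps requiring authentication for POP3/IMAP submissions.
    Set-ReceiveConnector -Identity "$hub\Default $hub" `
        -PermissionGroups ExchangeUsers,ExchangeServers,ExchangeLegacyServers

    # 2. A dedicated Internet connector that is anonymous but only reachable from
    #    the gateway. Several connectors may listen on port 25: Exchange hands a
    #    session to the connector whose RemoteIPRanges matches the source most
    #    specifically, so the gateway's single address beats the default
    #    connector's 0.0.0.0-255.255.255.255, and every other source still lands
    #    on a connector that demands authentication.
    New-ReceiveConnector -Name "Internet from gateway" -Server $hub -Usage Custom `
        -Bindings "${hubIP}:25" -RemoteIPRanges $gateway `
        -PermissionGroups AnonymousUsers -AuthMechanism Tls

    # 3. Verify that AnonymousUsers is granted only on the gateway-scoped connector.
    Get-ReceiveConnector -Server $hub |
        Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
        Format-Table -AutoSize

    $wideOpen = Get-ReceiveConnector -Server $hub | Where-Object {
        $_.PermissionGroups -match "AnonymousUsers" -and
        $_.RemoteIPRanges   -match "0.0.0.0-255.255.255.255"
    }
    if ($wideOpen) { Write-Warning "Anonymous submission from any IP on: $($wideOpen.Name)" }

    # 4. A true open relay means ms-Exch-SMTP-Accept-Any-Recipient is granted to
    #    ANONYMOUS LOGON. The AnonymousUsers group alone does not grant it (hence
    #    the "5.7.1 Unable to relay" in the question); this lists any connector
    #    where that right was added by hand.
    Get-ReceiveConnector -Server $hub |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
        Format-Table Identity, ExtendedRights -AutoSize
    ```

    Step 4 returning nothing and step 3 warning on nothing is the state the thread is aiming for: inbound Internet mail still arrives via the gateway, while every other source on port 25 hits a connector that requires authentication.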
  • Well, the problem is that I don't have the ability to install an Edge server.
    Tuesday, February 21, 2012 8:27 AM