How Do I Block Open Relay on My Exchange Server 2010?
-
Thursday, June 14, 2012 10:00 AM
I have an Exchange Server 2010 (MB, HT, CAS) setup in my environment which is NAT'ed to a Public IP. We don't have an Edge Server in our environment but use a UTM instead. We have been blacklisted several times. I ran the Exchange connectivity test and found out that Open Relay wasn't enabled on my server. I also checked at http://www.checkor.com/ and got:
220 ******************************************************************************************************
HELO ortest.checkor.com
250 myexchange_name.domain.com Hello [8.23.224.110]
RSET
250 2.0.0 Resetting
MAIL FROM: test@checkor.com
250 2.1.0 Sender OK
RCPT TO: test1@checkor.com
550 5.7.1 Unable to relay
But then we have been having a lot of spam attacks. I suspect it's coming from some personal laptops on my network.
I tested this myself with an E-bill application on the LAN, which was able to send mail through our Exchange Server to remote domains. That made me doubt whether the Exchange relay was really blocked, as the two tests reported.
How can I mitigate this spam issue with effective settings on my Client and Default Receive Connectors, both the Permission Groups and the Authentication?
Currently I have ALL the Options Checked EXCEPT Externally Secured Under the Authentication Tab on the Default and Client Receive Connector. On the Permission Groups I have ALL Options Checked EXCEPT Partners for both Default and Client Receive Connectors.
What am I not configuring correctly, and how can I block these malicious systems from sending out spam using my Exchange Server 2010 with the effective settings?
Thanks.
All Replies
-
Thursday, June 14, 2012 11:14 AM
By default, authenticated users are allowed to relay mail on your Exchange server.
Have you set any permissions on your receive connectors other than from the GUI?
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
-
Thursday, June 14, 2012 3:53 PM
No I haven't set any additional settings on the receive connector.
-
Friday, June 15, 2012 8:18 AM (Moderator)
Hello Nukunu,
If you haven't made any changes on the Exchange Server, the open relay setting is disabled on Exchange Server.
You can use this command to check the setting on the receive connectors:
Get-ReceiveConnector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"}
Thanks,
Evan
Evan Liu
TechNet Community Support
- Marked as answer by Evan Liu (Moderator), Friday, June 29, 2012 10:31 AM
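Evan's one-liner answers the single question "is anonymous relay granted?" A wider audit of the same connectors, written here as an added example that is not part of the thread or of Evan's reply, is below. It assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server with the default "Default SERVER" and "Client SERVER" connector names; the 192.0.2.10 address in the commented tightening step is a placeholder from the documentation range, not a real host.

```powershell
# Added example (not from the thread): audit every Receive connector on this
# server for the two ways a client can relay outbound mail through it.
# Assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server.

Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Anonymous relay: an Allow ACE granting ms-Exch-SMTP-Accept-Any-Recipient
    # to ANONYMOUS LOGON on the connector object. Exchange never grants this by
    # default; if it is present, the connector is an open relay for every
    # address in RemoteIPRanges.
    $anonRelay = $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny }

    # Authenticated relay: the ExchangeUsers permission group carries the relay
    # right by default, so anyone holding a valid mailbox password (or malware
    # running as a logged-on user) can relay through that connector. This is
    # the path the thread ends up suspecting.
    $rc | Select-Object Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups, ProtocolLoggingLevel,
        @{Name = "AnonymousRelay";     Expression = { [bool]$anonRelay }},
        @{Name = "AuthenticatedRelay"; Expression = { ([string]$rc.PermissionGroups) -match "ExchangeUsers" }}
} | Format-Table -AutoSize

# Tightening (commented out so the audit stays read-only): limit the port 587
# "Client" connector to the one LAN application host that legitimately needs
# SMTP submission, which is the connector-side equivalent of blocking 25/587
# from client PCs at the network layer. 192.0.2.10 is a placeholder address.
# $server = $env:COMPUTERNAME
# Set-ReceiveConnector "$server\Client $server" -RemoteIPRanges 192.0.2.10
```

Outlook connected over MAPI does not use either connector, so narrowing RemoteIPRanges on the Client connector affects only hosts submitting over SMTP (applications, POP/IMAP mail clients, or malware speaking SMTP directly); mail sent from a compromised Outlook profile shows up in the message tracking log as a STOREDRIVER submission instead.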
-
Friday, June 15, 2012 8:31 AM
Hello Evan,
It never returned any results when I run the Get-ReceiveConnector command.
Thanks.
-
Friday, June 15, 2012 10:02 AM
Your Exch server may not be the issue. It may be that the clients have had their credentials compromised, as you can see your Exch server doesn't seem to be an open relay, and with the default config it's not an open relay.
You may need to ask your clients to change their passwords, or set AD to force users to change passwords if you can't track it down to a specific client/user.
Sukh
-
Friday, June 15, 2012 12:30 PM
We have been enforcing password policies on the domain thus users change their passwords after 30 days. Some users log on to the domain and some don't.
Is there a way I can monitor the connections that send out spam mails from any of the Exchange logs? I want to pin it down to the IP address and the sender address.
Thanks.
-
Friday, June 15, 2012 12:35 PM
You can start off by checking the Message Tracking logs to see if the spam is sent from OLK, or turn up the logging on the connectors if the spam is being sent via a telnet connection; check both of these logs to start you off.
You can use Exmon to check for any unusual activity from a client, but it may not narrow this down.
Sukh
- Marked as answer by Evan Liu (Moderator), Friday, June 29, 2012 10:31 AM
-
Friday, June 15, 2012 12:36 PM
Turn on protocol logging on your Receive and Send connectors. They will give you information about what's going on.
http://technet.microsoft.com/en-us/library/aa997624.aspx
http://technet.microsoft.com/en-us/library/bb124531.aspx
-
Friday, June 15, 2012 1:18 PM
Hello Sukh,
Can you please explain in further detail? I don't understand the first line, "sent from OLK"; do you mean Outlook?
I have already turned logging on for both Send and Receive Connectors. Do I check the Protocol Log folder or the Message Tracking folder?
Please help me with a link on how to check for SPAM broadcast.
Thanks.
-
Friday, June 15, 2012 1:49 PM
Yes, Outlook. Check all logs for connectors and Message Tracking. I don't have a link which shows how to track this down.
Depending on the amount of SPAM being sent, you may be able to get some help from your network team. In addition to this, you can lock down port 587/25 from the client PCs to eliminate that.
Sukh
-
Friday, June 15, 2012 10:10 PM
You can read both the SMTP connector logs and the message tracking logs to get more information about what's going on.
But I suspect a client is doing SMTP authentication and by this is allowed to relay, or is sending from Outlook, possibly caused by a virus.
Lasse Pettersson http://anewmessagehasarrived.blogspot.com
- Marked as answer by Evan Liu (Moderator), Friday, June 29, 2012 10:31 AM
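Sukh's message-tracking suggestion and Lasse's protocol-logging suggestion answer the original "pin it down to IP address and sender" question when read together. The script below does that and is an added example, not code from the thread or from any of its participants. It assumes the Exchange Management Shell on the Hub Transport server, that verbose protocol logging has already been enabled on the Receive connectors (Set-ReceiveConnector -ProtocolLoggingLevel Verbose), that the receive protocol log path is the one reported by Get-TransportServer, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the thread): find who is pushing outbound mail
# through this Hub Transport server, first from message tracking, then from
# the SMTP receive protocol logs. Assumes the Exchange Management Shell on
# an Exchange 2010 server with verbose protocol logging already enabled.

$since = (Get-Date).AddHours(-24)   # arbitrary look-back window

# 1. Message tracking. Every accepted message produces a RECEIVE event that
#    carries the sender, the client IP and the submission path:
#    Source = STOREDRIVER for Outlook/MAPI submissions, SMTP for anything
#    speaking SMTP to a Receive connector (applications, POP/IMAP clients,
#    malware). Rank (Source, Sender, ClientIp) by total recipients, since a
#    spam run stands out by recipient volume more than by message count.
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Group-Object Source, Sender, ClientIp |
    ForEach-Object {
        New-Object PSObject -Property @{
            Source     = $_.Group[0].Source
            Sender     = $_.Group[0].Sender
            ClientIp   = $_.Group[0].ClientIp
            Messages   = $_.Count
            Recipients = ($_.Group | Measure-Object RecipientCount -Sum).Sum
        }
    } |
    Sort-Object Recipients -Descending |
    Select-Object -First 20 Sender, ClientIp, Source, Messages, Recipients |
    Format-Table -AutoSize

# 2. Receive protocol logs. These show the SMTP dialogue itself, so they
#    reveal which remote hosts authenticated (235) and which are hammering
#    the connector with failed logins (535), i.e. compromised credentials
#    versus password guessing. Header lines start with '#'; the data lines
#    are CSV in the field order documented in the '#Fields:' header.
$recvLogPath = [string](Get-TransportServer $env:COMPUTERNAME).ReceiveProtocolLogPath
$fields = "date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"

$authEvents = Get-ChildItem $recvLogPath -Filter "RECV*.log" |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        Get-Content $_.FullName | Where-Object { $_ -notlike "#*" } | ConvertFrom-Csv -Header $fields
    } |
    # event ">" is data the server sent; 235 = AUTH succeeded, 535 = AUTH failed
    Where-Object { $_.event -eq ">" -and ($_.data -like "235 *" -or $_.data -like "535 *") } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Connector = $_."connector-id"
            RemoteIp  = ($_."remote-endpoint" -split ":")[0]   # strip the source port
            Outcome   = $(if ($_.data -like "235 *") { "AuthOK" } else { "AuthFailed" })
        }
    }

$authEvents | Group-Object Connector, RemoteIp, Outcome |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

A LAN host that shows up with many AuthOK sessions in the second table and a large Recipients total under a single Sender in the first is the credential-compromise case Sukh and Lasse describe: reset that user's password and clean the host. A host with mostly AuthFailed sessions is guessing passwords against the connector and belongs on the UTM's block list rather than in a password reset.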

