dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3780
share rss forum feed


devicemanage
Premium
join:2002-03-16
Chalfont, PA

[Exchange] Exchange 2007 Prevent Open Relay

I was wondering if there was an article I could look out describing the process of locking down an 2007 exchange server from becoming an open relay? Thanks...
--
»www.devicemanager.net


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by devicemanage:

I was wondering if there was an article I could look out describing the process of locking down an 2007 exchange server from becoming an open relay? Thanks...
Exchange 2003/2007 are closed by default. Thank god.

You can verify here: »www.abuse.net/relay.html


devicemanage
Premium
join:2002-03-16
Chalfont, PA
I must have opened it some how. How could I have done such a thing - bad!
--
»www.devicemanager.net


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by devicemanage:

I must have opened it some how. How could I have done such a thing - bad!
Do you know how to close it?


devicemanage
Premium
join:2002-03-16
Chalfont, PA
No, need some help - I've so far disabled the send connector while I have been researching it. Just dont want to get us black listed somewhere...
--
»www.devicemanager.net


Matt3
All noise, no signal.
Premium
join:2003-07-20
Jamestown, NC
kudos:12
said by devicemanage:

No, need some help - I've so far disabled the send connector while I have been researching it. Just dont want to get us black listed somewhere...
This should help: »msexchangeteam.com/archive/2006/···013.aspx

It's an article on allowing relaying, but you should be able to figure out what to lock down to disable it again.


devicemanage
Premium
join:2002-03-16
Chalfont, PA
Thanks for dropping that link man, I was looking at the send connector the whole time. Thank you thank you!
--
»www.devicemanager.net


Leathal
Premium
join:2002-02-09
canada
kudos:2
reply to devicemanage
there are sites on the internet that test to see if your mail servers relay is open or closed.


devicemanage
Premium
join:2002-03-16
Chalfont, PA

1 edit
Well I am testing with »www.spamhelp.org/shopenrelay/ and stuck with all the defaults in exchange 07. We do use dyndns and mailhop on port 2525 and they do some light spam filtering. I have a second line of defense but did not get around to installing it. Looking at some of the tools the dyndns offers I see that our outgoing mail is off the charts, could these be ndr's?

Either way looking at the link above it appears I am right on. The receive connect, default, needs to have anonymous permissions enabled or I can not receive mail. Any other ideas?
--
»www.devicemanager.net


Leathal
Premium
join:2002-02-09
canada
kudos:2

1 edit
you need to run the tests on your domain or MX name to make sure the relay open.

Yes you need anonymous connections enabled otherwise the servers coming into your network won't be able to send any email through.

The default settings which don't enable relay on the receive connector are:

Permission Groups (tab)

Enable:
Anonymous users
Exchange users
Exchange servers
Legacy Exchange Servers

Authentication (tab)

Enable:
Transport Layer Security (TLS)
Basic Authentication
Offer Basic authentication only after starting TLS
Exchange Server authentication
Intergrated Windows authenication

We also use have added a bunch of servers to your anti-spam in the Exchange server which cuts down on about 98% of the spam we get without them.

Anti-spam -> IP Block List Providers

Providers:
dns.rfc-ignorant.org
sbl-xbl-spamhaus.org
bl.spamcop.net
dnsbl.sorbs.net
list.dsbl.org

All other settings are default.


devicemanage
Premium
join:2002-03-16
Chalfont, PA
Thanks Lethal, I will add those servers as well. However my setting match yours to the "T". Last night I installed out SMSMSE and it seem to cut down on the outgoing mail a great deal over night. I'll keep an eye on it for a few days.

I am passing on all the open relay tests out there so who knows.

Thanks to everyone else for helping out - really appreciate it.
--
»www.devicemanager.net