What is SMTP Relaying and how to control it?

by  compgirlfhredi  Posted    (Edited  )
Controlling SMTP Relaying with Microsoft Exchange

What Is Relaying?
If you've ever received unwanted spam in your mailbox, then you know what relaying is: using a server to accept and then resend mail to recipients on another server. In the simplest case, alice@a.com connects to the SMTP server at b.com and uses it to deliver a message to charlie@c.com. Note that this isn't the same as Alice using her own organization's SMTP server. A more practical example: if you're on the road with your laptop, you'll probably have a dial-up connection that assigns you an IP address outside your normal network. If your SMTP server accepts messages from you for delivery to third parties (addressees not on your own mail server), that's relaying; a server that has relaying turned on will accept mail for recipients in other domains, then attempt to redeliver it.
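The exchange described above, written out as SMTP commands and replies, with a small check that flags a server accepting a third-party recipient from a client that never authenticated. This is an added example, not part of the original FAQ; the transcripts are constructed, and the function name and the `C:`/`S:` transcript layout are assumptions made for illustration.

```python
import re

# Constructed SMTP exchanges ("C:" client, "S:" server) using the addresses
# from the paragraph above; b.com is the server's own domain.
OPEN_RELAY = """\
S: 220 mail.b.com ESMTP
C: EHLO laptop.a.com
S: 250 mail.b.com
C: MAIL FROM:<alice@a.com>
S: 250 OK
C: RCPT TO:<charlie@c.com>
S: 250 OK
C: QUIT
S: 221 closing"""

# Same session against a server that refuses to relay.
RESTRICTED = OPEN_RELAY.replace(
    "RCPT TO:<charlie@c.com>\nS: 250 OK",
    "RCPT TO:<charlie@c.com>\nS: 550 5.7.1 Unable to relay for charlie@c.com")

# Same session, but the client authenticates first (relaying with authentication).
AUTHENTICATED = OPEN_RELAY.replace(
    "C: MAIL",
    "C: AUTH PLAIN (credentials omitted)\nS: 235 2.7.0 Authentication successful\nC: MAIL")

RCPT = re.compile(r"RCPT TO:\s*<[^>]*@([^>]+)>", re.I)

def unauthenticated_relays(transcript, local_domains):
    """Return non-local recipient domains the server accepted without AUTH."""
    authed, pending, hits = False, None, []
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = RCPT.match(text)
            pending = m.group(1).lower() if m else None
        elif side == "S":
            if text.startswith("235"):            # reply code for a successful AUTH
                authed = True
            elif (pending and text[:1] == "2" and not authed
                  and pending not in local_domains):
                hits.append(pending)              # accepted a third-party recipient
            pending = None
    return hits

if __name__ == "__main__":
    for name in ("OPEN_RELAY", "RESTRICTED", "AUTHENTICATED"):
        print(name, unauthenticated_relays(globals()[name], {"b.com"}))
```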
================================================================================================
Why You Should Care
In some cases, relaying is desirable, like when you're traveling and want to use your regular Exchange server as an SMTP host. However, it's important to couple relaying with restrictions and authentication; if you don't, spammers will be able to use your relay to send out spam messages, and you'll get the blame, because the messages will appear to have originated from your server! Apart from the community benefit of helping to stop spam, configuring your Exchange server's relay settings properly keeps you from being a spam injection point, saving you bandwidth and lots of potential hassles.
================================================================================================
What to Do About It
There are separate configuration processes for Exchange 5.5 and Exchange 2000. In both cases, you'll be configuring the component that handles Internet mail to reject mail addressed to non-local recipients; there are some additional settings you can tweak to allow relaying with authentication or from particular IP addresses. But if your Exchange server is providing SMTP service to POP3 or IMAP4 clients, you'll have to turn on relaying in some fashion.
================================================================================================
Blocking relaying in Exchange 2000
Exchange 2000 has a very flexible set of anti-relaying features built in. You configure them at the SMTP virtual server level, so that you can set different relaying properties on different servers. One common use for this is in setting up two virtual servers: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying enabled on a non-standard port number. Your remote users can configure their mail clients to use the non-standard port; this approach neatly avoids the problem of spammers who scan for open relays.
The actual process of controlling relays is simple, but it varies slightly depending on whether you want to configure relaying for the SMTP virtual server or an SMTP connector. (If you don't know the difference between virtual servers and connectors, check out the Microsoft Knowledge Base article Q294736.)
================================================================================================
Controlling SMTP virtual server relaying

1. Launch Exchange System Manager. Navigate to your SMTP virtual server (it's under Administrative Groups | yourAdminGroup | yourServerName | Protocols).
2. Right-click the virtual server and choose the Properties command.
3. Select the Access tab.
4. To restrict inbound SMTP connections to a particular address range (for example, if your POP3/IMAP4 clients are using a block of addresses via a VPN or dial-up connection), use the Connection... button to specify which addresses may make SMTP connections. Note that the settings in the Connection dialog apply to all hosts that try to use this SMTP server.

To control SMTP relaying, click the Relaying button. In the Relay Restrictions dialog box, you can do the following:
1. To turn off all relaying from everywhere, select the "Only the list below" radio button, then leave the Computers list blank. This is the default setting.
2. To allow relaying from a single computer or block of network addresses, use the Add button to add the IP addresses or blocks that you want to be able to relay. You can also allow relaying by domain name instead of IP address, although there is a performance penalty if you do.
3. To block a specific set of IP addresses, select the "All except the list below" radio button, then use the Add button to add the specific computers or network addresses that you do not want to be able to relay.
To allow computers that authenticate to Exchange to relay, no matter what other restrictions are in place, make sure that the "Allow all computers which successfully authenticate..." checkbox is turned on.
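How the Relay Restrictions settings above combine, as an added example that is not Exchange code and not part of the original FAQ. It models only IP-based list entries (not domain names); the class, function and constant names are hypothetical, and the sample addresses and configurations are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ONLY_LIST = "Only the list below"
ALL_EXCEPT_LIST = "All except the list below"

@dataclass
class RelayRestrictions:          # hypothetical model of the dialog's settings
    mode: str = ONLY_LIST
    computers: list = field(default_factory=list)   # IP addresses or CIDR blocks
    allow_authenticated: bool = True   # the "authenticate..." checkbox (assumed on)

def decide(cfg, local_domains, client_ip, authenticated, rcpt):
    """Return (accepted, reason) for one recipient address."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True, "local recipient, not a relay"
    if authenticated and cfg.allow_authenticated:
        return True, "relay allowed: client authenticated"
    addr = ip_address(client_ip)
    listed = any(addr in ip_network(n, strict=False) for n in cfg.computers)
    if cfg.mode == ONLY_LIST:
        return listed, "relay allowed: on list" if listed else "relay denied: not on list"
    return not listed, "relay denied: on list" if listed else "relay allowed: not on list"

def is_open_relay(cfg):
    """True when unauthenticated hosts outside your control may relay."""
    if cfg.mode == ALL_EXCEPT_LIST:
        return True   # a block list cannot enumerate every outside host
    return any(ip_network(n, strict=False).prefixlen == 0 for n in cfg.computers)

# Constructed configurations: empty allow list, a VPN block, and a block list.
DEFAULT = RelayRestrictions()
VPN_ONLY = RelayRestrictions(computers=["10.8.0.0/16"])
BLOCK_LIST = RelayRestrictions(mode=ALL_EXCEPT_LIST, computers=["198.51.100.0/24"])

if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT), ("vpn", VPN_ONLY), ("block list", BLOCK_LIST)]:
        verdict = decide(cfg, {"b.com"}, "203.0.113.5", False, "charlie@c.com")
        print(name, verdict, "open relay:", is_open_relay(cfg))
```

The block-list configuration is the one to watch for: it refuses the listed range but still relays for every other unauthenticated address.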
================================================================================================
To turn off relaying completely
If you want to prohibit any SMTP relaying at all, make sure that the "Do not reroute incoming SMTP mail" radio button is selected. That's easy enough! You should probably have this turned on for servers inside your firewall that don't normally accept connections from outside clients.
================================================================================================
To allow some kinds of relaying
First, you have to turn on relaying by selecting the "Reroute incoming SMTP mail (required for POP3/IMAP4 support)" radio button. Once you've done that, there are two primary mechanisms for controlling relaying:
1. The Routing list shows which domains your server will accept SMTP mail for. For example, ratest.com and huntsville.ratest.com are listed as inbound, meaning that the IMS will accept mail and attempt to deliver it locally. The robichaux.net domain is explicitly listed as a relay domain; that means that it was manually added (using the Add... button) as a domain for which I want to accept SMTP mail, no matter what.
2. The Add..., Edit..., and Remove buttons let you change which domains appear in the Routing list, as well as what the IMS will do with mail for those domains: block it, accept it for relaying, or treat it as inbound mail.

The Routing Restrictions button is where you can do what most administrators want to do: allow legitimate clients to relay while blocking spammers. By default, all of the controls in this dialog are turned off; you'll have to set the specific restrictions you want to enforce.
1. If you want any client who logs on (e.g. for POP3 or IMAP4 access) to be able to relay, check the "Hosts and clients that successfully authenticate" checkbox. Note that by requiring SMTP authentication in conjunction with this option, you can allow SMTP servers (not just clients) to relay through your server.
2. To allow specified IP addresses (internal or external) to relay, check the "Hosts and clients with these IP addresses" checkbox, then use the Add, Edit, and Remove buttons to build the list of IP addresses from which you want to accept relay traffic. Remember that this checkbox controls relaying when you have selected the radio button for "Reroute incoming SMTP ..." in the Routing tab. You should normally check this box; doing so will prevent relaying. If you leave it unchecked, your server is open for relay.
3. If you want to allow relaying only from clients that connect to a particular IP address on your server, check the "Hosts and clients connecting to these internal addresses" checkbox.
4. To stop a particular group of hosts or clients from ever relaying mail, put their IP addresses and netmasks in the "Specify the hosts and clients that can NEVER route mail" list.
================================================================================================
Where to Learn More
1. You can check your servers to see if they're open relays by using a tool like Sam Spade. Some other tools are mentioned in Microsoft Knowledge Base article Q249266.
2. Microsoft Knowledge Base article Q260973 discusses the fine points of setting up SMTP connectors to allow mail relaying by domain, instead of by client address.
3. If you're not sure whether to use an SMTP virtual server or SMTP connector, Microsoft Knowledge Base article Q265293 may help clear things up.
4. If you actually want to set up a relay host, you can. For example, you might need to do this if you have a single set of SMTP gateway servers that internal hosts need to pass message traffic to. Be careful, and refer to Microsoft Knowledge Base article Q293800 before you do so.
5. The Internet Mail Consortium has a fascinating report of some experiments they did to see how many relay hosts there are on the Internet.

All information in this work is provided "as-is".
================================================================================================
On another note:

Also, 'Administrator' is the most common admin name on the planet by far. Change it to something else like "Terpsichore" or "Harpsichord", and chances are 'they' won't even get a chance to play 'go fish' with the password.

Another thing you should do is make sure your admin password is complex. Don't use a word, think of a phrase you'll always remember, preferably something you can put numbers and caps in, and make it 8 words or longer if you can. Something like "When I eat burritos for lunch, I get to spend the night in the can". Then, just use the first letter of each of the words to form the password, which in this case would end up being WIeb4lIg2stnitc. No way anyone's gonna guess that, or find it in any dictionary, no matter the language. Even you won't be able to remember it. But, you'll remember the phrase easily if you choose well, so you can always rebuild the password in your head as needed. And, remember: No writing it down, EVER!

Another thing you should do is go into the admin area and change the number of tries on password before the system locks down (3 is a good number), and set a longish reset time (30 minutes is good) between lockout failure retries. This keeps persistent attacks from returning any fruit nearly forever."
===============================================================================================
PROGRAMS I HAVE FOUND USEFUL


0-Code E-Mail Address Encoder v1.2 [575k] W98/2k/XP FREE

http://www.mywebattack.com/gnomeapp.php?id=107125

0-Code E-Mail Address Encoder is a tool for webmasters that can help reduce spam by converting your posted e-mail address to a JavaScript function that cannot be read by e-mail extraction robots. If a visitor clicks on the e-mail (mailto) link on your website, it will work as usual, but spam robots will not be able to extract the address from the link. No coding required, just enter your e-mail, preview the result and copy/paste the code into your pages.
===============================================================================================

"MX Logic (http://www.mxlogic.com/)
is a managed e-mail firewall service providing unequaled spam and virus protection. They handle the Bayesian and heuristic updates, virus patches, etc. It has a killer administration interface that makes it quick to manage, no matter how many users you have. The spam filter catches 95% plus of all spam, and you can choose from one to three virus packages (McAfee, Sophos, & Trend Micro) that catch EVERYTHING. It can be integrated with any external domain (other than AOL, EarthLink, etc.), as you just need to reroute the MX record to point to MX's servers. And opposed to other managed services, it is not a Store and Forward system, so security is not an issue.

"It's effortless, extremely competent and is $1 to $2.50 per e-mail address per month, depending on the virus protection package you choose! Why would you do anything else? We are the most active MX Logic partner; we fully believe in it and would recommend this to our mothers! (And we have!)

"Throw out the client-based spam garbage and utilize a true system."
================================================================================================
ServerFiles.com

http://www.serverfiles.com/

This site has refocused as a Server software directory for Network administrators & IT professionals. They list networking and server software for Windows 2003, Windows 2000 & NT. This site is significantly different from other download / software sites in that it does not focus on single-user software. This site contains the real deal - the listings are complete, descriptive and much more comprehensive than most.
================================================================================================

PostCast Server v2.5.24 [14.0M] W9x/2k/XP FREE

http://www.postcastserver.com/

{SMTP server} Send e-mails directly from your computer instead of
the ISP's SMTP server. The program supports all e-mail programs
and the PC can connect to it through the LAN, Internet, or the
computer where it's installed. PostCast offers a few advantages
over an ISP's SMTP server: faster message delivery, increased
privacy, flexibility, and no worries about the ISP server being
down to stop you from sending and receiving messages. When
starting the program for the first time, a wizard goes through the
setup and it works immediately - at least it did for me. The
interface is similar to Microsoft Outlook and it includes a log to
keep track of the SMTP activities. You can customize the program's look
and feel as well as the messages. Be your own e-postal carrier.