Blocking External SMTP relay

Status
Not open for further replies.

Hungster (IS-IT--Management), CA, Mar 6, 2001
Could someone help me with external people using my Exchange 5.5 as an SMTP relay?

I tried everything people told me to, but I still find crap showing up in the outgoing delivery box. The originator is <> to a random e-mail address which does not exist.

Is there any trick I should do besides shutting down the "Do not re-route external mail"?

thanks
Hung
 
Zaper's link describes steps #1 and #2 in detail, but does not mention step #3 from the original Tek-Tips post. I wonder if the originator of that post had some specific configuration that required his internal IP addresses in the "Protocol" tab. I have only applied steps #1 and #2 and I am relay rejecting all but test #8.

Me_tigger, since my Exchange server is set to accept all messages to "@myserver.mycorp.com" and then delete those without valid mailboxes (without notification to the admin box either), I have no idea how to get it to pass the #8 test from mail-abuse.org. But allowing someone to fake a message from notname1@mycorp.com to notname2@mycorp.com, which is immediately deleted without notice, doesn't seem so important to me... maybe I am wrong.

Alex
 
Alex - "...Exchange server is set to accept all messages to "@myserver.mycorp.com" and then delete those without valid mailboxes (without notification to admin box too)". How are you doing this? So if I send a message to non_gal_address@yourdomain.com, Exchange does not send a non-delivery report (NDR)? Thanks so much.

Hung - Zapper's link is a clear instruction on how to make the Exchange server relay-secure. It is better than Q279860 and Q196626.

All - We have a gateway virus protection server (Trend InterScan VirusWall). All incoming and outgoing external email goes through this server. It is relay secure. Our Exchange 5.5 SP4 is also relay secure per "Is your Exchange Server Relay-Secure?", Q279860 and Q196626. When I run relay-test.mail-abuse.org I pass all 19 relay tests.
As for the mail from: <> to: some external address, in our case these are NDRs, as many are trying to send to addresses that are invalid. So I believe seeing some mail from: <> is normal.

jim
 
Jim,

LJMoore found this in an Exchange FAQ... in "Exchange Admin - Connections - IMS - Internet Mail tab - Notifications tab", deselect "email address could not be found". This eliminated NDR reports for invalid mailboxes.

Alex
 
Several months back I was black listed by ordb.org for having an open relay. I took this very seriously and spent an entire day securing and testing my mail server (Exchange 5.5 SP4). After securing my server as detailed in the link on my previous post I submitted my server to ordb.org for testing. They reported back stating that I was no longer acting as an open relay.

This did not stop the accumulation of <> originator messages in my outbound queue. I have spent many hours looking for the <> originator. When looking at the &quot;Details&quot; they are always tagged as &quot;Host unreachable&quot;. I have come to the conclusion that <> originator is sometimes the Exchange Server itself.

So... Who is <> originator?

This is a pretty basic question, why doesn't somebody (like Microsoft perhaps) have the answer?

Good Luck
 
AlexIT - Thanks for the reply. I may have misunderstood your post. I was interested in not sending an NDR to the sender. The notifications dialog box is used to specify when, and under what conditions, the Internet Mail Service should notify the administrator of NDRs. The sender still gets an NDR. Not sending the RCPT an NDR would break the SMTP RFC, but I believe some systems get around this by refusing the connection if the RCPT is not valid.

I know Exchange server (5.5 and 2000) doesn't perform a directory lookup before accepting the message, which means email will be accepted if the domain name of the email address is correct, regardless of whether the person is in the GAL.

Jim
 
After making your Exchange server relay secure, don't forget to consider whether your distribution lists should be accessible from the outside. When you finally get off the open-relay lists, it seems that the next thing that happens is junk email being sent to the distribution lists.

To make your distribution lists internal-only, just remove the SMTP address of the distribution list: Distribution List Properties | E-mail Addresses, then remove the SMTP address.

Also note that any user who has access to the GAL, including domain users, can easily see which distribution lists are accessible to the outside world.
 
Wow, you guys are right into these.
I am taking Zaper's advice, being tested through ordb.com,
and I noticed that the outbound has <> showing up as spamtest@(my IP),
so that means that <> does mean that the relay is being used by spammers.

This test was run with "Reroute Incoming SMTP" and Routing Restrictions > "Hosts and Clients with these IP addresses" checked, with no IP entered.

Hung
 
Hung,

Also check to Require Authentication in Routing Restrictions, if you can without blocking your external users.

Alex
 
Hung - I am no Exchange expert, but here is my answer. All <> tells you is that the address is hidden. The header will give you more detail. <> could be from Bcc or a message that the Exchange server is sending back because the RCPT was not in the GAL. So let's assume an ex-employee signed up for newsletters. Automated emails usually are not configured to accept replies, so the bounced message will be undeliverable by your Exchange server and will reside there for 3 days, but Exchange will try to send every 15 minutes for a non-urgent message (I recall this being the default setting, but I may be wrong). You might say, why not set it to try less often? This would be unacceptable, because what if an email server that you are sending to is down or cannot accept any more incoming connections? You want your server to retry in a timely period. Messages marked urgent and normal have different retry settings. So you might see a lot of <> activity related to one message.

Jim
 
Yes, but most often the <> is found in the 'outbound' queue, not the 'inbound' queue. That would rule out the ex-employee theory.
 
ShackDaddy - No, my ex-employee theory would be in the 'outbound' queue. The message was sent to the Exchange server. The Exchange server accepted the message. The server could not deliver the message to a mailbox, so it must bounce it back to the sender. The sender is not accepting incoming mail, so it sits on the Exchange server in the 'outbound' queue.
 
Jim,

I kind of agree with Alex, because I had kept an eye on the outbound box and those <> have been stacking up with random e-mails
consistently, like
someone6456@777.net.sk
someone6458@777.net.sk
and so on,
or something like ***@yahoo.com.

That's why I kind of believe this is generated by spammers.

Alex, I cannot find Require Authentication in Routing Restrictions, but I did test and external e-mail works in and out perfectly.

We do not have many people on e-mail, so this is fairly new; only 3 to 4 used to use it a year ago, so this e-mail server is newly installed and configured.

Hung
 
Can't really remember, but I will switch my mail server back and record it again.

Could you let me know what part I am looking for?
MTS-ID or Message ID?

Hung
 
Hung,

In the Routing Restrictions button of the IMC, where you were in step #2 of Thread 10-98450, there is another choice than just "These IP addresses" (which you left blank per the thread). By checking "Require Authentication", now no one can reroute unless they can authenticate to the Exchange server. If you only have a few external users, and you can get to their boxes, choose this, then go to your external users' machines and turn on the option for "my exchange server requires authentication."

Alex
 
hi,

I'm attempting to block relaying on my Exchange server. Every time I set routing restrictions to a set of internal IP addresses, all mail delivery except internal mail is blocked.

Any ideas as to what I'm doing wrong? I go into routing restrictions and choose "specify IP addresses", then I put in the internal IP range 192.168.1.0 with a mask of 255.255.255.0. I then change the mail clients to resolve the mail server by IP and not DNS. This works for internal mail, but all external mail returns a relay error.
 
Hello,

I have been sent a message from ordb.org saying that I am a spam relay. :(

I followed the steps from the MS KB, this thread, and the older thread. I then telnet to the relay-test and pass all but the 17th (kind of high? Is this a new test?). Here is that output:
:Relay test: #Test 17
>>> mail from: <spamtest@[emailserver's ip]>
<<< 250 OK - mail from <spamtest@[emailserver's ip]>
>>> rcpt to: <mail-abuse.org!nobody>
<<< 250 OK - Recipient <mail-abuse.org!nobody>

That is the only relay test that appeared to accept. Do you know how to close this final hole? How do I then get removed from the blacklist?

Thanks in advance,
Blacklisted
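The three mechanisms this thread keeps circling (Alex's two Routing Restrictions options, the "Test 17" bang-path recipient that Blacklisted's server accepted, and Jim's point that rejecting an unknown RCPT during the session avoids generating an NDR at all) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Exchange 5.5 code and does not reproduce how the IMS parses addresses. The local domains, mailboxes, relay network and probe addresses are constructed for illustration. An empty reverse path (`mail from: <>`) is the null sender SMTP uses for bounces, so the model does not treat it as a relay indicator; what matters is who the recipient is and whether the client is allowed to relay to it.

```python
"""Added example (not Exchange code): a model of the relay-control decision an
SMTP server makes at RCPT TO.  It covers the two Routing Restrictions options
(authenticated clients, listed IP addresses), the source-routed, percent-hack,
quoted and bang-path recipient forms that relay tests such as "Test 17" use to
slip a foreign destination past a naive "@mydomain" check, and RCPT-time
rejection of unknown local users instead of accept-then-bounce.
All domains, mailboxes and addresses below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed configuration (assumptions, not taken from the thread's servers).
LOCAL_DOMAINS = {"mycorp.com", "myserver.mycorp.com"}      # domains we accept mail for
LOCAL_MAILBOXES = {"hung", "alex", "jim"}                    # users that actually exist
RELAY_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]   # "Hosts and clients with these IP addresses"


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False   # "Hosts and clients that successfully authenticate"


def normalize_recipient(addr: str) -> Optional[str]:
    """Reduce an SMTP recipient to the mailbox it would finally be delivered to.

    Handles the forms open-relay tests send:
      @local:user@remote     RFC 821 source route
      user%remote@local      percent hack
      "user@remote"@local    quoted local part
      remote!user            UUCP bang path (Test 17 in the post above)
    Returns 'user@domain', or None if the address cannot be parsed.
    """
    a = addr.strip()
    if a.startswith("<") and a.endswith(">"):
        a = a[1:-1].strip()
    if not a:
        return None
    if a.startswith("@"):                      # source route: drop the route, keep the target
        _route, sep, rest = a.partition(":")
        return normalize_recipient(rest) if sep else None
    m = re.fullmatch(r'"([^"]*)"@([^@"]+)', a)  # quoted local part
    if m:
        inner, domain = m.group(1), m.group(2)
        if any(c in inner for c in "@%!"):     # the quoted string is itself a route
            return normalize_recipient(inner)
        return f"{inner}@{domain}"
    if "@" not in a:
        if "!" in a:                           # host!user with no @ at all
            host, _, user = a.partition("!")
            return normalize_recipient(f"{user}@{host}") if host and user else None
        return None
    if a.count("@") != 1:
        return None
    local, domain = a.split("@")
    if not local or not domain:
        return None
    if "%" in local:                           # user%remote@local -> user@remote
        user, _, remote = local.rpartition("%")
        return normalize_recipient(f"{user}@{remote}")
    if "!" in local:                           # remote!user@local -> user@remote
        host, _, user = local.partition("!")
        return normalize_recipient(f"{user}@{host}")
    return f"{local}@{domain}"


def rcpt_decision(session: Session, rcpt: str) -> str:
    """Return the SMTP reply a relay-secure server should give to this RCPT TO."""
    target = normalize_recipient(rcpt)
    if target is None:
        return "501 Syntax error in recipient address"
    user, domain = target.rsplit("@", 1)
    if domain.lower() in LOCAL_DOMAINS:
        if user.lower() in LOCAL_MAILBOXES:
            return f"250 OK - Recipient <{target}>"
        # Unknown local user: refuse now, so no NDR (mail from <>) is ever queued.
        return f"550 No such user <{target}>"
    # Foreign destination: relay only for authenticated or explicitly listed clients.
    ip = ipaddress.ip_address(session.client_ip)
    if session.authenticated or any(ip in net for net in RELAY_NETWORKS):
        return f"250 OK - Recipient <{target}>"
    return f"550 Relaying denied for <{target}>"


# Recipient forms a classic open-relay test sends from an outside address.
# A relay-secure server answers 550 to every one of them.
RELAY_PROBES = [
    "<nobody@mail-abuse.org>",
    "<nobody%mail-abuse.org@mycorp.com>",
    '<"nobody@mail-abuse.org"@mycorp.com>',
    "<@mycorp.com:nobody@mail-abuse.org>",
    "<mail-abuse.org!nobody>",
    "<mail-abuse.org!nobody@mycorp.com>",
]


def run_probes(session: Session) -> Dict[str, str]:
    """Run every probe for one client and collect the replies."""
    return {probe: rcpt_decision(session, probe) for probe in RELAY_PROBES}


if __name__ == "__main__":
    # Constructed outside client (203.0.113.5 is documentation address space).
    for probe, reply in run_probes(Session(client_ip="203.0.113.5")).items():
        print(f"rcpt to: {probe:40s} -> {reply}")
```

Test 17 in the post above passes because `mail-abuse.org!nobody` contains no `@` and so looks local to a check that only inspects the domain part; `normalize_recipient` resolves it to `nobody@mail-abuse.org` first, and the outside client is then refused. The same client from 192.168.1.0/24, or with `authenticated=True`, is allowed to relay, which is exactly the pair of checkboxes Hung ended up with.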
 
Alex,

I did it, and have been testing it; it works.
Thanks so much. I have both boxes checked under routing restrictions...
both
Hosts and clients that successfully authenticate
Hosts and clients with these IP addresses

with a blank IP.
Tested with ordb.org and I am secure; interesting that the junk mail is all going to China somewhere.

i did a IP trace, almost all of them are going to the router at paix1.china-motion.com (198.32.176.104)


Hung
 
Blacklisted,

You have a few ways of doing it:
either change your IP or have it removed by ordb.com.

Hung
 
< > is an NDR.

To find out more, go to your IMC, go to Diagnostic logging. Set to medium logging for all, or maximum if you like.

Logs are kept in the exchsvr\imc*\* directory.
You will see your connections, what they send, where they send, what size it is, how long they stayed connected, IP address, their HELO/EHLO etc.

Make sure to bump your App Event log size up too. Keep a close eye on things. You will see that those < > are NDRs because they are trying to send an email to an SMTP address that does not exist.

To get around the < > NDRs I set up a Dead Letter Mailbox. This mailbox has the SMTP address of everyone that has been removed from my server; this way things don't bounce like crazy.

Bounced emails to another server will ALSO list you on blacklists if you have excessive amounts.

Go Here: This is the one I used:
 