Close the relay in Exchange 5.5

astelling

IS-IT--Management
Oct 22, 2000
AU
We have a permanent dial-up & experienced spamming via the open relay of Exchange 5.5 with an internet mail connector.
Six web searches later (& nearly bowing to MS's configuration charge of $300). LOL
These are 3 steps into closing that hole.

1: IMS (Internet Mail Service) CONNECTOR Properties
Select *Reroute incoming SMTP mail for:
<enter all your domain names that are directed to this mail server as inbound>

2: IMS CONNECTOR Properties
Routing restrictions:
Simply tick the second box 'Hosts & clients with these IP addresses'. Then (the bit MS don't tell you about) don't enter any IP addresses.

3: PROTOCOL Properties
I entered in this order of priority-
Accept/Reject:
Accept 192.168.1.0 255.255.255.0 (Internal IP range)
Accept <Own public Address & its SNM>
Reject 0.0.0.0 0.0.0.0

Then:
telnet mail-abuse.org
(on that server in case you are administering remotely)
& should pass all tests.
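
Added example (not part of the original thread, and not Microsoft's or mail-abuse.org's code): a minimal self-check in the spirit of the relay test mentioned above, for an administrator to run against their own server from an outside network. The `example.net`/`example.org` addresses are constructed placeholders, and `check_relay` and `verdict` are names introduced here.

```python
import smtplib
import sys

OUTSIDE_SENDER = "relay-check@example.net"  # constructed; reserved example domain
OUTSIDE_RCPT = "relay-check@example.org"    # constructed; not one of your domains


def verdict(case, code):
    """Interpret the RCPT TO reply code for one probe case."""
    accepted = 200 <= code < 300
    if case == "relay":
        # Acceptance is a warning sign, not proof: some servers accept the
        # recipient and discard or bounce the message later.
        return "POSSIBLE OPEN RELAY" if accepted else "closed"
    return "ok" if accepted else "inbound mail refused"


def check_relay(host, local_domain, port=25, smtp_factory=smtplib.SMTP):
    """Probe a server you administer; returns {case: (code, verdict)}.

    Only MAIL FROM and RCPT TO are issued, never DATA, so nothing is queued.
    """
    cases = {"inbound": f"postmaster@{local_domain}", "relay": OUTSIDE_RCPT}
    try:
        smtp = smtp_factory(host, port, timeout=15)
    except (OSError, smtplib.SMTPException) as exc:
        # The server may refuse the connection outright; nothing can relay then.
        return {"connect": (None, f"no SMTP session: {exc}")}
    results = {}
    try:
        smtp.helo("relay-check.example.net")
        for case, rcpt in cases.items():
            smtp.rset()                     # start a clean envelope
            smtp.mail(OUTSIDE_SENDER)
            code, _ = smtp.rcpt(rcpt)
            results[case] = (code, verdict(case, code))
    except (OSError, smtplib.SMTPException) as exc:
        results["session"] = (None, f"aborted: {exc}")
    finally:
        try:
            smtp.quit()
        except (OSError, smtplib.SMTPException):
            pass
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for case, (code, text) in check_relay(sys.argv[1], sys.argv[2]).items():
            print(f"{case:8} {code} {text}")
    else:
        print("usage: relay_check.py <your-mail-host> <one-of-your-domains>")
```

A correctly closed server reports `inbound ... ok` and `relay ... closed`; run it from an address outside the Accept ranges, since a check from the internal network is allowed to relay by design.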


 
Or just set do not reroute on your IMS...
 
Zel:
Per a lot of MS info, "Do not reroute" has holes in it; far better to route and set the restrictions Astelling has detailed.
-Steve
 
ok,

i'm trying to follow these directions. i admit my questions are very dumb ones, but i'll take the heat of the embarrassment.

1. when you are accepting your own public address in step three, what address do you mean exactly. is this the public ip address of the mail server?

2. what subnet mask should be used for the ip address of the public mail server?

3. does the dns name of the mail server have to be separately added to be accepted?
 
Add your Exchange server public IP and its own subnet mask i.e. 90.1.2.10 255.255.255.0 (just as it is in the router/modem/leased-line-terminal that connects you to the WAN.)

The UNC name for the server is not necessary because you have used its public address (in the line above.)

Alex
 
Two questions on this:

1) If users are accessing email accounts from the Exchange Server from offsite, and through a different ISP, will they still be able to send email through an account on this mail server under the configuration specified here (in other words, will they still be able to relay through this server if they have an account on it even though they are not originating from a local IP address)? Currently the server is set to require authentication and that seems to work.

2) With regard to step 3, "Protocol Properties", where is that information set? Is it under (drilling down) the domain, configuration, connections, IMS, Connections, accept connections?

Thanks.
 
Baddog,

1. If you have set your external clients IP and they have valid authentication on your domain they will still be able to relay through your server as set above.

2. Protocol is not down in the IMS, it is up just under the servers, check protocol properties and you will find the accept/reject button.

Alex
 
As per step #3 I went to protocol preferences and looked at the connections tab. Both options are greyed out, but 'Accept all connections' is checked. Do I have something set somewhere that is blocking me from setting this?
 
Can I just add that you also need to be on service pack 2 before the "only allow authenticated users to relay" box appears.
 
This thread is very good. But I have a question about wireless handhelds. My users with pocket pc type software can receive their POP3 email from my email servers. But they cannot send because I closed the relay a long time ago. Is there any way they can send email? Their external IPs may be different every time they connect to that wireless ISP.

thanks in advance, joe.
 