
Exchange 5.5 accepting mail for non-existent users.


DistressedDes

Technical User
Aug 13, 2006
29
IE
Hi,

I have a live exchange 5.5 server. Until now it has been protected only by a firewall. I now wish to use a mail relay with anti-spam/anti-virus protection. I have built a linux/postfix/spamassassin relay for the job. However I have a snag.

One of the settings for postfix allows it to query the exchange server to establish if the destination user exists. Apparently it does this by initiating an smtp conversation with the internal server and, depending on the return from a RCPT call, determines if the user exists.

My problem is that no matter what username I enter, the exchange server returns a 250 OK signal. Thankfully, it will only accept the domain name it is supposed to (ie no relaying), but ANY username is accepted. I know this is probably a security measure (i.e. failing to confirm the existence of any specific addresses), but now that it's moving back from the internet with the relay taking the public facing role, I just want exchange to reject any username that doesn't exist, then the relay can reject the mail before it hits exchange.

Ideas welcome

Thanks
 
The usual way to do this is to cache a list of valid addresses on the front end box, and update it every few hours. This is known as recipient filtering. You can configure a scheduled export from Exchange to export a list of valid smtp addresses.
 
Thanks zbnet,

I have looked at the export, and done a manual walk-through of creating the list from exchange and importing it to postfix, but this other method would appear to offer more flexibility.

Although the method you mentioned may well end up being the answer, I was wondering if there is a setting in exchange 5.5 that turns this feature on or off (i.e. that will force a hard 550 error for non-existent users).

Thanks
 
I know doing a dynamic lookup of each incoming email's destination address sounds like a good idea, but generally it's not. In a directory harvest attack, you could receive literally tens of thousands of incoming emails - in this scenario you don't want to be handing the load back to Exchange, the whole idea is to have the front-end server filter out the rubbish for you so that Exchange can be more efficient.

If you're bothered about the latency of new addresses, set your cache rebuild time to something like 60 minutes (we do ours every 4 hours, and this works fine for us).
 
Not exactly - most of the 5.5 customers I support have an ADC, so we do a custom LDAP query to pick up the smtp addresses from AD; but the principle's the same!
 
Thanks zbnet,

Doesn't the LDAP query mean you have to bring another computer (ie the ADC) into the equation, thereby introducing another possible point of failure?

Anyway, thanks for your time. I'll try the procedure outlined above and see how I get on.

Cheers


 
Not really; if the lookup fails because the DC that it's pointing to is down then the only side effect is that new mailboxes don't make it to the recipient list (the previous version stays cached on the front-end server) - the number of people thus affected is very small, and in any case if one of the DCs is down (doesn't happen very often) you can be sure we're working on it as a priority.
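The recipient-filtering approach zbnet describes (cache the valid addresses on the front-end relay instead of probing Exchange per message, and keep the previous cache if a rebuild fails) can be shown as a small script. This is an added example, not code from the thread or from Postfix; the export format, the addresses and the `example.com` domain are constructed here, and the script assumes the scheduled export has been trimmed to one SMTP address per line before it is fed in. It produces the source text for a Postfix `relay_recipient_maps` table and models the relay's accept/reject decision so the behaviour can be checked offline.

```python
"""Build a Postfix relay_recipient_maps table from an exported address list.

Added example for the recipient-filtering approach discussed in the thread.
Assumptions (not from the thread): the export is one address per line, and
the relay accepts mail only for the domains in ACCEPTED_DOMAINS.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Constructed sample export. It deliberately contains mixed case, duplicates,
# whitespace, a foreign domain and a junk line, to show what the rebuild drops.
SAMPLE_EXPORT = """\
Alice.Smith@example.com
bob@example.com
BOB@example.com
postmaster@example.com
partner@otherdomain.example
not an address
  carol@example.com  
"""

ACCEPTED_DOMAINS: Set[str] = {"example.com"}

# Conservative address shape; anything that does not match is left out of the table.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def parse_export(lines: Iterable[str], accepted_domains: Set[str]) -> Dict[str, str]:
    """Normalise the export into {address: "OK"}, keeping only accepted domains."""
    table: Dict[str, str] = {}
    for raw in lines:
        addr = raw.strip().lower()          # SMTP addresses compare case-insensitively here
        if not addr or not _ADDR_RE.match(addr):
            continue                        # junk line or malformed address
        domain = addr.rpartition("@")[2]
        if domain not in accepted_domains:
            continue                        # not a domain this relay handles
        table[addr] = "OK"                  # duplicates collapse naturally
    return table


def build_recipient_map(lines: Iterable[str], accepted_domains: Set[str],
                        previous: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Rebuild the table; if the export came back empty (directory or export
    job unavailable), keep the previous table rather than rejecting everyone."""
    new_table = parse_export(lines, accepted_domains)
    if not new_table and previous:
        return dict(previous)
    return new_table


def render_postmap_source(table: Dict[str, str]) -> str:
    """Text in the 'key<TAB>value' form that `postmap` compiles into a hash table."""
    return "".join(f"{addr}\t{action}\n" for addr, action in sorted(table.items()))


def relay_decision(table: Dict[str, str], recipient: str, accepted_domains: Set[str]) -> str:
    """Model the front-end relay's answer to RCPT TO, with wording modelled on
    Postfix: relay denied for foreign domains, user unknown for unlisted users."""
    addr = recipient.strip().lower()
    domain = addr.rpartition("@")[2]
    if domain not in accepted_domains:
        return "554 5.7.1 Relay access denied"
    if addr in table:
        return "250 2.1.5 Ok"
    return "550 5.1.1 Recipient address rejected: User unknown in relay recipient table"


if __name__ == "__main__":
    table = build_recipient_map(SAMPLE_EXPORT.splitlines(), ACCEPTED_DOMAINS)
    print(render_postmap_source(table), end="")
    for probe in ("Bob@Example.com", "nobody@example.com", "bob@otherdomain.example"):
        print(f"{probe}: {relay_decision(table, probe, ACCEPTED_DOMAINS)}")
    # A failed rebuild (empty export) leaves the previous table in place.
    assert build_recipient_map([], ACCEPTED_DOMAINS, previous=table) == table
```

On the relay, the rendered text would be written to a file such as `/etc/postfix/relay_recipients`, compiled with `postmap`, and referenced from `main.cf` as `relay_recipient_maps = hash:/etc/postfix/relay_recipients` alongside `relay_domains`; Postfix then rejects unlisted recipients itself with a 550 before the message is ever handed to Exchange, which is the point zbnet makes about directory harvest attacks: the load stays on the front end.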
 