Hi all,
Need a bit of advice/opinions.
I was recently asked to look at an Exchange 2003 server (actually an SBS 2003 server, but this is purely E2K3 related so I thought it best to post here) that was being used as a relay. External checks from places like MXToolbox showed that the server wasn't set up as an open relay, so I jumped onto the server to have a look at how it had been configured.
The first thing I checked was the queues, and there were lots of spurious emails from random addresses going outbound to random addresses. Not good.
Next I checked the relay setup on the SMTP VS and, sure enough, the server wasn't configured as an open relay, but the person who had configured it had set it to allow relaying from all machines on the subnet and had left the "Allow all computers that successfully authenticate to relay, regardless of the list above" option checked.
That being the case, I figured that a system on the network probably had an issue (virus, malware, blah) and, as the Exchange server allowed it, was using it to relay all over the place. I changed the allowed relay IP addresses to the IP address of the Exchange server (and 127.0.0.1 for good measure), removed the config that allowed the entire subnet to relay, and then unchecked the "Allow all computers that successfully..." option. Sure enough, after deleting the built-up spam queues, no more random emails appeared in the queue.
Now here's the thing. I enabled logging on the SMTP VS to identify the client IP addresses that were accessing the SMTP VS so I could find out where the problem was. Once I checked this, all the traffic appeared to be coming from external IP addresses. I didn't expect this at all. Can anyone explain?
The only thing I can think of is that the "Allow all computers that successfully..." checkbox was the cause, but I was under the impression that this was valid only for systems that had a valid computer account in AD. Am I wrong here?
I can post a selection of the SMTP log file if anyone needs it, but I was just seeking clarification.
Cheers all.
R
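The log review described in the post (which client IPs were granted relay, and whether it was the subnet allow-list or SMTP AUTH that let them through) can be scripted rather than eyeballed. The following is an added example and is not code from the original post or from Exchange. It assumes the SMTP virtual server log is in the IIS W3C extended format with a `#Fields:` header (so it reads field names from the header rather than hard-coding positions), and the local domains, trusted relay list, LAN subnet and the sample log lines are all constructed for illustration; adjust them to the real environment. Note that SMTP authentication state is really per connection, not per IP; without a session ID in the log the script attributes it per client IP, which is adequate for spotting the pattern in the post.

```python
"""Added example (not from the original post or from Exchange): parse W3C-format
SMTP virtual server logs and report which client IPs were allowed to relay mail
to non-local domains, and which relay rule most plausibly granted it.

All constants and the sample log below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

LOCAL_DOMAINS = {"example.local", "example.com"}       # assumed: domains this server accepts mail for
TRUSTED_RELAY = {ipaddress.ip_address("127.0.0.1"),
                 ipaddress.ip_address("192.168.16.2")}  # assumed: the tightened relay list
LAN_SUBNET = ipaddress.ip_network("192.168.16.0/24")    # assumed: the subnet the old config allowed wholesale

# Constructed sample log: one LAN PC, one external host that authenticates, one external host that is refused.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-12 09:58:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-05-12 09:58:01 192.168.16.55 PC07 EHLO - 250
2008-05-12 09:58:01 192.168.16.55 PC07 MAIL FROM:<bob@example.local> 250
2008-05-12 09:58:02 192.168.16.55 PC07 RCPT TO:<alice@example.local> 250
2008-05-12 09:58:02 192.168.16.55 PC07 RCPT TO:<partner@external.example> 250
2008-05-12 09:58:03 192.168.16.55 PC07 QUIT - 240
2008-05-12 10:00:03 203.0.113.45 - EHLO - 250
2008-05-12 10:00:03 203.0.113.45 - AUTH LOGIN 334
2008-05-12 10:00:04 203.0.113.45 - AUTH - 235
2008-05-12 10:00:04 203.0.113.45 - MAIL FROM:<promo@randomsender.example> 250
2008-05-12 10:00:05 203.0.113.45 - RCPT TO:<victim1@otherdomain.example> 250
2008-05-12 10:00:05 203.0.113.45 - RCPT TO:<victim2@another.example> 250
2008-05-12 10:00:06 203.0.113.45 - QUIT - 240
2008-05-12 10:01:00 198.51.100.9 - EHLO - 250
2008-05-12 10:01:00 198.51.100.9 - MAIL FROM:<x@y.example> 250
2008-05-12 10:01:01 198.51.100.9 - RCPT TO:<someone@elsewhere.example> 550
2008-05-12 10:01:01 198.51.100.9 - QUIT - 240
"""


def parse_w3c(text):
    """Yield one dict per data record, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):    # malformed line: skip rather than mis-align columns
            continue
        yield dict(zip(fields, values))


def rcpt_domain(query):
    """Extract the recipient domain from a logged RCPT parameter such as 'TO:<user@domain>'."""
    addr = query.split("<", 1)[-1].rstrip(">")
    return addr.rpartition("@")[2].lower()


def analyse(text):
    """Return {client_ip: summary} for every client that had at least one
    RCPT to a non-local domain accepted (i.e. was treated as a relay client)."""
    per_ip = defaultdict(lambda: {"authenticated": False, "relayed": 0, "rejected": 0})
    for rec in per_ip_records(text):
        pass
    for rec in parse_w3c(text):
        state = per_ip[rec["c-ip"]]
        verb, status = rec["cs-method"].upper(), rec["sc-status"]
        if verb == "AUTH" and status == "235":       # 235 = authentication succeeded
            state["authenticated"] = True
        elif verb == "RCPT":
            if rcpt_domain(rec["cs-uri-query"]) in LOCAL_DOMAINS:
                continue                             # delivery to a local mailbox is not relaying
            state["relayed" if status == "250" else "rejected"] += 1

    report = {}
    for ip_str, state in per_ip.items():
        if state["relayed"] == 0:
            continue
        ip = ipaddress.ip_address(ip_str)
        if ip in TRUSTED_RELAY:
            granted_by = "trusted relay list"
        elif ip in LAN_SUBNET:
            granted_by = "subnet allow-list"
        elif state["authenticated"]:
            granted_by = "SMTP AUTH (allow-all-authenticated)"
        else:
            granted_by = "UNEXPLAINED (open relay?)"
        report[ip_str] = {
            "relayed": state["relayed"],
            "rejected": state["rejected"],
            "external": not (ip.is_loopback or ip in LAN_SUBNET),
            "granted_by": granted_by,
        }
    return report


def per_ip_records(text):
    """Kept separate so callers can re-use the parsed records; returns an empty iterator here."""
    return iter(())


if __name__ == "__main__":
    for ip, info in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip:15} relayed={info['relayed']} rejected={info['rejected']} "
              f"external={info['external']} granted_by={info['granted_by']}")
```

On the constructed sample the LAN PC shows up as relaying via the subnet allow-list, the 203.0.113.45 host shows up as an external client relaying via SMTP AUTH, and 198.51.100.9 does not appear at all because its only relay attempt got a 550. Any external IP that lands in the "UNEXPLAINED" bucket after the relay list and the authenticated-relay checkbox have both been tightened is worth a closer look.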