
Open relay settings on Exchange server 3

Status
Not open for further replies.

bdoub1eu

IS-IT--Management
Dec 10, 2003
440
US
I know there have been a few postings on open relay already so forgive me if this is redundant...Right now, the only setting on Internet Mail Service is: Reroute incoming SMTP mail, and there are 5 of our domain names we use for email...and then on routing restrictions, we have checked the option for: hosts and clients with these IP addresses, and in the box below this option there are no IP addresses listed. Is this the best method to prevent open relay?

I have been getting undeliverable messages sent back to our administrator account because apparently someone is sending emails on behalf of our domain name. When these emails are not deliverable, a message is sent back to the user which doesn't exist on our domain and therefore the admin mailbox receives the undeliverable email...Sounds more like spoofing than relaying, but wanted to make sure...

So my question is:
1. Are my routing options selected correctly?
2. How do I prevent someone from sending emails on behalf our domain name?

Thanks so much for your help! This is a great site and I really appreciate your time in answering my questions!!
 
So does anyone know of any organization that is doing anything about spoofing? It seems someone is sending viruses on behalf of our domain name...We don't know this is taking place until we receive the undeliverable (spammer sends email on behalf of us to xyz@company.com, no user xyz, so the email server at company.com sends an email to us saying that their email was undeliverable...Although we never sent anything, the email server at company.com doesn't know that...It's just sending back to our domain).

It appears that people are sending viruses because many of the udr's have messages about viruses being removed...

We could always set a filter in our gateway to block udr's being sent to us, but we do want people to know when they really do send a legitimate email...Besides, that would only keep us from seeing the udr's...That doesn't stop people from sending them on behalf of our domain name...We could also change our email addresses from the standard first name, first letter of last name to something more difficult...But again, that's not stopping the problem...Any ideas?
 
I'm having the same issues here. For the employees that are getting the NDR, I have had them change their password to something a little more complicated. This seems to slow the NDRs down but they still come in every once in a while. Also I still see emails sent out in the outbound queue that are not from my domain. /me shakes his head. Dunno what else to do. I'm looking into upgrading Exchange or installing the GFI gateway.
 
Definitely should not see that in the Outbound Q and you will start to see some sites that reject email from you if you do.

Did you test your server at
 
At the risk of being redundant, try this:

set routing to route the domain to inbound, click on restrictions, and choose Hosts and Clients with these IP addresses, and leave the field blank. This effectively shuts the relay door. You can test by typing the following at a command prompt:

telnet servername 25

where servername is the name of your Exchange server. The Exchange server will respond with a message similar to 220 host.domain.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.10) ready. Then enter the following commands. The commands are case-sensitive, and the punctuation (e.g., colons, angle brackets—< >) is important, so include all the marks.

1. Type
HELO me
The server will respond with 250 OK and possibly identify your IP address and your host name.

2. Type
MAIL FROM: someaddress@somedomain.com
Again, the server will respond with 250 OK.

3. Type
RCPT TO: nobody@afakedomain.com
The server will respond with 550 Relaying prohibited.

4. Using a valid address from your GAL, enter
RCPT TO: thegaladdress@yourdomain
The IMS will reply with 250 OK when it accepts the address.

5. To close the session, type
QUIT

If you do not get the 550 RELAYING PROHIBITED message, you need to try again.

To stop the NDRs, try this:

On the IMS, click the Internet Mail tab, then the notifications button. There you can set which notifications you want to receive.

Hope this helps,

Corie
 
PKI can help in resolving issues related to sender verification where a digital certificate can positively confirm your identity.
Putting in extra effort where it matters, the digitally signed emails get the job done.
 
I did try out ordb.org: Address has been verified not to be an open relay.
I do have the settings that tahoe2 recommended. Still seeing different domain names (other than my own) in the outbound queue under originator.
Thank you all for your help and info. Will have to look up the certificate issue. This will also prevent ARP spoofing, I believe. I don't really see any drawbacks to doing this other than a time-consuming implementation. Anyway thanx for the help and good luck to bdoub1eu.
 
Hi there, I'm new here.

So alright, SMTP relaying is prohibited, but:

If you open an MS-DOS command prompt:

Example

Type: telnet smtp.foo.com 25

220 smtp.foo.com
helo smtp.foo.com
250 OK
mail from: test@foo.com
250 OK - mail from <test@foo.com>
rcpt to: test2@foo.com
250 OK - Recipient <test2@foo.com>
data
354 Send data. End with CRLF.CRLF
helo
.
250 OK

This is not possible?! As I don't have any mailboxes named test@foo.com and test2@foo.com.

How do I set up authentication via ESMTP? I tried several things like: IMC Connector / Connection / Authentication by host, but I don't understand anything :(
When I check this: all my network is safe, but no one can send me mails (as they require authentication).
Anyone has a clue / solution in order to help me :)
I want users using SMTP with @foo.com in the "mail from" field to use authentication over a "telnet session".

Thanks in advance
Sylvain
 
A quick way to test your email server to verify that it isn't an open relay is to:

telnet relay-test.mail-abuse.org

from your e-mail server

It might be listed above, but I didn't check.

Craig

 
If foo.com is actually a domain name that you accept mail for, then the scenario you described is not a problem. The IMC doesn't verify that the address being sent to is valid, just that the domain specified is one that you accept mail for. Otherwise there would be lots of overhead; it could be one IMC accepting for multiple Exchange sites within an org, etc.

You can't make all hosts that want to send mail to a valid domain that you are accepting mail for authenticate. How would they know the credentials?

Authentication is mainly used if you have POP3 clients that need to send mail through your server to other domains. You normally only require authentication if someone wants to use you as a relay, not to send mail to your domain.

 
Hey all,
We are using Exchange 5.5 with the non-specified IP workaround to stop relaying. We are not listed as an open relay either, but I like to check myself every now and then. I use a site as it will not list you if you happen to be relaying. One thing I have found strange is this test:

To: "test%test.test"
From: spamtest@[mailserverip]
<<< 250 OK - Reset
>>>> MAIL FROM:
<<< 250 OK - mail from
>>>> RCPT TO:<"test%test.test">
<<< 250 OK - Recipient <"TEST%TEST.TEST">
>>>> DATA
<<< 354 Send data. End with CRLF.CRLF
>>>> MESSAGE
<<< 250 OK
SUCCESS

Note the address uses the '%' symbol instead of the normal '@' symbol ...
Is there a way to not accept anything other than the '@' symbol?

Cheers

Yosh.
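As an added example (not code from the thread or from any of its posters), here is a small Python script that automates Corie's HELO / MAIL FROM / RCPT TO relay test from earlier in the thread and, in the same session, also tries the '%'-routed recipient form that Yoshie's test uses, so an administrator can check both cases against their own server. Host names and addresses are constructed placeholders; probe_server assumes you administer the server you point it at, and demo replays a scripted transcript so it runs offline.

```python
import socket

# Constructed placeholders; the %-form is a "percent hack" source route via our domain.
EXTERNAL_RCPT = "nobody@afakedomain.com"
PERCENT_RCPT = "nobody%afakedomain.com@{our}"

def read_reply(recv):
    """Read one SMTP reply, skipping 'NNN-' continuation lines; return its code."""
    while True:
        line = recv()
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]) if line[:3].isdigit() else 0

def relay_probe(send, recv, our_domain, sender="someaddress@somedomain.com"):
    """HELO / MAIL FROM / RCPT TO for an outside and a %-routed recipient.
    Returns {recipient: (code, relays)}; relays=True means a 2xx where 550 was due."""
    results = {}
    read_reply(recv)                     # 220 greeting
    send("HELO me")
    read_reply(recv)
    for rcpt in (EXTERNAL_RCPT, PERCENT_RCPT.format(our=our_domain)):
        send("RSET")                     # fresh envelope for each attempt
        read_reply(recv)
        send(f"MAIL FROM:<{sender}>")
        read_reply(recv)
        send(f"RCPT TO:<{rcpt}>")
        code = read_reply(recv)
        results[rcpt] = (code, 200 <= code < 300)
    send("QUIT")
    read_reply(recv)
    return results

def probe_server(host, our_domain, port=25, timeout=15):
    """Run relay_probe against a live server you administer (host name assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")
        def send(line):
            f.write(line + "\r\n")
            f.flush()
        return relay_probe(send, lambda: f.readline().rstrip("\r\n"), our_domain)

def demo():
    """Replay a constructed transcript: outside RCPT refused, %-route accepted."""
    replies = iter(["220 host.domain.com ESMTP Server ready", "250 OK", "250 OK - Reset",
                    "250 OK - mail from <someaddress@somedomain.com>", "550 Relaying prohibited",
                    "250 OK - Reset", "250 OK - mail from <someaddress@somedomain.com>",
                    "250 OK - Recipient <nobody%afakedomain.com@ourdomain.com>",
                    "221 closing connection"])
    sent = []                            # commands we issued, for inspection
    return relay_probe(sent.append, lambda: next(replies), "ourdomain.com"), sent
```

A server that answers 250 to the second recipient will forward that message to afakedomain.com even though it refused the plain external address, which is exactly the result Yoshie's test reports as SUCCESS.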
 
This is a great point Yoshie.. I have also shut off open relay, and tested it using the telnet test and a few other web-based tests.. yet, in using the one you list above, I also get a "Success" when it tests using the %.
Does this mean my server is still vulnerable for open relay?
Thanks.

J
 
yoshie,

I just tried the test at the link you posted and this is what I got:

To: test%test.test@[mailserverip]
From: spamtest@[mailserverip]
<<< 250 ok
>>>> MAIL FROM:
<<< 250 invalid originator address converted to <>
>>>> RCPT TO:
<<< 551 relaying denied

I don't know of a way inside of Exchange to not accept anything other than the '@' symbol but we block relaying at our spam filter (XWall) so that the traffic doesn't even hit the exchange server.

 
The best way to stop someone from sending you *@mydomain.com, which eventually will clog up your IMS, is to get email filtering software or set up a virtual SMTP, but that will cost you some $$$. What I did was sign up with appriver.com and they will do all the filtering and virus scanning service for only 50.00 dollars a month. It is the best thing I've done for my exch 5.5. Before appriver I would receive thousands of emails sent to *@mydomain.com.

 