Recipe 7.19. Controlling Mail Relaying

Problem

You need to configure which systems are allowed to relay mail through your Exchange server.

Solution

Using a graphical user interface

You can control relay access at the virtual server level or at the SMTP connector level. This is how you do it at the virtual server:

  1. Open the Exchange System Manager (Exchange System Manager.msc).

  2. Expand the organization, Administrative Groups, the target administrative group, Servers, the target server, Protocols, and SMTP containers.

  3. Unless you need to permit authenticated SMTP users to relay through your server, uncheck the Allow all computers which successfully authenticate to relay, regardless of the list above checkbox. Leaving this checked can provide an avenue for stealth relay and password-discovery attacks.

  4. If you wish to restrict a small group of computers from relaying through your virtual server (this is usually only suitable for a server on your internal network), select All except the list below. Otherwise, select Only the list below to permit relay only to the systems listed.

  5. Click the Add button and add a single IP address, a group of IP addresses, or a domain name. Click OK.

  6. When you have the correct entries in the list, click OK.

Here is how you control relay access at the SMTP connector:

  1. Open the Exchange System Manager.

  2. Expand the organization, Administrative Groups, the target administrative group, Routing Groups, the target routing group, and Connectors containers.

  3. Right-click the desired SMTP connector and click Properties. Click the Address Space tab.

  4. If you wish to allow relaying through this routing group's bridgehead servers for the domains listed in the address space list, check the Allow messages to be relayed to these domains checkbox.

  5. Click OK.

Discussion

One of the big improvements in Exchange 2000 and Exchange Server 2003 is that the server is no longer an open relay out of the box. Controlling relaying is an important feature because there are times when you need to allow a subset of systems or users to relay messages through the server. You can control relaying at the level of both the SMTP virtual server and the SMTP connector.

Controlling relaying at the SMTP connector allows you to specify rules for an entire group of bridgehead servers at once. The relay permissions on an SMTP connector apply to all address spaces handled by the connector, so if you have multiple address spaces listed and need to permit relaying for only one of them, you will need to move that address space to a new SMTP connector (see Recipe 7.4 for details). The connector relay settings override the relay settings for any associated SMTP virtual servers.

Setting the relay options on the virtual server allows you to enable or disable authenticated relay. Any authenticated user account will be able to relay through the virtual server; because this setting is enabled by default, spammers have taken to locating Exchange servers and running password attacks on known and likely accounts using SMTP authentication. See Recipe 11.2 for more details on this attack, how to detect it, and how to prevent it. Unless you absolutely need to allow authenticated user relay, disable this setting on every Internet-facing virtual server.
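As an added illustration (not code from the cookbook or from Exchange), the following Python model evaluates a Relay Restrictions configuration the way the dialog above describes it: an allow-list ("Only the list below") or block-list ("All except the list below") of IP addresses, IP groups and domain names, plus the authenticated-relay override. The policy values, client addresses and domains are constructed, and the domain-name check assumes the caller supplies the client's reverse-DNS name.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RelayPolicy:
    """Model of the Relay Restrictions dialog on an SMTP virtual server (constructed, not Exchange code)."""
    only_list_below: bool      # True = "Only the list below", False = "All except the list below"
    entries: tuple             # single IPs, IP groups (CIDR) or domain names, as typed into the list
    relay_for_auth: bool       # "Allow all computers which successfully authenticate to relay, regardless of the list above"
    local_domains: frozenset   # domains this server accepts mail for; accepting those is delivery, not relaying


def _entry_matches(entry, client_ip, client_host):
    """An entry is a single IP, an IP group (CIDR), or a domain suffix matched against the client's reverse-DNS name."""
    try:
        return client_ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass                                   # not an IP or network, so treat it as a domain name
    if not client_host:
        return False                           # no reverse lookup result: a domain entry cannot match
    host = client_host.lower().rstrip(".")
    dom = entry.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def relay_allowed(policy, client_ip, authenticated, rcpt_domain, client_host=None):
    """Return True if this virtual server would accept RCPT TO for rcpt_domain from this client."""
    if rcpt_domain.lower() in policy.local_domains:
        return True                            # inbound mail for our own domains is delivery, not relay
    if authenticated and policy.relay_for_auth:
        return True                            # the override the recipe tells you to disable
    ip = ipaddress.ip_address(client_ip)
    listed = any(_entry_matches(e, ip, client_host) for e in policy.entries)
    return listed if policy.only_list_below else not listed


# Constructed sample policies: the same allow-list with the authenticated-relay box checked (WEAK)
# and unchecked (HARDENED), as the recipe recommends for an Internet-facing virtual server.
WEAK = RelayPolicy(True, ("10.0.0.0/8", "192.168.1.25"), True, frozenset({"example.com"}))
HARDENED = RelayPolicy(True, ("10.0.0.0/8", "192.168.1.25"), False, frozenset({"example.com"}))

if __name__ == "__main__":
    # An Internet host presenting a valid account password: relays under WEAK, is refused under HARDENED.
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, relay_allowed(pol, "203.0.113.7", True, "example.net"))
```

The listed internal addresses relay under both policies; only the authenticated-override result differs, which is exactly the exposure the recipe describes.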

See Also

Recipe 7.1 for creating new SMTP virtual servers, Recipe 7.4 for creating new SMTP connectors, and Recipe 10.2 for SMTP authentication



Exchange Server Cookbook
Exchange Server Cookbook: For Exchange Server 2003 and Exchange 2000 Server
ISBN: 0596007175
Year: 2006
Pages: 235