Recipe 7.19. Controlling Mail Relaying

Problem

You need to configure which systems are allowed to relay mail through your Exchange server.

Solution

Using a graphical user interface

You can control relay access at the virtual server level or at the SMTP connector level. This is how you do it at the virtual server:
Here is how you control relay access at the SMTP connector:
Discussion

One of the big improvements in Exchange 2000 and Exchange Server 2003 is that they are no longer open relays out of the box. Controlling relaying is an important feature because there are times when you need to allow a subset of accounts or users to relay messages through the server. You can control relaying at the level of both the SMTP virtual server and the SMTP connector.

Controlling relaying at the SMTP connector allows you to specify rules for an entire group of bridgehead servers at once. The relay permissions on an SMTP connector apply to all address spaces handled by the connector, so if you have multiple address spaces listed and need to permit relaying for only one of them, you will need to move that address space to a new SMTP connector (see Recipe 7.4 for details). The connector relay settings override the relay settings for any associated SMTP virtual servers.

Setting the relay options on the virtual server allows you to enable or disable authenticated relay. When authenticated relay is enabled, any authenticated user account can relay through the virtual server. Because this setting is enabled by default, spammers have taken to locating Exchange servers and running password attacks on known and likely accounts using SMTP authentication. See Recipe 11.2 for more details on this attack, how to detect it, and how to prevent it. Unless you absolutely need to allow authenticated user relay, disable this setting on every Internet-facing virtual server.

See Also

Recipe 7.1 for creating new SMTP virtual servers, Recipe 7.4 for creating new SMTP connectors, and Recipe 10.2 for SMTP authentication.
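After changing relay settings, it is worth confirming from an outside host that your own virtual server refuses unauthenticated relay. The following Python check is an added example, not part of the original recipe; the function names, the `smtp_factory` parameter and the example.org / example.net addresses are assumptions for illustration, and the recipient must be in a domain your server does not handle.

```python
import smtplib

def classify_rcpt(code):
    """Map the RCPT TO reply for an external recipient to a verdict."""
    if code in (250, 251):
        return "relay-accepted"   # server agreed to take mail for a foreign domain
    if 500 <= code < 600:
        return "relay-denied"     # e.g. 550 "Unable to relay"
    return "inconclusive"         # 4xx temporary failure, greylisting, etc.

def check_relay(host, port=25, helo="relaytest.example.org",
                mail_from="probe@example.org", rcpt_to="probe@example.net",
                smtp_factory=smtplib.SMTP, timeout=15):
    """Ask the server, without authenticating, to accept an external recipient.

    The transaction is reset before DATA, so no message is ever submitted.
    Also reports whether AUTH is advertised, since an Internet-facing server
    offering AUTH with authenticated relay enabled invites password guessing.
    """
    smtp = smtp_factory(host, port, timeout=timeout)
    try:
        smtp.ehlo(helo)
        auth_offered = smtp.has_extn("auth")
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return {"verdict": "inconclusive", "code": code,
                    "auth_offered": auth_offered}
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()               # abandon the envelope; nothing is sent
        return {"verdict": classify_rcpt(code), "code": code,
                "auth_offered": auth_offered}
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass                  # server already closed the connection

if __name__ == "__main__":
    # Placeholder host name (assumption): replace with your own server.
    print(check_relay("mail.example.com"))
```

A `relay-accepted` verdict only shows that the envelope was accepted at the RCPT stage; some servers accept and later discard, so confirm against the server's queue or logs.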