mercman2000

asked on

SMTP working great, incoming messages are not delivered

We had quite a problem with spammers recently.  Thanks to everyone that helped me, that has stopped dead in its tracks.  We now have a new problem.  When I send a message, it reaches its destination without any problem.  However, when I attempt to send from a remote server to this one, the message does not ever reach this server.

For the SMTP settings, what I changed was turning off anonymous access and only allowing connections from the 192.168.0.0 subnet.  I undid this for a few hours and thankfully we were not being used as a relay again, but a message I sent from both hotmail and netscape did not reach me, despite those settings being off.  It's back to the way it was.  I have reset the server, stopped and started the POP3 service, and even deleted and re-created the SMTP connector.  As a last resort, I was going to unmount the store, backup the database, re-install exchange completely, then reconnect the mailboxes, but I don't want to go that route just quite yet.

We are running Windows 2000 Server, Service Pack 3.  Microsoft Exchange Server 2000, Service Pack 3 as well.  All the latest security related patches have been applied that I know of.

Local delivery, going from this domain to this domain, does not have a problem.  I can send a message from myself to my boss and it's available in his inbox immediately.  It's when I try to send from not this domain that I have a problem.  Port 110 is open on the router, telnetting to 192.168.1.4 110 works fine.  I have not tried to telnet to the port from outside as of yet.

Until I get the chance to run an external telnet test, is there any other kind of diagnostic I can perform to try to figure out why it isn't working?
Vahik

So mercman, what settings do you have enabled on your SMTP authentication? If it is anything but anonymous it won't work.

ASKER

Exactly what won't work if it's not anonymous?

Incoming mail?  I reverted to the original authentication settings then sent a message externally, and I failed to get it.  The server was wide open for an hour.  From what you are saying, I have to have my SMTP port wide open, letting anyone that wants to rape the port have their way with my server.  Why, might I ask, do I have to have anonymous external access to a service that is designed to send mail, when it's receiving mail I'm having trouble with?  I don't think you fully understand my problem.
Sorry mercman, I spoke too soon. Please disregard my comment.
Mercman, you enable anonymous connections inbound, because no one in the outside world will authenticate with you, unless you give them an account and password to do so. It would actively refuse the connection if you have it set to authenticate, and the incoming connection isn't authorized. That's why front end servers are a great thing: you can authenticate the session between FE and BE.
Port 110 is POP3, and has no effect on whether or not your server is able to receive email in this case. This is about SMTP. Out of the box, Exchange 2000 is closed for relay, so if you were open for relay at all, it's because something changed after the initial install. I have my server set for all 3 methods of authentication, Anon, TLS, and integrated Windows. I'm pretty sure I'm not an open relay. Feel free to try and telnet to my server and check it out if you want.

So if you would, share with us what you're seeing, and the current settings of your SMTP VS, and/or SMTP connector if you have one, we'll be glad to take a look.

D
Ok, now we are getting somewhere.

220 allmine.kidego.net Welcome to kidego's world. Spammers' efforts are fruitless! Thu, 20 Nov 2003 21:24:34 -0500
helo
250 allmine.kidego.net Hello [xxx.xxx.xxx.xxx]
MAIL FROM: someuser@domain.net
250 2.1.0 someuser@domain.net....Sender OK
RCPT TO: this@email.com
550 5.7.1 Unable to relay for this@email.com
QUIT

I tried, and you are not an open relay.  We don't have front end or back end.  We're a college with limited money and resources.  We can't afford a setup like you are talking about.

God, I am about to pull my hair out.  I worked on nothing but this for a month straight, 14 hours per day.  I am on the brink of insanity.  Vahik, I'm sorry I snapped at you.  I've just been under a considerable amount of stress from all this, as you can understand.

In ours, the spammer is doing RCPT TO: blahblah@net.net and the little #$^&^$# gets in.  I turn off anonymous access, and he spends quite a bit of time hacking into the server, and now he had a valid AUTH string to get in, so there goes basic auth.

Ok.  Anonymous is on, I went into the connector, no, went into SMTP virtual server properties, turned on anon access and basic auth, removed the IP access range, went into the connector, turned off relaying in the address space, saved, telnetted into port 25 on the server, and I get what I got when I did RCPT TO on yours.

No relaying?  Ok, now I have a new question, yay!  I'm getting e-mail now, but that's not my question.  What if this guy that has a good AUTH login returns?  Can he still use the server to relay, because he has a valid username/pass??  I'm guessing no, because I turned off relaying completely in the connector.

I should have come here earlier.  I'm going to go cry in a corner now.  I'll be back later.
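The relay test in the telnet session above, scripted as an added example (not code from the thread): it drives the banner / HELO / MAIL FROM / RCPT TO dialogue and reports the RCPT TO reply code, so an administrator can re-check their own server after every configuration change. The host, sender and recipient names are placeholders, and `probe_transcript` runs the same logic offline against a constructed server transcript.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply (continuation lines have '-' after the code);
    return (code, text). Raises if the server closes the connection."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)

def send_cmd(rfile, wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)

def relay_probe(rfile, wfile, helo_name, sender, external_rcpt):
    """Drive banner / HELO / MAIL FROM / RCPT TO and return the RCPT TO code.
    550 = relaying refused (what the telnet test above shows);
    250 = an unauthenticated client may relay to a foreign domain: open relay."""
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected banner: {code} {banner}")
    for cmd in (f"HELO {helo_name}", f"MAIL FROM:<{sender}>"):
        code, text = send_cmd(rfile, wfile, cmd)
        if code != 250:
            raise RuntimeError(f"{cmd} failed: {code} {text}")
    code, _ = send_cmd(rfile, wfile, f"RCPT TO:<{external_rcpt}>")
    wfile.write(b"QUIT\r\n")  # don't wait for the 221; some servers just close
    wfile.flush()
    return code

# Placeholder HELO name, sender and foreign recipient (constructed values).
PROBE = ("probe.example.invalid", "probe@example.invalid",
         "relaytest@example.invalid")

def probe_transcript(server_lines):
    """Run relay_probe offline against a constructed server transcript."""
    return relay_probe(io.BytesIO(server_lines), io.BytesIO(), *PROBE)

def check_host(host, port=25):
    """Run relay_probe against a live server you administer."""
    with socket.create_connection((host, port), timeout=15) as sock:
        return relay_probe(sock.makefile("rb"), sock.makefile("wb"), *PROBE)
```

Any code other than 250 on the RCPT TO means the server declined to relay for an anonymous client; the thread's own test produced 550 5.7.1.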
No problem Mercman, I did the same thing recently, sometimes the stress will eat us up. Now as far as a front end server goes, I have one at work that is nothing more than Windows 2003 and the SMTP service in my DMZ. I have a $99 spam filter on it, and it receives all my mail and forwards it to my domain internally by IP address. So, as far as expense goes, this is fairly light. If you think someone has hacked you, you can turn off unused accounts, especially the guest account.

I don't allow anything to relay. Also, I turned SMTP logging on, and I monitor the day's events. If I see an IP address that is constantly trying to get in, I block the ability for them to connect. You really should look at a front end server, be it Windows or Linux, to shield your internal domain and Exchange server. It's really worth it, and you look like a genius to your managers!

D
Mercman, no offense taken. I realized you were upset, so that is why I asked you to disregard my comment so you could hear it from someone else. Kidego is much more patient than I am, so points for him.
Now to your real problem: if you have someone who has a valid user and password then you must make sure everyone changes their password at next logon and also enable complex passwords in your Active Directory (it has problems of its own with calls from folks who will forget their passwords, but better than being spammed) until this problem is under control. You should wait until kidego gives his opinion.
No Vahik, you're right, change the password policy. Err on the side of caution. Vahik, go get your points I posted for you. :)

D
They are back.  It says it doesn't allow relaying, but in a matter of minutes, 200 queues have built up.  They are relaying.  Again.
Mercman, unplug your server now. I am busy; I will call back in a few minutes. DO NOT PANIC.
Ok, do you allow POP3 or OWA into your server? If you do, just disable the POP3 server, and if you have many users make sure whatever port you are using for OWA is not forwarded to your Exchange server. Also go to your SMTP virtual server and make sure "allow computers that authenticate regardless of list above" is unchecked. Do these and call back.
Now port 25 is completely closed on the server.  I'm going to check the event logs.
Well mercman, I got to go. Call back tomorrow if you still need help. Don't forget, if you accept, points go to kidego. Also make sure all the emails that are in your queue are from outside and not from inside. It may be that one (or more) of your clients (inside your domain) are infected and are sending those emails.
Kidego, thanks for the points but I won't take it. It is not necessary since we have not solved this problem yet and no points are awarded.
Thanks again.
Block the IP address of the source of the spam. Did you turn on SMTP logging yet, on the SMTP VS?

d
The guy that was spamming has been blocked and remains blocked.  He's portscanning right now trying to find an alternate way of entry.  I'll keep an eye on traffic from him and block him at the router if need be, but I don't like modifying the configuration on the router.

Another problem arises though.

Port 25 and 110 are open and responding to commands again.  I removed the connector first, took the default server and put it up on port 65000, then disabled it.  I created a new SMTP server, left anonymous access on as well as basic authentication.  This being done, I created a connector for it and configured the external DNS servers as we had it setup before, then saved everything.  SMTP is accepting messages to go out as well as messages to come in.  They sit in the queue "Messages awaiting directory lookup".  The queue has a constant state of "Retry", it'll be doing that in about 20 minutes or so.  I try "force connection" via a right click, and the state changes to active, but when I refresh, it goes right back to Retry.  When I force the connection, it seems like 8 or so messages disappear, but when it is refreshed, it is back to the original number, as if those messages had never left.

I'm going to have ethereal running while I try to force the connection, maybe that will shed some light on why they aren't going out.  Until then, I have to go help an employee on an unrelated matter, so I'll be gone for a bit.

Thank you both for all of your help so far, you have been great.
It's all working now.  I'm going to let the configuration ride for a week, see how it goes.
External DNS entries on your SMTP connector are a no-no. Exchange has a hard time finding itself to send mail, and you'll get a lot of random disappearing mail. Take DNS entries off the SMTP connector, and the virtual server as well, if you have them. Only configure DNS on the TCP/IP props on the Exchange server, and point it to your internal DNS server.
and you're welcome!

D
ouch.

Do you have a firewall?

Also, do you know anything about Linux?
We are going to be switching over to Linux soon, so I hope that will resolve all of this.

He got in over the weekend.  I've barred the IPs from accessing the server, and I setup relay restrictions so that anyone coming from 192.168.x.x is allowed to send mail.  Anyone else, even if they authenticate, they are not allowed.  My question now is this; will this stop external sources from sending in e-mail?
* I meant, is allowed to relay off the server.  I know I don't want to turn it off completely, because there are a few other businesses that are partners with the college that use our server to send out their mail.  This is, essentially, relaying.  They are tied into the 192.168.x.x subnet, so I figure this is a safe step to take, but I'm not too sure if it's going to let legitimate people that want to send mail to us still connect, like the problem I was having originally.
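A model of the relay restriction just described, added here as an example (it is not Exchange's code and not from the thread), to separate the two cases the question conflates: inbound delivery to the college's own domain versus relaying to a foreign domain. The local domain, the trusted 192.168.0.0/16 network and the sample sessions are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: the college's own mail domain and the network that
# is allowed to relay (the 192.168.x.x restriction described above).
LOCAL_DOMAINS = {"college.example"}
RELAY_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

def relay_decision(client_ip, authenticated, rcpt):
    """Decide one RCPT TO. Returns (accepted, reason).
    Mail addressed to a local domain is inbound delivery and is always taken;
    mail for any other domain is relaying, allowed only from RELAY_NETWORKS.
    Authentication alone never grants relay, so a stolen username/password
    used from outside buys the spammer nothing."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETWORKS):
        return True, "relay: client on the trusted network"
    who = "authenticated" if authenticated else "anonymous"
    return False, f"relay refused: {who} client outside the trusted network"

# Constructed sessions: (client IP, authenticated?, recipient).
SAMPLE_SESSIONS = [
    ("203.0.113.5", False, "boss@college.example"),      # Hotmail-style inbound
    ("192.168.1.50", False, "partner@supplier.example"),  # partner business relaying
    ("203.0.113.9", True, "victim@elsewhere.example"),    # spammer with stolen creds
    ("203.0.113.9", False, "victim@elsewhere.example"),   # spammer, anonymous
]

def evaluate_samples():
    """Return [(rcpt, accepted)] for SAMPLE_SESSIONS: only the two relay
    attempts from outside are refused, so inbound mail still flows."""
    return [(rcpt, relay_decision(ip, auth, rcpt)[0])
            for ip, auth, rcpt in SAMPLE_SESSIONS]
```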
ASKER CERTIFIED SOLUTION
David Wilhoit
You can switch to Linux for a relay agent type server.. just setup a workstation to relay mail to your Exchange box.. that way you keep the features of Exchange, but enable security at the internet side.. and you don't have to worry about users giving away a password, unless the haxor is connecting locally.

An awesome setup I use is Postfix with SpamAssassin.  SpamAssassin kills a lot of external spam coming in (if you have that problem) and Postfix acts as the MTA.  In your case you could just setup Postfix on a desktop and have it forward email to your Exchange box.  Postfix is VERY secure, it's free, and it's not very hard to configure.  Postfix will just be handling your incoming email though...  I wouldn't bother having it deal with the sending.. let Exchange do that.  Then just leave your Exchange box hooked to the internet and deny anyone connection to it other than the Postfix box.. that way if your Linux box dies for any reason you can continue to get mail...  also the Postfix box will act as a mailbag if your Exchange box crashes....  bottom line.. you get a lot of benefits from a 2 tier solution.

www.postfix.org

I also would suggest running it on Slackware, but if you are not too familiar with Linux, go with Red Hat.  With Red Hat you just select it as an installed server (you can even select SpamAssassin) during the installation of Red Hat.. then you just configure it later.  I suggest Slackware because you can do some more customizing with it and it's a closer build to Unix than Red Hat.  They have great tutorials on Postfix setup on the Postfix site along with some example scripts.

Final word on this.. Postfix is not the only one out there, but it was built as a secure mail server, not transformed into one....