

Unauthorized user logged into the SMTP server.

Posted on 2004-10-11
Medium Priority
Last Modified: 2008-02-01
I'm getting single-named, unauthorized users in my Exchange 2003 SMTP connector for long periods of time. I have Anonymous, Basic Authentication, and Integrated Windows Authentication enabled in my default SMTP settings. What can I do to kill these users without killing all of my email?
Question by:dmalford
LVL 15

Expert Comment

ID: 12274331
What is your SMTP server doing? Like is it just there to receive email from other hosts, or is it there to relay email for your domain?

Can you fill us in on some of the other settings - relay restrictions, if certain users are granted access or denied access, if relaying is enabled for domain.com or * or anything?

Probably the simplest measure you can take is to uncheck the "allow computers which authenticate to relay regardless of the list above" - that will stop anyone with a valid user/pass from relaying. It will, however, stop authorised users from sending email via SMTP. If they send via Outlook (using Exchange) or Outlook Web Access they'll be fine, but Outlook Express, Eudora et al will be hamstrung.

Expert Comment

ID: 12274376
Sounds like an open relay issue.

Go here to test your relay http://www.ordb.org/submit/
Post your results and more info re settings on SMTP server.

Author Comment

ID: 12277101
The server has not been listed as an open relay and has passed the required tests.

LVL 15

Expert Comment

ID: 12277298
From your description I discounted the OR theory - I think you need to force a password policy on the domain, and force all users to change their passwords and/or (preferably 'and') remove the authenticated relay from the Virtual SMTP server.

Oh, and an expert tip - try not to respond only to the last comment. You're more likely to get follow-up advice if you respond to each suggestion in turn.

Expert Comment

ID: 12281715
I think forcing a password policy on the domain is not the way to go!

You will not be able to receive e-mail from anyone who does not log in to your server, meaning e-mail flow into your organization will stop. This can be very bad for business.

So here is what you can do.

1: Ignore it since it really does not hurt anything other than a small amount of bandwidth.

2: Go into your Exchange System Manager and expand Administrative Groups - First Administrative Group - "your Server Name" - Protocols - SMTP - Current Sessions

Once you find the offending user, right-click on the connection, write down the IP address, and terminate it.

You can block this user in your SMTP settings:

To do this you can right click on your Default SMTP connection and click on properties.

Once you do this click on the Access Tab and then find Connection Control. Click on the Connection Button.

You will see the following.
It will ask you to "select which computers may access this virtual server".
You want to have the radio button "All except the list below" checked,
and below "Computers" you can add in the IP address of the offending connection.

Now you have blocked the offending connection.
LVL 15

Expert Comment

ID: 12281875
Falcon - there is nothing wrong with my suggestion. It will still allow inbound mail to the SMTP server, but it will prevent anyone using a stolen login and password from relaying through the server.

You do not need any form of relaying enabled to send mail to an SMTP server. None, nada, nix. You do not need a valid user/pass to send email to a domain. Spammers will use BRUTE FORCE methods to attempt to relay via SMTP servers - I've seen them doing it.

Blocking individual IPs is a waste of time and resources - spammers rarely use the same IP twice.

The only downside to removing authenticated relaying is that authorised users will be unable to send email from a non-MAPI mail client, such as those I have already listed. dmalford has not chosen to fill us in on if that is required or not, but if it is then he has NO choice but to force a system-wide password change, and enforce a secure password policy.

I would suggest the password policy change as a matter of course - who knows what passwords have been hacked? Do you really think it is wise that he proceed with at least one compromised password in the system?

Expert Comment

ID: 12282008
I was thinking you were talking about forcing a password policy for the SMTP relay virtual server. My bad, hey we all make mistakes right! Especially when the wife calls. I agree with you that this person needs to force a password policy on the domain.

I would also highly suggest clearing the "allow users who authenticate to relay regardless of the list above". The way to find this is in the SMTP properties under the access tab and the relay tab.

Accepted Solution

Snodlander earned 1500 total points
ID: 12282723
Rather than blocking access to the SMTP virtual server via IP for each individual anomaly that shows up, you should be allowing ONLY machines with local IP addresses (or, in the case of multiple subnets, machines with a name *.yourdomain.com) to access your SMTP server. Deny everyone else even if authenticated by other means. As administrator you should be privy to knowing who exactly should be able to access your server, at least in terms of IP Addresses and Domain Name.
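
Added example, not part of the thread and not Exchange's own code: a Python comparison of the two Connection Control choices discussed above, "All except the list below" (per-incident blocking, ID 12281715) and "Only the list below" (the allow-list in the accepted solution). The session records, subnets, and the mode names `all_except` / `only` are constructed for illustration.

```python
import ipaddress

def permits(source_ip, mode, entries):
    """Return True if the connection-control list lets source_ip connect.

    mode "all_except": everyone may connect unless listed (deny-list).
    mode "only":       nobody may connect unless listed (allow-list).
    entries may be single addresses or CIDR networks.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    listed = any(addr in ipaddress.ip_network(e, strict=False) for e in entries)
    if mode == "all_except":
        return not listed
    if mode == "only":
        return listed
    raise ValueError("unknown mode: %r" % mode)

def admitted(sessions, mode, entries):
    """Sessions (user, ip) that the given policy would let through."""
    return [s for s in sessions if permits(s[1], mode, entries)]

# Constructed sample: sessions as written down from Current Sessions.
# Addresses come from private and documentation ranges.
SESSIONS = [
    ("jsmith", "10.1.2.15"),      # internal workstation
    ("scanner", "10.2.0.40"),     # internal device on a second subnet
    ("admin", "198.51.100.23"),   # external, blocked after first sighting
    ("admin", "203.0.113.77"),    # same login, new external address
]
DENY_LIST = ["198.51.100.23"]                 # per-incident block
ALLOW_LIST = ["10.1.0.0/16", "10.2.0.0/16"]   # assumed internal subnets

if __name__ == "__main__":
    for name, mode, entries in (("deny-list", "all_except", DENY_LIST),
                                ("allow-list", "only", ALLOW_LIST)):
        print(name, "admits:", admitted(SESSIONS, mode, entries))
```

With the deny-list, the second external session gets through because its address has not been seen before; with the allow-list, only the two internal sessions are admitted.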
LVL 15

Expert Comment

ID: 14328471
I think my answer is the best, but Snodlander also has a valid response in #12282723

I would not argue if you decide to Delete/No refund as abandoned, either.
