Solved

Trying to better lock down Default Virtual Server SMTP Authentication settings

Posted on 2006-06-20
Last Modified: 2008-02-01
I am trying to understand how to better lock down Exchange Server 2003. I don’t have any POP3 or IMAP users, so I don’t have the need for any users to relay mail. All of my Exchange users are using Outlook in Exchange mode only. Keeping this in mind, can I safely disable "Basic authentication" and "Integrated Windows Authentication" under the Default Virtual Server SMTP Authentication settings?

Also from my understanding I will need to keep “Anonymous access” enabled or otherwise other email servers will not be able to send mail to this server? Is this correct?

Thanks
Question by:illtbagu
4 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16946334
The first rule of Exchange - if you don't know, don't touch.
As such you shouldn't change the settings on the SMTP virtual server. Exchange is based on SMTP and making changes to the VS will break things - usually distribution groups.

If you don't have anyone who needs to relay through the server then simply disable the option to allow authenticated users to relay through the server.

Simon.
0
 
LVL 1

Author Comment

by:illtbagu
ID: 16947179
>The first rule of Exchange - if you don't know, don't touch.
For me that’s the rule for anything. I don't touch unless I know, that’s why I am asking and trying to further educate myself by people with EE Exchange expert certifications like yourself : )

I have read that by default the Anonymous access, Basic authentication, and Integrated Windows Authentication are all selected. However I have read that this might be changed to further tighten the security of Exchange. Microsoft published a document called "Microsoft Exchange Server Intelligent Message Filter (v2) Operations Guide" that basically is telling a whole different story.
http://www.microsoft.com/downloads/details.aspx?familyid=b1218d8c-e8b3-48fb-9208-6f75707870c2&displaylang=en
On pages 9 and 10 of this document it is saying that for SMTP gateways (which I only have 1 Exchange server and it is acting as an SMTP gateway) I can disable the Basic authentication and Integrated Windows Authentication options.

However I did find another publication from Microsoft that is telling me what you are:
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/0285bc67-0768-4994-a525-bec861177a4d.mspx?mfr=true
It states that “By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.”

> If you don't have anyone who needs to relay through the server then
> simply disable the option to allow authenticated users to relay through the server.
Could you please tell me where this setting is at? Are you talking about the “Relay restrictions” in the “Default SMTP Virtual Server” properties? The setting I assume you are talking about is “Allow all computers that successfully authenticate to relay, regardless of the list above”

Thanks for your expert advice!
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 16947217
You are not running a gateway machine.
A gateway machine is a separate machine that acts as the gateway to other machines. A single server configuration does not count as a gateway.

You have the setting I was referring to correct. It is enabled by default and can be safely turned off. Don't confuse wanting to relay.

Simon.
0
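
An added example, not part of the original thread or of any Microsoft tooling: a small Python check an administrator can run against their own server to confirm the points discussed above, namely which authentication methods the SMTP virtual server advertises, that anonymous inbound mail for a hosted domain is still accepted, and that anonymous relay to an outside domain is refused. The host names, addresses and sample EHLO reply are constructed, and the mapping of LOGIN/PLAIN to "Basic authentication" and NTLM/GSSAPI to "Integrated Windows Authentication" is an assumption of this example.

```python
import smtplib

# Assumed mapping from ESMTP AUTH mechanisms to the check boxes in the thread.
BASIC = {"LOGIN", "PLAIN"}
INTEGRATED = {"NTLM", "GSSAPI"}

# Constructed sample EHLO reply, not captured from a real server.
SAMPLE_EHLO = ("250-mail.example.test Hello [192.0.2.10]\n250-SIZE\n"
               "250-AUTH GSSAPI NTLM LOGIN\n250-AUTH=LOGIN\n250 OK")

def auth_mechanisms(ehlo_text):
    """Return the set of AUTH mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_text.splitlines():
        line = line.strip()
        # Accept raw wire lines ("250-AUTH ...") and smtplib's code-stripped form.
        if line[:3].isdigit() and line[3:4] in ("-", " "):
            line = line[4:]
        if line.upper().startswith("AUTH"):
            mechs.update(line[4:].replace("=", " ").upper().split())
    return mechs

def assess(ehlo_text, local_rcpt_code, external_rcpt_code):
    """Summarise an unauthenticated session: EHLO text plus two RCPT TO codes,
    one for a recipient the server hosts and one for an outside domain."""
    mechs = auth_mechanisms(ehlo_text)
    return {
        "basic_offered": bool(mechs & BASIC),
        "integrated_offered": bool(mechs & INTEGRATED),
        "anonymous_inbound_ok": 200 <= local_rcpt_code < 300,
        "open_relay": 200 <= external_rcpt_code < 300,
    }

def probe(host, local_rcpt, external_rcpt, sender="audit@example.test"):
    """Run the checks against a server you administer; no DATA is ever sent."""
    with smtplib.SMTP(host, 25, timeout=10) as s:
        s.ehlo()
        ehlo_text = s.ehlo_resp.decode("ascii", "replace")
        codes = []
        for rcpt in (local_rcpt, external_rcpt):
            s.rset()          # start a clean envelope for each recipient
            s.mail(sender)
            codes.append(s.rcpt(rcpt)[0])
    return assess(ehlo_text, codes[0], codes[1])

if __name__ == "__main__":
    print(assess(SAMPLE_EHLO, 250, 550))
```

The "Allow all computers that successfully authenticate to relay" setting is not exercised here, because that would require a logged-in session.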


Question has a verified solution.
