?
Solved

Trying to better lock down Default Virtual Server SMTP Authentication settings

Posted on 2006-06-20
4
Medium Priority
?
495 Views
Last Modified: 2008-02-01
I am trying to understand how to better lock down exchange server 2003. I don’t have any POP3 or IMAP users so I don’t have the need for any users to relay mail. All of my exchange users are using Outlook in exchange mode only. Keeping this in mind can I safely disable "Basic authentication" and "Integrated Windows Authentication" under the Default Virtual Server SMTP Authentication settings?

Also from my understanding I will need to keep “Anonymous access” enabled or otherwise other email servers will not be able to send mail to this server? Is this correct?

Thanks
0
Comment
Question by:illtbagu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16946334
The first rule of Exchange - if you don't know, don't touch.
As such you shouldn't change the settings on the SMTP virtual server. Exchange is based on SMTP and making changes to the VS will break things - usually distribution groups.

If you don't have anyone who needs to relay through the server then simply disable the option to allow authenticated users to relay through the server.

Simon.
0
 
LVL 1

Author Comment

by:illtbagu
ID: 16947179
>The first rule of Exchange - if you don't know, don't touch.
For me that’s the rule for anything. I don't touch unless I know, that’s why I am asking and trying to further educate myself by people with EE Exchange expert certifications  like yourself : )

I have read that by default the Anonymous access, Basic authentication, and Integrated Windows Authentication are all selected. However I have read that this might be changed to further tighten the security of exchange. Microsoft published a document called "Microsoft Exchange Server Intelligent Message Filter (v2) Operations Guide" that basically is telling a whole different story
http://www.microsoft.com/downloads/details.aspx?familyid=b1218d8c-e8b3-48fb-9208-6f75707870c2&displaylang=en
On pages 9 and 10 of this document it is saying that for SMTP gateways (which I only have 1 exchange server and it is acting as an smtp gateway) I can disable the Basic authentication and Integrated Windows Authentication options.

However I did find another publication from Microsoft that is telling me what you are
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/0285bc67-0768-4994-a525-bec861177a4d.mspx?mfr=true
It states that “By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.”

> If you don't have anyone who needs to relay through the server then
> simply disable the option to allow authenticated users to relay through the server.
Could you please tell me where this setting is at? Are you talking about the “Relay restrictions” in the “Default SMTP Virtual Server” properties? The setting I assume you are talking about is “Allow all computers that successfully authenticate to relay, regardless of the list above”

Thanks for your expert advise!
0
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 16947217
You are not running a gateway machine.
A gateway machine is a separate machine that acts as the gateway to other machines. A single server configuration does not count as a gateway.

You have the setting I was referring to correct. It is enabled by default and can be safely turned off. Don't confuse wanting to relay.

Simon.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question