Solved

Trying to better lock down Default Virtual Server SMTP Authentication settings

Posted on 2006-06-20
Last Modified: 2008-02-01
I am trying to understand how to better lock down Exchange Server 2003. I don’t have any POP3 or IMAP users, so I don’t have the need for any users to relay mail. All of my Exchange users are using Outlook in Exchange mode only. Keeping this in mind, can I safely disable "Basic authentication" and "Integrated Windows Authentication" under the Default Virtual Server SMTP Authentication settings?

Also from my understanding I will need to keep “Anonymous access” enabled or otherwise other email servers will not be able to send mail to this server? Is this correct?

Thanks
Question by:illtbagu
Expert Comment

by:Sembee
ID: 16946334
The first rule of Exchange - if you don't know, don't touch.
As such you shouldn't change the settings on the SMTP virtual server. Exchange is based on SMTP and making changes to the VS will break things - usually distribution groups.

If you don't have anyone who needs to relay through the server then simply disable the option to allow authenticated users to relay through the server.

Simon.
Author Comment

by:illtbagu
ID: 16947179
>The first rule of Exchange - if you don't know, don't touch.
For me that’s the rule for anything. I don't touch unless I know, that’s why I am asking and trying to further educate myself by people with EE Exchange expert certifications like yourself :)

I have read that by default the Anonymous access, Basic authentication, and Integrated Windows Authentication are all selected. However, I have read that this might be changed to further tighten the security of Exchange. Microsoft published a document called "Microsoft Exchange Server Intelligent Message Filter (v2) Operations Guide" that basically is telling a whole different story:
http://www.microsoft.com/downloads/details.aspx?familyid=b1218d8c-e8b3-48fb-9208-6f75707870c2&displaylang=en
On pages 9 and 10 of this document it is saying that for SMTP gateways (which I only have 1 Exchange server and it is acting as an SMTP gateway) I can disable the Basic authentication and Integrated Windows Authentication options.

However, I did find another publication from Microsoft that is telling me what you are:
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/0285bc67-0768-4994-a525-bec861177a4d.mspx?mfr=true
It states that “By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.”

> If you don't have anyone who needs to relay through the server then
> simply disable the option to allow authenticated users to relay through the server.
Could you please tell me where this setting is at? Are you talking about the “Relay restrictions” in the “Default SMTP Virtual Server” properties? The setting I assume you are talking about is “Allow all computers that successfully authenticate to relay, regardless of the list above”

Thanks for your expert advice!
Accepted Solution

by:Sembee (earned 500 total points)
ID: 16947217
You are not running a gateway machine.
A gateway machine is a separate machine that acts as the gateway to other machines. A single server configuration does not count as a gateway.

You have the setting I was referring to correct. It is enabled by default and can be safely turned off. Don't confuse wanting to relay.

Simon.
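
An added example, not part of the original thread: a Python check an administrator could run over replies captured from their own server to confirm the outcome discussed above (anonymous inbound mail still accepted, relay refused even after authentication). The mapping from check boxes to AUTH mechanisms, the sample replies and every function name are assumptions constructed for illustration.

```python
import re

# Assumption: which AUTH mechanisms each check box causes the SMTP
# virtual server to advertise in its EHLO reply.
CHECKBOX_MECHS = {
    "Basic authentication": {"LOGIN", "PLAIN"},
    "Integrated Windows Authentication": {"NTLM", "GSSAPI"},
}

def advertised_mechanisms(ehlo_reply):
    """Collect AUTH mechanisms from a multi-line 250 EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def enabled_checkboxes(ehlo_reply):
    """Name the authentication check boxes the EHLO reply implies are on."""
    mechs = advertised_mechanisms(ehlo_reply)
    return sorted(n for n, want in CHECKBOX_MECHS.items() if mechs & want)

def accepted(rcpt_reply):
    """True if the server answered RCPT TO with a 2xx code."""
    return rcpt_reply.strip().startswith("2")

def audit(obs):
    """Compare captured RCPT TO replies with the intended configuration."""
    findings = []
    if not accepted(obs["anon_local_rcpt"]):
        findings.append("anonymous inbound mail is rejected")
    if accepted(obs["anon_external_rcpt"]):
        findings.append("open relay: anonymous relay accepted")
    if accepted(obs["auth_external_rcpt"]):
        findings.append("authenticated relay is still allowed")
    return findings

# Constructed sample replies (not captured from a real server).
SAMPLE = {
    "ehlo": "250-mail.example.test Hello [192.0.2.10]\r\n"
            "250-SIZE 10485760\r\n"
            "250-AUTH GSSAPI NTLM LOGIN\r\n"
            "250-AUTH=LOGIN\r\n"
            "250 OK",
    "anon_local_rcpt": "250 2.1.5 user@example.test",
    "anon_external_rcpt": "550 5.7.1 Unable to relay for someone@example.org",
    "auth_external_rcpt": "250 2.1.5 someone@example.org",
}
```

With the constructed sample, the audit reports only that authenticated relay is still allowed, which is the state before the relay option is turned off.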