Solved

Trying to better lock down Default Virtual Server SMTP Authentication settings

Posted on 2006-06-20
Last Modified: 2008-02-01
I am trying to understand how to better lock down Exchange Server 2003. I don’t have any POP3 or IMAP users, so I don’t have the need for any users to relay mail. All of my Exchange users are using Outlook in Exchange mode only. Keeping this in mind, can I safely disable "Basic authentication" and "Integrated Windows Authentication" under the Default Virtual Server SMTP Authentication settings?

Also, from my understanding, I will need to keep “Anonymous access” enabled, or otherwise other email servers will not be able to send mail to this server. Is this correct?

Thanks
Question by:illtbagu
4 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 16946334
The first rule of Exchange - if you don't know, don't touch.
As such you shouldn't change the settings on the SMTP virtual server. Exchange is based on SMTP and making changes to the VS will break things - usually distribution groups.

If you don't have anyone who needs to relay through the server then simply disable the option to allow authenticated users to relay through the server.

Simon.
 
LVL 1

Author Comment

by:illtbagu
ID: 16947179
>The first rule of Exchange - if you don't know, don't touch.
For me that’s the rule for anything. I don't touch unless I know; that’s why I am asking and trying to further educate myself by people with EE Exchange expert certifications like yourself : )

I have read that by default the Anonymous access, Basic authentication, and Integrated Windows Authentication are all selected. However, I have read that this might be changed to further tighten the security of Exchange. Microsoft published a document called "Microsoft Exchange Server Intelligent Message Filter (v2) Operations Guide" that basically is telling a whole different story:
http://www.microsoft.com/downloads/details.aspx?familyid=b1218d8c-e8b3-48fb-9208-6f75707870c2&displaylang=en
On pages 9 and 10 of this document it is saying that for SMTP gateways (which I only have 1 Exchange server and it is acting as an SMTP gateway) I can disable the Basic authentication and Integrated Windows Authentication options.

However, I did find another publication from Microsoft that is telling me what you are:
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/0285bc67-0768-4994-a525-bec861177a4d.mspx?mfr=true
It states that “By default, the Anonymous access, Basic authentication, and Integrated Windows Authentication check boxes are selected. If you are using a single default virtual server, it is recommended that you use the default settings; this allows users to authenticate by using the most common methods.”

> If you don't have anyone who needs to relay through the server then
> simply disable the option to allow authenticated users to relay through the server.
Could you please tell me where this setting is at? Are you talking about the “Relay restrictions” in the “Default SMTP Virtual Server” properties? The setting I assume you are talking about is “Allow all computers that successfully authenticate to relay, regardless of the list above”

Thanks for your expert advice!
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 16947217
You are not running a gateway machine.
A gateway machine is a separate machine that acts as the gateway to other machines. A single server configuration does not count as a gateway.

You have the setting I was referring to correct. It is enabled by default and can be safely turned off. Don't confuse wanting to relay.

Simon.
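
An added example, not part of any post in this thread: one way to confirm from outside which of the authentication check boxes discussed above are in effect is to read the AUTH lines of the server's EHLO reply. The mechanism-to-check-box mapping, the host name and both sample replies are assumptions constructed for illustration.

```python
import re

# Assumed mapping (not stated in the thread): which check box on the SMTP
# virtual server's Authentication dialog makes each AUTH mechanism appear.
MECH_TO_CHECKBOX = {
    "LOGIN": "Basic authentication",
    "NTLM": "Integrated Windows Authentication",
    "GSSAPI": "Integrated Windows Authentication",
}

AUTH_LINE = re.compile(r"^250[ -]AUTH[ =](.*)$", re.IGNORECASE)


def advertised_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanisms in a raw multi-line EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:  # handles both "AUTH a b" and the legacy "AUTH=a" form
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def enabled_checkboxes(ehlo_reply):
    """Map advertised mechanisms to check boxes; unknown ones are kept by name."""
    return sorted({MECH_TO_CHECKBOX.get(m, "unmapped: " + m)
                   for m in advertised_mechanisms(ehlo_reply)})


# Constructed sample replies (not captured from a real server).
DEFAULT_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-8BITMIME
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK"""

ANONYMOUS_ONLY_REPLY = """250-mail.example.test Hello [192.0.2.10]
250-SIZE 10485760
250-PIPELINING
250-8BITMIME
250 OK"""

if __name__ == "__main__":
    for name, reply in [("default", DEFAULT_REPLY), ("anonymous only", ANONYMOUS_ONLY_REPLY)]:
        print(name, "->", enabled_checkboxes(reply) or "no AUTH advertised")
```

The EHLO reply does not show whether anonymous connections are accepted or what the relay restrictions are; those have to be checked in the virtual server's properties.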