Solved

Lock down Relay and Authentication

Posted on 2007-03-27
5
225 Views
Last Modified: 2011-09-20
I had a domain that was hosted for me by another company with these addresses
<user>@Domain.com
I implemented my Exchange 2003 on a child domain and they have these addresses
of <user>@Child.Domain.com
I changed the public mx record to point to my Exchange IP and I created
<user>@Domain.com addresses for all users in AD. Everything is delivered
perfectly when Exchange is an Open Relay and I allow Anonymous Access but as
soon as I try and restrict my Relay or Disable Anonymous Access only my child
domain email addresses work. From an outsider they receive "550 5.7.1 Unable
to relay for " when sending to <user>@Domain.com but sent from the same
outsider and sending to <user>@Child.Domain.com the email is quick as a deer!
I know spammers will find me, if they haven't already, and use my Exchange to
spam people, so how do I go abouts locking down my Exchange environment?
0
Comment
Question by:Yago007
  • 3
  • 2
5 Comments
 
LVL 3

Expert Comment

by:itsireland
ID: 18802634
allowing anonymous access for the SMTP Protocol does not make your server an open relay server as long as you don't allow anyone outside of your domain to send OUT emails.

So on the SMTP protocol you can allow anonymous access in the "Access Control" --> "Authentication" button. This allows incoming emails from any server.

To prevent open relays do NOT allow unauthenticated users to Relay using the relay restrictions "RELAY" button. Users in your network with Outlook will autenticate so they will have access as long as you have no connector restrictions.

Not sure? Try one of the free "check for open relay" websites (one you trust) and they'll tell you whether you messed up your configuration or not.

Hope this helps.
0
 

Author Comment

by:Yago007
ID: 18803154
I have allowed anonymous access in the "Access Control" --> "Authentication" thank you for the clarification, but still when I change the Relay Restrictions to "Only the list below" and I have the "Allow all computers which successfully authenicate to relay regardles of the list above" checked, I get a "550 5.7.1 Unable to relay for <user>" from my gmail account. This is when I am emailing address <user>@Domain.com My other address <user>@Child.Domain.com works fine. I need both email addresses to work.
0
 
LVL 3

Accepted Solution

by:
itsireland earned 500 total points
ID: 18806760
You definately have to lock it down anyway. Otherwise you'll end up on block lists and the fun really starts.

It seems your domain configurtion is not set up properly. Did you set up a recipient policy for the domain? You will need domain settings for both the domain.com and the child.domain.com. Also, are there no delivery restrictions in the users mailbox settings?

0
 

Author Comment

by:Yago007
ID: 18810081
No i did not have a recipient policy for Domain.com. After i did that a couple of hours later I was able to lock down relaying. Thanks.
0
 
LVL 3

Expert Comment

by:itsireland
ID: 18810228
Good stuff!
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question