Lock down Relay and Authentication

I had a domain that was hosted for me by another company with these addresses
<user>@Domain.com
I implemented my Exchange 2003 on a child domain and they have these addresses
of <user>@Child.Domain.com
I changed the public mx record to point to my Exchange IP and I created
<user>@Domain.com addresses for all users in AD. Everything is delivered
perfectly when Exchange is an Open Relay and I allow Anonymous Access but as
soon as I try and restrict my Relay or Disable Anonymous Access only my child
domain email addresses work. From an outsider they receive "550 5.7.1 Unable
to relay for " when sending to <user>@Domain.com but sent from the same
outsider and sending to <user>@Child.Domain.com the email is quick as a deer!
I know spammers will find me, if they haven't already, and use my Exchange to
spam people, so how do I go about locking down my Exchange environment?
Yago007 Asked:

itsireland Commented:
Allowing anonymous access for the SMTP Protocol does not make your server an open relay server as long as you don't allow anyone outside of your domain to send OUT emails.

So on the SMTP protocol you can allow anonymous access in the "Access Control" --> "Authentication" button. This allows incoming emails from any server.

To prevent open relays do NOT allow unauthenticated users to Relay using the relay restrictions "RELAY" button. Users in your network with Outlook will authenticate so they will have access as long as you have no connector restrictions.

Not sure? Try one of the free "check for open relay" websites (one you trust) and they'll tell you whether you messed up your configuration or not.

Hope this helps.
0
Yago007 (Author) Commented:
I have allowed anonymous access in the "Access Control" --> "Authentication", thank you for the clarification, but still when I change the Relay Restrictions to "Only the list below" and I have the "Allow all computers which successfully authenticate to relay regardless of the list above" checked, I get a "550 5.7.1 Unable to relay for <user>" from my gmail account. This is when I am emailing address <user>@Domain.com. My other address <user>@Child.Domain.com works fine. I need both email addresses to work.
0
itsireland Commented:
You definitely have to lock it down anyway. Otherwise you'll end up on block lists and the fun really starts.

It seems your domain configuration is not set up properly. Did you set up a recipient policy for the domain? You will need domain settings for both the domain.com and the child.domain.com. Also, are there no delivery restrictions in the users' mailbox settings?

0

Yago007 (Author) Commented:
No, I did not have a recipient policy for Domain.com. After I did that, a couple of hours later I was able to lock down relaying. Thanks.
0
itsireland Commented:
Good stuff!
0
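
Added example, not part of the thread and not Exchange's own code: a simplified model of the RCPT TO decision discussed above, showing why a locked-down relay returns "550 5.7.1" for Domain.com until a recipient policy makes that domain local. The class and function names, the IP addresses, and every reply string other than the 550 text quoted in the thread are assumptions made for illustration.

```python
# Simplified model of an SMTP virtual server's RCPT TO decision (an assumption
# for illustration, not Exchange's actual implementation).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SmtpPolicy:
    # Domains the server accepts mail for (what a recipient policy adds).
    local_domains: set = field(default_factory=set)
    # "Only the list below": networks allowed to relay without authenticating.
    relay_networks: list = field(default_factory=list)
    # "Allow all computers which successfully authenticate to relay".
    relay_if_authenticated: bool = True
    # Anonymous access on the virtual server (needed for inbound Internet mail).
    allow_anonymous: bool = True


def rcpt_decision(policy, client_ip, authenticated, rcpt):
    """Return the SMTP reply the modelled server gives to RCPT TO:<rcpt>."""
    if not authenticated and not policy.allow_anonymous:
        return "530 5.7.0 Authentication required"  # constructed reply text
    domain = rcpt.rsplit("@", 1)[-1].lower()
    # Mail for a domain the server owns is local delivery, never relay.
    if domain in policy.local_domains:
        return "250 2.1.5 " + rcpt
    # Anything else is a relay request and must pass the relay restrictions.
    ip = ip_address(client_ip)
    if any(ip in ip_network(net) for net in policy.relay_networks):
        return "250 2.1.5 " + rcpt
    if authenticated and policy.relay_if_authenticated:
        return "250 2.1.5 " + rcpt
    return "550 5.7.1 Unable to relay for " + rcpt


# Constructed scenario: relay locked down, only the child domain is local.
before = SmtpPolicy(local_domains={"child.domain.com"}, relay_networks=["10.0.0.0/24"])
# Same server after a recipient policy for domain.com is added.
after = SmtpPolicy(local_domains={"child.domain.com", "domain.com"}, relay_networks=["10.0.0.0/24"])
OUTSIDE = "203.0.113.25"  # constructed external sender IP (documentation range)

if __name__ == "__main__":
    for name, pol in (("before", before), ("after", after)):
        for rcpt in ("user@domain.com", "user@child.domain.com", "victim@example.org"):
            print(name, rcpt, "->", rcpt_decision(pol, OUTSIDE, False, rcpt))
```

In the "after" policy, anonymous inbound mail to both domains is accepted while an unauthenticated outside sender addressing a third-party domain is still refused, which is the locked-down state the thread ends on.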