Solved

Lock down Relay and Authentication

Posted on 2007-03-27
5
229 Views
Last Modified: 2011-09-20
I had a domain that was hosted for me by another company with these addresses
<user>@Domain.com
I implemented my Exchange 2003 on a child domain and they have these addresses
of <user>@Child.Domain.com
I changed the public mx record to point to my Exchange IP and I created
<user>@Domain.com addresses for all users in AD. Everything is delivered
perfectly when Exchange is an Open Relay and I allow Anonymous Access but as
soon as I try and restrict my Relay or Disable Anonymous Access only my child
domain email addresses work. From an outsider they receive "550 5.7.1 Unable
to relay for " when sending to <user>@Domain.com but sent from the same
outsider and sending to <user>@Child.Domain.com the email is quick as a deer!
I know spammers will find me, if they haven't already, and use my Exchange to
spam people, so how do I go abouts locking down my Exchange environment?
0
Comment
Question by:Yago007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 3

Expert Comment

by:itsireland
ID: 18802634
allowing anonymous access for the SMTP Protocol does not make your server an open relay server as long as you don't allow anyone outside of your domain to send OUT emails.

So on the SMTP protocol you can allow anonymous access in the "Access Control" --> "Authentication" button. This allows incoming emails from any server.

To prevent open relays do NOT allow unauthenticated users to Relay using the relay restrictions "RELAY" button. Users in your network with Outlook will autenticate so they will have access as long as you have no connector restrictions.

Not sure? Try one of the free "check for open relay" websites (one you trust) and they'll tell you whether you messed up your configuration or not.

Hope this helps.
0
 

Author Comment

by:Yago007
ID: 18803154
I have allowed anonymous access in the "Access Control" --> "Authentication" thank you for the clarification, but still when I change the Relay Restrictions to "Only the list below" and I have the "Allow all computers which successfully authenicate to relay regardles of the list above" checked, I get a "550 5.7.1 Unable to relay for <user>" from my gmail account. This is when I am emailing address <user>@Domain.com My other address <user>@Child.Domain.com works fine. I need both email addresses to work.
0
 
LVL 3

Accepted Solution

by:
itsireland earned 500 total points
ID: 18806760
You definately have to lock it down anyway. Otherwise you'll end up on block lists and the fun really starts.

It seems your domain configurtion is not set up properly. Did you set up a recipient policy for the domain? You will need domain settings for both the domain.com and the child.domain.com. Also, are there no delivery restrictions in the users mailbox settings?

0
 

Author Comment

by:Yago007
ID: 18810081
No i did not have a recipient policy for Domain.com. After i did that a couple of hours later I was able to lock down relaying. Thanks.
0
 
LVL 3

Expert Comment

by:itsireland
ID: 18810228
Good stuff!
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question