rose6060

SMTP Open Relay Authentication

I'm trying to determine the proper way to configure our Exchange server so that it is not an open relay. We have some internal servers that need to relay and do not authenticate.

Currently, we have 'Only the list below' checked and we defined the IP address (mask) for the range of all our internal computers. We also have 'Allow all computers which successfully authenticate to relay regardless of the list above' checked.

1. Should we uncheck 'Allow all computers which successfully authenticate to relay regardless of the list above' so that not just any computer, internal or external, can use our mail server as an SMTP relay?

2. Should we limit the Computers section to those servers that use our mail server to relay? I assume that clients don't need to be listed here.

3. Under the Authentication section, we have Anonymous access, Basic authentication and Integrated Windows Authentication checked.  I have noticed that our clients when launching Outlook need to enter their credentials.  Is this because Basic authentication is checked?

Thanks!
Hypercat (Deb)

1.  No, you don't need to do that, unless you want to restrict internal users from being able to relay through this server.  External users will not be authenticated, so they will not be able to relay.

2.  Yes, I would do that.  With the authentication checkbox selected, you don't have to list all of your domain computers in order for users to be able to send email.  You only need to list any computers that need to relay WITHOUT authentication.

3.  No. If Outlook is requiring users to log on, it is because of the Outlook settings in the users' Outlook profiles on the workstations, not because of these Exchange settings.  Check the users' Outlook profile properties, on the Security tab, and make sure that they are set for Password Authentication and that the "Always prompt for logon credentials" box is not checked.
rose6060

ASKER

So if I understand you correctly, if we uncheck 'Allow all computers which successfully authenticate to relay regardless of the list above', then our Outlook clients (domain computers) won't be able to send mail, or just won't be able to use our mail server as a relay? If it's the latter, then we should probably uncheck it. And we should limit the scope (#2) to only computers that need to relay WITHOUT authentication, or any computer that would need to use our mail server as a relay for that matter, since we would uncheck allow all authenticated computers to relay.
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
This solution is only available to members.
Thanks... I'll leave it checked if it will cause problems with clients.
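
A simplified model of the relay settings discussed in this thread, added here as an example and not code from Exchange or from either poster. It shows which connections may relay to an outside domain when the Computers list is broad or narrow and the authentication box is checked or unchecked; the addresses, the example.com/example.net domains and all class and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}   # constructed: domains this server accepts mail for

@dataclass
class RelayPolicy:
    computers: tuple          # entries in the Computers list ('Only the list below')
    auth_may_relay: bool      # 'Allow all computers which successfully authenticate ...'

    def listed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.computers)

    def may_relay(self, ip, authenticated, rcpt):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return True       # delivery to our own domain is not relaying
        if self.listed(ip):
            return True       # listed hosts relay without authenticating
        return authenticated and self.auth_may_relay

# Constructed sample connections: (label, source IP, authenticated?, recipient)
SAMPLES = [
    ("listed app server, no auth",  "10.0.5.20",   False, "vendor@example.net"),
    ("unlisted workstation, auth",  "10.0.9.44",   True,  "vendor@example.net"),
    ("internet host, no auth",      "203.0.113.7", False, "vendor@example.net"),
    ("internet host, inbound mail", "203.0.113.7", False, "user@example.com"),
    ("internet host, auth",         "203.0.113.7", True,  "vendor@example.net"),
]

def evaluate(policy):
    return {label: policy.may_relay(ip, auth, rcpt) for label, ip, auth, rcpt in SAMPLES}

# Whole internal range listed (the asker's current setup) vs. only the relaying server.
BROAD = RelayPolicy(("10.0.0.0/16",), auth_may_relay=True)
NARROW = RelayPolicy(("10.0.5.20/32",), auth_may_relay=True)
NARROW_NO_AUTH = RelayPolicy(("10.0.5.20/32",), auth_may_relay=False)

if __name__ == "__main__":
    for name, pol in [("broad list", BROAD), ("narrow list", NARROW),
                      ("narrow list, box unchecked", NARROW_NO_AUTH)]:
        print(name)
        for label, ok in evaluate(pol).items():
            print(f"  {label:30} {'relay' if ok else 'denied'}")
```

In this model the box applies to any source address, so with it checked, relay from outside the list is only as well protected as the account credentials.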