We help IT Professionals succeed at work.

SMTP Open Relay Authentication

rose6060 asked
Last Modified: 2013-11-30
I'm trying to determine the proper way to configure our Exchange sever so that it is not an open relay.  We have some internal servers that need to relay and do not authenticate.

Currently, we have 'Only the list below' checked and we defined the IP address (mask) for the ranger of all our internal computers.  We also have allow all computers which successfully  authenticate to relay regardless of the list above.

1. Should we uncheck allow all computers which successfully  authenticate to relay regardless of the list above so that not just any computer internal or external can user our mail server as an SMTP relay?  

2. Should we limit the in the Computers section those servers that use our mail server to relay?  I assume that clients don't need to be listed here.

3. Under the Authentication section, we have Anonymous access, Basic authentication and Integrated Windows Authentication checked.  I have noticed that our clients when launching Outlook need to enter their credentials.  Is this because Basic authentication is checked?

Watch Question

Hypercat (Deb)President

1.  No, you don't need to do that, unless you want to restrict internal users from being able to relay through this server.  External users will not be authenticated, so they will not be able to relay.

2.  Yes, I would do that.  With the authentication checkbox selected, you don't have to list all of your domain computers in order for users to be able to send email.  You only need to list any computers that need to relay WITHOUT authentication.

3.  No. If Outlook is requiring users to log on, it is because of the Outlook settings in the users' Outlook profiles on the workstations, not because of these Exchange settings.  Check the users' Outlook profile properties, on the Security tab, and make sure that they are set for Password Authentication and that the "Always prompt for logon credentials" box is not checked.


So if I understand you correctly, if we uncheck 'allow all computers which successfully  authenticate to relay regardless of the list above' then our outlook clients (domain computers) won't be able to send mail or just use our mail server as a relay?  If it's the latter, then we should probably uncheck it.  And, we should limit the scope (#2) to only computers that need to relay WITHOUT authentication, or any computer that would need to use our mail server as a relay for that matter since we would uncheck allow all authenticated computers to relay.
This one is on us!
(Get your first solution completely free - no credit card required)


Thanks... I'll leave it checked if it will cause problems with clients.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.