rose6060 asked:

SMTP Open Relay Authentication

I'm trying to determine the proper way to configure our Exchange server so that it is not an open relay. We have some internal servers that need to relay and do not authenticate.

Currently, we have 'Only the list below' checked and we defined the IP address (mask) for the range of all our internal computers. We also have 'allow all computers which successfully authenticate to relay regardless of the list above' checked.

1. Should we uncheck 'allow all computers which successfully authenticate to relay regardless of the list above' so that not just any computer, internal or external, can use our mail server as an SMTP relay?

2. Should we limit the Computers section to those servers that use our mail server to relay? I assume that clients don't need to be listed here.

3. Under the Authentication section, we have Anonymous access, Basic authentication and Integrated Windows Authentication checked.  I have noticed that our clients when launching Outlook need to enter their credentials.  Is this because Basic authentication is checked?


Last comment: 8/22/2022 - Mon
Hypercat (Deb)

1.  No, you don't need to do that, unless you want to restrict internal users from being able to relay through this server.  External users will not be authenticated, so they will not be able to relay.

2.  Yes, I would do that.  With the authentication checkbox selected, you don't have to list all of your domain computers in order for users to be able to send email.  You only need to list any computers that need to relay WITHOUT authentication.

3.  No. If Outlook is requiring users to log on, it is because of the Outlook settings in the users' Outlook profiles on the workstations, not because of these Exchange settings.  Check the users' Outlook profile properties, on the Security tab, and make sure that they are set for Password Authentication and that the "Always prompt for logon credentials" box is not checked.

So if I understand you correctly, if we uncheck 'allow all computers which successfully authenticate to relay regardless of the list above' then our Outlook clients (domain computers) won't be able to send mail or just use our mail server as a relay?  If it's the latter, then we should probably uncheck it.  And, we should limit the scope (#2) to only computers that need to relay WITHOUT authentication, or any computer that would need to use our mail server as a relay for that matter since we would uncheck allow all authenticated computers to relay.
Hypercat (Deb)


Thanks... I'll leave it checked if it will cause problems with clients.
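
The relay settings discussed in this thread, as a simplified Python model (an added example, not part of the original posts and not Exchange's own logic): it evaluates the 'Only the list below' entries and the 'allow all computers which successfully authenticate' checkbox for a few constructed SMTP sessions. The domain, IP addresses and host list are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the domain this server accepts mail for (constructed value).
LOCAL_DOMAINS = {"example.com"}

@dataclass
class RelayPolicy:
    allowed: list              # "Only the list below": single IPs or subnets
    auth_overrides_list: bool  # "Allow all computers which successfully authenticate..."

    def decide(self, client_ip, authenticated, rcpt):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "accept: local delivery, not a relay"
        ip = ip_address(client_ip)
        if any(ip in ip_network(n, strict=False) for n in self.allowed):
            return "relay: client is on the list"
        if authenticated and self.auth_overrides_list:
            return "relay: authenticated session"
        return "reject: unable to relay"

# Setup described in the question: whole internal range listed, checkbox on.
current = RelayPolicy(["10.0.0.0/8"], True)
# Answer 2: list only the hosts that must relay without authenticating.
tightened = RelayPolicy(["10.1.1.20", "10.1.1.21"], True)
# Question 1: same short list, checkbox cleared.
unchecked = RelayPolicy(["10.1.1.20", "10.1.1.21"], False)

SESSIONS = [  # constructed: (description, client IP, authenticated?, recipient)
    ("app server, no auth", "10.1.1.20", False, "user@partner.test"),
    ("internal PC, no auth", "10.2.3.4", False, "user@partner.test"),
    ("internal PC, authenticated", "10.2.3.4", True, "user@partner.test"),
    ("internet host, no auth", "203.0.113.9", False, "user@partner.test"),
    ("internet host, authenticated", "203.0.113.9", True, "user@partner.test"),
    ("internet host, inbound mail", "203.0.113.9", False, "staff@example.com"),
]

def compare():
    """Return (description, current, tightened, unchecked) for every session."""
    return [(d, *(p.decide(ip, auth, rcpt) for p in (current, tightened, unchecked)))
            for d, ip, auth, rcpt in SESSIONS]

if __name__ == "__main__":
    for row in compare():
        print(" | ".join(row))
```

In this model the authentication checkbox applies to any session that presents valid credentials, whatever its source address, so with the checkbox on, relay exposure depends on how well account passwords are protected.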