I'm trying to determine the proper way to configure our Exchange server so that it is not an open relay. We have some internal servers that need to relay and do not authenticate.
Currently, we have 'Only the list below' checked and we defined the IP address (mask) for the range of all our internal computers. We also have 'Allow all computers which successfully authenticate to relay regardless of the list above' checked.
1. Should we uncheck 'Allow all computers which successfully authenticate to relay regardless of the list above' so that not just any computer internal or external can use our mail server as an SMTP relay?
2. Should we limit the Computers section to those servers that use our mail server to relay? I assume that clients don't need to be listed here.
3. Under the Authentication section, we have Anonymous access, Basic authentication and Integrated Windows Authentication checked. I have noticed that our clients when launching Outlook need to enter their credentials. Is this because Basic authentication is checked?
Thanks!
2. Yes, I would do that. With the authentication checkbox selected, you don't have to list all of your domain computers in order for users to be able to send email. You only need to list any computers that need to relay WITHOUT authentication.
3. No. If Outlook is requiring users to log on, it is because of the Outlook settings in the users' Outlook profiles on the workstations, not because of these Exchange settings. Check the users' Outlook profile properties, on the Security tab, and make sure that they are set for Password Authentication and that the "Always prompt for logon credentials" box is not checked.
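The effect of narrowing the relay list, as an added example that is not part of the original thread and not Exchange's own code: a simplified Python model of the two relay settings discussed above, comparing the whole-internal-range list with a list of only the unauthenticated relaying servers. All addresses, domains and host labels are constructed, and the model assumes Anonymous access stays enabled so inbound mail for hosted domains is accepted.

```python
import ipaddress

# Constructed values: hosted domain, address ranges and hosts are illustrative only.
LOCAL_DOMAINS = {"corp.example"}
CURRENT = {"only_list_below": ["10.0.0.0/16"], "allow_authenticated": True}
NARROWED = {"only_list_below": ["10.0.5.20/32", "10.0.5.21/32"],
            "allow_authenticated": True}
CONNECTIONS = [
    # (label, client IP, authenticated?, recipient domain)
    ("app server, anonymous", "10.0.5.20", False, "partner.example"),
    ("workstation, anonymous", "10.0.44.7", False, "partner.example"),
    ("workstation, authenticated", "10.0.44.7", True, "partner.example"),
    ("internet host, anonymous", "203.0.113.9", False, "partner.example"),
    ("internet host, inbound mail", "203.0.113.9", False, "corp.example"),
]

def relay_decision(policy, client_ip, authenticated, rcpt_domain):
    """Return (allowed, reason) for one recipient under the modeled settings."""
    # Mail for a hosted domain is delivery, not relay; restrictions do not apply.
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True, "local delivery"
    # The "successfully authenticate ... regardless of the list" checkbox.
    if authenticated and policy["allow_authenticated"]:
        return True, "authenticated"
    # "Only the list below": unauthenticated relay only from listed addresses.
    ip = ipaddress.ip_address(client_ip)
    for net in policy["only_list_below"]:
        if ip in ipaddress.ip_network(net):
            return True, "listed in " + net
    return False, "relay denied"

def changed_by(old, new, connections=CONNECTIONS):
    """Labels of connections whose allow/deny outcome differs between policies."""
    return [label for label, ip, auth, dom in connections
            if relay_decision(old, ip, auth, dom)[0]
            != relay_decision(new, ip, auth, dom)[0]]

if __name__ == "__main__":
    for label, ip, auth, dom in CONNECTIONS:
        before = relay_decision(CURRENT, ip, auth, dom)
        after = relay_decision(NARROWED, ip, auth, dom)
        print(f"{label:30} {before[1]:22} -> {after[1]}")
    print("changed:", changed_by(CURRENT, NARROWED))
```

Only the anonymous workstation loses relay access under the narrowed list; the listed server, authenticated users and inbound mail are unaffected.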