Solved

Open relay on Exchange 2007 Hub-Transport

Posted on 2009-04-01
Last Modified: 2012-05-06
Hi.
A theoretical question :-)

I have an Exchange organization with Edge, Hub Transport, Client Access and mailbox storage servers. Now if some server (for example, the antivirus server) tries to send mail via my Hub Transport server, it gets an error saying that authentication is required. OK, I read that I can create a receive connector and configure this connector as "secured", and then all works well. But this is an open relay for my server!
The antivirus server can authenticate (as it did on Exchange 2003), but now it's a problem.

I want to point out that the antivirus server tries to send mail to myname@mydomain.com, where mydomain.com is configured as a local mail suffix. But authentication is still required.

So is it true that authentication is required for sending email from the antivirus server, but not for receiving mail for @mydomain.com?
Question by:Master-Squirrel
13 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24048925
Receiving email is different to sending email.

If the domain the message is being sent to is one on the list of domains Exchange knows it is responsible for, then the email will be received without authentication being required, because the server is not relaying. That should apply to your AV product as well.

The only time authentication would be required is to relay email through the server to an external recipient, that is because it is a relay attempt.

Therefore your AV product should not require authentication to send email to your server IF it is sending to internal recipients.

Simon.
0
 

Author Comment

by:Master-Squirrel
ID: 24049678
Well, thanks for your answer, but meanwhile authentication is still required for sending to mydomain.
I try to send email to the distribution group Mygroup@mydomain.com.

I guess it's because the AV client tries to send mail via Exchange. We are talking here about sending from Exchange first, and about receiving via Exchange second.

Here are my options on the default receive connector:

Permission groups:
Anonymous users, Exchange users, Exchange servers,
Legacy Exchange servers

Authentication:
Transport Layer Security, Basic authentication with "Offer basic authentication only after TLS", Exchange Server authentication, Integrated Windows authentication
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24052272
You didn't mention that it was a group.

By default on Exchange 2007 groups are set to require that all senders are authenticated. That isn't relaying settings, just authentication in general. You could turn off the requirement to authenticate and your server would be able to send email to the group.

Simon.
0
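The setting Simon is describing lives on the group object, not on the connector. As an added example (not part of the thread), this is how to read it and change it from the Exchange Management Shell; the group name "Mygroup" is assumed from the question, and the audit query at the end is a check of your own exposure rather than anything the thread itself ran:

```powershell
# Added example, not from the original thread. Assumes the group is called "Mygroup".

# Exchange 2007 creates distribution groups with RequireSenderAuthenticationEnabled = $true,
# so a message from an unauthenticated SMTP client (the AV server here) is accepted by the
# receive connector and then bounced with an "authentication required" NDR.
Get-DistributionGroup -Identity 'Mygroup' |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled, AcceptMessagesOnlyFrom

# Allow unauthenticated senders to reach this one group. Nothing about relaying changes:
# the connector still only accepts recipients in your accepted domains.
Set-DistributionGroup -Identity 'Mygroup' -RequireSenderAuthenticationEnabled $false

# Check: every group that now accepts unauthenticated mail is also reachable by anyone who
# can deliver to your accepted domains (e.g. from the internet via the Edge server), so keep
# this list short and deliberate.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress
```

If the group only needs to be reachable from one internal system, turning the requirement off is the right-sized change; there is no connector-level switch for it.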
 

Author Comment

by:Master-Squirrel
ID: 24058802
Thanks, but it's an open relay for my server!

Let me try to explain what I mean.
If I switch off authentication on my connector (the "Externally Secured" checkbox), I can send mail both inside my organization and outside. But if I switch on authentication, my mail can't go anywhere. If authentication is on, any attempt to send mail via this connector ends with an NDR "Authentication required"!
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24063520
Which connector are you referring to? Send or Receive?
Externally secured will turn the server into an open relay because Exchange is expecting another server to be responsible for authentication. If the connector is exposed to the internet then you have a problem.

The authentication settings I am referring to are on the group, not the connector.

Simon.
0
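The only reliable way to know whether a connector "has a problem" in the sense Simon describes is to speak SMTP to it from the host in question and see whether an external RCPT TO is accepted without authentication. The following probe is an added example, not code from the thread; the hub server name, HELO name and test addresses are assumptions and should be replaced with your own. It must be run from the machine whose RemoteIPRanges match you want to test (the AV server, or for a worst-case check an internet-facing host), because Exchange chooses the receive connector by source IP:

```powershell
# Added example, not from the original thread. Assumed values: hub server name, HELO name,
# a sender in your accepted domain, one internal and one external test recipient.
function Test-SmtpRelay {
    param(
        [string]$Server,
        [int]$Port = 25,
        [string]$HeloName     = 'avserver.mydomain.local',
        [string]$From         = 'av@mydomain.com',
        [string]$InternalRcpt = 'myname@mydomain.com',
        [string]$ExternalRcpt = 'someone@externaldomain.com'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000                 # do not hang forever on a silent server
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"                  # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    function Read-Reply {
        # Multi-line replies use "250-..." for continuation and "250 ..." for the last line.
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
        return $line
    }
    function Send-Cmd([string]$cmd) { $writer.WriteLine($cmd); Read-Reply }

    $result = [ordered]@{
        Server   = "$Server`:$Port"
        Banner   = Read-Reply
        Helo     = Send-Cmd "HELO $HeloName"
        MailFrom = Send-Cmd "MAIL FROM:<$From>"
        Internal = Send-Cmd "RCPT TO:<$InternalRcpt>"   # expected 250 on any connector: accepted domain
        External = Send-Cmd "RCPT TO:<$ExternalRcpt>"   # expected "550 5.7.1 Unable to relay" unless this host may relay
    }
    Send-Cmd 'QUIT' | Out-Null
    $client.Close()

    # A 2xx reply to the external recipient, with no AUTH issued, means this source IP can relay
    # through whichever connector matched it. Run from an untrusted network that is an open relay.
    $result.RelaysForThisHost = [bool]($result.External -match '^2\d\d')
    [pscustomobject]$result
}

Test-SmtpRelay -Server 'hub01.mydomain.local'
```

No message is ever sent: the session stops after RCPT TO, which is where Exchange makes the relay decision, so the probe is safe to run against production. The reply codes are what Exchange returns, but the hostnames and addresses are only placeholders.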
 

Author Comment

by:Master-Squirrel
ID: 24071753
Well, I configured a receive connector. When I entered the FQDN of my Exchange server in this connector, I got this message when I tried to connect to this connector. So I decided this is what is in use when I try to send mail from my AV server.

I use this connector only for inside servers, so I should not have a problem.

Let's see then:
When my AV software tries to send mail via Exchange, what type of connector is in use? Send or receive?
I see that the receive connector is in use, because if I change the authentication method to externally secured on the RECEIVE connector, all works fine. But if I use any of the other methods I get an auth error.
0
 

Author Comment

by:Master-Squirrel
ID: 24071759
"The authentication settings I am referring to are on the group, not the connector. "

Look at http://www.quantumsoftware.com.au/Support/KB/Images/Exchange2007ReceiveConnectorPropertiesNetwork.gif

I see only one authentication settings tab.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24071939
That is a screenshot of the connector, not the group.
Groups in Exchange 2007 are set to require that all senders are authenticated by default, as I have already said. If you have an external server that you want to send to a group then you need to turn off that requirement in the properties of the group under Mail Flow Settings, Mail Delivery Restrictions.  

Simon.
0
 

Author Comment

by:Master-Squirrel
ID: 24076427
Well, I have an INTERNAL server that should send mail to @mydomain.com.
I read about groups in Exchange 2007 and found out that there is one right: ms-Exch-SMTP-Accept-Any-Recipient.

As I understood it, if I configure some group for my receive connector that has such a right, then mail received on this connector will be sent to any recipient regardless of @mydomain.com or @external.domain.

If so, this is the answer ;-)
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24077676
If the server is NOT an Exchange server, then as far as Exchange is concerned, it is an EXTERNAL server, not an internal server. Internal servers are only other Exchange servers.

Simon.
0
 

Author Comment

by:Master-Squirrel
ID: 24084592
OK, a last question to close this topic, if you don't mind...
I have a receive connector for one of my internal servers (which is external for Exchange, as you said).

When I use this connector from the command line I type:
HELO ...
MAIL FROM
RCPT TO:<name@externaldomain.com>

and get an error that sending to external recipients is prohibited, but I can send mail to the internal domain.

Why?

0
 
LVL 65

Accepted Solution

by:Mestha (earned 125 total points)
ID: 24087073
Sending to an external recipient is relaying. Therefore you have to either authenticate or be on a list of IP addresses that is allowed to relay. I personally tend to get other SMTP systems that are sending email to external recipients to send their email via the ISP's SMTP server. I do that a lot with UPS devices, so that the notifications can get out.

Simon.
0
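Putting the thread together, the "list of IP addresses that is allowed to relay" is implemented in Exchange 2007 as a separate receive connector whose RemoteIPRanges covers only the application servers, carrying the ms-Exch-SMTP-Accept-Any-Recipient right that Master-Squirrel found. The block below is an added example, not code from the thread or from Microsoft; the hub server name, the AV server's address and the connector name are assumptions:

```powershell
# Added example, not from the original thread. Assumed names: Hub Transport server HUB01,
# AV server at 192.168.10.25, connector "Relay - AV server".
$hub      = 'HUB01'
$avServer = '192.168.10.25'
$name     = 'Relay - AV server'

# 1. A dedicated connector that only the AV server can reach. Exchange routes an inbound
#    session to the connector whose RemoteIPRanges matches the source IP most specifically,
#    so this wins over the Default connector (0.0.0.0-255.255.255.255) for that one host only.
New-ReceiveConnector -Server $hub -Name $name -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $avServer `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# 2. The single right that turns "accept recipients in my accepted domains" into
#    "accept any recipient" (i.e. relay), granted on this connector and nowhere else.
Get-ReceiveConnector "$hub\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Checks. Which domains are accepted without any relay right at all:
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType

#    ...and which connector/principal pairs are allowed to relay. Anything here with a
#    wide RemoteIPRanges or an internet-facing binding is an open relay.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Select-Object Identity, User, Deny

Get-ReceiveConnector | Select-Object Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# The alternative used earlier in the thread ("Externally Secured" = ExternalAuthoritative).
# It also relays, and in addition trusts the client's headers and bypasses anti-spam, so it is
# only acceptable on a connector whose RemoteIPRanges is pinned to trusted hosts as above.
# Set-ReceiveConnector "$hub\$name" -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers
```

The Add-ADPermission route keeps the Default connector untouched and leaves only one principal, on one connector, with one source IP, able to relay; the externally secured route is broader than the AV server needs. Either way, the probe from the AV server should then get a 250 to the external RCPT TO, while the same probe from any other host should still get "550 5.7.1 Unable to relay".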
 

Author Closing Comment

by:Master-Squirrel
ID: 31565666
Thanks - )
0
