Solved

Open relay on Exchange 2007 Hub-Transport

Posted on 2009-04-01
Last Modified: 2012-05-06
Hi.
A theoretical question :-)

I have an Exchange organization with edges, hub-transport servers, client-access servers and mail storages. Now if some server (for example, antivirus) tries to send mail via my hub-transport server, it gets an error saying that authentication is required. OK, I read that I can make a receive connector and configure this connector as secured, and all works well. But this is an open relay for my server!
The antivirus server can authorize (as it was on Exchange 2003), but now it's a problem.

I want to know: the antivirus server tries to send mail to myname@mydomain.com, where mydomain.com is configured as a local mail suffix. But authentication is still required.

So is it true, because authentication is required for sending email for the antivirus server but not for receiving the mail for @mydomain.com?
Question by:Master-Squirrel

Expert Comment

by:Mestha
ID: 24048925
Receiving email is different to sending email.

If the domain the message is being sent to is one on the list of domains Exchange knows it is responsible for, then the email will be received without authentication being required, because the server is not relaying. That should apply to your AV product as well.

The only time authentication would be required is to relay email through the server to an external recipient; that is because it is a relay attempt.

Therefore your AV product should not require authentication to send email to your server IF it is sending to internal recipients.

Simon.

Author Comment

by:Master-Squirrel
ID: 24049678
Well, thanks for your answer, but meanwhile authentication is required for sending to mydomain.
I try to send email to the distribution group Mygroup@mydomain.com

I guess it's because the AV client tries to send mail via Exchange. We are talking here about sending from Exchange first, and about receiving via Exchange second.

Here are my options on the default receive connector:

Permission Groups:
Anonymous, Exchange users, Exchange Servers
Legacy Exchange Servers

Authentication:
Transport Layer Security, Basic Authentication with Offer basic authentication only after TLS, Exchange Server authentication, Integrated Windows authentication

Expert Comment

by:Mestha
ID: 24052272
You didn't mention that it was a group.

By default on Exchange 2007 groups are set to require that all senders are authenticated. That isn't relaying settings, just authentication in general. You could turn off the requirement to authenticate and your server would be able to send email to the group.

Simon.

Author Comment

by:Master-Squirrel
ID: 24058802
Thanks, but it's an open relay for my server!

I'll try to explain what I mean.
If I switch off authentication on my connector (specify the Externally Secured checkbox) I can send mail both inside my organization and outside. But if I switch on authentication, my mail can't go anywhere. If authentication is on, any attempt to send mail via this connector finishes with the NDR "Authentication required"!

Expert Comment

by:Mestha
ID: 24063520
Which connector are you referring to? Send or Receive?
Externally secured will turn the server into an open relay because Exchange is expecting another server to be responsible for authentication. If the connector is exposed to the internet then you have a problem.

The authentication settings I am referring to are on the group, not the connector.

Simon.

Author Comment

by:Master-Squirrel
ID: 24071753
Well, I configure a receive connector. When I entered some name in this connector as the FQDN of my Exchange, I get this message when I try to connect to this connector. So I decided this is what is in use when I try to send mail from my AV server.

I use this connector only for inside servers, so I should not have a problem.

Let's see:
When my AV software tries to send mail via Exchange, what type of connector is in use? Send or receive?
I see that the receive connector is in use, because if I change the authentication method to externally secured on the RECEIVE connector all works fine. But if I use any of the other methods I get an auth error.

Author Comment

by:Master-Squirrel
ID: 24071759
"The authentication settings I am referring to are on the group, not the connector. "

Look at http://www.quantumsoftware.com.au/Support/KB/Images/Exchange2007ReceiveConnectorPropertiesNetwork.gif

I see only one authentication settings tab.

Expert Comment

by:Mestha
ID: 24071939
That is a screenshot of the connector, not the group.
Groups in Exchange 2007 are set to require that all senders are authenticated by default, as I have already said. If you have an external server that you want to send to a group then you need to turn off that requirement in the properties of the group under Mail Flow Settings, Mail Delivery Restrictions.  

Simon.

Author Comment

by:Master-Squirrel
ID: 24076427
Well, I have an INTERNAL server that should send mail to @mydomain.com
I read about groups in Exchange 2007 and found out that there is one right - ms-Exch-SMTP-Accept-Any-Recipient

As I understand it, if I configure some group for my receive connector that has this right, then mail received on this connector will be sent to any recipient, regardless of whether it is @mydomain.com or @external.domain

If so, this is an answer ;-)

Expert Comment

by:Mestha
ID: 24077676
If the server is NOT an Exchange server, then as far as Exchange is concerned, it is an EXTERNAL server, not an internal server. Internal servers are only other Exchange servers.

Simon.

Author Comment

by:Master-Squirrel
ID: 24084592
OK, last question to close this topic, if you don't mind...
I have a receive connector for one of my internal servers (which is external for Exchange, as you said).

When I use this connector in cmd I type:
HELO ...
MAIL FROM
RCPT TO:<name@externaldomain.com>

and get an error that sending to external recipients is prohibited, but I can send mail to the internal domain.

Why?


Accepted Solution

by:
Mestha earned 125 total points
ID: 24087073
Sending to an external recipient is relaying. Therefore you have to either authenticate or be on a list of IP addresses that is allowed to relay. I personally tend to get other SMTP systems that are sending email to external recipients to send their email via the ISP's SMTP server. Do that a lot with UPS devices, so that the notifications can get out.

Simon.

Author Closing Comment

by:Master-Squirrel
ID: 31565666
Thanks - )
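
The settings discussed in this thread, written out as Exchange Management Shell commands: the Externally Secured setting beside a connector scoped to one sending host, the relay right mentioned above, the group's sender-authentication requirement, and two checks. This is an added example, not part of the original posts; the server name, IP address, connector name and group identity are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the hub-transport server.
# Placeholders (assumptions, not values from the thread):
$hub       = "HUB01"                  # hub-transport server
$avHost    = "192.0.2.25"             # the antivirus server's IP address
$connector = "Relay - AV server"      # name for the dedicated connector
$group     = "Mygroup"                # the distribution group from the thread

# Weak setting described in the thread: "Externally Secured" makes Exchange
# trust every host that matches the connector, so it relays for all of them.
#   Set-ReceiveConnector "$hub\$connector" -AuthMechanism ExternalAuthoritative `
#       -PermissionGroups ExchangeServers

# Scoped alternative: a separate connector that matches only the AV host.
# It can share port 25 with the default connector; the most specific
# RemoteIPRanges match handles the session.
New-ReceiveConnector -Name $connector -Server $hub -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $avHost `
    -PermissionGroups AnonymousUsers

# Needed only if the AV host must reach external recipients (relaying):
# grant the relay right on this one connector, not on the default connector.
Get-ReceiveConnector "$hub\$connector" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Mail to the group is rejected until the group stops requiring authenticated
# senders. This opens the group to every unauthenticated sender that can
# reach the server, not only the AV host.
Set-DistributionGroup -Identity $group -RequireSenderAuthenticationEnabled $false

# Check: which connectors are externally secured, and for which IP ranges?
Get-ReceiveConnector -Server $hub |
    Where-Object { "$($_.AuthMechanism)" -match "ExternalAuthoritative" } |
    Format-List Identity, RemoteIPRanges, PermissionGroups

# Check: which identities hold the relay right, and on which connector?
Get-ReceiveConnector -Server $hub | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table Identity, User, Deny -AutoSize
```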