Open relay on Exchange 2007 Hub-Transport

The theoretical question :-)

I have an Exchange organization with Edge servers, Hub Transport servers, Client Access servers and mail storage. Now if some server (for example, the antivirus server) tries to send mail via my Hub Transport server, it gets an error that authentication is required. OK, I read that I can make a receive connector and configure this connector as secured; all works well. But this is an open relay for my server!
The antivirus server can authorize (as it did on Exchange 2003), but now it's a problem.

I want to know: the antivirus server tries to send mail on , which is configured as a local mail suffix. But authentication is still required.

So is it true that authentication is required for sending email from the antivirus server but not for receiving the mail for

Receiving email is different to sending email.

If the domain the message is being sent to is one on the list of domains Exchange knows it is responsible for, then the email will be received without authentication being required, because the server is not relaying. That should apply to your AV product as well.

The only time authentication would be required is to relay email through the server to an external recipient, that is because it is a relay attempt.

Therefore you AV product should not require authentication to send email to your server IF it is sending to internal recipients.

Master-Squirrel (Author) commented:
Well, thanks for your answer, but meanwhile authentication is still required for sending to mydomain.
I try to send email to a Distribution Group.

I guess it's because the AV client tries to send mail via Exchange. We are talking here about sending from Exchange first, and about receiving via Exchange second.

Here are my options on the default receive connector:

Permission Groups:
Anonymous, Exchange users, Exchange Servers
Legacy Exchange Servers

Transport Layer Security, Basic Authentication with "Offer basic authentication only after TLS", Exchange Server authentication, Integrated Windows authentication
You didn't mention that it was a group.

By default on Exchange 2007 groups are set to require that all senders are authenticated. That isn't relaying settings, just authentication in general. You could turn off the requirement to authenticate and your server would be able to send email to the group.


Master-Squirrel (Author) commented:
Thanks, but it's an open relay for my server!

Let me try to explain what I mean.
If I switch off authentication on my connector (the "Externally Secured" checkbox), I can send mail both inside my organization and outside. But if I switch authentication on, my mail can't go anywhere. If authentication is on, any attempt to send mail via this connector finishes with an NDR: authentication required!
Which connector are you referring to? Send or Receive?
Externally secured will turn the server into an open relay because Exchange is expecting another server to be responsible for authentication. If the connector is exposed to the internet then you have a problem.

The authentication settings I am referring to are on the group, not the connector.

Master-Squirrel (Author) commented:
Well, I configured a receive connector. When I entered some name in this connector as the FQDN of my Exchange, I got this message when I tried to connect to this connector. So I decided this is what is in use when I try to send mail from my AV server.

I use this connector only for inside servers, so I should not have a problem.

Let's see then:
When my AV software tries to send mail via Exchange, what type of connector is in use? Send or receive?
I see that the receive connector is in use, because if I change the authentication method to externally secured on the RECEIVE connector, all works fine. But if I use any of the other methods I get an auth error.
Master-Squirrel (Author) commented:
"The authentication settings I am referring to are on the group, not the connector."

Look at

I see only one authentication settings tab.
That is a screenshot of the connector, not the group.
Groups in Exchange 2007 are set to require that all senders are authenticated by default, as I have already said. If you have an external server that you want to send to a group then you need to turn off that requirement in the properties of the group under Mail Flow Settings, Mail Delivery Restrictions.  
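
The group setting referred to in the two replies above ("require that all senders are authenticated"), shown as Exchange Management Shell commands. This is an added example, not something posted in the thread: it audits which distribution groups already accept unauthenticated senders, then relaxes the setting on one group. The group name "AV-Alerts" is a constructed placeholder.

```powershell
# Added example (not from the thread): Exchange 2007 Management Shell.
# On Exchange 2007 a new distribution group has RequireSenderAuthenticationEnabled
# set to $true, which is why an anonymous submission from the AV server is
# rejected for the group even though it is accepted for a single mailbox.

# Audit: which groups already accept mail from unauthenticated senders?
function Get-UnauthenticatedSenderGroups {
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
}
Get-UnauthenticatedSenderGroups | Format-Table -AutoSize

# Change: let an anonymous sender (the AV server submitting via a receive
# connector that allows anonymous users) deliver to this one group only.
# "AV-Alerts" is a placeholder group name.
Set-DistributionGroup -Identity "AV-Alerts" -RequireSenderAuthenticationEnabled $false

# Verify the change took effect before testing from the AV server again.
Get-DistributionGroup -Identity "AV-Alerts" |
    Format-List Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled
```

Once the requirement is off, any anonymous SMTP session that can reach the group's address (including internet mail arriving through the Edge server) can post to it, so use a group that exists only for internal notifications and keep the connector that accepts anonymous sessions limited to the AV server's IP.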

Master-Squirrel (Author) commented:
Well, I have an INTERNAL server that should send mail to
I read about groups in Exchange 2007 and found out that there is one right: ms-Exch-SMTP-Accept-Any-Recipient

As I understood it, if I configure some group for my receive connector that has such a right, then mail received on this connector will be sent to any recipient, not depending on or @external.domain

If so, this is the answer ;-)
If the server is NOT an Exchange server, then as far as Exchange is concerned, it is an EXTERNAL server, not an internal server. Internal servers are only other Exchange servers.

Master-Squirrel (Author) commented:
OK, last question to close this topic, if you don't mind...
I have a receive connector for one of my internal servers (which is external to Exchange, as you said).

When I use this connector from the command line I type:
HELO ...

and get an error that sending to external recipients is prohibited, but I can send mail to the internal domain.


Sending to an external recipient is relaying. Therefore you have to either authenticate or be on a list of IP addresses that is allowed to relay. I personally tend to get other SMTP systems that are sending email to external recipients to send their email via the ISP's SMTP server. I do that a lot with UPS devices, so that the notifications can get out.
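
The thread ends with the two options the last reply names (authenticate, or be on an IP list that is allowed to relay) and the ms-Exch-SMTP-Accept-Any-Recipient right the author found. The following is an added example, not code from the thread: Exchange 2007 Management Shell commands that first audit which receive connectors would act as an open relay (the "Externally Secured" case discussed above), then create a connector that grants relay to one trusted source address instead of to everyone. The server name HUB01 and the address 192.0.2.10 are constructed placeholders.

```powershell
# Added example (not from the thread): Exchange 2007 Management Shell.
# HUB01 and 192.0.2.10 are placeholders for the Hub Transport server and the
# AV server's address.

# --- 1. Audit: which receive connectors grant relay, and to whom? ------------
# A connector relays for anonymous sessions when it is Externally Secured
# (AuthMechanism contains ExternalAuthoritative) or when ANONYMOUS LOGON holds
# ms-Exch-SMTP-Accept-Any-Recipient on it. Combined with the default
# RemoteIPRanges of 0.0.0.0-255.255.255.255, that is an open relay for every
# host that can reach port 25.
function Get-RelayingReceiveConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $external = [string]$rc.AuthMechanism -match 'ExternalAuthoritative'
        $anonRelay = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                ([string]$_.User) -like '*ANONYMOUS LOGON*' -and
                -not $_.Deny -and
                ([string]$_.ExtendedRights) -match 'ms-Exch-SMTP-Accept-Any-Recipient'
            }
        if (-not ($external -or $anonRelay)) { continue }
        if ($external) { $reason = 'ExternalAuthoritative' }
        else           { $reason = 'Anonymous Accept-Any-Recipient' }
        $rc | Select-Object Identity,
            @{ Name = 'Reason'; Expression = { $reason } },
            @{ Name = 'RemoteIPRanges'
               Expression = { ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', ' } }
    }
}
Get-RelayingReceiveConnectors | Format-Table -AutoSize

# --- 2. Fix: a dedicated connector limited to the AV server ------------------
# Exchange selects the receive connector whose RemoteIPRanges matches the
# client most specifically, so a single-address entry wins over the Default
# connector for that host only. Every other source still hits the Default
# connector, where the authentication requirement stays in place.
New-ReceiveConnector -Name "Relay - AV server" -Server HUB01 -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 192.0.2.10 `
    -PermissionGroups AnonymousUsers

# Grant relay (Accept-Any-Recipient) to anonymous sessions on this connector
# only, rather than ticking "Externally Secured" on the Default connector.
Get-ReceiveConnector "HUB01\Relay - AV server" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Re-run the audit: the new connector should be listed with a single-host
# range, and the Default connector should not appear at all.
Get-RelayingReceiveConnectors | Format-Table -AutoSize
```

The audit is worth scheduling: an "Externally Secured" Default connector shows up in it with the full address range, which is exactly the configuration the earlier replies warn about. Relay remains scoped to the listed address, so if the AV server is ever repurposed or its address reassigned, remove the connector (Remove-ReceiveConnector) rather than leaving the grant behind.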


Master-Squirrel (Author) commented:
Thanks :-)