Eldata

asked on

Open Relay on Exchange 2007

This really has me puzzled. For a couple of weeks now we have been using new Exchange 2007 servers. Everywhere I look it tells me it is virtually impossible to turn an Exchange 2007 server into an open relay by accident, but somehow we seem to have one.
We're getting email rejected by spam filters telling us that we have an open relay.
If I do a telnet to the external IP address it seems I can send email from another domain, so this points to an open relay as well.
In the Exchange configuration on the properties of the Hub Transport there is no checkmark for "Externally Secured" on any of the receive connectors.
In the "Accepted Domains" there is no wildcard ("*"), only the domain names that we accept email for.
Does anyone know what else could be causing the open relay?
For security we use a Cisco ASA 5505 firewall, could that have anything to do with it?
suggestionstick

Hi

when you telnet to the external IP and send an email from an external domain, are you sending this email to an internal recipient or to another external email address, i.e. your gmail account?

what results do you get from

http://verify.abuse.net/cgi-bin/relaytest

yes the ASA can "proxy" communications to the SMTP port, but this should not cause an issue?

 
Eldata

ASKER

Sorry, the link you provided was broken, but from a similar website (njabl.org) it told me we had an open relay. (Not anymore, I requested removal which they duly did).

These are the Telnet commands I used from an external machine:

220 mail.owndomain.nl Microsoft ESMTP MAIL Service ready at Mon, 20 Apr 2009 16:05:43 +0200
ehlo gmail.com
250-mail.owndomain.nl Hello [89.1xx.xx.xxx]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:username@gmail.com
250 2.1.0 Sender OK
rcpt to:username@hotmail.com
250 2.1.5 Recipient OK


Hi


sorry the link should have been www.abuse.net/relay.html

in PowerShell can you run

Get-AcceptedDomain

Eldata

ASKER

This is the reply:

Mail relay testing
This host was recently tested with an anonymous test.
The host appeared to accept a test message for relay

The result from "Get-AcceptedDomain" is the same as in the management console.
Only valid domains that we use and no wildcard.

Eldata

ASKER

Did the registered user test on abuse.net as well, and we got the email.
So we may assume there really is an open relay here...
Hi


check the permissions on the "external" send and receive connectors.

server conf -> hub -> auth: make sure that external secured is not set

org conf -> hub -> make sure that external secured is not set (using smarthost)
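
The connector check suggested above can also be run from the Exchange Management Shell, which additionally shows permissions that the console's checkboxes do not. This is an added example, not code from any poster in this thread, and the accepted solution is not visible on this page; the variable names and the report columns AnonymousRelayRight and ExternallySecured are made up for this illustration.

```powershell
# Added example: audit every Receive connector for settings that permit relay.
# Run in the Exchange Management Shell on a Hub Transport server.

$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'   # right that allows relay to any domain

$report = Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Allow ACEs (explicit or inherited) that give unauthenticated senders the relay right
    $aces = @(Get-ADPermission -Identity $rc.Identity -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) })

    $rc | Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism,
        @{ Name = 'AnonymousRelayRight'; Expression = { $aces.Count -gt 0 } },
        @{ Name = 'ExternallySecured'
           Expression = { "$($_.AuthMechanism)" -match 'ExternalAuthoritative' } }
}

# Full picture first, so connectors with wide RemoteIPRanges stand out
$report | Format-Table Identity, RemoteIPRanges, PermissionGroups, AuthMechanism -AutoSize

# Then only the connectors that can relay for unauthenticated or "trusted" senders
$report |
    Where-Object { $_.AnonymousRelayRight -or $_.ExternallySecured } |
    Format-List Identity, Bindings, RemoteIPRanges, AnonymousRelayRight, ExternallySecured
```

The AnonymousUsers permission group on its own does not carry this right by default, so a connector reported with AnonymousRelayRight set to True had it granted separately. Compare its RemoteIPRanges with the source address the firewall presents to the server for inbound SMTP.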



Eldata

ASKER

On the receive connectors "External Secured" is not set.
On the Send connector I can't find this setting. When I open the properties for Outgoing SMTP I see four tabs: "General", "address space", "network" and "source server".
On "Network" there only is a check for "Use domain name system (DNS) "MX" records to route mail automatically".
Hi

what's your Exchange 2007 topology, single server?
Eldata

ASKER

No, two clustered mailbox servers, two redundant hub transport/client access servers
Hi

From memory when setting up our ASA, there was an option to configure accepted domains, but I am fairly sure that that was for the security context module, which cannot be installed into the ASA 5505.

however I will check.

Any other SMTP/mail  aware S/W configured on the Hubs?

Have you tried to run a best practices analyzer, it might provide some insight

microsoft exchange -> finalize deployment ->




Eldata

ASKER

We are using Forefront antivirus, apart from that there is nothing else on the servers.
Ran the best practices analyzer, didn't show up anything about misconfigurations.
There is a difference between the email being accepted and the email actually being delivered. Have you actually tried an open relay telnet test to an external email address that you control (Hotmail, Yahoo, Gmail etc)?

Simon.
Eldata

ASKER

Mestha: yes we have, and email is actually being delivered.
There really is an open relay problem.
ASKER CERTIFIED SOLUTION
Eldata

This solution is only available to members.
That is a third one to add on to the list of how to turn Exchange 2007 into an open relay!

Hadn't heard of that one.

Simon.
Hi


Glad you got it fixed, and thanks for the update.

Happy hunting