  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 520
  • Last Modified:

Open Relay on Exchange 2007

This really has me puzzled. Since a couple of weeks we are using new Exchange 2007 servers. Everywhere I look it tells me it is virtually impossible to turn an Exchange 2007 server into an open relay by accident, but somehow we seem to have one.
We're getting email rejected by spam filters telling us that we have an open relay.
If I do a telnet to the external IP address it seems I can send email from another domain, so this points to an open relay as well.
In the Exchange configuration, on the properties of the Hub Transport, there is no checkmark for "Externally Secured" on any of the receive connectors.
In the "Accepted Domains" there is no wildcard ("*"), only the domain names that we accept email for.
Does anyone know what else could be causing the open relay?
For security we use a Cisco ASA 5505 firewall; could that have anything to do with it?
Asked by: Eldata
1 Solution
 
suggestionstickCommented:
Hi

When you telnet to the external IP and send an email from an external domain, are you sending this email to an internal recipient or to another external email address, i.e. your Gmail account?

what results do you get from

http://verify.abuse.net/cgi-bin/relaytest

Yes, the ASA can "proxy" communications to the SMTP port, but this should not cause an issue?

 
0
 
EldataAuthor Commented:
Sorry, the link you provided was broken, but from a similar website (njabl.org) it told me we had an open relay. (Not anymore, I requested removal which they duly did).

These are the Telnet commands I used from an external machine:

220 mail.owndomain.nl Microsoft ESMTP MAIL Service ready at Mon, 20 Apr 2009 16:05:43 +0200
ehlo gmail.com
250-mail.owndomain.nl Hello [89.1xx.xx.xxx]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:username@gmail.com
250 2.1.0 Sender OK
rcpt to:username@hotmail.com
250 2.1.5 Recipient OK


0
 
suggestionstickCommented:
Hi


Sorry, the link should have been www.abuse.net/relay.html

In PowerShell, can you run

Get-AcceptedDomain

0
EldataAuthor Commented:
This is the reply:

Mail relay testing
This host was recently tested with an anonymous test.
The host appeared to accept a test message for relay

The result from "Get-AcceptedDomain" is the same as in the management console.
Only valid domains that we use and no wildcard.

0
 
EldataAuthor Commented:
Did the registered user test on abuse.net as well, and we got the email.
So we may assume there really is an open relay here...
0
 
suggestionstickCommented:
Hi


Check the permissions on the "external" send and receive connectors.

Server config -> hub -> auth: make sure that "externally secured" is not set.

Org config -> hub: make sure that "externally secured" is not set (using smarthost).



0
 
EldataAuthor Commented:
On the receive connectors "External Secured" is not set.
On the Send connector I can't find this setting. When I open the properties for Outgoing SMTP I see four tabs: "General", "Address space", "Network" and "Source server".
On "Network" there only is a check for "Use domain name system (DNS) "MX" records to route mail automatically".
0
 
suggestionstickCommented:
Hi

What's your Exchange 2007 topology, single server?
0
 
EldataAuthor Commented:
No, two clustered mailbox servers and two redundant hub transport/client access servers.
0
 
suggestionstickCommented:
Hi

From memory, when setting up our ASA there was an option to configure accepted domains, but I am fairly sure that that was for the security context module, which cannot be installed into the ASA 5505.

However, I will check.

Any other SMTP/mail-aware software configured on the Hubs?

Have you tried to run the Best Practices Analyzer? It might provide some insight:

Microsoft Exchange -> Finalize Deployment ->




0
 
EldataAuthor Commented:
We are using Forefront antivirus; apart from that there is nothing else on the servers.
Ran the Best Practices Analyzer; it didn't show up anything about misconfigurations.
0
 
MesthaCommented:
There is a difference between the email being accepted and the email actually being delivered. Have you actually tried an open relay telnet test to an external email address that you control (Hotmail, Yahoo, Gmail etc.)?

Simon.
0
 
EldataAuthor Commented:
Mestha: yes we have, and email is actually being delivered.
There really is an open relay problem.
0
 
EldataAuthor Commented:
Gentlemen,
I spent an agreeable couple of hours with the man from Microsoft on the phone, and it seems we have solved the problem.
It had to do with the fact that the "Anonymous Logon" had "Submit Message To Any Recipient" rights, or in Exchange 2007 speak: ms-Exch-SMTP-Accept-Any-Recipient.
We needed ADSI Edit to change this, nothing we did in the management console or -shell helped.
One f***ing checkmark turns your Exchange 2007 server into an open relay, how about that?

Now we need to find the %@&! who made this configuration, because according to Microsoft this is not a default setting.
Anyway FYI.
Thanks Mestha and suggestionstick for your ideas.
0
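The right named in the accepted answer can be audited across all Receive connectors from the Exchange Management Shell. The script below is an added example, not code from the thread or from Microsoft; it assumes the ACE is visible to Get-ADPermission (the author reports having to use ADSI Edit to change it), that Anonymous Logon appears as "NT AUTHORITY\ANONYMOUS LOGON", and that an unrestricted RemoteIPRanges entry renders as "0.0.0.0-255.255.255.255".

```powershell
# Added example (not code from the thread): audit Exchange 2007 Receive
# connectors for the ms-Exch-SMTP-Accept-Any-Recipient extended right granted
# to Anonymous Logon, the setting the thread ends up identifying as the cause.
# Run in the Exchange Management Shell. Get-ReceiveConnector, Get-ADPermission
# and Remove-ADPermission are real cmdlets; the -Fix switch is this script's own.
param([switch]$Fix)

$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'
$right     = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anyIP     = '0.0.0.0-255.255.255.255'   # assumed display form of "every address"

$findings = foreach ($rc in Get-ReceiveConnector) {
    # Allow ACEs for Anonymous Logon that carry the relay right
    $aces = Get-ADPermission -Identity $rc.Identity -User $anonymous |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) }
    if ($aces) {
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Connector = $rc.Identity.ToString()
            Server    = $rc.Server.ToString()
            Bindings  = ($rc.Bindings -join ', ')
            RemoteIPs = ($ranges -join ', ')
            # The relay right scoped to a few application servers is a normal
            # relay connector; scoped to every address it is an open relay.
            OpenRelay = [bool]($ranges -contains $anyIP)
        }
    }
}

if (-not $findings) {
    Write-Host "No Receive connector grants $right to Anonymous Logon."
    return
}

$findings | Format-Table Connector, Server, Bindings, RemoteIPs, OpenRelay -AutoSize

if ($Fix) {
    foreach ($f in ($findings | Where-Object { $_.OpenRelay })) {
        # Strip the right only where it is open to the world; authenticated
        # senders and IP-scoped relay connectors are left untouched.
        Remove-ADPermission -Identity $f.Connector -User $anonymous `
            -ExtendedRights $right -Confirm:$false
        Write-Host "Removed $right from Anonymous Logon on $($f.Connector)"
    }
}
```

Run it without -Fix first and compare the RemoteIPs column against the application servers you expect to relay before removing anything.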
 
MesthaCommented:
That is a third one to add to the list of how to turn Exchange 2007 into an open relay!

Hadn't heard of that one.

Simon.
0
 
suggestionstickCommented:
Hi


Glad you got it fixed, and thanks for the update.

Happy hunting
0