Should I disable authentication on my SMTP virtual server?

Posted on 2009-04-29
Last Modified: 2012-05-06
I have recently started turning off smtp relaying on your main exchange server (uncheck allow all computers which successfully authenticate to relay regardless of the list above). I also read this post in the MS IMF guide:
Helping to Secure Your Gateway SMTP Virtual Servers
Dictionary attacks are brute force attacks that use common words as possible passwords to discover valid passwords for well-known accounts, such as the administrator account. Malicious users attempt dictionary attacks to gain access to computers.
To help protect your SMTP gateway servers from possible dictionary attacks, you can disable all forms of authentication on your inbound SMTP virtual servers that accept Internet mail. Because no authentication is permitted, malicious users cannot use dictionary attacks to discover passwords and authenticate to your computer to relay mail or perform other unauthorized actions--
1. In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.
2. Right-click the inbound SMTP virtual server, and then click Properties.
3. Click the Access tab, and then click Authentication.
4. In Authentication, clear the Basic authentication and Integrated Windows Authentication check boxes.
Is this a good idea and when would you NOT want to do this?
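Whichever way the authentication check boxes are set, what matters is what the virtual server actually advertises to the Internet and whether it still relays for anonymous senders. The script below is an added example (not from the thread, Microsoft, or the IMF guide) that parses an EHLO reply, reports the advertised AUTH mechanisms, and optionally performs a relay check against your own server. The host names `mail.example.local` and `check.example`, the sample EHLO banner, and the `assess` policy rules are all constructed for illustration.

```python
"""Verify what an SMTP virtual server advertises (AUTH, STARTTLS) and whether it
relays for unauthenticated clients. Example code written for this thread; it is
not from Microsoft, Exchange, or the IMF guide."""
import re
import smtplib
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample EHLO body, in the form smtplib returns it (status codes
# already stripped, first line is the server greeting). Not a real capture.
SAMPLE_EHLO = (
    "mail.example.local Hello [192.0.2.10]\n"
    "SIZE 10485760\nPIPELINING\nDSN\nENHANCEDSTATUSCODES\n8bitmime\n"
    "AUTH GSSAPI NTLM LOGIN\nAUTH=LOGIN\nOK"
)

_STATUS_PREFIX = re.compile(r"^\d{3}[ -]")


def parse_ehlo_capabilities(reply: str) -> Dict[str, List[str]]:
    """Turn an EHLO reply into {KEYWORD: [params]}.

    Accepts either the body smtplib returns or a raw telnet transcript with
    "250-" prefixes. The first line (server greeting) is skipped, and the
    legacy "AUTH=LOGIN" form is folded into the AUTH keyword.
    """
    caps: Dict[str, List[str]] = {}
    lines = [_STATUS_PREFIX.sub("", ln.strip()) for ln in reply.splitlines()]
    for line in lines[1:]:
        parts = line.split()
        if not parts:
            continue
        keyword, params = parts[0].upper(), parts[1:]
        if "=" in keyword:                       # AUTH=LOGIN -> AUTH LOGIN
            keyword, first = keyword.split("=", 1)
            params = [first] + params
        caps.setdefault(keyword, []).extend(params)
    return caps


def advertised_auth_mechanisms(caps: Dict[str, List[str]]) -> List[str]:
    """Sorted, de-duplicated list of SASL mechanisms offered via AUTH."""
    return sorted({m.upper() for m in caps.get("AUTH", [])})


def assess(caps: Dict[str, List[str]], auth_expected: bool) -> List[str]:
    """Compare advertised capabilities against the intended policy."""
    findings: List[str] = []
    mechs = advertised_auth_mechanisms(caps)
    if auth_expected and not mechs:
        findings.append("AUTH not advertised, but policy expects clients to "
                        "authenticate over this virtual server")
    if not auth_expected and mechs:
        findings.append("AUTH still advertised: " + ", ".join(mechs))
    # LOGIN/PLAIN carry credentials in cleartext unless TLS is negotiated first.
    if ({"LOGIN", "PLAIN"} & set(mechs)) and "STARTTLS" not in caps:
        findings.append("cleartext-capable mechanism offered without STARTTLS")
    return findings


def check_server(host: str, port: int = 25, auth_expected: bool = False,
                 relay_probe: Optional[Tuple[str, str]] = None,
                 timeout: float = 10.0) -> Dict[str, object]:
    """Connect to your own server, read EHLO, and optionally test whether an
    anonymous session may relay to an external recipient (relay_probe is a
    (sender, recipient) pair in a domain the server is not authoritative for).
    The probe stops at RCPT TO and sends RSET, so no message is ever queued."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo("check.example")
        if code != 250:
            return {"error": f"EHLO rejected with {code}"}
        caps = parse_ehlo_capabilities(msg.decode("ascii", "replace"))
        result: Dict[str, object] = {
            "auth_mechanisms": advertised_auth_mechanisms(caps),
            "findings": assess(caps, auth_expected),
        }
        if relay_probe:
            sender, recipient = relay_probe
            smtp.mail(sender)
            rcode, _ = smtp.rcpt(recipient)
            smtp.rset()
            accepted = rcode in (250, 251)
            result["relay_accepted"] = accepted
            if accepted:
                result["findings"].append(  # type: ignore[union-attr]
                    "anonymous session accepted an external recipient (open relay)")
        return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.local"
    print(check_server(target, auth_expected=False))
```

Run it against the inbound virtual server from outside the LAN to see what the Internet sees; `assess(..., auth_expected=True)` is the mode to use on a server that still has to accept authenticated submissions from POP/IMAP clients.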
    LVL 17

    Assisted Solution

    by:Andres Perales
    If you turn off authentication how will your users send email?  Your best bet is to enforce password security by training your users to use strong passwords for authentication!  Are you using a firewall?  Cisco firewalls use fixup which will insert another layer of protection for that smtp translation!
    LVL 6

    Assisted Solution

    I agree with just using strong passwords on your accounts.

    That information is more geared to large setups where you have multiple smtp virtual servers. If you are just running your normal single one I wouldn't worry about it.
    LVL 65

    Accepted Solution

    If you do not have any users sending email by SMTP then authenticated relaying can be turned off completely. It is not required for native Exchange clients to send email - so Outlook, OWA and Exchange ActiveSync. That would allow you to leave the authentication settings alone.

    If you do turn off those two authentication settings, then they will need to be enabled again if you introduce a second Exchange server.


    Author Comment

    The instructions I included state to disable it on INBOUND SMTP. Does this mean that outbound email will be fine? That is what I'm confused about. I know that I cannot disable authentication for outbound email. But they are talking about email coming in. Does this make a difference?
    LVL 65

    Expert Comment

    You don't authenticate email when you are sending email out, unless you are using a smart host. Even then the smart host setting is set on the SMTP Connector.

    The instructions look like they were written for a multiple site environment where there is an SMTP gateway being used - although if that was the case changing the authentication settings would actually cause a problem! The change would only apply on a single server deployment, but I have to say it is not something I have ever done or seen done.


    Author Comment

    OK.... I guess I will leave it alone. I have been using Microsoft's Intelligent Message Filter on SBS servers for spam control and it has been quite successful. I downloaded the tech file from Microsoft that explains how to configure IMF and that is where they talk about disabling the inbound SMTP authentication. If anyone is interested I have attached the file and the reference is on pages 10 and 11. For now I guess I will leave it alone....

    Author Closing Comment

    I am awarding points for the input. I have determined not to mess with the SMTP authentication other than turning off relaying for anyone regardless of the list above. Thanks.
