• Status: Solved

Should I disable authentication on my SMTP virtual server?

I have recently started turning off SMTP relaying on your main Exchange server (uncheck "Allow all computers which successfully authenticate to relay, regardless of the list above"). I also read this post in the MS IMF guide:
Helping to Secure Your Gateway SMTP Virtual Servers
Dictionary attacks are brute force attacks that use common words as possible passwords to discover valid passwords for well-known accounts, such as the administrator account. Malicious users attempt dictionary attacks to gain access to computers.
To help protect your SMTP gateway servers from possible dictionary attacks, you can disable all forms of authentication on your inbound SMTP virtual servers that accept Internet mail. Because no authentication is permitted, malicious users cannot use dictionary attacks to discover passwords and authenticate to your computer to relay mail or perform other unauthorized actions.
1.      In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.
2.      Right-click the inbound SMTP virtual server, and then click Properties.
3.      Click the Access tab, and then click Authentication.
4.      In Authentication, clear the Basic authentication and Integrated Windows Authentication check boxes.
Is this a good idea and when would you NOT want to do this?
3 Solutions
Andres Perales Commented:
If you turn off authentication how will your users send email? Your best bet is to enforce password security by training your users to use strong passwords for authentication! Are you using a firewall? Cisco firewalls use fixup which will insert another layer of protection for that SMTP translation!
I agree with just using strong passwords on your accounts.

That information is more geared to large setups where you have multiple smtp virtual servers. If you are just running your normal single one I wouldn't worry about it.
If you do not have any users sending email by SMTP then authenticated relaying can be turned off completely. It is not required for native Exchange clients to send email - so Outlook, OWA and Exchange ActiveSync. That would allow you to leave the authentication settings alone.

If you do turn off those two authentication settings, then they will need to be enabled again if you introduce a second Exchange server.

williamstechnologygroup Author Commented:
The instructions I included state to disable it on INBOUND SMTP. Does this mean that outbound email will be fine? That is what I'm confused about. I know that I cannot disable authentication for outbound email. But they are talking about email coming in. Does this make a difference?
You don't authenticate email when you are sending email out, unless you are using a smart host. Even then the smart host setting is set on the SMTP Connector.

The instructions look like they were written for a multiple site environment where there is an SMTP gateway being used - although if that was the case changing the authentication settings would actually cause a problem! The change would only apply on a single server deployment, but I have to say it is not something I have ever done or seen done.

williamstechnologygroup Author Commented:
OK.... I guess I will leave it alone. I have been using Microsoft's Intelligent Messaging Filter on SBS servers for spam control and it has been quite successful. I downloaded the tech file from Microsoft that explains how to configure IMF and that is where they talk about disabling the inbound SMTP authentication. If anyone is interested I have attached the file and the reference is on pages 10 and 11. For now I guess I will leave it alone....
williamstechnologygroup Author Commented:
I am awarding points for the input. I have determined not to mess with the SMTP authentication other than turning off relaying for anyone regardless of the list above. Thanks.
Question has a verified solution.
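
Added example (not part of the original thread or of Microsoft's guide): one way to confirm from outside what the two Authentication check boxes change is to read the AUTH lines of the server's EHLO reply. The sample replies, the host name, and the mapping of LOGIN to Basic authentication and NTLM/GSSAPI to Integrated Windows Authentication are assumptions of this example.

```python
import re

# Constructed EHLO replies (not captured from a real server): the same
# inbound virtual server before and after clearing both check boxes.
BEFORE = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH GSSAPI NTLM LOGIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 OK\r\n"
)
AFTER = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)

# Matches both "250-AUTH LOGIN NTLM" and the legacy "250-AUTH=LOGIN" form.
AUTH_LINE = re.compile(r"^250[- ]AUTH[ =](.*)$", re.IGNORECASE)


def auth_mechanisms(ehlo_reply):
    """Return the set of AUTH mechanisms advertised in a raw EHLO reply."""
    mechs = set()
    # The first line is the greeting, not an extension keyword.
    for raw in ehlo_reply.splitlines()[1:]:
        m = AUTH_LINE.match(raw.strip())
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def audit(ehlo_reply):
    """Turn an EHLO reply into findings about password-guessing exposure."""
    mechs = auth_mechanisms(ehlo_reply)
    if not mechs:
        return ["no AUTH advertised: SMTP offers no login to guess against"]
    findings = ["AUTH advertised (%s): password guessing is possible"
                % ", ".join(sorted(mechs))]
    if mechs & {"LOGIN", "PLAIN"}:   # assumed mapping, see lead-in
        findings.append("LOGIN/PLAIN present: Basic authentication is enabled")
    if mechs & {"NTLM", "GSSAPI"}:   # assumed mapping, see lead-in
        findings.append("NTLM/GSSAPI present: Integrated Windows "
                        "Authentication is enabled")
    return findings
```

Paste the reply from a manual EHLO against the Internet-facing listener into `audit()` before and after the change; a second Exchange server that needs to authenticate to this one would see the same missing AUTH line.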
