

Should I disable authentication on my SMTP virtual server?

Posted on 2009-04-29
Medium Priority
Last Modified: 2012-05-06
I have recently started turning off smtp relaying on your main exchange server (uncheck allow all computers which successfully authenticate to relay regardless of the list above). I also read this post in the MS IMF guide:
Helping to Secure Your Gateway SMTP Virtual Servers
Dictionary attacks are brute force attacks that use common words as possible passwords to discover valid passwords for well-known accounts, such as the administrator account. Malicious users attempt dictionary attacks to gain access to computers.
To help protect your SMTP gateway servers from possible dictionary attacks, you can disable all forms of authentication on your inbound SMTP virtual servers that accept Internet mail. Because no authentication is permitted, malicious users cannot use dictionary attacks to discover passwords and authenticate to your computer to relay mail or perform other unauthorized actions.
1.      In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.
2.      Right-click the inbound SMTP virtual server, and then click Properties.
3.      Click the Access tab, and then click Authentication.
4.      In Authentication, clear the Basic authentication and Integrated Windows Authentication check boxes.
Is this a good idea and when would you NOT want to do this?
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 400 total points
ID: 24266289
If you turn off authentication how will your users send email?  Your best bet is to enforce password security by training your users to use strong passwords for authentication!  Are you using a firewall?  Cisco firewalls use fixup which will insert another layer of protection for that smtp translation!

Assisted Solution

ccosby earned 400 total points
ID: 24266422
I agree with just using strong passwords on your accounts.

That information is more geared to large setups where you have multiple smtp virtual servers. If you are just running your normal single one I wouldn't worry about it.
LVL 65

Accepted Solution

Mestha earned 1200 total points
ID: 24268495
If you do not have any users sending email by SMTP then authenticated relaying can be turned off completely. It is not required for native Exchange clients to send email - so Outlook, OWA and Exchange ActiveSync. That would allow you to leave the authentication settings alone.

If you do turn off those two authentication settings, then they will need to be enabled again if you introduce a second Exchange server.
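
A way to confirm from outside the server whether the two check boxes discussed in this thread are still in effect, added here as an example and not part of the original thread: it parses an EHLO reply and reports which authentication mechanisms are still advertised. The mapping of check boxes to mechanisms (Basic to LOGIN/PLAIN, Integrated Windows to NTLM/GSSAPI) is an assumption, and the sample replies and host name are constructed.

```python
import re
import smtplib

# Assumed mapping from the two check boxes to the SASL mechanisms they enable.
CHECKBOX_FOR_MECH = {
    "LOGIN": "Basic authentication",
    "PLAIN": "Basic authentication",
    "NTLM": "Integrated Windows Authentication",
    "GSSAPI": "Integrated Windows Authentication",
}

# Matches "250-AUTH GSSAPI NTLM LOGIN", the legacy "250-AUTH=LOGIN" form, and
# the same lines with the reply code already stripped (as smtplib returns them).
AUTH_LINE = re.compile(r"^(?:250[- ])?AUTH[ =](.*)$", re.IGNORECASE)

def advertised_auth(ehlo_reply):
    """Return the set of AUTH mechanisms listed in a multi-line EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def audit(ehlo_reply):
    """Group advertised mechanisms by the check box that would still be ticked."""
    findings = {}
    for mech in sorted(advertised_auth(ehlo_reply)):
        box = CHECKBOX_FOR_MECH.get(mech, "unmapped mechanism")
        findings.setdefault(box, []).append(mech)
    return findings

def probe(host, port=25):
    """Run the audit against a server you administer (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _code, reply = smtp.ehlo()
    return audit(reply.decode("ascii", "replace"))

# Constructed sample replies: before and after clearing both check boxes.
BEFORE = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 10485760\r\n"
          "250-PIPELINING\r\n250-AUTH GSSAPI NTLM LOGIN\r\n250-AUTH=LOGIN\r\n250 OK")
AFTER = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 10485760\r\n"
         "250-PIPELINING\r\n250 OK")

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

An empty result means the virtual server no longer offers any mechanism for a password-guessing attempt to target; a non-empty one names the check box that is still ticked.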



Author Comment

ID: 24280808
The instructions I included state to disable it on INBOUND SMTP. Does this mean that outbound email will be fine? That is what I'm confused about. I know that I cannot disable authentication for outbound email. But they are talking about email coming in. Does this make a difference?
LVL 65

Expert Comment

ID: 24281238
You don't authenticate email when you are sending email out, unless you are using a smart host. Even then the smart host setting is set on the SMTP Connector.

The instructions look like they were written for a multiple site environment where there is an SMTP gateway being used - although if that was the case changing the authentication settings would actually cause a problem! The change would only apply on a single server deployment, but I have to say it is not something I have ever done or seen done.


Author Comment

ID: 24281429
OK.... I guess I will leave it alone. I have been using Microsoft's Intelligent Messaging Filter on SBS servers for spam control and it has been quite successful. I downloaded the tech file from Microsoft that explains how to configure IMF and that is where they talk about disabling the inbound SMTP authentication. If anyone is interested, I have attached the file and the reference is on pages 10 and 11. For now I guess I will leave it alone....

Author Closing Comment

ID: 31576257
I am awarding points for the input. I have determined not to mess with the SMTP authentication other than turning off relaying for anyone regardless of the list above. Thanks.

Question has a verified solution.