Solved

How do I disable Open SMTP Relay on Exchange 2007 Hub Transport Server

Posted on 2009-07-07
Last Modified: 2013-11-30
My organization is actively being used as a spam relay.  I tried to remove Anonymous User permissions from the Receive connectors and we stopped receiving email outside the domain.  The Exchange server is set up as Hub Transport and is the only SMTP gateway.  Really need to plug the hole that the spammers are using and allow legitimate email to get through.
Please help, don't want the company to be blacklisted.
Question by:Rich9999
33 Comments
 
LVL 12

Expert Comment

by:florin_s
ID: 24794152
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794163
Why do you believe you are an open relay?    Anonymous is set to allow the outside world to send to you, as you might have found.

Test if you are really an open relay:

http://www.spamhelp.org/shopenrelay/

You can install the anti spam agents:  http://www.petri.co.il/install-anti-spam-exchange-2007.htm

0
 
LVL 6

Expert Comment

by:cmccall
ID: 24794209
In Exchange 2007, you almost have to deliberately set it up to be an open relay.  There are two places where you have to configure this.  You have the receive connector settings (Server Configuration -> Hub Transport) where you specify what IPs and connection types you will receive for.  You also have Accepted Domains (Organization Configuration -> Hub Transport).  In this section, you should only have domains that you are actually responsible for.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794243
To me it sounds like you have a spam issue and not an open relay.    For which you need to get some type of anti-spam solution in place, i.e. Anti-Spam Agents, MX Logic, Barracuda, etc...
0
 

Author Comment

by:Rich9999
ID: 24794249
I ran http://www.mxtoolbox.com/ and this site is saying that we may be an Open relay.
0
 
LVL 7

Expert Comment

by:aslamsurve
ID: 24794348
Implement the Anti-spam agents on the Exchange 2007 server
http://support.microsoft.com/kb/555924
0
 

Author Comment

by:Rich9999
ID: 24794393
Anti-spam agents are implemented.  Going through the settings on the send connector found * listed for the accepted domain.  If I remove that, will I still be able to send email from our domain?
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794403
That is fine...users in your org can send to any domain through this connector.
0
 

Author Comment

by:Rich9999
ID: 24794416
Sorry the address space has * listed for the SMTP.   Accepted domains has a list of domains our company deals with.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794422
To set up an Exchange 2007 Hub as an open relay you would have to take a few steps.

Example:  http://msexchangeteam.com/archive/2006/12/28/432013.aspx   but for the Remote Network Settings you have it set to 0.0.0.0 - 255.255.255.255  I doubt you have done this...
0
 

Author Comment

by:Rich9999
ID: 24794448
We are also using 3Com Tipping Point as a firewall/anti-spam solution.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794449
Under Accepted Domains these should be all the domains that you are accepting email for...that your Exchange 2007 is the authoritative email server for those domains.   Are the MX records for those domains pointing to your public IP for Exchange?
0
 

Author Comment

by:Rich9999
ID: 24794496
Where would I check this?  Settings you have it set to 0.0.0.0 - 255.255.255.255  I doubt you have done this...

Actually we are not the authoritative email server for the domains listed.  These are companies that were added before I started working here.  I think they were having problems receiving email from the companies listed.
0
 

Author Comment

by:Rich9999
ID: 24794509
Client and Default receive connectors have 0.0.0.0 - 255.255.255.255 listed under network.  What should it list?
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794521
Do you only have Client and Default receive connectors?    If you do, you're fine.

Go to http://www.spamhelp.org/shopenrelay/ and plug in your mail server IP...does it pass or fail the open relay.    

0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794533
Don't modify the default receive connectors!

I bet you're not an open relay...only receiving spam.
0

 

Author Comment

by:Rich9999
ID: 24794603
Went to the link and tested our site and the connection times out.  I know we are not just receiving spam.
We are being used to send spam.

The following organization rejected your message: mxh16.hichina.com.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: our.server

michael@sharingsh.com
mxh16.hichina.com #553 RP:RDN http://www.net.cn/service/faq/youx/mailsy/200905/3781.html ##

Original message headers:

Received: from cipvdipvpc8 (119.96.211.156) by our.server (our IP)
 with Microsoft SMTP Server id 8.1.375.2; Mon, 6 Jul 2009 12:45:34 -0500
From: Ctaip <ubiov@ISP relay address>
To: michael <michael@sharingsh.com>
Subject: =?GB2312?B?W1BvdGVudGlhbCBTUEFNXVRQTc+1zbPKtcqptcTG37Tzsr3W6DBYUw==?=
Date: Tue, 7 Jul 2009 02:01:11 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: base64
X-Priority: 3
Message-ID: <64dbe7e6-d2ed-4d53-9bfb-0ce8d811b08d@our.server>
Return-Path: ubiov@IPS relay
Received-SPF: None (our.server: ubiov@ISP relay does not
 designate permitted sender hosts)
This is an example of what was trying to be sent from our server.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794636
Someone could be spoofing your domain.    To help with this, set up an SPF record.


http://www.spamhelp.org/shopenrelay/   times out?

Are you 218.244.146.246?  
0
 

Author Comment

by:Rich9999
ID: 24794658
We are 207.179.200.38.  Not sure what you mean by a SPF record.
0
 

Author Comment

by:Rich9999
ID: 24794727
In addition, our ISP let us know that a lot of spam was being sent from our connection.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794735
Ouch you are a relay....

220 ales.air-land.com Microsoft ESMTP MAIL Service ready at Tue, 7 Jul 2009 09:48:15 -0500
helo test.com
250 ales.air-land.com Hello [66.93.241.144]
mail from:test@test.com
250 2.1.0 Sender OK
rcpt to:hello@me.com
250 2.1.5 Recipient OK


0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24794806
Run
get-receiveconnector *Default* | get-adpermission | fl > permissions.txt
 
Open the permissions.txt file and check whether ANONYMOUS has the ms-Exch-SMTP-Accept-Any-Recipient permission. If so, I suggest you either remove that permission, or simply delete and recreate the SMTP Receive connector.

0
 

Author Comment

by:Rich9999
ID: 24795105
Anonymous does have the permission.  Looking for the command to revoke the permission.
0
 
LVL 20

Accepted Solution

by:
EndureKona earned 500 total points
ID: 24795131
Example:

remove-adpermission "Client <servername>" -user "NT Authority\Authenticated Users" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
0
 

Author Comment

by:Rich9999
ID: 24795326
Should "Client <servername>" be set to the exchange server? Tried that and the command won't run.  Sorry for being such a newb.
0
 

Author Comment

by:Rich9999
ID: 24795342
Also, shouldn't it be NT Authority\Anonymous logon?
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24795377
Correct
0
 

Author Comment

by:Rich9999
ID: 24795469
I have tried the commands in the attached image, what am I doing wrong?
shell-errors.jpg
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24795610
This might be quicker and cleaner to delete and recreate the two receive connectors.
0
 

Author Comment

by:Rich9999
ID: 24795735
I think it is fixed now, I found this command

Get-ReceiveConnector "Default Exchange1" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -Deny -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

And re-ran the mxlookup and the server is no longer showing as an Open Relay.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24795769
You are correct...no more relay:

220 ales.air-land.com Microsoft ESMTP MAIL Service ready at Tue, 7 Jul 2009 11:34:53 -0500
helo test.com
250 ales.air-land.com Hello [66.93.241.144]
mail from:test@test.com
250 2.1.0 Sender OK
rcpt to:nogo@haha.com
550 5.7.1 Unable to relay
:


Now test inbound and outbound email flow (like to/from Gmail)...to ensure nothing was messed up in the process.    
0
 

Author Closing Comment

by:Rich9999
ID: 31600575
Thank you for the excellent support.
0
 

Author Comment

by:Rich9999
ID: 24795833
Email flow is working, tested to/from my gmail account.  Again thank you for the excellent assistance you have given me.
0
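
Added example, not part of the original thread: an Exchange Management Shell audit that checks every Receive connector (not only *Default*) for the relay-enabling right discussed above, and removes the allow entry for ANONYMOUS LOGON only when asked to. The variable names and the $Fix switch are assumptions of this example; the cmdlets and the permission name are the ones used in the thread.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Hub Transport server.

$Right   = 'ms-Exch-SMTP-Accept-Any-Recipient'   # the right that lets a session relay to any domain
$Account = 'NT AUTHORITY\ANONYMOUS LOGON'        # unauthenticated SMTP sessions
$Fix     = $false                                # assumption: set to $true only after reviewing the report

# Collect every allow entry (Deny entries are not a problem) that grants
# the right to anonymous sessions, across all Receive connectors.
$findings = @(Get-ReceiveConnector |
    Get-ADPermission -User $Account |
    Where-Object { ($_.ExtendedRights -like $Right) -and (-not $_.Deny) })

if ($findings.Count -eq 0) {
    Write-Host "No Receive connector grants $Right to $Account."
}
else {
    # Report first, so the change can be reviewed before anything is modified.
    $findings | Format-Table Identity, User, ExtendedRights, Deny, IsInherited -AutoSize

    foreach ($ace in $findings) {
        if ($ace.IsInherited) {
            # Inherited entries are set on a parent object and cannot be
            # removed from the connector itself; flag them for manual review.
            Write-Warning "$($ace.Identity): entry is inherited, review the parent object."
            continue
        }

        # With $Fix = $false this runs as -WhatIf and only prints what would change.
        Remove-ADPermission -Identity $ace.Identity -User $Account `
            -ExtendedRights $Right -WhatIf:(-not $Fix)
    }
}
```

After a change, repeat the manual SMTP check shown in the thread and confirm that RCPT TO for an external domain returns 550 5.7.1 Unable to relay while inbound mail for your accepted domains is still accepted.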
