  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2195

How do I disable Open SMTP Relay on Exchange 2007 Hub Transport Server

My organization is actively being used as a spam relay.  I tried to remove Anonymous User permissions from the Receive connectors and we stopped receiving email outside the domain.  The Exchange server is set up as Hub Transport and is the only SMTP gateway.  Really need to plug the hole that the spammers are using and allow legitimate email to get through.
Please help, don't want the company to be blacklisted.
0
Rich9999
Asked:
1 Solution
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Why do you believe you are an open relay?    Anonymous is set to allow the outside world to send to you, as you might have found.

Test if you are really an open relay:

http://www.spamhelp.org/shopenrelay/

You can install the anti spam agents:  http://www.petri.co.il/install-anti-spam-exchange-2007.htm

0
 
cmccallCommented:
In Exchange 2007, you almost have to deliberately set it up to be an open relay.  There are two places where you have to configure this.  You have the receive connector settings (Server Configuration -> Hub Transport) where you specify what IPs and connection types you will receive for.  You also have Accepted Domains (Organization Configuration -> Hub Transport).  In this section, you should only have domains that you are actually responsible for.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
To me it sounds like you have a spam issue and not an open relay.    Which you need to get some type of anti-spam solution in place, i.e. Anti-Spam Agents, MX Logic, Barracuda, etc...
0
 
Rich9999Author Commented:
I ran http://www.mxtoolbox.com/ and this site is saying that we may be an Open relay.
0
 
aslamsurveCommented:
Implement the Anti-spam agents on the Exchange 2007 server
http://support.microsoft.com/kb/555924
0
 
Rich9999Author Commented:
Anti-spam agents are implemented.  Going through the settings on the send connector found * listed for the accepted domain.  If I remove that, will I still be able to send email from our domain?
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
That is fine...users in your org can send to any domain through this connector.
0
 
Rich9999Author Commented:
Sorry the address space has * listed for the SMTP.   Accepted domains has a list of domains our company deals with.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
To set up Exchange 2007 Hub as an open relay you will have to take a few steps.

Example:  http://msexchangeteam.com/archive/2006/12/28/432013.aspx   but for the Remote Network Settings you have it set to 0.0.0.0 - 255.255.255.255  I doubt you have done this...
0
 
Rich9999Author Commented:
We are also using 3Com Tipping Point as a firewall/anti-spam solution.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Under Accepted Domains these should be all the domains that you are accepting email for...that your Exchange 2007 is the authoritative email server for those domains.   Are the MX records for those domains pointing to your public IP for Exchange?
0
 
Rich9999Author Commented:
Where would I check this?  Settings you have it set to 0.0.0.0 - 255.255.255.255  I doubt you have done this...

Actually we are not the authoritative email server for the domains listed.  These are companies that were added before I started working here.  I think they were having problems receiving email from the companies listed.
0
 
Rich9999Author Commented:
Client and Default receive connectors have 0.0.0.0 - 255.255.255.255 listed under network.  What should it list?
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Do you only have Client and Default receive connectors?    If you do, you're fine.

Go to http://www.spamhelp.org/shopenrelay/ and plug in your mail server IP...does it pass or fail the open relay.    

0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Don't modify the default receive connectors!

I bet you're not an open relay...only receiving spam.
0
 
Rich9999Author Commented:
Went to the link and tested our site and the connection times out.  I know we are not just receiving spam.
We are being used to send spam.

The following organization rejected your message: mxh16.hichina.com.

Sent by Microsoft Exchange Server 2007

Diagnostic information for administrators:

Generating server: our.server

michael@sharingsh.com
mxh16.hichina.com #553 RP:RDN http://www.net.cn/service/faq/youx/mailsy/200905/3781.html ##

Original message headers:

Received: from cipvdipvpc8 (119.96.211.156) by our.server (our IP)
 with Microsoft SMTP Server id 8.1.375.2; Mon, 6 Jul 2009 12:45:34 -0500
From: Ctaip <ubiov@ISP relay address>
To: michael <michael@sharingsh.com>
Subject: =?GB2312?B?W1BvdGVudGlhbCBTUEFNXVRQTc+1zbPKtcqptcTG37Tzsr3W6DBYUw==?=
Date: Tue, 7 Jul 2009 02:01:11 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: base64
X-Priority: 3
Message-ID: <64dbe7e6-d2ed-4d53-9bfb-0ce8d811b08d@our.server>
Return-Path: ubiov@IPS relay
Received-SPF: None (our.server: ubiov@ISP relay does not
 designate permitted sender hosts)

This is an example of what was trying to be sent from our server.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Someone could be spoofing your domain.    To help with this, set up an SPF record.


http://www.spamhelp.org/shopenrelay/   times out?

Are you 218.244.146.246?  
0
 
Rich9999Author Commented:
We are 207.179.200.38.  Not sure what you mean by an SPF record.
0
 
Rich9999Author Commented:
In addition, our ISP let us know that a lot of spam was being sent from our connection.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Ouch you are a relay....

220 ales.air-land.com Microsoft ESMTP MAIL Service ready at Tue, 7 Jul 2009 09:48:15 -0500
helo test.com
250 ales.air-land.com Hello [66.93.241.144]
mail from:test@test.com
250 2.1.0 Sender OK
rcpt to:hello@me.com
250 2.1.5 Recipient OK


0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Run
get-receiveconnector *Default* | get-adpermission | fl > permissions.txt
 
Open the permissions.txt file and check whether ANONYMOUS has the ms-Exch-SMTP-Accept-Any-Recipient permission. If so, I suggest you either remove that permission, or simply delete and recreate the SMTP Receive connector.

0
 
Rich9999Author Commented:
Anonymous does have the permission.  Looking for the command to revoke the permission.
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Example:

remove-adpermission "Client <servername>" -user "NT Authority\Authenticated Users" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
0
 
Rich9999Author Commented:
Should "Client <servername>" be set to the exchange server? Tried that and the command won't run.  Sorry for being such a newb.
0
 
Rich9999Author Commented:
Also, shouldn't it be NT Authority\Anonymous logon?
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
Correct
0
 
Rich9999Author Commented:
I have tried the commands in the attached image, what am I doing wrong?
shell-errors.jpg
0
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
It might be quicker and cleaner to delete and recreate the two receive connectors.
0
 
Rich9999Author Commented:
I think it is fixed now, I found this command

Get-ReceiveConnector "Default Exchange1" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -deny -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

And re-ran the mxlookup and the server is no longer showing as an Open Relay.
0
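The permission check and fix discussed in the posts above, combined into one pass over every receive connector. This is an added example, not code posted by anyone in the thread; the `$apply` switch variable is an assumption introduced here so that the script only reports by default.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$right = "ms-Exch-SMTP-Accept-Any-Recipient"
$anon  = "NT AUTHORITY\ANONYMOUS LOGON"
$apply = $false   # assumption: dry run by default; set to $true to change ACLs

foreach ($c in @(Get-ReceiveConnector)) {
    # Entries on this connector that name the relay right for anonymous senders
    $aces  = @($c | Get-ADPermission |
               Where-Object { ($_.User -like $anon) -and ($_.ExtendedRights -like $right) })
    $allow = @($aces | Where-Object { -not $_.Deny })
    $deny  = @($aces | Where-Object { $_.Deny })

    if ($allow.Count -eq 0) {
        Write-Host "$($c.Identity): anonymous relay right not granted"
        continue
    }
    if ($deny.Count -gt 0) {
        Write-Host "$($c.Identity): granted, and a Deny entry is also present"
        continue
    }

    Write-Host "$($c.Identity): ANONYMOUS may relay to any recipient" -ForegroundColor Red
    $explicit = @($allow | Where-Object { -not $_.IsInherited })
    if ($explicit.Count -gt 0) {
        # The grant was set on the connector itself, so it can be removed.
        $c | Remove-ADPermission -User $anon -ExtendedRights $right -WhatIf:(-not $apply)
    } else {
        # An inherited grant cannot be removed on the connector; add a Deny
        # entry instead, as the Add-ADPermission command in the post above does.
        $c | Add-ADPermission -User $anon -Deny -ExtendedRights $right -WhatIf:(-not $apply)
    }
}
```

With `$apply` left at `$false` both cmdlets run with `-WhatIf` and only print what they would change. A connector that is meant to relay for specific internal hosts will also be reported, so review the list before applying.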
 
Rick FeeMessaging Engineer - Disaster Recovery EngineerCommented:
You are correct...no more relay:

220 ales.air-land.com Microsoft ESMTP MAIL Service ready at Tue, 7 Jul 2009 11:34:53 -0500
helo test.com
250 ales.air-land.com Hello [66.93.241.144]
mail from:test@test.com
250 2.1.0 Sender OK
rcpt to:nogo@haha.com
550 5.7.1 Unable to relay
:


Now test inbound and outbound email flow (like to/from Gmail)...to ensure nothing was messed up in the process.    
0
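The manual HELO / MAIL FROM / RCPT TO check shown in the two transcripts above, scripted so it can be repeated after any connector change. This is an added example, not code from the thread; the function name `Test-SmtpRelay` and the `example.com` / `example.net` addresses are placeholders introduced here.

```powershell
# Added example (not from the thread): replays the manual relay test.
function Test-SmtpRelay {
    param(
        [string]$Server,                      # your own Hub Transport server
        [int]$Port = 25,
        [string]$From = "test@example.com",   # placeholder outside sender
        [string]$To   = "probe@example.net"   # placeholder outside recipient
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # An SMTP reply may span several lines: "250-" continues, "250 " ends it.
    $readReply = {
        do { $line = $reader.ReadLine() }
        while (($line -ne $null) -and ($line.Length -gt 3) -and ($line[3] -eq '-'))
        $line
    }

    $null = & $readReply                      # 220 banner
    $rcpt = $null
    foreach ($cmd in "HELO probe.example", "MAIL FROM:<$From>", "RCPT TO:<$To>") {
        $writer.WriteLine($cmd)
        $rcpt = & $readReply                  # ends up holding the RCPT TO reply
    }
    $writer.WriteLine("QUIT")
    $client.Close()

    # 250 to an outside recipient means the server agreed to relay;
    # anything else (for example "550 5.7.1 Unable to relay") is a refusal.
    if ("$rcpt".StartsWith("250")) { $verdict = "RELAY ACCEPTED" }
    else                           { $verdict = "relay refused" }
    "{0}:{1} -> {2} ({3})" -f $Server, $Port, $verdict, $rcpt
}
```

Run it from a machine outside the network, as the transcripts were, and keep `-To` in a domain that is not listed under Accepted Domains, otherwise a 250 reply is ordinary inbound delivery rather than relay.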
 
Rich9999Author Commented:
Thank you for the excellent support.
0
 
Rich9999Author Commented:
Email flow is working, tested to/from my gmail account.  Again, thank you for the excellent assistance you have given me.
0
