Exchange 2010 Open Relay problem

Hi All

I have set up a Receive Connector in Exchange 2010 for our connection to Postini, it is supposedly locked down to the range of IP addresses assigned to us from Postini. The problem I have is that I can connect to it via telnet and successfully send a message from an external PC connected to an ADSL connection so it is effectively an open relay.

According to what I have read this is practically impossible, so my question is does anyone have any idea why Exchange is ignoring the IP Address range restriction that is in place on this connector?

Thanks
Ed
BobhardyoyoAsked:
Who is Participating?
 
BobhardyoyoAuthor Commented:
The problem has been resolved

The network settings for the external side of the Receive connector were not set correctly.  Thank you Microsoft for making things complicated!

Thanks to all of you who tried to assist.
0
 
shauncroucherCommented:
First thing to do is disable the connector or stop outside access to it, otherwise it won't take long until you are blacklisted.

Following this, you can troubleshoot the problem.

Do you have just one receive connector? If so, remove ALL IP restrictions and just add a LAN IP address and test it this way. It's easier to test using LAN IP's.

Once happy, add the outside IP range and open to the internet again.

Shaun
0
 
BobhardyoyoAuthor Commented:
Hi Shaun

Thanks for the feedback, access is restricted to one external IP Address on our firewall so no connections outside of our control are allowed.

We have 3 connectors, two MS default connections and the one I have set up to allow connections from Postini.  This connection is supposed to be limited to connections from Postini IP address range but I am able to telnet from our external test PC and successfully send a message to an internal recipient.  

Thanks
Ed
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
shauncroucherCommented:
Ensure that the header of the connector you have setup matches the connector in question on the server.

You can change the FQDN in the receive connector properties, and then during telnet you can see if the FQDN is presented.

It may be that you are connecting to anohter connector without realising it.

If not then can you run Get-ReceiveConnector <Name of connector> from Exchange management shell and post results.

Shaun
0
 
tigermattCommented:

Hi Ed,

Are you sure it is the Postini connector you are connecting to when initiating the telnet session? It's possible you are picking up one of the other two connectors you say are present. Compare the SMTP greeting in the Postini connector and the telnet session, and see if they match.

Is the server actually acting as an open relay? When you do a telnet test, will it relay mail from the external PC to an external email address (such as a Gmail/Yahoo address?). If a receive connector, such as one of the default ones, is enabled, the server will always accept mail for any domain it controls.

If all your mail is routed via Postini, you might consider simply locking down the inbound port 25 in your firewall to the IP address(es), rather than rely on Exchange's receive connectors. The traffic will then never reach Exchange.

-Matt
0
 
BobhardyoyoAuthor Commented:
Hi Matt

I'm not connecting to Postini, I am connecting directly to my exchange server from a remote connection.  The connection is setup so that it should only accept connections from Postini's range of IP addresses, however it accepts from an external ADSL line we control and I am able to use the telnet "mail from" command to submit mail to local recipients and it will attempt to send to external recipients.

@Shaun

I am definitely connecting to the right connector, confirmed by changing the FQDN.

Thanks
Ed
0
 
abhi_akCommented:
Hi Ed,
Do you mean that you are able to telnet on port 25 of your exchange server. In that case its correct, its by design, either the Mail from: or RCPT To: should be from the internal domain for the mail to pass thru.

However, when you pass on the mail from very try abc@abc.com and then when you specify rcpt to : try def@def.com this should fail and should return you a message saying Relay Not Allowed.

In that case you have blocked the Relay successfully, however if you try the same scenario from the Range of IP's which are from the Allow list (Postini List in your case) You would be allowed to perform the above scenario.

let me know if this clears your doubt or if you have any further questions.

Regards,
Abhi
0
 
abhi_akCommented:
Also external world will always connect on to your IP where MX is pointing and as per my understanding this IP should belong to postini.
0
 
BobhardyoyoAuthor Commented:
Hi Abhi

The Exchange 2010 receive connector is restricted to a range of external IP Addresses.  I can telnet from an IP address outside of that range and successfully submit a mail.

I have an Exchange 2003 server set up in the same way which I cannot access via telnet from anywhere outside of the range of IP addresses that are allowed to connect.

I am trying to establish why on a connector that is supposedly restricted to a specific IP Address range I can connect from an IP Address outside of that range.

Thanks
Ed
0
 
tigermattCommented:

Glad you got it sorted.

However, does all your email go via Postini? If so, it would be more practical (and safer) to filter the port 25 traffic to their set of IP addresses at your firewall. The traffic then never reaches your Exchange Server, so it closes up a potential (albeit minor) layer of attack.

-Matt
0
 
abhi_akCommented:
Gr8 that you got it sorted... :) As always Microsoft... :)
0
 
BobhardyoyoAuthor Commented:
@Matt

This is just a test box at the moment, once we move to a live server we more than likely will block that connector to everyone but Postini.

Cheers
Ed
0
 
dunbaritCommented:
We had to run the following command on the edgeserver in addition to allowing the IP Range to relay from Postini.

Get-ReceiveConnector "EDGESERVERNAME\Default internal receive connector EDGESERVERNAME" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Now it works
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.