Solved

Exchange 2010 Open Relay problem

Posted on 2010-01-04
6,850 Views
Last Modified: 2013-11-30
Hi All

I have set up a Receive Connector in Exchange 2010 for our connection to Postini; it is supposedly locked down to the range of IP addresses assigned to us by Postini. The problem I have is that I can connect to it via telnet and successfully send a message from an external PC connected to an ADSL connection, so it is effectively an open relay.

According to what I have read this is practically impossible, so my question is does anyone have any idea why Exchange is ignoring the IP Address range restriction that is in place on this connector?

Thanks
Ed
Question by:Bobhardyoyo
13 Comments
 
LVL 27

Expert Comment

by:shauncroucher
ID: 26170266
First thing to do is disable the connector or stop outside access to it, otherwise it won't take long until you are blacklisted.

Following this, you can troubleshoot the problem.

Do you have just one receive connector? If so, remove ALL IP restrictions and just add a LAN IP address and test it this way. It's easier to test using LAN IPs.

Once happy, add the outside IP range and open to the internet again.

Shaun
 

Author Comment

by:Bobhardyoyo
ID: 26170320
Hi Shaun

Thanks for the feedback, access is restricted to one external IP Address on our firewall so no connections outside of our control are allowed.

We have 3 connectors: two MS default connectors and the one I have set up to allow connections from Postini. This connector is supposed to be limited to connections from Postini's IP address range, but I am able to telnet from our external test PC and successfully send a message to an internal recipient.

Thanks
Ed
 
LVL 27

Expert Comment

by:shauncroucher
ID: 26170523
Ensure that the header of the connector you have setup matches the connector in question on the server.

You can change the FQDN in the receive connector properties, and then during telnet you can see if the FQDN is presented.

It may be that you are connecting to another connector without realising it.

If not then can you run Get-ReceiveConnector <Name of connector> from Exchange management shell and post results.

Shaun
LVL 58

Expert Comment

by:tigermatt
ID: 26170567

Hi Ed,

Are you sure it is the Postini connector you are connecting to when initiating the telnet session? It's possible you are picking up one of the other two connectors you say are present. Compare the SMTP greeting in the Postini connector and the telnet session, and see if they match.

Is the server actually acting as an open relay? When you do a telnet test, will it relay mail from the external PC to an external email address (such as a Gmail/Yahoo address)? If a receive connector, such as one of the default ones, is enabled, the server will always accept mail for any domain it controls.

If all your mail is routed via Postini, you might consider simply locking down the inbound port 25 in your firewall to the IP address(es), rather than rely on Exchange's receive connectors. The traffic will then never reach Exchange.

-Matt
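The two checks Matt describes (does the SMTP greeting carry the FQDN of the connector you think you are hitting, and does the server accept an external recipient from an external sender) can be scripted rather than typed into telnet. The following is an added example, not code from the thread or from Microsoft; the hostnames and addresses in it are assumptions, and it deliberately issues RSET instead of DATA so that nothing is ever delivered.

```powershell
# Added example (not from the thread): an SMTP relay probe that reproduces the telnet
# test but stops before DATA, so no message is sent. Hostnames/addresses are assumed.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # Collect continuation lines ("250-...") until the final line ("250 ...")
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line -match '^\d{3}-')
    New-Object PSObject -Property @{
        Code = [int]$line.Substring(0, 3)
        Text = ($lines -join "`n")
    }
}

function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.WriteLine($Command)
    Read-SmtpReply -Reader $Reader
}

function Test-SmtpOpenRelay {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$ExpectedFqdn = '',                   # FQDN configured on the connector you mean to hit
        [string]$HeloName = 'relaytest.example.net',   # assumed EHLO name
        [string]$MailFrom = 'probe@example.net',       # external sender (not one of your accepted domains)
        [string]$RcptTo   = 'probe@example.org'        # external recipient (not one of your accepted domains)
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000
    $client.SendTimeout    = 15000
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply -Reader $reader
        if ($banner.Code -ne 220) { throw "Unexpected greeting: $($banner.Text)" }
        # Exchange greets with "220 <connector FQDN> Microsoft ESMTP MAIL Service ...",
        # so the second word tells you which receive connector actually answered.
        $bannerFqdn = ($banner.Text -split '\s+')[1]

        $ehlo = Send-SmtpCommand -Writer $writer -Reader $reader -Command "EHLO $HeloName"
        $from = Send-SmtpCommand -Writer $writer -Reader $reader -Command "MAIL FROM:<$MailFrom>"
        $rcpt = Send-SmtpCommand -Writer $writer -Reader $reader -Command "RCPT TO:<$RcptTo>"

        # Abandon the transaction without DATA, then close politely
        [void](Send-SmtpCommand -Writer $writer -Reader $reader -Command 'RSET')
        [void](Send-SmtpCommand -Writer $writer -Reader $reader -Command 'QUIT')

        New-Object PSObject -Property @{
            Server       = $Server
            BannerFqdn   = $bannerFqdn
            FqdnMatches  = ($ExpectedFqdn -eq '' -or $bannerFqdn -ieq $ExpectedFqdn)
            EhloAccepted = ($ehlo.Code -eq 250)
            MailFromCode = $from.Code
            RcptToCode   = $rcpt.Code
            RcptToReply  = $rcpt.Text
            # 250 to an external recipient from an external sender means the server relays for us
            OpenRelay    = ($rcpt.Code -eq 250)
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (assumed host): run from an address that should NOT be allowed to relay
# Test-SmtpOpenRelay -Server mail.contoso.example -ExpectedFqdn mail.contoso.example
```

A correctly restricted connector answers the RCPT TO with a 5xx reply (Exchange uses "550 5.7.1 Unable to relay"); OpenRelay is only true on a 250. Run the probe from an address outside the allowed range and, separately, from one inside it, and compare BannerFqdn in both runs to the FQDN on each connector: if the banner does not match the Postini connector, you are landing on one of the default connectors instead.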
 

Author Comment

by:Bobhardyoyo
ID: 26170852
Hi Matt

I'm not connecting to Postini, I am connecting directly to my Exchange server from a remote connection. The connector is set up so that it should only accept connections from Postini's range of IP addresses; however, it accepts from an external ADSL line we control and I am able to use the telnet "mail from" command to submit mail to local recipients, and it will attempt to send to external recipients.

@Shaun

I am definitely connecting to the right connector, confirmed by changing the FQDN.

Thanks
Ed
 
LVL 5

Expert Comment

by:abhi_ak
ID: 26171010
Hi Ed,
Do you mean that you are able to telnet to port 25 of your Exchange server? In that case it's correct; it's by design. Either the MAIL FROM: or the RCPT TO: should be from the internal domain for the mail to pass through.

However, when you give the MAIL FROM:, try abc@abc.com, and then when you specify RCPT TO:, try def@def.com; this should fail and should return you a message saying Relay Not Allowed.

In that case you have blocked the relay successfully. However, if you try the same scenario from the range of IPs which are on the allow list (the Postini list in your case), you would be allowed to perform the above scenario.

Let me know if this clears your doubt or if you have any further questions.

Regards,
Abhi
 
LVL 5

Expert Comment

by:abhi_ak
ID: 26171017
Also, the external world will always connect to the IP your MX points to, and as per my understanding this IP should belong to Postini.
 

Author Comment

by:Bobhardyoyo
ID: 26171040
Hi Abhi

The Exchange 2010 receive connector is restricted to a range of external IP addresses. I can telnet from an IP address outside of that range and successfully submit a mail.

I have an Exchange 2003 server set up in the same way which I cannot access via telnet from anywhere outside of the range of IP addresses that are allowed to connect.

I am trying to establish why on a connector that is supposedly restricted to a specific IP Address range I can connect from an IP Address outside of that range.

Thanks
Ed
 

Accepted Solution

by:Bobhardyoyo
ID: 26171757
The problem has been resolved

The network settings for the external side of the Receive Connector were not set correctly. Thank you, Microsoft, for making things complicated!

Thanks to all of you who tried to assist.
 
LVL 58

Expert Comment

by:tigermatt
ID: 26172630

Glad you got it sorted.

However, does all your email go via Postini? If so, it would be more practical (and safer) to filter the port 25 traffic to their set of IP addresses at your firewall. The traffic then never reaches your Exchange server, so it closes up a potential (albeit minor) layer of attack.

-Matt
 
LVL 5

Expert Comment

by:abhi_ak
ID: 26178073
Great that you got it sorted... :) As always, Microsoft... :)
 

Author Comment

by:Bobhardyoyo
ID: 26178489
@Matt

This is just a test box at the moment; once we move to a live server we will more than likely block that connector to everyone but Postini.

Cheers
Ed
 

Expert Comment

by:dunbarit
ID: 34095568
We had to run the following command on the Edge server in addition to allowing the IP range to relay from Postini.

Get-ReceiveConnector "EDGESERVERNAME\Default internal receive connector EDGESERVERNAME" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Now it works.
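The accepted solution ("the network settings for the external side of the Receive Connector were not set correctly") and dunbarit's Add-ADPermission command are two halves of the same question: for a given remote address, which receive connector does Exchange hand the session to, and does that connector let an anonymous sender relay? Exchange picks the enabled connector whose RemoteIPRanges entry matches the client address most specifically, and a connector relays for anonymous clients only when NT AUTHORITY\ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient on it. The script below is an added example, not code from the thread or from Microsoft: run in the Exchange Management Shell, it walks the connectors on one server, parses each IPv4 RemoteIPRanges entry (single address, CIDR block or lower-upper pair), reports every connector that would accept the address you pass in, ordered by how specifically it matches, and shows whether the anonymous relay right is present. The server name defaults to the local machine and the sample address in the usage line is an assumption.

```powershell
# Added example (not from the thread). Requires the Exchange Management Shell.
# Server defaults to the local machine; the IP in the usage line is assumed.

function ConvertTo-UInt32IP {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Ip" }
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

# RemoteIPRanges entries render as "1.2.3.4", "1.2.3.0/24" or "1.2.3.4-1.2.3.9".
# Returns lower/upper bounds (UInt32) and the range size, or $null for IPv6 entries.
function ConvertTo-IPv4Bounds {
    param([string]$Range)
    if ($Range -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') {
        $base   = ConvertTo-UInt32IP $Matches[1]
        $size   = [math]::Pow(2, 32 - [int]$Matches[2])
        $lower  = [uint32]([math]::Floor($base / $size) * $size)   # network address
        $upper  = [uint32]($lower + $size - 1)                      # broadcast address
    }
    elseif ($Range -match '^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$') {
        $lower = ConvertTo-UInt32IP $Matches[1]
        $upper = ConvertTo-UInt32IP $Matches[2]
    }
    elseif ($Range -match '^\d{1,3}(?:\.\d{1,3}){3}$') {
        $lower = $upper = ConvertTo-UInt32IP $Range
    }
    else { return $null }
    New-Object PSObject -Property @{
        Text  = $Range
        Lower = $lower
        Upper = $upper
        Size  = [double]$upper - [double]$lower + 1
    }
}

function Find-ReceiveConnectorForIP {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteIp,
        [string]$Server = $env:COMPUTERNAME
    )
    $ipNum     = ConvertTo-UInt32IP $RemoteIp
    $anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'
    $hits = foreach ($rc in Get-ReceiveConnector -Server $Server) {
        if (-not $rc.Enabled) { continue }
        # Smallest range containing the client address on this connector, if any
        $matched = $rc.RemoteIPRanges |
            ForEach-Object { ConvertTo-IPv4Bounds $_.ToString() } |
            Where-Object { $_ -and $ipNum -ge $_.Lower -and $ipNum -le $_.Upper } |
            Sort-Object Size | Select-Object -First 1
        if (-not $matched) { continue }
        # The right dunbarit granted: anonymous may submit to ANY recipient, i.e. relay
        $anonRelay = $rc | Get-ADPermission | Where-Object {
            -not $_.Deny -and $_.User.ToString() -eq $anonymous -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
        }
        New-Object PSObject -Property @{
            Connector      = $rc.Name
            Fqdn           = $rc.Fqdn
            Bindings       = ($rc.Bindings -join ', ')
            MatchingRange  = $matched.Text
            RangeSize      = $matched.Size
            AnonymousUsers = ($rc.PermissionGroups.ToString() -match 'AnonymousUsers')
            AnonymousRelay = [bool]$anonRelay
        }
    }
    # Exchange hands the session to the connector with the most specific match
    $hits | Sort-Object RangeSize
}

# Usage (assumed client address): the first row is the connector that will answer
# Find-ReceiveConnectorForIP -RemoteIp 203.0.113.25 | Format-Table Connector, MatchingRange, RangeSize, AnonymousUsers, AnonymousRelay -AutoSize
```

Read the output top down: if the first row is the Postini connector but MatchingRange is 0.0.0.0-255.255.255.255 or some other block far wider than Postini's published range, the range on the connector is wrong, which is the class of mistake the accepted solution describes. If the first row is a default connector, the Postini connector never saw the session and its restriction was never consulted. A row with AnonymousRelay true is the dangerous combination when its range is wide: that connector accepts any recipient from anyone in the range. The script only looks at RemoteIPRanges; Exchange also requires the session to arrive on one of the connector's Bindings (local IP and port), so check that column against the address the test PC connects to.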