Bobhardyoyo asked:
Exchange 2010 Open Relay problem

Hi All

I have set up a Receive Connector in Exchange 2010 for our connection to Postini, it is supposedly locked down to the range of IP addresses assigned to us from Postini. The problem I have is that I can connect to it via telnet and successfully send a message from an external PC connected to an ADSL connection so it is effectively an open relay.

According to what I have read this is practically impossible, so my question is does anyone have any idea why Exchange is ignoring the IP Address range restriction that is in place on this connector?

Thanks
Ed
shauncroucher:

First thing to do is disable the connector or stop outside access to it, otherwise it won't take long until you are blacklisted.

Following this, you can troubleshoot the problem.

Do you have just one receive connector? If so, remove ALL IP restrictions and just add a LAN IP address and test it this way. It's easier to test using LAN IPs.

Once happy, add the outside IP range and open to the internet again.

Shaun
Bobhardyoyo (asker):
Hi Shaun

Thanks for the feedback, access is restricted to one external IP Address on our firewall so no connections outside of our control are allowed.

We have 3 connectors, two MS default connections and the one I have set up to allow connections from Postini.  This connection is supposed to be limited to connections from Postini IP address range but I am able to telnet from our external test PC and successfully send a message to an internal recipient.  

Thanks
Ed
Ensure that the header of the connector you have setup matches the connector in question on the server.

You can change the FQDN in the receive connector properties, and then during telnet you can see if the FQDN is presented.

It may be that you are connecting to another connector without realising it.

If not then can you run Get-ReceiveConnector <Name of connector> from Exchange management shell and post results.

Shaun
tigermatt:

Hi Ed,

Are you sure it is the Postini connector you are connecting to when initiating the telnet session? It's possible you are picking up one of the other two connectors you say are present. Compare the SMTP greeting in the Postini connector and the telnet session, and see if they match.

Is the server actually acting as an open relay? When you do a telnet test, will it relay mail from the external PC to an external email address (such as a Gmail/Yahoo address?). If a receive connector, such as one of the default ones, is enabled, the server will always accept mail for any domain it controls.

If all your mail is routed via Postini, you might consider simply locking down the inbound port 25 in your firewall to the IP address(es), rather than rely on Exchange's receive connectors. The traffic will then never reach Exchange.

-Matt
Hi Matt

I'm not connecting to Postini, I am connecting directly to my Exchange server from a remote connection. The connection is set up so that it should only accept connections from Postini's range of IP addresses, however it accepts from an external ADSL line we control and I am able to use the telnet "mail from" command to submit mail to local recipients and it will attempt to send to external recipients.

@Shaun

I am definitely connecting to the right connector, confirmed by changing the FQDN.

Thanks
Ed
Hi Ed,
Do you mean that you are able to telnet to port 25 of your Exchange server? In that case it's correct, it's by design: either the MAIL FROM: or the RCPT TO: should be from the internal domain for the mail to pass through.

However, when you pass the MAIL FROM, try abc@abc.com, and then when you specify RCPT TO, try def@def.com; this should fail and should return you a message saying Relay Not Allowed.

In that case you have blocked the relay successfully; however, if you try the same scenario from the range of IPs which are on the allow list (the Postini list in your case) you would be allowed to perform the above scenario.

Let me know if this clears your doubt or if you have any further questions.

Regards,
Abhi
Also, the external world will always connect to the IP your MX is pointing at, and as per my understanding this IP should belong to Postini.
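The MAIL FROM / RCPT TO relay test Abhi describes, scripted as an added example (not code from the thread). It runs a tiny fake SMTP responder in-process that applies the rule under discussion (local recipients always accepted, outside recipients only from the permitted source range) and probes it with smtplib; the IP range, domain names and the fake server's `client_ip` knob are constructed for the demo, and `probe()` can be pointed at a real host instead.

```python
import ipaddress
import smtplib
import socketserver
import threading

ALLOWED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]  # constructed RemoteIPRanges, not Postini's
LOCAL_DOMAINS = {"example.com"}                           # constructed accepted (internal) domain

def rcpt_reply(client_ip, rcpt_addr):
    """Rule from the thread: local-domain recipients are always accepted; anything else is relay."""
    if rcpt_addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient OK"
    if any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_RANGES):
        return "250 2.1.5 Recipient OK"  # inside the permitted range: relay allowed
    return "550 5.7.1 Unable to relay"

class FakeSmtp(socketserver.StreamRequestHandler):
    """Minimal SMTP responder; the policy sees server.client_ip, since loopback cannot present an outside IP."""
    def handle(self):
        self.wfile.write(b"220 mail.example.com ESMTP\r\n")
        for raw in self.rfile:
            verb, _, rest = raw.decode().strip().upper().partition(" ")
            reply = "502 Command not implemented"
            if verb in ("EHLO", "HELO"):
                reply = "250 mail.example.com"
            elif verb == "MAIL":
                reply = "250 2.1.0 Sender OK"
            elif verb == "RCPT":
                reply = rcpt_reply(self.server.client_ip, rest.split(":", 1)[1].strip(" <>"))
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                break
            self.wfile.write((reply + "\r\n").encode())

def probe(host, port, mail_from, rcpt_to):
    """Abhi's telnet test, scripted: EHLO, MAIL FROM, RCPT TO; returns the RCPT reply code."""
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.ehlo("tester.example.net")
        s.mail(mail_from)
        return s.rcpt(rcpt_to)[0]

def run_scenario(client_ip, rcpt_to):
    """Start a fake server that believes the client is client_ip, probe it, return the RCPT code."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeSmtp) as srv:
        srv.client_ip = client_ip
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe("127.0.0.1", srv.server_address[1], "abc@abc.com", rcpt_to)
        finally:
            srv.shutdown()
```

A 250 on the external-to-external RCPT from an address outside the permitted range is the open-relay symptom Ed reports; a 550 is the expected "relay not allowed" outcome.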
Hi Abhi

The Exchange 2010 receive connector is restricted to a range of external IP Addresses.  I can telnet from an IP address outside of that range and successfully submit a mail.

I have an Exchange 2003 server set up in the same way which I cannot access via telnet from anywhere outside of the range of IP addresses that are allowed to connect.

I am trying to establish why on a connector that is supposedly restricted to a specific IP Address range I can connect from an IP Address outside of that range.

Thanks
Ed
ASKER CERTIFIED SOLUTION: Bobhardyoyo

Glad you got it sorted.

However, does all your email go via Postini? If so, it would be more practical (and safer) to filter the port 25 traffic to their set of IP addresses at your firewall. The traffic then never reaches your Exchange Server, so it closes up a potential (albeit minor) layer of attack.

-Matt
Great that you got it sorted... :) As always Microsoft... :)
@Matt

This is just a test box at the moment, once we move to a live server we more than likely will block that connector to everyone but Postini.

Cheers
Ed
We had to run the following command on the Edge server in addition to allowing the IP range to relay from Postini.

Get-ReceiveConnector "EDGESERVERNAME\Default internal receive connector EDGESERVERNAME" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Now it works
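An added audit (not from the thread) for the two things that went wrong here: which connector a given source address actually lands on, and whether anonymous relay has been granted on it. Exchange picks the connector, among those bound to the port, whose RemoteIPRanges match the source IP most specifically, so the Fqdn and RemoteIPRanges columns explain the banner seen in telnet; once ms-Exch-SMTP-Accept-Any-Recipient is granted to NT AUTHORITY\ANONYMOUS LOGON, RemoteIPRanges is the only thing preventing an open relay, so a connector showing AnonymousRelay True together with the whole address space is the misconfiguration to look for. EDGESERVERNAME is a placeholder for your own server.

```powershell
# Added audit (not from the thread). Run in the Exchange Management Shell on
# Exchange 2010; EDGESERVERNAME is a placeholder for your own server name.
$server = "EDGESERVERNAME"
Get-ReceiveConnector -Server $server | ForEach-Object {
    $rc = $_
    # Does NT AUTHORITY\ANONYMOUS LOGON hold the right that permits relay to any recipient?
    $anonRelay = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -match "ms-Exch-SMTP-Accept-Any-Recipient") }
    New-Object PSObject -Property @{
        Name             = $rc.Name
        Fqdn             = $rc.Fqdn                        # name shown in the SMTP greeting
        Bindings         = ($rc.Bindings -join ", ")       # local IP:port the connector listens on
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ", ") # source addresses this connector serves
        PermissionGroups = $rc.PermissionGroups
        AnonymousRelay   = [bool]$anonRelay
    }
} | Format-Table Name, Fqdn, Bindings, RemoteIPRanges, PermissionGroups, AnonymousRelay -AutoSize
```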