Exchange 2010 is maybe an open relay according to mxtoolbox

We're running several Exchange servers for different organizations (different sites, with no link between them).

One Exchange 2010 is maybe an open relay according to mxtoolbox, but another one is not.  The configuration for the send and receive connectors is the same for both.

We're running Exchange 2010 SP1 on the "maybe" open relay Exchange server.  

Thank you
quadrumane Asked:

Shack-Daddy Commented:
Could you paste in a copy of the MXToolbox results, at least the part that gives you the "maybe" message? There are some potential false positives that you can get, and I'd like to see the results. You can munge them if you need to.
0
Alan Hardisty (Co-Owner) Commented:
Please have a read of my blog article for the command to close down your open relay, if indeed you are.
http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/
You can test if you are actually an open relay on the following web site:
http://www.checkor.com/ 
0

Shack-Daddy Commented:
BTW, it would be difficult for you to set up the server to be an open relay without resorting to PowerShell with the intent to specifically create that situation, so I doubt your server is really an open relay.
0

quadrumane (Author) Commented:
Ok, I will send you the result. The only thing I've done is setting up the send connector. I read a lot of articles about open relay. But I don't understand why so many articles are talking about closing open relay as it's not even opened by default in Exchange 2010 or 2010 SP1.
0
quadrumane (Author) Commented:
I must say there were a lot of "retrying" sends from strange domains in the queue and it was spam. But I guess it was stopped before it could be sent out.
0
quadrumane (Author) Commented:

 May be an open relay.
 0 seconds - Good on Connection time
 5.382 seconds - Warning on Transaction time
 OK - 207.xxx.xxx.xxx resolves to mail.mydomain.com
 OK - Reverse DNS matches SMTP Banner

HELO please-read-policy.mxtoolbox.com
250 S1-XHBCA-001.mydomain.com Hello [64.20.227.133] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [62 ms]
0
Shack-Daddy Commented:
As long as this doesn't say RCPT TO: <some address outside of your domain> followed by Recipient OK, then it's not an open relay. This just means that it's willing to have a conversation with outside mail senders.

What you were seeing in the queue were probably emails sent from the local "postmaster" account trying to tell remote servers that it couldn't deliver mail for them. Probably because some fake email addresses in your domain were used as sender addresses for some spam that went out in some other part of the internet, and your server had to deal with those bounces to non-existing addresses. Common to see.
0
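The check described in the comment above, as an added example that is not part of the original thread: it reads an SMTP test transcript and reports an open relay only when an external sender's RCPT TO for an external recipient gets a 2xx reply. The function name `classify`, the `local_domains` parameter and the two RCPT TO transcripts are assumptions constructed for illustration; the first transcript repeats the MXToolbox lines posted earlier.

```python
import re

# Sample transcripts: the first repeats the MXToolbox lines; the rest are constructed.
ACCEPTS_MAIL_ONLY = """\
HELO please-read-policy.mxtoolbox.com
250 S1-XHBCA-001.mydomain.com Hello [64.20.227.133] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [62 ms]
"""
RELAY_REFUSED = ACCEPTS_MAIL_ONLY + """\
RCPT TO: <test@example.net>
550 5.7.1 Unable to relay [70 ms]
"""
RELAY_ACCEPTED = ACCEPTS_MAIL_ONLY + """\
RCPT TO: <test@example.net>
250 2.1.5 Recipient OK [70 ms]
"""

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)
REPLY = re.compile(r"^(\d{3})([ -])")

def classify(transcript, local_domains):
    """Return 'open-relay', 'relay-refused' or 'inconclusive'."""
    local = {d.lower() for d in local_domains}
    def is_external(addr):
        return addr.rpartition("@")[2].lower() not in local
    sender_external = False
    pending = None          # (verb, address) still waiting for its final reply
    verdict = "inconclusive"
    for line in transcript.splitlines():
        line = line.strip()
        m = ADDR.match(line)
        if m:
            pending = (m.group(1).upper(), m.group(2))
            continue
        r = REPLY.match(line)
        if not r or r.group(2) == "-" or pending is None:
            continue        # not a final reply to MAIL FROM / RCPT TO
        verb, addr = pending
        pending = None
        ok = r.group(1).startswith("2")
        if verb == "MAIL FROM":
            sender_external = ok and is_external(addr)
        elif is_external(addr) and sender_external:
            if ok:
                return "open-relay"   # external -> external was accepted
            verdict = "relay-refused"
    return verdict
```

A transcript that stops after "Sender OK", like the one posted, comes back as inconclusive because no external RCPT TO was ever answered.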
Alan Hardisty (Co-Owner) Commented:
@quadrumane - Have you seen my earlier comment yet?
0
Steve Commented:
Agreed. With the log shown above, this just shows it is accepting a message; it's only an attempt to relay if the sender AND recipient are not in your domain....

The relay is not related to the send connector though, it's the receive one. When you set up your receive connectors using the wizard in EMC, you specify what kind of servers you are setting up the receive connector for. If you select internal/custom you are allowing relays by default.

http://technet.microsoft.com/en-us/library/bb125159.aspx
See 3b, "intended use for this connector"

This is where relay is set!
0
quadrumane (Author) Commented:
Yes I saw it.  But if Exchange is already not used as an open relay by default, why would you add this ?

The test I've done on the other open relay testing site has not seen it as an open relay
0
quadrumane (Author) Commented:
Ok so the server is not incredibly slow all of a sudden because it's an open relay because it's not.  Now I have to deal with the w3wp.exe
0
quadrumane (Author) Commented:
Here is the Exchange queue, just to make sure you see it.
queue-exchange.jpg
0
Alan Hardisty (Co-Owner) Commented:
@quadrumane
>>  But if Exchange is already not used as an open relay by default, why would you add this ? <<
You stated you could be an open relay and as this is a support site, I am offering you some support and a way to close down the Open Relay which you may or may not have.
If I am wasting my time trying to help you I have other things I can turn my attention to.
0
quadrumane (Author) Commented:
Alan, I'm not trying to waste your time. I just want to understand why Microsoft seems to think we have nothing more to do in order to keep Exchange from being an open relay. Before following your advice I want to make sure I get all the information.

I want to understand on the contrary, I'm sorry if you got me wrong it was not my intention.  

Thanks
0
Alan Hardisty (Co-Owner) Commented:
If you read my comment - I have given you the link to my blog site where the command to close an open relay can be found, I also linked you to a site where you can properly test to see if you are an open relay.
The suggestion is to test on the site I have linked you to and if that came back as an open relay, then you have the link to my blog and the command to close the open relay down.
Exchange is not an open relay by default, so if it is, it is because someone has been fiddling.
Also, if you are an open relay, it won't take spammers long to find you and you will pop up on various blacklist sites, which you can check on www.mxtoolbox.com/blacklists.aspx.
If you are not listed - you are most likely not an open relay.
Tip for the future - if you have a question and more than one expert posts a comment / suggestion it would be nice to acknowledge all the experts / comments and not just focus on the first one that comes along to our aid, ignoring the others.
0
Shack-Daddy Commented:
Thanks for the picture of the queues--they look about what you'd expect them to look like if you are having minor issues with backscatter like I outlined earlier. Nothing to worry about, and not a lot you can do without using some additional local\hosted spam filtering products.
0
quadrumane (Author) Commented:
Alan, advice taken. I still don't understand why it is seen as an open relay on mxtoolbox but not on Checkor. Maybe mxtoolbox is looking at the number of attempts to hack out the system.

Thanks
0
quadrumane (Author) Commented:
Ok, so as far as I understand, according to the picture I sent you, I could have some problem with backscatter but Exchange won't be seen as an open relay. Backscatter is the only one to ask for a payment to be unlisted.

As soon as I removed the send connector, by the way, both Exchange servers got faster.

Thanks
0
Alan Hardisty (Co-Owner) Commented:
If you are listed on backscatter.org, you are sending NDR messages to invalid recipients, so you need to filter recipients not on your server and then the onus is on the sender to produce the NDR message not you.
If you enable the Exchange Anti-Spam features you can enable recipient filtering.
http://technet.microsoft.com/en-us/library/bb123891.aspx
Failing that, I can recommend an alternative Anti-Spam product called Vamsoft ORF which costs $239 per server and is a one-off payment, not an annual renewal.  You can pay the $99 renewal fee if you want and keep the software up-to-date but you don't have to.
I use it on 95% of the servers I manage and support and it is brilliant software.  It will single-handedly take care of your spam / NDR issue.
0
Steve Commented:
Good. You are not an open relay. That's progress.
You are sending NDRs to every spammer that sends you rubbish tho.
This is known as an NDR attack or a backscatter attack as mentioned above.
Disable NDRs or reject email to unknown recipients and check if your queues calm down after a few days to confirm.
The send connector is slowing your system down by replying to EVERY junkmail received.  
0
quadrumane (Author) Commented:
excellent !
0
quadrumane (Author) Commented:
Thanks everyone, it helped me a lot.
0