Exchange 2003 relay lockdown
Posted on 2010-08-30
I've been getting authenticated relay attacks on my Exchange 2003 server. It's a single server setup, which, I know, is not ideal, but it's what fits in the budget. I know the basics of all of the settings for relaying, but I have a few questions regarding it.
1. I know that I have to leave the checkbox checked that says allow all authenticated computers to relay. If I don't, nobody will be able to send mail. This network only has about 15 users. Should I name each IP address and specify that only those computers can relay? How will this affect OWA and Outlook Anywhere users?
2. In Event Viewer, under Security, what exact logon types am I looking for to see which user's account was compromised?
3. Are there any other settings that I can lock down to help?