Solved

Exchange 2003: SMTP Auth, Spam and RBLs - How to allow legit email

Posted on 2010-09-02
Last Modified: 2012-06-21
Server = Exchange 2003 and Symantec Mail Security using RBL to reject 'known' spammers. Server is NOT an open relay.

Last week we had a compromised email account used to relay spam through our corporate server.  The spammers properly authenticated to the server, so the relay was allowed. I had everyone change their password as a precaution.

I have remote users that use broadband from home, hotels and such that cannot connect to our mail server if their originating IP is on the RBL.  If I add an exception to allow all email accounts from @ourdomain.com to bypass the RBL, then we are exposed to a degree I am not comfortable with.  

I have considered using a non-traditional port number for them to send email to our server with a firewall proxy exception to allow all @ourdomain users to bypass the RBL, but I haven't been able to get it to function reliably.

Can anyone recommend a good solution for allowing authenticated users to access our server from RBL listed IP addresses that won't expose us unnecessarily to spamming risks?

I hope this makes sense.  I'm happy to clarify anything as needed.

Thanks in advance for your help.
0
Question by:CipherUser
8 Comments
 
LVL 7

Accepted Solution

by:
rcombis earned 167 total points
ID: 33589013
Have you looked into using a VPN?

All your users would authenticate to the VPN and be "on" your local network so that authentication should not be a problem.

0
 
LVL 12

Assisted Solution

by:tgtran
tgtran earned 167 total points
ID: 33589014
How about setting up a PPTP VPN and assigning those clients addresses via DHCP from a designated private IP subnet? Then allow authenticated users from that subnet to relay/send mail.

0
 
LVL 6

Assisted Solution

by:grandebob
grandebob earned 166 total points
ID: 33589074
Why not switch to using RPC via HTTP? That lets your remote users connect to Exchange without relying on POP/IMAP/SMTP. It's more secure (uses HTTPS) because it is encrypted. You wouldn't have to allow anyone to relay through your Exchange server. Then you don't allow anyone to relay mail through your server.
0

 

Author Comment

by:CipherUser
ID: 33589159
If using the VPN solution, would I need to specify a secondary virtual server and then allow relaying based on the VPN subnet?

A lot of our users use RPC over HTTPS, but I have some holdouts that insist on using POP3 or IMAP (which I do have secured).  If I implemented this solution for everyone, would that still allow the Macs that are using Entourage to fully function? How would that affect the Blackberry and iPhone users?  The iPhone uses ActiveSync and the Blackberry users are using the Internet redirector from RIMM as we do not run a Blackberry server.
0
 
LVL 6

Expert Comment

by:grandebob
ID: 33589244
Cipher-

ActiveSync would not be affected, but BB users who rely on IMAP/SMTP would be if you restricted those services. But it would be easier on you to allow *.blackberry.net or the major cell providers' networks to access your SMTP server and not everyone else. To my knowledge, Entourage supports ActiveSync/RPC via HTTPS with the newer versions, but not very well. Mail.app in Snow Leopard supports ActiveSync/RPC via HTTPS. It would be easy to allow POP/IMAP/SMTP access from inside your network and not from the Internet if that would help you out.
0
 

Author Comment

by:CipherUser
ID: 33589490
Grandebob,

Are you suggesting that I allow all the major cell carriers to relay or bypass the RBL?  I'm not sure I'm comfortable with either.
0
 
LVL 6

Expert Comment

by:grandebob
ID: 33589541
I wouldn't allow them carte blanche, but with their IPs and authentication, you would be fairly safe.

The best solution is to install a Blackberry Professional server, or transition users to EAS devices. Both cost money.

It sounds like your real issue at the base of your problem is IT sprawl. With so many devices connecting over so many different protocols, it's difficult, if not impossible, to protect and secure them in a cost-effective manner.
0
 

Author Comment

by:CipherUser
ID: 33589728
Can anyone offer a solution to implement until (if) I can get everyone on RPC over HTTPS and/or Active Sync devices?

Is there any merit to allowing relaying only if the user connects to a non-standard port AND authenticates?  Wouldn't most spam attacks be aimed at port 25?

0
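
Added example, not part of the original thread: every option discussed above still trusts a valid login, so a stolen password (the incident in the question) remains the residual risk. The sketch below flags accounts whose authenticated submissions come from an unusual number of source IPs or reach an unusual number of recipients within a short window. The log format is constructed for illustration and is not Exchange's native SMTP log format; the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not Exchange's native log format):
# ISO timestamp, client IP, authenticated user, recipients in the message.
SAMPLE_LOG = """\
2010-08-26T09:00:05 203.0.113.10 alice 1
2010-08-26T09:02:40 203.0.113.10 alice 2
2010-08-26T09:03:00 198.51.100.7 bob 40
2010-08-26T09:03:20 192.0.2.55 bob 45
2010-08-26T09:04:10 198.51.100.99 bob 50
2010-08-26T09:30:00 203.0.113.10 alice 1
2010-08-26T10:15:00 192.0.2.200 carol 3
"""

def parse(log_text):
    """Yield (time, ip, user, rcpt_count) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1],
                   parts[2].lower(), int(parts[3]))
        except ValueError:
            continue

def flag_abused_accounts(log_text, window=timedelta(minutes=10),
                         max_ips=2, max_rcpts=100):
    """Return {user: reason} for accounts exceeding either (assumed)
    threshold inside a sliding window of authenticated submissions."""
    recent = defaultdict(deque)   # user -> deque of (time, ip, rcpts)
    flagged = {}
    for ts, ip, user, rcpts in sorted(parse(log_text)):
        q = recent[user]
        q.append((ts, ip, rcpts))
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        ips = {e[1] for e in q}
        total = sum(e[2] for e in q)
        if user not in flagged:
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} source IPs in window"
            elif total > max_rcpts:
                flagged[user] = f"{total} recipients in window"
    return flagged

if __name__ == "__main__":
    for user, reason in flag_abused_accounts(SAMPLE_LOG).items():
        print(f"review account {user}: {reason}")
```
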
