Exchange 2003: SMTP Auth, Spam and RBLs - How to allow legit email

Posted on 2010-09-02
Medium Priority
Last Modified: 2012-06-21
Server = Exchange 2003 and Symantec Mail Security using RBL to reject 'known' spammers. Server is NOT an open relay.

Last week we had a compromised email account used to relay spam through our corporate server.  The spammers properly authenticated to the server, so the relay was allowed. I had everyone change their password as a precaution.

I have remote users that use broadband from home, hotels and such that cannot connect to our mail server if their originating IP is on the RBL.  If I add an exception to allow all email accounts from @ourdomain.com to bypass the RBL, then we are exposed to a degree I am not comfortable with.  

I have considered using a non traditional port number for them to send email to our server with a firewall proxy exception to allow all @ourdomain users to bypass the RBL, but I haven't been able to get it to function reliably.

Can anyone recommend a good solution for allowing authenticated users to access our server from RBL listed IP addresses that won't expose us unnecessarily to spamming risks?

I hope this makes sense.  I'm happy to clarify anything as needed.

Thanks in advance for your help.
Question by:CipherUser

Accepted Solution

rcombis earned 668 total points
ID: 33589013
Have you looked into using a VPN?

All your users would authenticate to the VPN and be "on" your local network so that authentication should not be a problem.

LVL 12

Assisted Solution

tgtran earned 668 total points
ID: 33589014
How's about setting up PPTP VPN and assign those clients with DHCP from designated private IP subnet.  Then allows authenticated users from that subnet to relay/send mail.


Assisted Solution

grandebob earned 664 total points
ID: 33589074
Why not switch to using RPC via HTTP? That lets your remote users connect to exchange without relying on pop/imap/smtp. It's more secure (uses https) because it is encrypted. You wouldn't have to allow any one to relay through your exchange server. Then you don't allow any one to relay mail through your server.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.


Author Comment

ID: 33589159
If using the VPN solution, would I need to specify a secondary virtual server and the allow relaying based on the vpn subnet?

A lot of our users use RPC over HTTPS, but I have some holdouts that insist on using POP3 or IMAP (which I do have secured).  If I implemented this solution for everyone, would that still allow the Macs that are using Entourage to fully function? How would that affect the Blackberry and iPhone users?  The iPhone uses ActiveSync and the Blackberry users are using the Internet redirector from RIMM as we do not run a Blackberry server.

Expert Comment

ID: 33589244

Active sync would not be affected, but BB users who rely on IMAP/SMTP would be if you restricted those services. But it would be easier on you to allow *.blackberry.net or the major cell provider's networks to access your SMTP server and not every one else. To my knowledge, Entorage supports Active sync/RPC via HTTPs with the newer versions, but not very well. Mail.app in snow leopard supports Active sync/RPC via HTTPs. It would be easy to allow POP/IMAP/SMTP access from inside your network and not from the Internet if that would help you out.

Author Comment

ID: 33589490

Are you suggesting that I allow all the major cell carriers to relay or bypass the RBL?  I'm not sure I'm comfortable with either.

Expert Comment

ID: 33589541
I wouldn't allow them carte blanch, but with their IP's and authentication, you would be fairly safe.

The best solution is to install a Blackberry Professional server, or transition users to EAS devices. Both cost money.

It sounds like your real issue at the base of your problem is IT sprawl. with so many devices connecting over so many different protocols, it's difficult, if not impossible to protect and secure them in a cost effective manner.

Author Comment

ID: 33589728
Can anyone offer a solution to implement until (if) I can get everyone on RPC over HTTPS and/or Active Sync devices?

Is there any merit to allowing relaying only if the user connects to a non-standard port AND authenticates?  Wouldn't most spam attacks be aimed at port 25?


Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Upgrading from older Exchange server to the latest Exchange server can be tiresome, error-prone and risky, without being a seasoned exchange server administrators. It can become even problematic if you're an organization that runs on tight timeline…
After a recent Outlook migration from a 2007 to 2010 environment, some issues with Distribution List owners were realized. In this article, I explain how that was rectified.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question