Solved

Exchange 2003: SMTP Auth, Spam and RBLs - How to allow legit email

Posted on 2010-09-02
Last Modified: 2012-06-21
Server = Exchange 2003 and Symantec Mail Security using RBL to reject 'known' spammers. Server is NOT an open relay.

Last week we had a compromised email account used to relay spam through our corporate server.  The spammers properly authenticated to the server, so the relay was allowed. I had everyone change their password as a precaution.

I have remote users that use broadband from home, hotels and such that cannot connect to our mail server if their originating IP is on the RBL.  If I add an exception to allow all email accounts from @ourdomain.com to bypass the RBL, then we are exposed to a degree I am not comfortable with.  

I have considered using a non-traditional port number for them to send email to our server with a firewall proxy exception to allow all @ourdomain users to bypass the RBL, but I haven't been able to get it to function reliably.

Can anyone recommend a good solution for allowing authenticated users to access our server from RBL listed IP addresses that won't expose us unnecessarily to spamming risks?

I hope this makes sense.  I'm happy to clarify anything as needed.

Thanks in advance for your help.
Question by:CipherUser
8 Comments
 
LVL 7

Accepted Solution

by:
rcombis earned 668 total points
ID: 33589013
Have you looked into using a VPN?

All your users would authenticate to the VPN and be "on" your local network so that authentication should not be a problem.

0
 
LVL 12

Assisted Solution

by:tgtran
tgtran earned 668 total points
ID: 33589014
How about setting up a PPTP VPN and assigning those clients addresses via DHCP from a designated private IP subnet? Then allow authenticated users from that subnet to relay/send mail.

0
 
LVL 6

Assisted Solution

by:grandebob
grandebob earned 664 total points
ID: 33589074
Why not switch to using RPC via HTTP? That lets your remote users connect to Exchange without relying on POP/IMAP/SMTP. It's more secure (uses HTTPS) because it is encrypted. You wouldn't have to allow anyone to relay through your Exchange server. Then you don't allow anyone to relay mail through your server.
0
 

Author Comment

by:CipherUser
ID: 33589159
If using the VPN solution, would I need to specify a secondary virtual server and then allow relaying based on the VPN subnet?

A lot of our users use RPC over HTTPS, but I have some holdouts that insist on using POP3 or IMAP (which I do have secured).  If I implemented this solution for everyone, would that still allow the Macs that are using Entourage to fully function? How would that affect the Blackberry and iPhone users?  The iPhone uses ActiveSync and the Blackberry users are using the Internet redirector from RIMM as we do not run a Blackberry server.
0
 
LVL 6

Expert Comment

by:grandebob
ID: 33589244
Cipher-

ActiveSync would not be affected, but BB users who rely on IMAP/SMTP would be if you restricted those services. But it would be easier on you to allow *.blackberry.net or the major cell providers' networks to access your SMTP server and not everyone else. To my knowledge, Entourage supports ActiveSync/RPC via HTTPS with the newer versions, but not very well. Mail.app in Snow Leopard supports ActiveSync/RPC via HTTPS. It would be easy to allow POP/IMAP/SMTP access from inside your network and not from the Internet if that would help you out.
0
 

Author Comment

by:CipherUser
ID: 33589490
Grandebob,

Are you suggesting that I allow all the major cell carriers to relay or bypass the RBL?  I'm not sure I'm comfortable with either.
0
 
LVL 6

Expert Comment

by:grandebob
ID: 33589541
I wouldn't allow them carte blanche, but with their IPs and authentication, you would be fairly safe.

The best solution is to install a Blackberry Professional server, or transition users to EAS devices. Both cost money.

It sounds like your real issue at the base of your problem is IT sprawl. With so many devices connecting over so many different protocols, it's difficult, if not impossible, to protect and secure them in a cost-effective manner.
0
 

Author Comment

by:CipherUser
ID: 33589728
Can anyone offer a solution to implement until (if) I can get everyone on RPC over HTTPS and/or Active Sync devices?

Is there any merit to allowing relaying only if the user connects to a non-standard port AND authenticates?  Wouldn't most spam attacks be aimed at port 25?

0
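Authenticated relay abuse like the incident in the question is not stopped by the relay restriction itself, because the credentials are valid, so it has to be noticed from submission behaviour. The following is an added example, not part of the thread: it flags accounts that authenticate from many client IPs or address many recipients within a short window. The record layout, thresholds and account names are constructed for illustration and are not Exchange 2003's native log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, one submission per line):
# ISO timestamp, client IP, authenticated account, recipient count.
SAMPLE_LOG = """\
2010-08-26T09:01:00 203.0.113.10 jsmith 1
2010-08-26T09:05:00 203.0.113.10 jsmith 2
2010-08-26T09:10:00 198.51.100.7 mlee 1
2010-08-26T09:12:00 192.0.2.44 mlee 40
2010-08-26T09:13:00 192.0.2.91 mlee 45
2010-08-26T09:14:00 198.51.100.200 mlee 50
2010-08-26T11:30:00 203.0.113.10 jsmith 1
"""

WINDOW = timedelta(minutes=15)  # assumed look-back window
MAX_SOURCES = 2                 # assumed limit: distinct client IPs per account
MAX_RECIPIENTS = 100            # assumed limit: recipients per account

def parse(log_text):
    """Yield (timestamp, ip, account, recipients) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, rcpts = parts
        yield datetime.fromisoformat(ts), ip, user.lower(), int(rcpts)

def find_suspect_accounts(log_text):
    """Return {account: [reasons]} for accounts exceeding either limit."""
    recent = defaultdict(deque)  # account -> submissions inside the window
    alerts = defaultdict(set)
    for ts, ip, user, rcpts in sorted(parse(log_text)):
        q = recent[user]
        q.append((ts, ip, rcpts))
        while ts - q[0][0] > WINDOW:  # drop submissions older than the window
            q.popleft()
        if len({e[1] for e in q}) > MAX_SOURCES:
            alerts[user].add("many_sources")
        if sum(e[2] for e in q) > MAX_RECIPIENTS:
            alerts[user].add("recipient_burst")
    return {u: sorted(r) for u, r in alerts.items()}

if __name__ == "__main__":
    for account, reasons in find_suspect_accounts(SAMPLE_LOG).items():
        print(account, reasons)
```

Roaming users legitimately change IP, so the source limit needs tuning against normal traffic before it is used to disable accounts.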
