Solved

Exchange 2003: SMTP Auth, Spam and RBLs - How to allow legit email

Posted on 2010-09-02
Last Modified: 2012-06-21
Server = Exchange 2003 and Symantec Mail Security using RBL to reject 'known' spammers. Server is NOT an open relay.

Last week we had a compromised email account used to relay spam through our corporate server.  The spammers properly authenticated to the server, so the relay was allowed. I had everyone change their password as a precaution.

I have remote users that use broadband from home, hotels and such that cannot connect to our mail server if their originating IP is on the RBL.  If I add an exception to allow all email accounts from @ourdomain.com to bypass the RBL, then we are exposed to a degree I am not comfortable with.  

I have considered using a non traditional port number for them to send email to our server with a firewall proxy exception to allow all @ourdomain users to bypass the RBL, but I haven't been able to get it to function reliably.

Can anyone recommend a good solution for allowing authenticated users to access our server from RBL listed IP addresses that won't expose us unnecessarily to spamming risks?

I hope this makes sense.  I'm happy to clarify anything as needed.

Thanks in advance for your help.
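The compromised account in the question relayed spam after authenticating normally, so neither the RBL nor the relay restriction ever saw anything wrong. What does stand out in the logs afterwards is one account suddenly submitting from many client addresses with large recipient counts. Below is an added example, not code from the poster, from Exchange or from Symantec, that runs that check over constructed log lines in a simplified format (timestamp, authenticated user, client IP, recipient count). Real Exchange 2003 SMTP log fields differ, so the regular expression would need adapting, and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag accounts whose authenticated SMTP use looks like a compromised relay.

Added example over a constructed, simplified log format. The two signals are
ones a spammer with stolen credentials produces and a travelling user rarely
does: many distinct client IPs for one account inside a short window, and a
large recipient total inside the same window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed format: "<ISO time>Z AUTH=<user> ip=<client> rcpts=<accepted RCPT count>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"AUTH=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Constructed sample: jdoe is an ordinary user; asmith is the compromised account.
SAMPLE_LOG = """\
2010-08-26T08:02:11Z AUTH=jdoe ip=192.0.2.10 rcpts=1
2010-08-26T08:47:30Z AUTH=jdoe ip=192.0.2.10 rcpts=2
2010-08-26T10:15:04Z AUTH=jdoe ip=192.0.2.10 rcpts=1
2010-08-26T02:03:19Z AUTH=asmith ip=203.0.113.45 rcpts=60
2010-08-26T02:09:52Z AUTH=asmith ip=198.51.100.9 rcpts=55
2010-08-26T02:18:07Z AUTH=asmith ip=203.0.113.77 rcpts=60
2010-08-26T02:26:44Z AUTH=asmith ip=192.0.2.200 rcpts=62
2010-08-26T02:33:10Z AUTH=asmith ip=198.51.100.120 rcpts=58
2010-08-26T02:41:58Z AUTH=asmith ip=203.0.113.9 rcpts=61
this line is not in the expected format and is skipped
"""

Event = Tuple[datetime, str, str, int]   # (time, user, client ip, recipients)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; unparseable lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), int(m.group("rcpts"))))
    return events


def find_suspect_accounts(events: List[Event],
                          window: timedelta = timedelta(hours=1),
                          max_ips: int = 3,          # assumption: tune to your users
                          max_rcpts: int = 200       # assumption: tune to your users
                          ) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for accounts exceeding either threshold in any
    sliding window that starts at one of their own submissions."""
    by_user = defaultdict(list)
    for ts, user, ip, n in events:
        by_user[user].append((ts, ip, n))

    flagged: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            ips, rcpts = set(), 0
            for ts, ip, n in evs[i:]:
                if ts - start > window:
                    break
                ips.add(ip)
                rcpts += n
            reasons = []
            if len(ips) > max_ips:
                reasons.append(f"{len(ips)} distinct client IPs within {window}")
            if rcpts > max_rcpts:
                reasons.append(f"{rcpts} recipients within {window}")
            if reasons:
                flagged[user] = reasons
                break                      # one bad window is enough
    return flagged


if __name__ == "__main__":
    for user, reasons in find_suspect_accounts(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Run daily against the previous day's SMTP log and the output is a short list of accounts to force a password reset on, which is narrower than resetting everyone after the fact.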
Question by:CipherUser
8 Comments
 
LVL 7

Accepted Solution

by:rcombis
rcombis earned 167 total points
ID: 33589013
Have you looked into using a VPN?

All your users would authenticate to the VPN and be "on" your local network so that authentication should not be a problem.

 
LVL 12

Assisted Solution

by:tgtran
tgtran earned 167 total points
ID: 33589014
How about setting up a PPTP VPN and assigning those clients DHCP addresses from a designated private IP subnet? Then allow authenticated users from that subnet to relay/send mail.

 
LVL 6

Assisted Solution

by:grandebob
grandebob earned 166 total points
ID: 33589074
Why not switch to using RPC via HTTP? That lets your remote users connect to Exchange without relying on POP/IMAP/SMTP. It's more secure (uses HTTPS) because it is encrypted. You wouldn't have to allow anyone to relay through your Exchange server. Then you don't allow anyone to relay mail through your server.
 

Author Comment

by:CipherUser
ID: 33589159
If using the VPN solution, would I need to specify a secondary virtual server and the allow relaying based on the vpn subnet?

A lot of our users use RPC over HTTPS, but I have some holdouts that insist on using POP3 or IMAP (which I do have secured).  If I implemented this solution for everyone, would that still allow the Macs that are using Entourage to fully function? How would that affect the Blackberry and iPhone users?  The iPhone uses ActiveSync and the Blackberry users are using the Internet redirector from RIMM as we do not run a Blackberry server.
 
LVL 6

Expert Comment

by:grandebob
ID: 33589244
Cipher-

ActiveSync would not be affected, but BB users who rely on IMAP/SMTP would be if you restricted those services. But it would be easier on you to allow *.blackberry.net or the major cell providers' networks to access your SMTP server and not everyone else. To my knowledge, Entourage supports ActiveSync/RPC via HTTPS with the newer versions, but not very well. Mail.app in Snow Leopard supports ActiveSync/RPC via HTTPS. It would be easy to allow POP/IMAP/SMTP access from inside your network and not from the Internet if that would help you out.
 

Author Comment

by:CipherUser
ID: 33589490
Grandebob,

Are you suggesting that I allow all the major cell carriers to relay or bypass the RBL?  I'm not sure I'm comfortable with either.
 
LVL 6

Expert Comment

by:grandebob
ID: 33589541
I wouldn't allow them carte blanche, but with their IPs and authentication, you would be fairly safe.

The best solution is to install a Blackberry Professional server, or transition users to EAS devices. Both cost money.

It sounds like your real issue at the base of your problem is IT sprawl. With so many devices connecting over so many different protocols, it's difficult, if not impossible, to protect and secure them in a cost-effective manner.
 

Author Comment

by:CipherUser
ID: 33589728
Can anyone offer a solution to implement until (if) I can get everyone on RPC over HTTPS and/or Active Sync devices?

Is there any merit to allowing relaying only if the user connects to a non-standard port AND authenticates?  Wouldn't most spam attacks be aimed at port 25?

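The non-standard-port idea and the VPN-subnet idea in this thread come down to the same policy question: on which listener is the RBL consulted, and what earns a client an exemption from it. The following is an added model of that policy, not code from the poster or from Exchange or Symantec Mail Security, and all domains, ports, addresses and RBL contents in it are constructed. It shows why an exemption keyed on an @ourdomain.com envelope sender is worthless (MAIL FROM is attacker-controlled), while an exemption keyed on a dedicated submission listener that demands AUTH over TLS, or on a VPN address pool, keeps the RBL on the anonymous inbound path where it belongs.

```python
"""SMTP relay/RBL policy, modelled in Python (added example, constructed data).

Two decision points are modelled: connect time, where an RBL normally acts and
where no AUTH has happened yet, and RCPT time, where relaying is granted or
refused. The RBL is applied only on the inbound listener; the submission
listener skips it but refuses every session that is not authenticated over TLS.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LOCAL_DOMAINS = {"ourdomain.com"}             # assumption: domains we accept mail for
INBOUND_PORT = 25                             # anonymous MX traffic, RBL enforced
SUBMISSION_PORT = 587                         # assumption: authenticated-only listener
VPN_POOL = ip_network("10.99.0.0/24")         # assumption: addresses handed to VPN clients
RBL_LISTED = {ip_address("203.0.113.45"),     # constructed RBL hits
              ip_address("198.51.100.9")}


@dataclass
class Session:
    client_ip: str
    server_port: int
    tls: bool = False
    authenticated_user: Optional[str] = None
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def on_connect(client_ip: str, server_port: int) -> Tuple[int, str]:
    """Connection-time decision. The RBL is consulted only on the inbound
    listener and never for the VPN pool. AUTH has not happened yet, so a
    listed remote user cannot authenticate past this check; that is exactly
    the symptom described in the question."""
    ip = ip_address(client_ip)
    if server_port == INBOUND_PORT and ip in RBL_LISTED and ip not in VPN_POOL:
        return 554, "5.7.1 Service unavailable; client host blocked using RBL"
    return 220, "mail.ourdomain.com ESMTP ready"


def on_rcpt(session: Session) -> Tuple[int, str]:
    """RCPT-time decision for a session that already passed on_connect()."""
    authed = session.authenticated_user is not None
    external = [r for r in session.rcpt_to if _domain(r) not in LOCAL_DOMAINS]

    if session.server_port == SUBMISSION_PORT:
        # Submission listener: no RBL, but credentials over TLS for everyone.
        if not session.tls:
            return 530, "5.7.0 Must issue a STARTTLS command first"
        if not authed:
            return 530, "5.7.0 Authentication required"
        return 250, "2.1.5 Recipient OK (authenticated submission)"

    # Inbound listener: anyone may deliver to local domains; relaying to
    # external recipients requires AUTH. The envelope sender's domain is
    # deliberately not a criterion, because MAIL FROM is forgeable.
    if external and not authed:
        return 550, "5.7.1 Unable to relay for " + ", ".join(external)
    return 250, "2.1.5 Recipient OK"


if __name__ == "__main__":
    remote_user = Session("203.0.113.45", SUBMISSION_PORT, tls=True,
                          authenticated_user="jdoe",
                          mail_from="jdoe@ourdomain.com",
                          rcpt_to=["friend@example.net"])
    print("listed IP on 25:", on_connect("203.0.113.45", INBOUND_PORT))
    print("listed IP on 587:", on_connect("203.0.113.45", SUBMISSION_PORT))
    print("authenticated relay on 587:", on_rcpt(remote_user))
```

In the setup from the question the RBL rejection is done by Symantec Mail Security in front of the SMTP virtual server, so the equivalent of the model is a second SMTP virtual server on a port the RBL filter does not cover, with anonymous access disabled and relaying restricted to authenticated clients. It does nothing against the case that actually happened, stolen credentials used through the authenticated path; that remains a password and monitoring problem, not an RBL one.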
