Solved

Exchange 2003: SMTP Auth, Spam and RBLs - How to allow legit email

Posted on 2010-09-02
558 Views
Last Modified: 2012-06-21
Server = Exchange 2003 and Symantec Mail Security using RBL to reject 'known' spammers. Server is NOT an open relay.

Last week we had a compromised email account used to relay spam through our corporate server.  The spammers properly authenticated to the server, so the relay was allowed. I had everyone change their password as a precaution.

I have remote users that use broadband from home, hotels and such that cannot connect to our mail server if their originating IP is on the RBL.  If I add an exception to allow all email accounts from @ourdomain.com to bypass the RBL, then we are exposed to a degree I am not comfortable with.  

I have considered using a non traditional port number for them to send email to our server with a firewall proxy exception to allow all @ourdomain users to bypass the RBL, but I haven't been able to get it to function reliably.

Can anyone recommend a good solution for allowing authenticated users to access our server from RBL listed IP addresses that won't expose us unnecessarily to spamming risks?

I hope this makes sense.  I'm happy to clarify anything as needed.

Thanks in advance for your help.
Question by:CipherUser

8 Comments
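The incident in the question, a stolen password used to relay spam through an authenticated session, leaves a distinctive trace in the SMTP virtual server's W3C extended log: one account issuing far more RCPT commands per hour than it ever normally does, often from several client addresses at once. The script below is an added example and not part of the original thread. It reads the field order from the `#Fields:` header rather than hard-coding it, counts RCPT commands per authenticated account per hour, and flags accounts that exceed a volume or distinct-IP threshold. The log lines are constructed to resemble Exchange 2003 SMTP logs, and the thresholds, account names and addresses are assumptions.

```python
"""Flag an authenticated SMTP account that is being used to relay in bulk.

Added example, not code from the thread. The sample log is constructed to
resemble an Exchange 2003 / IIS SMTP W3C extended log; field order is taken
from the #Fields header, so a real file's order need not match. Thresholds
are assumptions and should be tuned to the site's normal traffic.
"""
from collections import defaultdict

HEADER = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2010-08-26 02:00:00",
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)",
])


def _line(ts, client_ip, user, verb, arg):
    """One constructed log record (21 fields, matching the header above)."""
    return (f"2010-08-26 {ts} {client_ip} {user} SMTPSVC1 MAIL01 192.0.2.10 25 "
            f"{verb} - {arg} 250 0 0 0 0 SMTP - - - -")


def build_sample_log():
    """Constructed sample: jsmith's stolen password is used from three
    different addresses to fan out to 60 recipients in one hour; bjones
    sends a normal handful; one unauthenticated inbound RCPT is included."""
    lines = [HEADER]
    sources = ["203.0.113.9", "198.51.100.7", "203.0.113.77"]
    for i in range(60):
        lines.append(_line(f"02:{i:02d}:00", sources[i % 3], "OURDOMAIN\\jsmith",
                           "RCPT", f"+TO:<victim{i}@example.org>"))
    for i in range(5):
        lines.append(_line(f"09:{i * 10:02d}:00", "198.51.100.50", "OURDOMAIN\\bjones",
                           "RCPT", f"+TO:<partner{i}@example.net>"))
    lines.append(_line("09:01:00", "198.51.100.50", "-", "RCPT", "+TO:<bjones@ourdomain.com>"))
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, parts))


def find_abused_accounts(text, rcpt_per_hour=50, max_ips=2):
    """Return {account: [reasons]} for accounts whose authenticated RCPT
    volume per hour, or number of distinct client IPs, exceeds the limits."""
    rcpts = defaultdict(int)   # (user, date, hour) -> RCPT count
    ips = defaultdict(set)     # user -> client addresses seen
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if user == "-" or rec["cs-method"].upper() != "RCPT":
            continue  # only authenticated sessions can relay; count those
        rcpts[(user, rec["date"], rec["time"][:2])] += 1
        ips[user].add(rec["c-ip"])
    findings = {}
    for (user, date, hour), n in rcpts.items():
        if n >= rcpt_per_hour:
            findings.setdefault(user, []).append(
                f"{n} RCPT commands between {date} {hour}:00 and {hour}:59")
    for user, addrs in ips.items():
        if len(addrs) > max_ips:
            findings.setdefault(user, []).append(
                f"authenticated from {len(addrs)} distinct client IPs")
    return findings


if __name__ == "__main__":
    for account, reasons in find_abused_accounts(build_sample_log()).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

Run it against the real log directory (one file per day under the SMTP virtual server's log path) by replacing `build_sample_log()` with the file contents; the per-hour bucket is what separates a mass mailing from a busy but legitimate user, and the distinct-IP count catches a password being used from a botnet even when volume stays under the limit.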
 
LVL 7

Accepted Solution

by:
rcombis earned 167 total points
ID: 33589013
Have you looked into using a VPN?

All your users would authenticate to the VPN and be "on" your local network so that authentication should not be a problem.

 
LVL 12

Assisted Solution

by:tgtran
tgtran earned 167 total points
ID: 33589014
How about setting up a PPTP VPN and assigning those clients addresses by DHCP from a designated private IP subnet? Then allow authenticated users from that subnet to relay/send mail.

 
LVL 6

Assisted Solution

by:grandebob
grandebob earned 166 total points
ID: 33589074
Why not switch to using RPC over HTTP? That lets your remote users connect to Exchange without relying on POP/IMAP/SMTP. It's more secure (uses HTTPS) because it is encrypted. You wouldn't have to allow anyone to relay through your Exchange server. Then you don't allow anyone to relay mail through your server.

Author Comment

by:CipherUser
ID: 33589159
If using the VPN solution, would I need to specify a secondary virtual server and the allow relaying based on the vpn subnet?

A lot of our users use RPC over HTTPS, but I have some holdouts that insist on using POP3 or IMAP (which I do have secured). If I implemented this solution for everyone, would that still allow the Macs that are using Entourage to fully function? How would that affect the BlackBerry and iPhone users? The iPhone uses ActiveSync and the BlackBerry users are using the Internet redirector from RIMM, as we do not run a BlackBerry server.
 
LVL 6

Expert Comment

by:grandebob
ID: 33589244
Cipher-

ActiveSync would not be affected, but BB users who rely on IMAP/SMTP would be if you restricted those services. But it would be easier on you to allow *.blackberry.net or the major cell providers' networks to access your SMTP server and not everyone else. To my knowledge, Entourage supports ActiveSync/RPC over HTTPS with the newer versions, but not very well. Mail.app in Snow Leopard supports ActiveSync/RPC over HTTPS. It would be easy to allow POP/IMAP/SMTP access from inside your network and not from the Internet if that would help you out.
 

Author Comment

by:CipherUser
ID: 33589490
Grandebob,

Are you suggesting that I allow all the major cell carriers to relay or bypass the RBL?  I'm not sure I'm comfortable with either.
 
LVL 6

Expert Comment

by:grandebob
ID: 33589541
I wouldn't allow them carte blanche, but with their IPs and authentication, you would be fairly safe.

The best solution is to install a Blackberry Professional server, or transition users to EAS devices. Both cost money.

It sounds like the real issue at the base of your problem is IT sprawl. With so many devices connecting over so many different protocols, it's difficult, if not impossible, to protect and secure them in a cost-effective manner.
 

Author Comment

by:CipherUser
ID: 33589728
Can anyone offer a solution to implement until (if) I can get everyone on RPC over HTTPS and/or ActiveSync devices?

Is there any merit to allowing relaying only if the user connects to a non-standard port AND authenticates?  Wouldn't most spam attacks be aimed at port 25?

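The thread weighs two different exemptions without spelling out the difference: exempting connections whose MAIL FROM claims @ourdomain.com (the option the question rejects), versus exempting by property of the session, an authenticated login or a source address in the VPN pool (the answers' suggestions, and the non-standard-port idea in the last comment). The policy model below is an added example, not code from the thread or from Exchange; it encodes both policies as decision functions so the difference can be exercised. It also captures the ordering that makes the separate port necessary: on port 25 the RBL rejects the connection before AUTH is ever offered, so authentication cannot rescue a listed client there. The RBL lookup is stubbed as a boolean input, and the domain name, the VPN range and the port number are assumptions.

```python
"""Admission policy for an inbound SMTP session: who may relay, and when the
RBL applies.

Added example, not code from the thread or from Exchange. Contrasts the
sender-domain exemption the question considered with a session-based
exemption plus an authenticated-only submission port that the RBL is not
bound to. `rbl_listed` stands in for the real lookup. Domain, VPN range and
port number are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL_DOMAINS = {"ourdomain.com"}          # assumed accepted domain
VPN_NETS = [ip_network("10.8.0.0/24")]     # assumed VPN client pool (PPTP + DHCP)
SUBMISSION_PORT = 2525                     # assumed second SMTP virtual server


@dataclass
class Session:
    client_ip: str
    port: int
    auth_user: Optional[str]   # account name after a successful AUTH, else None
    mail_from: str             # as given in MAIL FROM; unverified, forgeable
    rcpt_to: str
    rbl_listed: bool           # RBL lookup result for client_ip


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _from_vpn(ip: str) -> bool:
    a = ip_address(ip)
    return any(a in net for net in VPN_NETS)


def decide_sender_exempt(s: Session) -> str:
    """Weak policy: MAIL FROM @ourdomain.com bypasses the RBL. Anyone can
    claim that sender, so a listed host reaches local mailboxes by forging it."""
    if s.rbl_listed and _domain(s.mail_from) not in LOCAL_DOMAINS:
        return "550 blocked by RBL"
    if _domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "250 accepted (local delivery)"
    if s.auth_user is not None or _from_vpn(s.client_ip):
        return "250 accepted (relay)"
    return "550 relaying denied"


def decide_session_based(s: Session) -> str:
    """Exempt by session, not by claimed sender. On port 25 the RBL runs at
    connect time, before AUTH, so only the VPN pool escapes it there. The
    submission port has no RBL bound to it and takes authenticated sessions
    only, which is what lets a roaming user on a listed IP send mail."""
    if s.port == SUBMISSION_PORT:
        if s.auth_user is None:
            return "530 authentication required"
        if _domain(s.rcpt_to) in LOCAL_DOMAINS:
            return "250 accepted (local delivery)"
        return "250 accepted (relay)"
    # Port 25: connection-level RBL first, unless the client is on the VPN.
    if s.rbl_listed and not _from_vpn(s.client_ip):
        return "550 blocked by RBL"
    if _domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "250 accepted (local delivery)"
    if s.auth_user is not None or _from_vpn(s.client_ip):
        return "250 accepted (relay)"
    return "550 relaying denied"


if __name__ == "__main__":
    # A listed host forging a local sender toward a local mailbox: the
    # sender-based exemption lets it in, the session-based policy does not.
    spoof = Session("203.0.113.9", 25, None, "ceo@ourdomain.com",
                    "staff@ourdomain.com", rbl_listed=True)
    print("sender-exempt :", decide_sender_exempt(spoof))
    print("session-based :", decide_session_based(spoof))
```

The session-based half maps onto the relay-restriction setting on an Exchange 2003 SMTP virtual server ("Allow all computers which successfully authenticate to relay, regardless of the list above"); Exchange's own connection filtering is enabled per virtual server, which is what makes a second virtual server without the RBL an option. Whether a third-party filter such as Symantec Mail Security can be left off one virtual server depends on how it is bound, so check that before relying on the port split. Note that neither policy does anything about a stolen password; that is what the per-account volume check in the earlier example is for.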