
Internal open relay on Exchange 2007

I am running Exchange 2007 SP2 on Windows 2003 R2 64-bit.
I checked externally and I am NOT an open relay, but internally a user can connect via telnet and SMTP and send email as anyone in my organization to anyone, and I would like to know how to stop that. When using Outlook 2007 or 2010 you can't send as someone else unless the user is given access, so why, via telnet and the SMTP protocol, can they send as anyone they want?
Any help is appreciated.
I've checked to make sure I'm not an open relay with the following websites:
www.mxtoolbox.com/diagnostic.aspx
www.checkor.com
They both said I am NOT an open relay.
Asked by afacts
2 Solutions
 
Alan Hardisty commented:
What are the settings on your Receive Connector(s)?

get-receiveconnector | fl
 
afacts (Author) commented:
Which setting in particular do you need to know? Also, how do I access this info in the Management Console?
 
Alan Hardisty commented:
Run the command from the Exchange Management Shell.

Alternatively, from the Exchange Management Console, go to Server Configuration > Hub Transport > Receive Connectors and advise the following (per connector):

Network tab > IP address ranges listed
Authentication tab > what is ticked
Permission Groups tab > what is ticked
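The three tabs above map to the RemoteIPRanges, AuthMechanism and PermissionGroups properties of each connector, and the question's symptom comes from how those combine. The script below is an added example (not Alan's or Microsoft's code, and not something posted in this thread) that pulls all three per connector in one pass and flags the two permissions that matter: whether an unauthenticated client in the listed ranges may relay to any recipient, and whether it may use one of your own accepted domains in MAIL FROM. It uses only Exchange 2007 cmdlets that exist (Get-ReceiveConnector, Get-ADPermission) and the documented extended-right names; the RFC 1918 patterns and the output layout are my own choices.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the Hub Transport server. For each Receive Connector it prints the Network,
# Authentication and Permission Group settings asked for above, then flags the
# combination behind the symptom in the question: remote IP ranges that include
# RFC 1918 space on a connector whose permissions let an unauthenticated client
# relay to any recipient, or put an address in your own domain in MAIL FROM.
# Written to stay within PowerShell 1.0, which Exchange 2007 ships with.

$privatePatterns = @('^10\.', '^192\.168\.', '^172\.(1[6-9]|2[0-9]|3[01])\.')

function Test-PrivateRange {
    param([string]$Range)
    # RemoteIPRanges entries stringify as "a.b.c.d", "a.b.c.d-w.x.y.z" or "a.b.c.d/n";
    # the first address is enough to tell whether the range starts in private space.
    foreach ($p in $privatePatterns) {
        if ($Range -match $p) { return $true }
    }
    return $false
}

function Get-AnonymousRights {
    param([string]$ConnectorId)
    # Extended rights granted (not denied) to NT AUTHORITY\ANONYMOUS LOGON on the connector.
    $rights = @()
    Get-ADPermission -Identity $ConnectorId |
        Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny } |
        ForEach-Object { foreach ($r in $_.ExtendedRights) { $rights += "$r" } }
    return $rights
}

foreach ($rc in Get-ReceiveConnector) {
    $id       = "$($rc.Identity)"
    $bindings = @($rc.Bindings | ForEach-Object { "$_" })
    $ranges   = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    $private  = @($ranges | Where-Object { Test-PrivateRange $_ })
    $anon     = @(Get-AnonymousRights $id)

    "=== $id ==="
    "  Bindings         : $([string]::Join(', ', $bindings))"
    "  RemoteIPRanges   : $([string]::Join(', ', $ranges))"
    "  AuthMechanism    : $($rc.AuthMechanism)"
    "  PermissionGroups : $($rc.PermissionGroups)"

    # Relay: either the explicit right on ANONYMOUS LOGON, or Externally Secured
    # authentication, which gives every IP in range the Exchange Servers rights
    # (relay included) without any credentials.
    $canRelay = ($anon -contains 'ms-Exch-SMTP-Accept-Any-Recipient') -or
                ("$($rc.AuthMechanism)" -match 'ExternalAuthoritative')
    # Spoof: an anonymous client may put one of your accepted domains in MAIL FROM.
    $canSpoof = $anon -contains 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

    if ($private.Count -gt 0) {
        $where = [string]::Join(', ', $private)
        if ($canRelay) { "  !! Unauthenticated relay to ANY recipient allowed from $where" }
        if ($canSpoof) { "  !! Unauthenticated clients in $where may send as your own domain" }
    }
}
```

Two things to keep in mind when reading the output. The relay flag is what the thread goes on to fix by removing internal ranges. The spoof flag is a separate matter: the Anonymous Users permission group holds ms-Exch-SMTP-Accept-Authoritative-Domain-Sender by default, so a Default connector that accepts internet mail will also accept an internal address in MAIL FROM from any unauthenticated LAN host, which is exactly the "send as anyone in my organization" part of the question. Revoking it (Remove-ADPermission -Identity "SERVER\Default SERVER" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender") closes that, but it also rejects any legitimate external system that sends with your domain in the envelope sender, so check for those first.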
 
afacts (Author) commented:
What's the command to export it to a file? It's easier to just export it to a txt file and then I can add that here.
 
Alan Hardisty commented:
get-receiveconnector | fl >> connectors.txt

That will write to the folder that you run the command from - usually c:\windows\system32
 
Ganesh G (Messaging Consultant) commented:
You can restrict permissions on the internal relay by authenticated relaying.

http://technet.microsoft.com/en-us/library/aa996446(EXCHG.65).aspx
 
afacts (Author) commented:
Is there any info there that I should not display here?
 
Alan Hardisty commented:
You can hide your domain name - other than that - that should be it.  I can edit / hide anything else later if you need it.
 
afacts (Author) commented:
GanyBoy, that article is only for 2003; do you know the link for 2007?
 
Alan Hardisty commented:
Your SMTP Relay for W1.domain.com connector is open internally:

192.168.101.0-192.168.101.255, 192.168.100.0-192.168.100.255

Presumably you should remove these internal ranges and just have the external ranges?
 
afacts (Author) commented:
So if I close it internally, what does that mean? Will it affect anything? That server is actually an external web server, from which we relay emails as if they came from inside.
So knowing that, do we still need the internal relaying on?
So to turn it off, do I just remove the internal IPs?
 
Alan Hardisty commented:
You can put it back if it doesn't work - but it seems to me that you are trying to allow something external to send mail to your server - possibly a 3rd party spam filtering service or a client, but you are also allowing internal users to send too because you have your internal range included, which you shouldn't have.
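Alan's advice is to take the internal ranges off the relay connector and keep only the external ones. As an added example (not part of the thread, and not Alan's or Microsoft's code), the script below does exactly that in the Exchange Management Shell, but records the current list first so the change can be reverted with one command, and refuses to leave the connector with an empty list. The connector identity is an assumption built from the connector name mentioned in the thread with a made-up server name; take the real identity from Get-ReceiveConnector.

```powershell
# Added example, not from the thread. Removes RFC 1918 ranges from one relay
# connector's RemoteIPRanges after saving the current list to a file, so the
# change can be undone with a single Set-ReceiveConnector. Run in the Exchange
# Management Shell. The identity below is an assumption (server name invented,
# connector name taken from the thread); replace it with your own.

$ConnectorId     = 'HUB01\SMTP Relay for W1.domain.com'
$Backup          = Join-Path $env:TEMP ('RemoteIPRanges_' + ($ConnectorId -replace '[^A-Za-z0-9]', '_') + '.txt')
$privatePatterns = @('^10\.', '^192\.168\.', '^172\.(1[6-9]|2[0-9]|3[01])\.')

$rc = Get-ReceiveConnector -Identity $ConnectorId
if ($rc -eq $null) { throw "Receive connector '$ConnectorId' not found" }

# 1. Back up the current list (one range per line) before changing anything.
$current = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
$current | Set-Content -Path $Backup
"Saved $($current.Count) range(s) to $Backup"

# 2. Split the list: ranges that start inside private space go, the rest stay.
$keep = @()
$drop = @()
foreach ($range in $current) {
    $isPrivate = $false
    foreach ($p in $privatePatterns) { if ($range -match $p) { $isPrivate = $true } }
    if ($isPrivate) { $drop += $range } else { $keep += $range }
}

if ($drop.Count -eq 0) { "Nothing to do: no private ranges on $ConnectorId"; return }
if ($keep.Count -eq 0) {
    throw "Every range on '$ConnectorId' is private. If it should serve nobody, disable it (Set-ReceiveConnector -Enabled:`$false) rather than emptying the list."
}

"Dropping : $([string]::Join(', ', $drop))"
"Keeping  : $([string]::Join(', ', $keep))"

# 3. Apply, then show the result for the record.
Set-ReceiveConnector -Identity $ConnectorId -RemoteIPRanges $keep
Get-ReceiveConnector -Identity $ConnectorId |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# To revert:
#   Set-ReceiveConnector -Identity $ConnectorId -RemoteIPRanges (Get-Content $Backup)
```

Why this is safe for inbound mail: when a client's address matches the RemoteIPRanges of several connectors on the same binding, Exchange picks the connector with the most specific match, so internal hosts dropped from the relay connector simply fall through to the Default connector, which has no relay right unless someone granted one. If a single internal host (the web server the asker mentions, say) genuinely needs to relay, add back that one address rather than the whole /24.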
 
afacts (Author) commented:
That did the trick. I removed the internal ranges and now internally there's no more relay; we'll see if it breaks anything.
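"We'll see if it breaks anything" is the right instinct, and the check is cheap: repeat the telnet test from the question after every connector change. The script below is an added example (not from the thread, not Exchange's own tooling) that does that test from an internal Windows host without sending a message: it claims an internal sender, tries one internal and one external recipient, records each reply, then aborts the envelope with RSET and QUIT before DATA. Server name and addresses are assumptions to replace; it needs PowerShell 2.0 or later and no Exchange cmdlets.

```powershell
# Added example, not from the thread. Repeats the telnet test from the
# question as a script so the result can be re-checked after each connector
# change: connect to port 25 from an internal host, claim an internal sender,
# try one internal and one external recipient, record each reply, then RSET
# and QUIT so nothing is ever queued. PowerShell 2.0 or later; no Exchange
# cmdlets needed. All names and addresses below are assumptions.

$SmtpServer   = 'hub01.corp.example'     # assumed Hub Transport host
$InternalFrom = 'ceo@domain.org'         # assumed address in an accepted domain
$InternalTo   = 'helpdesk@domain.org'    # assumed internal mailbox
$ExternalTo   = 'someone@example.net'    # assumed recipient outside your domains

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A multi-line reply continues while the 4th character is '-' ("250-SIZE")
    # and ends on the line with a space there ("250 OK").
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
    return [string]::Join("`n", $lines)
}

function Send-SmtpCommand {
    param([System.IO.StreamWriter]$Writer, [System.IO.StreamReader]$Reader, [string]$Command)
    $Writer.Write("$Command`r`n")
    $Writer.Flush()
    return Read-SmtpReply $Reader
}

function Test-SmtpRelay {
    param([string]$Server, [string]$From, [string[]]$Recipients)
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $replies = @{}
    try {
        $replies['Banner'] = Read-SmtpReply $reader
        $replies['EHLO']   = Send-SmtpCommand $writer $reader 'EHLO probe.corp.example'
        $replies['MAIL']   = Send-SmtpCommand $writer $reader "MAIL FROM:<$From>"
        foreach ($rcpt in $Recipients) {
            $replies["RCPT $rcpt"] = Send-SmtpCommand $writer $reader "RCPT TO:<$rcpt>"
        }
        # Abandon the envelope: DATA is never sent, so nothing is delivered.
        Send-SmtpCommand $writer $reader 'RSET' | Out-Null
        Send-SmtpCommand $writer $reader 'QUIT' | Out-Null
    } finally {
        $client.Close()
    }
    return $replies
}

$r = Test-SmtpRelay $SmtpServer $InternalFrom @($InternalTo, $ExternalTo)
foreach ($k in 'Banner', 'EHLO', 'MAIL', "RCPT $InternalTo", "RCPT $ExternalTo") {
    "{0,-40} {1}" -f $k, ($r[$k] -replace "`n", ' | ')
}

# Interpretation. Exchange 2007 typically answers a refused relay with
# "550 5.7.1 Unable to relay" and a refused sender with
# "550 5.7.1 Client does not have permissions to send as this sender".
if ($r['MAIL'] -notmatch '^250') {
    'Sender address rejected: anonymous clients here may not send as your domain.'
} elseif ($r["RCPT $ExternalTo"] -match '^250') {
    "OPEN INTERNAL RELAY: accepted $InternalFrom to external $ExternalTo without authentication."
} else {
    "Relay refused, but $InternalFrom was accepted as MAIL FROM, so internal sender spoofing is still possible (internal recipient reply: $($r["RCPT $InternalTo"]))."
}
```

Run it from a host in each range you removed, and again from the one host you kept, if any. Removing the internal ranges should move the external RCPT from 250 to 550 Unable to relay; the MAIL FROM line is the separate sender-spoofing question, and stays 250 on a Default connector that still grants Anonymous Users their default rights.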
 
Alan Hardisty commented:
You are welcome - sounds good.

Thanks for the points.

Alan
 
Ganesh G (Messaging Consultant) commented:
Thank you Alan & afacts.
 
Alan Hardisty commented:
What for?
 
Ganesh G (Messaging Consultant) commented:
For some useful info which you gave through this forum :)
 
Alan Hardisty commented:
My pleasure.
 
Alan Hardisty commented:
Checking.
 
afacts (Author) commented:
Actually, that didn't solve the problem, because as soon as I removed the internal IPs, external people were not able to email us anymore.
 
Alan Hardisty commented:
That doesn't make any sense.

Are they authenticating?

Put the settings back - then disable one connector and see which one causes the internal relay to stop.  Then we can look at the settings.

Re-opening the question for now.
 
afacts (Author) commented:
The external people are not authenticating; they are external people from different companies just trying to send email to me.

I put it back how it was before, but I'm trying to test sending an email from gmail, but it's still not working:

Delivery to the following recipient failed permanently:

     xxxxxx@domain.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Address unknown (state 14).

----- Original message -----

Received: by 10.227.61.6 with SMTP id r6mr9599643wbh.37.1317232104100; Wed, 28
 Sep 2011 10:48:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.10.83 with HTTP; Wed, 28 Sep 2011 10:47:44 -0700 (PDT)
From: Dan _ <xxxxxxxx@gmail.com>
Date: Wed, 28 Sep 2011 10:47:44 -0700
Message-ID: <CAMzYC+vXmCYR9mBZEXUShGFvVUP3daQU22sBWFHPJdo+XS=U9A@mail.gmail.com>
Subject: test4
To: xxxxxx@domain.com
Content-Type: multipart/alternative; boundary=20cf30025a60a6d39704ae03ffd6
 
afacts (Author) commented:
Any help? I added the two IP entries back and it's still not working; I even restarted the services.
I checked my hub transport, and made sure that my internal and external DNS is up to date.

What else can I do to start receiving external email?
 
afacts (Author) commented:
I even went through the Hub Transport settings for the internal and external DNS and updated everything; it's all correct, but it's still not working.
 
Alan Hardisty commented:
Default External receive connector needs Anonymous auth enabled.  Don't recall seeing that on any Receive connector.

Just got home, so on iPhone / iPad for now, but back to laptop later when kids in bed.
 
afacts (Author) commented:
That didn't work.
 
Alan Hardisty commented:
Default Elisha should be the connector that receives mail externally and should have Anonymous Permissions enabled.

Not sure why you have two Bindings set on it when 0.0.0.0:25 should work.  Worth removing the second binding and testing.
 
afacts (Author) commented:
After restarting my firewall, everything is working fine now. About two weeks ago I demoted and discarded my backup DC, so the only thing I can think of is that it was using the cached IP or something. I already updated the firewall with the new DC, so hopefully it's up and running for good now.
 
Alan Hardisty commented:
Okay - so where are we with relaying internally and receiving external emails?
 
afacts (Author) commented:
Well, external emails are working now, so that's great. I guess I don't really care about internal relaying, as just removing the internal IP addresses from my W1 connector caused all external emails to not be received. I think I might just leave things the way they are, as it's working now.
 
Alan Hardisty commented:
Removing the internal IPs from your W1 connector should have no bearing on receiving external emails at all, unless you are not receiving emails directly to your Exchange server and they are being sent to another device first, then sent to the Exchange server, which would be odd to say the least.
 
afacts (Author) commented:
So then I guess I can remove those internal IP addresses from the list?
 
Alan Hardisty commented:
Yes - you should be able to.

Once done - re-run the get-receiveconnector | fl command again and see what's changed.
 
afacts (Author) commented:
I'm just going to leave it the way it is, as externally, there's no relaying.
