Internal open relay on Exchange 2007

I am running Exchange 2007 SP2 on Windows 2003 R2 64-bit.
I checked externally and I am NOT an open relay, but internally, a user can connect via telnet and SMTP and send email as anyone in my organization to anyone, and I would like to know how to stop that. When using Outlook 2007 or 2010, you can't send as someone else unless the user is given access, so why can they send as anyone they want via telnet and the SMTP protocol?
Any help is appreciated.
I've checked to make sure I'm not an open relay with the following websites:
www.mxtoolbox.com/diagnostic.aspx
www.checkor.com
They both said I am NOT an open relay.
Dan (Network Engineer) asked:

Alan Hardisty (Co-Owner) commented:
Removing the internal IPs from your W1 connector should have no bearing on receiving external emails at all, unless you are not receiving emails directly on your Exchange server and they are being sent to another device first, then sent to the Exchange server, which would be odd to say the least.

Alan Hardisty (Co-Owner) commented:
What are the settings on your Receive Connector(s)?

get-receiveconnector | fl

Dan (Network Engineer, author) commented:
Which setting in particular do you need to know? Also, how do I access this info in the Management Console?

Alan Hardisty (Co-Owner) commented:
Run the command from the Exchange Management Shell.

Alternatively, from the Exchange Management Console, go to Server Configuration> Hub Transport> Receive Connectors and advise the following (per connector)

Network Tab> IP address ranges listed
Authentication Tab> What is ticked
Permissions Group Tab> What is ticked

Dan (Network Engineer, author) commented:
What's the command to export it to a file? It's easier to just export it to a txt file, and then I can add that here.

Alan Hardisty (Co-Owner) commented:
get-receiveconnector | fl >> connectors.txt

That will write to the folder that you run the command from - usually c:\windows\system32

Ganesh G (Messaging Consultant) commented:
You can restrict permissions on the internal relay by authenticated relaying:

http://technet.microsoft.com/en-us/library/aa996446(EXCHG.65).aspx

Dan (Network Engineer, author) commented:
Is there any info there that I should not display here?

Alan Hardisty (Co-Owner) commented:
You can hide your domain name - other than that - that should be it.  I can edit / hide anything else later if you need it.

Dan (Network Engineer, author) commented:
GanyBoy, that article is only for 2003; do you know the link for 2007?

Alan Hardisty (Co-Owner) commented:
Your "SMTP Relay for W1.domain.com" connector is open internally:

192.168.101.0-192.168.101.255, 192.168.100.0-192.168.100.255

Presumably you should remove these internal ranges and just have the external ranges?

Dan (Network Engineer, author) commented:
So if I close it internally, what does that mean? Will it affect anything? That server is actually an external web server, which we relay emails from as though they came from internally.
So knowing that, do we still need the internal relaying on?
So to turn it off, do I just remove the internal IPs?

Alan Hardisty (Co-Owner) commented:
You can put it back if it doesn't work - but it seems to me that you are trying to allow something external to send mail to your server - possibly a 3rd party spam filtering service or a client, but you are also allowing internal users to send too because you have your internal range included, which you shouldn't have.
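The per-connector review Alan describes earlier in the thread (IP ranges, authentication, permission groups) and the fix he proposes here (take the LAN ranges out of the W1 relay connector), combined into one Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft; the Hub Transport server name HUB1 and the web server address 203.0.113.10 are placeholders, and the connector name "SMTP Relay for W1.domain.com" is the one quoted above. The audit goes one step beyond the GUI tabs: it checks whether ANONYMOUS LOGON actually holds ms-Exch-SMTP-Accept-Any-Recipient on each connector, because that extended right, not the Anonymous Users permission group by itself, is what turns "accept mail" into "relay anywhere".

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on a
# Hub Transport server. Placeholders: HUB1 = Hub Transport server, 203.0.113.10 =
# the external web server that legitimately needs to relay.

# RFC 1918 space: a connector that answers these ranges is reachable by any LAN
# host, which is what the telnet user in the question is.
$privatePattern = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

function Get-RelayAudit {
    foreach ($rc in Get-ReceiveConnector) {
        # ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON makes the
        # connector an open relay for every address in RemoteIPRanges. The
        # AnonymousUsers permission group does NOT include this right, so an
        # Internet-facing default connector with AnonymousUsers is not a relay.
        $anonRelay = Get-ADPermission -Identity $rc.Identity |
            Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                           -not $_.Deny -and
                           ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }

        $internalRanges = @($rc.RemoteIPRanges | Where-Object { "$_" -match $privatePattern })

        New-Object PSObject -Property @{
            Connector         = "$($rc.Identity)"
            Bindings          = (@($rc.Bindings       | ForEach-Object { "$_" }) -join ', ')
            RemoteIPRanges    = (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ')
            AuthMechanism     = "$($rc.AuthMechanism)"
            PermissionGroups  = "$($rc.PermissionGroups)"
            AnonymousRelay    = [bool]$anonRelay
            InternalOpenRelay = ([bool]$anonRelay -and $internalRanges.Count -gt 0)
        }
    }
}

# Step 1: audit. Any row with InternalOpenRelay = True is the problem connector.
Get-RelayAudit | Format-List Connector, Bindings, RemoteIPRanges, AuthMechanism,
                             PermissionGroups, AnonymousRelay, InternalOpenRelay

# Step 2: fix. The relay connector should answer only the web server, not the LAN.
# -RemoteIPRanges replaces the whole list, so the two 192.168.x.0/24 ranges go away.
Set-ReceiveConnector -Identity 'HUB1\SMTP Relay for W1.domain.com' `
                     -RemoteIPRanges '203.0.113.10'

# Step 3: the Internet-facing connector must still accept anonymous senders (Gmail
# in the thread) or external mail stops; AnonymousUsers alone does not relay.
Set-ReceiveConnector -Identity 'HUB1\Default HUB1' `
                     -PermissionGroups 'AnonymousUsers, ExchangeUsers, ExchangeServers, ExchangeLegacyServers'

# Step 4: re-run the audit and confirm no connector shows InternalOpenRelay = True.
Get-RelayAudit | Format-List Connector, RemoteIPRanges, AnonymousRelay, InternalOpenRelay
```

Two caveats worth keeping in mind. Exchange hands an incoming session to the connector whose RemoteIPRanges entry matches the source address most specifically, so while the W1 connector listed 192.168.100.0/24 and 192.168.101.0/24 every LAN host landed on it rather than on the catch-all default connector; after the fix, LAN hosts fall through to the default connector. And the AnonymousUsers group does grant ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, so an unauthenticated LAN host can still submit a message "from" an internal address to an internal mailbox; that is sender spoofing rather than relay, and the audit above does not flag it.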

Dan (Network Engineer, author) commented:
That did the trick. I removed the internal ranges and now internally there's no more relay; we'll see if it breaks anything.
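A scripted version of the telnet test from the question, so "no more relay internally" can be checked from a LAN workstation instead of typed by hand. This is an added example, not code from the thread; the server name hub1.domain.org, the sender ceo@domain.org and the recipient test@external-domain.example are placeholders. It talks plain SMTP over port 25, stops after RCPT TO and never sends DATA, so nothing is actually relayed even when the server answers 250.

```powershell
# Added example (not from the thread). Placeholders: hub1.domain.org, ceo@domain.org,
# test@external-domain.example. Run from a LAN host that is not an Exchange server so
# the session lands on the same Receive connector the telnet user hit.

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies put "-" in column 4 ("250-SIZE 10485760"); the final line
    # of a reply has a space there ("250 OK"). Skip to that final line.
    do {
        $line = $Reader.ReadLine()
    } while ($line -ne $null -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpRelay {
    param(
        [string]$Server,
        [string]$MailFrom,
        [string]$RcptTo,
        [int]$Port = 25,
        [string]$HeloName = 'relaytest.local'   # any name; Exchange does not verify it
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName");        $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$MailFrom>");  $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$RcptTo>");      $rcpt = Read-SmtpReply $reader
        $writer.WriteLine("QUIT");                   [void](Read-SmtpReply $reader)
    } finally {
        $client.Close()
    }
    # Exchange 2007 accepts an allowed relay with "250 2.1.5 Recipient OK" and refuses
    # one with "550 5.7.1 Unable to relay". The decision is made at RCPT TO.
    New-Object PSObject -Property @{
        Server    = $Server
        Banner    = $banner
        EhloReply = $ehlo
        MailFrom  = $MailFrom
        MailReply = $mail
        RcptTo    = $RcptTo
        RcptReply = $rcpt
        Accepted  = ($rcpt -ne $null -and $rcpt.StartsWith('250'))
    }
}

# Relay test: internal sender, external recipient. Accepted = True is the open relay.
Test-SmtpRelay -Server 'hub1.domain.org' -MailFrom 'ceo@domain.org' `
               -RcptTo 'test@external-domain.example' |
    Format-List Server, Banner, MailReply, RcptReply, Accepted

# Spoofing test: internal sender, internal recipient. Accepted = True here is not
# relay; it means the connector lets an unauthenticated host send as a local user.
Test-SmtpRelay -Server 'hub1.domain.org' -MailFrom 'ceo@domain.org' `
               -RcptTo 'helpdesk@domain.org' |
    Format-List Server, MailReply, RcptReply, Accepted
```

Run it twice: once from the LAN before and after the connector change, and once from outside (or from the web server's address) to confirm the legitimate relay path still works. The online open-relay checkers named in the question only exercise the second of these.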

Alan Hardisty (Co-Owner) commented:
You are welcome - sounds good.

Thanks for the points.

Alan

Ganesh G (Messaging Consultant) commented:
Thank you Alan & afact.

Alan Hardisty (Co-Owner) commented:
What for?

Ganesh G (Messaging Consultant) commented:
For some useful info which you gave through this forum :)

Alan Hardisty (Co-Owner) commented:
My pleasure.

Alan Hardisty (Co-Owner) commented:
Checking.

Dan (Network Engineer, author) commented:
Actually, that didn't solve the problem, because as soon as I removed the internal IPs, external people were not able to email us anymore.

Alan Hardisty (Co-Owner) commented:
That doesn't make any sense.

Are they authenticating?

Put the settings back - then disable one connector and see which one causes the internal relay to stop.  Then we can look at the settings.

Re-opening the question for now.

Dan (Network Engineer, author) commented:
The external people are not authenticating; they are external people from different companies just trying to send email to me.

I put it back how it was before, and I'm trying to test sending an email from Gmail, but it's still not working:

Delivery to the following recipient failed permanently:

     xxxxxx@domain.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Address unknown (state 14).

----- Original message -----

Received: by 10.227.61.6 with SMTP id r6mr9599643wbh.37.1317232104100; Wed, 28
 Sep 2011 10:48:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.10.83 with HTTP; Wed, 28 Sep 2011 10:47:44 -0700 (PDT)
From: Dan _ <xxxxxxxx@gmail.com>
Date: Wed, 28 Sep 2011 10:47:44 -0700
Message-ID: <CAMzYC+vXmCYR9mBZEXUShGFvVUP3daQU22sBWFHPJdo+XS=U9A@mail.gmail.com>
Subject: test4
To: xxxxxx@domain.com
Content-Type: multipart/alternative; boundary=20cf30025a60a6d39704ae03ffd6

Dan (Network Engineer, author) commented:
Any help? I added the two IP entries back, and it's still not working; I even restarted the services.
I checked my hub transport, and made sure that my internal and external DNS is up to date.

What else can I do to start receiving external email?

Dan (Network Engineer, author) commented:
I even went through the Hub Transport settings for the internal and external DNS, and I updated everything. It's all correct, but it's still not working.

Alan Hardisty (Co-Owner) commented:
Default External receive connector needs Anonymous auth enabled.  Don't recall seeing that on any Receive connector.

Just got home, so on iPhone / iPad for now, but back to laptop later when kids in bed.

Dan (Network Engineer, author) commented:
That didn't work.

Alan Hardisty (Co-Owner) commented:
Default Elisha should be the connector that receives mail externally and should have Anonymous Permissions enabled.

Not sure why you have two Bindings set on it when 0.0.0.0:25 should work.  Worth removing the second binding and testing.

Dan (Network Engineer, author) commented:
After restarting my firewall, everything is working fine now. About 2 weeks ago I demoted and discarded my backup DC, so the only thing I can think of is that it was using the cached IP or something. I already updated the firewall with the new DC, so hopefully it's up and running for good now.

Alan Hardisty (Co-Owner) commented:
Okay - so where are we with relaying internally and receiving external emails?

Dan (Network Engineer, author) commented:
Well, external emails are working now, so that's great. I guess I don't really care about internal relaying, as just removing the internal IP addresses from my W1 connector caused all external emails to not be received. I think I might just leave things the way they are, as it's working now.

Dan (Network Engineer, author) commented:
So then I guess I can remove those internal IP addresses from the list?

Alan Hardisty (Co-Owner) commented:
Yes, you should be able to.

Once done - re-run the get-receiveconnector | fl command again and see what's changed.

Dan (Network Engineer, author) commented:
I'm just going to leave it the way it is, as externally, there's no relaying.

Question has a verified solution.