Solved

Internal open relay on Exchange 2007

Posted on 2011-09-28
Last Modified: 2012-05-12
I am running Exchange 2007 SP2 on Windows 2003 R2 64-bit.
I checked externally and I am NOT an open relay, but internally, a user can use telnet and SMTP to send email as anyone in my organization to anyone, and I would like to know how to stop that. When using Outlook 2007 or 2010, you can't send as someone else unless the user is given access, so why can they send as anyone they want via telnet and the SMTP protocol?
Any help is appreciated.
I've checked to make sure I'm not an open relay with the following websites:
www.mxtoolbox.com/diagnostic.aspx
www.checkor.com
They both said I am NOT an open relay.
Question by:afacts
37 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718189
What are the settings on your Receive Connector(s)?

get-receiveconnector | fl
0
 

Author Comment

by:afacts
ID: 36718202
Which setting in particular do you need to know? Also, how do I access this info in the management console?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718216
Run the command from the Exchange Management Shell.

Alternatively, from the Exchange Management Console, go to Server Configuration> Hub Transport> Receive Connectors and advise the following (per connector)

Network Tab> IP address ranges listed
Authentication Tab> What is ticked
Permissions Group Tab> What is ticked
0
 

Author Comment

by:afacts
ID: 36718225
What's the command to export it to a file? It's easier to just export it to a txt file and then I can add that here.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718242
get-receiveconnector | fl >> connectors.txt

That will write to the folder that you run the command from - usually c:\windows\system32
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718259
You can restrict permissions on the internal relay by authenticated relaying.

http://technet.microsoft.com/en-us/library/aa996446(EXCHG.65).aspx
0
 

Author Comment

by:afacts
ID: 36718265
Is there any info there that I should not display here?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718270
You can hide your domain name - other than that - that should be it.  I can edit / hide anything else later if you need it.
0
 

Author Comment

by:afacts
ID: 36718316
GanyBoy, that article is only for 2003, do you know the link for 2007?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718336
Your SMTP Relay for W1.domain.com connector is open internally:

192.168.101.0-192.168.101.255, 192.168.100.0-192.168.100.255

Presumably you should remove these internal ranges and just have the external ranges??
0
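The check made by eye on the exported connector list above can also be scripted. This is an added example, not part of the thread: it uses the standard Exchange cmdlets Get-ReceiveConnector and Get-ADPermission and the built-in SMTP extended rights, while the three output column names at the end are labels chosen here.

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
$anon = 'NT AUTHORITY\ANONYMOUS LOGON'
# Lets an unauthenticated session address recipients outside the accepted domains (relay).
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
# Lets an unauthenticated session use a sender address in one of your own domains.
$ownDomainRight = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Allow entries held by anonymous sessions on this connector.
    $anonAces = @($rc | Get-ADPermission -User $anon | Where-Object { -not $_.Deny })
    $relay = @($anonAces |
        Where-Object { $_.ExtendedRights -like $relayRight }).Count -gt 0
    $ownDomain = @($anonAces |
        Where-Object { $_.ExtendedRights -like $ownDomainRight }).Count -gt 0

    # "Externally Secured": every host in RemoteIPRanges is treated as
    # already authenticated, so no anonymous right is needed to relay.
    $trusted = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'

    # Column names below are labels chosen for this example.
    $rc | Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism,
        @{Name = 'AnonymousCanRelay';              Expression = { $relay }},
        @{Name = 'AnonymousCanUseOwnDomainSender'; Expression = { $ownDomain }},
        @{Name = 'TreatsRangeAsTrusted';           Expression = { $trusted }}
} | Format-List
```

A connector that reports AnonymousCanRelay or TreatsRangeAsTrusted as True while its RemoteIPRanges covers whole workstation subnets, such as the two 192.168.x.0 ranges quoted above, lets any machine in those subnets relay without logging in.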
 

Author Comment

by:afacts
ID: 36718365
So if I close it internally, what does that mean?  Will it affect anything?  That server is actually an external web server, in which we relay emails as it would come as internally.  
So knowing that, do we still need the internal relaying on?
So to turn it off, do I just remove the internal IPs?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718397
You can put it back if it doesn't work - but it seems to me that you are trying to allow something external to send mail to your server - possibly a 3rd party spam filtering service or a client, but you are also allowing internal users to send too because you have your internal range included, which you shouldn't have.
0
 

Author Comment

by:afacts
ID: 36718520
That did the trick. I removed the internal ranges and now internally, there's no more relay. We'll see if it breaks anything.
0
 
LVL 1

Assisted Solution

by:Ganyboy
Ganyboy earned 250 total points
ID: 36718526
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718534
You are welcome - sounds good.

Thanks for the points.

Alan
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718552
Thank you Alan & afacts.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718563
What for?
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718581
For some useful info which you gave through this forum :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718589
My pleasure.
0
 
LVL 1

Expert Comment

by:Ganyboy
ID: 36718607
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718616
Checking.
0
 

Author Comment

by:afacts
ID: 36718685
Actually, that didn't solve the problem, because as soon as I removed the internal IPs, external people were not able to email us anymore.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36718699
That doesn't make any sense.

Are they authenticating?

Put the settings back - then disable one connector and see which one causes the internal relay to stop.  Then we can look at the settings.

Re-opening the question for now.
0
 

Author Comment

by:afacts
ID: 36718802
The external people are not authenticating; they are external people from different companies just trying to send email to me.

I put it back how it was before, but I'm trying to test sending an email from gmail, but it's still not working:

Delivery to the following recipient failed permanently:

     xxxxxx@domain.org

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 Address unknown (state 14).

----- Original message -----

Received: by 10.227.61.6 with SMTP id r6mr9599643wbh.37.1317232104100; Wed, 28
 Sep 2011 10:48:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.10.83 with HTTP; Wed, 28 Sep 2011 10:47:44 -0700 (PDT)
From: Dan _ <xxxxxxxx@gmail.com>
Date: Wed, 28 Sep 2011 10:47:44 -0700
Message-ID: <CAMzYC+vXmCYR9mBZEXUShGFvVUP3daQU22sBWFHPJdo+XS=U9A@mail.gmail.com>
Subject: test4
To: xxxxxx@domain.com
Content-Type: multipart/alternative; boundary=20cf30025a60a6d39704ae03ffd6
0
 

Author Comment

by:afacts
ID: 36718944
Any help, as I added the two IP entries back, and it's still not working, I even restarted the services.
I checked my hub transport, and made sure that my internal and external DNS is up to date.

What else can I do to start receiving external email?
0
 

Author Comment

by:afacts
ID: 36719162
I even went through the hub transport settings, for the internal and external DNS, and I updated everything. It's all correct, but it's still not working.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36719355
Default External receive connector needs Anonymous auth enabled.  Don't recall seeing that on any Receive connector.

Just got home, so on iPhone / iPad for now, but back to laptop later when kids in bed.
0
 

Author Comment

by:afacts
ID: 36719559
That didn't work.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36719702
Default Elisha should be the connector that receives mail externally and should have Anonymous Permissions enabled.

Not sure why you have two Bindings set on it when 0.0.0.0:25 should work.  Worth removing the second binding and testing.
0
 

Author Comment

by:afacts
ID: 36720247
After restarting my firewall, everything is working fine now. About 2 weeks ago, I demoted and discarded my backup DC, so the only thing I can think of is that it was using the cached IP or something. I already updated the firewall with the new DC, so hopefully it's up and running for good now.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36720277
Okay - so where are we with relaying internally and receiving external emails?
0
 

Author Comment

by:afacts
ID: 36720453
Well, external emails are working now, so that's great. I guess I don't really care about internal relaying, as just by removing the internal IP addresses from my W1 connector, it caused all external emails to not be received. I think I might just leave things the way they are, as it's working now.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 36720462
Removing the internal IP's from your W1 connector should have no bearing on receiving external emails at all, unless you are not receiving emails directly to your Exchange server and they are being sent to another device first, then sent to the Exchange server, which would be odd to say the least.
0
 

Author Comment

by:afacts
ID: 36720469
So then I guess I can remove those internal IP addresses from the list?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36720520
Yes - you should be able to..

Once done - re-run the get-receiveconnector | fl command again and see what's changed.
0
 

Author Comment

by:afacts
ID: 36720599
I'm just going to leave it the way it is, as externally, there's no relaying.
0
