Exchange 2007 block open relay

We have an Exchange 2007 server running on our 2008SBS server. External security scans indicate we have an open relay. I have verified this with several resources. I need to set up the server to only allow authenticated users to send mail. We only have one Exchange server. I have read so many posts and articles and I still don't know what I need to do. I have found some posts that recommend using the Exchange Management Shell. I don't have any experience with it. I need to make sure if I make a change that causes other problems that I know how to undo the change.

On my default receive connector I have TLS enabled. Basic authentication is enabled, with "offer basic authentication only after starting TLS" disabled. I also have integrated Windows authentication enabled. In the permission groups I have the following selected: Anonymous users, Exchange users, Exchange servers and legacy Exchange servers.

I know that by default Exchange 2007 isn't set up to be an open relay, but something went wrong.
wcoil Asked:

PaulD77 Commented:
Open the Exchange Management Console. Under Organization Configuration, select Hub Transport > Accepted Domains, check the properties of your domain, and make sure Authoritative Domain is checked, not External Relay. Also, scan the machine with some AV software... chances are it will switch back to an open relay if some malware is on there.
0
wcoil (Author) Commented:
Paul,

I checked that. It is set to authoritative. Virus and malware scans have come back clean.
0
PaulD77 Commented:
Hmm, did you check all your MX records?

http://www.mxtoolbox.com/
0
wcoil (Author) Commented:
Check them for what?
0
Madan Sharma (Consultant) Commented:
Hi,

Open up your Exchange Management Shell and paste the following command into it:

Get-ReceiveConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

If it asks for any confirmation, press Y and go ahead.
0
wcoil (Author) Commented:
akicute,

If I do this and test it, I need to be able to change it back right after testing. We have mobile devices that will have to be notified about using SMTP auth. How would I go about doing that?
0
Madan Sharma (Consultant) Commented:
Mobile devices should also authenticate before connecting to the Exchange server. No need to change this setting again and make your server an open relay.
0
wcoil (Author) Commented:
After looking at this in more detail, your command creates an open relay rather than blocking it.
0
Madan Sharma (Consultant) Commented:
Ah! My apologies, just use this one:

Get-ReceiveConnector | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
0
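An added example, not part of any post in this thread and not Microsoft's own script: before removing the anonymous relay right, list which receive connectors actually grant it and save that list so the change can be reverted, which is what the asker wanted. The backup path and the function name `Restore-AnonRelayGrant` are assumptions made for this example.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
$anon   = 'NT AUTHORITY\ANONYMOUS LOGON'
$right  = 'ms-Exch-SMTP-Accept-Any-Recipient'
$backup = 'C:\Temp\anon-relay-grants.csv'   # placeholder path (assumption)

# 1. Read-only audit: which receive connectors allow anonymous senders to
#    address any recipient, i.e. relay to domains the server does not own?
$grants = @(Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    Get-ADPermission -Identity $rc.Identity -User $anon |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like "*$right*") } |
        Select-Object @{Name='Connector';   Expression={$rc.Identity.ToString()}},
                      @{Name='IsInherited'; Expression={$_.IsInherited}}
})
$grants | Format-Table -AutoSize

# 2. Record the current state before changing anything.
$grants | Export-Csv -Path $backup -NoTypeInformation

# 3. Remove the right only where it is set directly on a connector.
#    The confirmation prompt is left on deliberately.
$grants | Where-Object { -not $_.IsInherited } | ForEach-Object {
    Remove-ADPermission -Identity $_.Connector -User $anon -ExtendedRights $right
}

# 4. Verify by running step 1 again; the direct grants should be gone.

# 5. Rollback (hypothetical helper): re-adds exactly the grants recorded in
#    step 2. Defined here but not called.
function Restore-AnonRelayGrant {
    Import-Csv -Path $backup | ForEach-Object {
        Add-ADPermission -Identity $_.Connector -User $anon -ExtendedRights $right
    }
}
```

If step 1 returns nothing, the receive connectors are not granting this right to anonymous senders, and the relay reported by an external scan points at something else in the mail path.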
wcoil (Author) Commented:
I've done this. When I try to set up my iPad to use SMTP auth, I get a message that the SMTP server doesn't support password authentication.
0
Madan Sharma (Consultant) Commented:
Open up your Exchange 2007 EMC and navigate to Server Configuration => Client Access => Exchange ActiveSync. Right-click Microsoft Server ActiveSync and go to Properties. Select the Authentication tab and make sure Basic authentication is checked; if it is not selected, select it and click OK, then try to configure your iPhone.
0
wcoil (Author) Commented:
Doh!! I have found that the problem was ahead of the Exchange server with our Barracuda spam filter.
0

Vee_Mod Commented:
Starting the auto-close procedure on behalf of the question asker.

Vee_Mod
Community Support Moderator
0