Solved

MSX 2K3 relays even thought open relays have been blocked

Posted on 2013-06-05
7
293 Views
Last Modified: 2013-06-12
I have been fighting a problem with my mail server for a couple of weeks now and need some assistance.

My MSX 2K3 server passes a 16 point open relay test, however, about once a week, I have to go to the ESM and inspect the SMTP connections.  I will see an IP that is making several concurrent connections and I get alerted from MX Toolbox that I am now a spammer.

I will go into the properties of the smtp virtual server and block that IP for incoming connections and the problems will subside until another spammer starts the process all over again.

I have trend micro WFBS 8.0 and the server passes weekly malware scans, however I am aware that if there is already an infection, the system may be ignoring the condition, thinking that "all's well".

So, other than my system having a possible infection, what else can I do?  I have followed all lockdown procedures outlined in several documents from MS and EE and it appears as if the open relay issue is not an issue...  I am now getting reported as a spamming server and this is causing a breakage in the business.

What am I missing?
0
Comment
Question by:CandSNetworking
  • 4
  • 3
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222607
Have you completely disabled authenticated relaying?
Do you have any systems listed in the allow relay list on the SMTP VS in ESM?

Simon.
0
 

Author Comment

by:CandSNetworking
ID: 39222887
Simon,

Please let me know which feature is configured to disallow authenticated relaying and I will look and see.  


We have the IP of the router and the localhost (127.0.0.1) as "allowed" in the SMTP VS...

Is this what you were asking?
0
 

Author Comment

by:CandSNetworking
ID: 39222951
Simon,

Is this what you were asking me about?
Screen shot of my SMTP relay config
Also, authenticated users from the  "users" button are enabled for submit only, not relay.  And I was incorrect about the ip addresses... we've used the NAT address of the server internally and Localhost.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222997
You don't need either 127.0.0.1 or the router in the list for Exchange to work.
In some cases having the router listed can turn the server in to an open relay, because of how Exchange sees the traffic. Therefore I would remove the two entries and then restart the SMTP Server service and test again.

Simon.
0
 

Author Comment

by:CandSNetworking
ID: 39223033
I'll be happy to remove these two ip addresses (even the NAT address?  I was told that this had to be in the SMTP VS)

I am not sure how to test this, as all relay testing already shows that I have a closed relay....  recommendations?

To date, the "test" has been, "hey admin, I can't send email to xxxx@xxx.xx"  :)
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39223496
Who told you they had to be in the list? As who or whatever the source was, is incorrect.
You may not have an open relay, it could be an authenticated relay, unfortunately you will have to wait to see whether the problem goes away.

Worst case is you have compromised account and the attacker is actually logging in to OWA or using Outlook to send the messages. Not unheard of as the result of a phishing attack.

Simon.
0
 

Author Closing Comment

by:CandSNetworking
ID: 39241385
Simon,

Thank you for bringing these misconfigurations to our attention... up until now, we did not realize that relays could be authenticated through several mechanisms.

We believe that we are ready to close this question and appreciate the assist!

Sky
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now