Solved

MSX 2K3 relays even thought open relays have been blocked

Posted on 2013-06-05
7
316 Views
Last Modified: 2013-06-12
I have been fighting a problem with my mail server for a couple of weeks now and need some assistance.

My MSX 2K3 server passes a 16 point open relay test, however, about once a week, I have to go to the ESM and inspect the SMTP connections.  I will see an IP that is making several concurrent connections and I get alerted from MX Toolbox that I am now a spammer.

I will go into the properties of the smtp virtual server and block that IP for incoming connections and the problems will subside until another spammer starts the process all over again.

I have trend micro WFBS 8.0 and the server passes weekly malware scans, however I am aware that if there is already an infection, the system may be ignoring the condition, thinking that "all's well".

So, other than my system having a possible infection, what else can I do?  I have followed all lockdown procedures outlined in several documents from MS and EE and it appears as if the open relay issue is not an issue...  I am now getting reported as a spamming server and this is causing a breakage in the business.

What am I missing?
0
Comment
Question by:CandSNetworking
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222607
Have you completely disabled authenticated relaying?
Do you have any systems listed in the allow relay list on the SMTP VS in ESM?

Simon.
0
 

Author Comment

by:CandSNetworking
ID: 39222887
Simon,

Please let me know which feature is configured to disallow authenticated relaying and I will look and see.  


We have the IP of the router and the localhost (127.0.0.1) as "allowed" in the SMTP VS...

Is this what you were asking?
0
 

Author Comment

by:CandSNetworking
ID: 39222951
Simon,

Is this what you were asking me about?
Screen shot of my SMTP relay config
Also, authenticated users from the  "users" button are enabled for submit only, not relay.  And I was incorrect about the ip addresses... we've used the NAT address of the server internally and Localhost.
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39222997
You don't need either 127.0.0.1 or the router in the list for Exchange to work.
In some cases having the router listed can turn the server in to an open relay, because of how Exchange sees the traffic. Therefore I would remove the two entries and then restart the SMTP Server service and test again.

Simon.
0
 

Author Comment

by:CandSNetworking
ID: 39223033
I'll be happy to remove these two ip addresses (even the NAT address?  I was told that this had to be in the SMTP VS)

I am not sure how to test this, as all relay testing already shows that I have a closed relay....  recommendations?

To date, the "test" has been, "hey admin, I can't send email to xxxx@xxx.xx"  :)
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39223496
Who told you they had to be in the list? As who or whatever the source was, is incorrect.
You may not have an open relay, it could be an authenticated relay, unfortunately you will have to wait to see whether the problem goes away.

Worst case is you have compromised account and the attacker is actually logging in to OWA or using Outlook to send the messages. Not unheard of as the result of a phishing attack.

Simon.
0
 

Author Closing Comment

by:CandSNetworking
ID: 39241385
Simon,

Thank you for bringing these misconfigurations to our attention... up until now, we did not realize that relays could be authenticated through several mechanisms.

We believe that we are ready to close this question and appreciate the assist!

Sky
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question