Solved

Throttle settings on Exchange 2003

Posted on 2014-04-07
Last Modified: 2014-05-05
We have Exchange internal on our server. We have kept getting blacklisted for the past 2 weeks. I have run every antivirus and Malwarebytes on all machines on the network, yet we keep getting listed.

I read that setting throttling settings can help prevent this as well as setting up spam filtering. Where can I find those settings in Exchange 2003?

Thanks.
Question by:raffie613
32 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39984932
I suppose it could be the throttle settings but I have never seen it be that.

Have you checked to see if your server is an Open Relay? If so, that for sure could cause this and it needs to be disabled.

Microsoft kb:

http://support.microsoft.com/kb/324958

Here is a good smtp test site:

http://mxtoolbox.com/diagnostic.aspx
0
 

Author Comment

by:raffie613
ID: 39984955
It definitely is not the cause. The cause is a virus, I am sure, but we can't seem to pinpoint it and have too many users bringing in laptops.
I followed the steps in the article and we do not have SMTP port 25 open. We have a firewall and email spam filter.
Should I still look to disable open relay? Would that be causing us to be blacklisted?

Any other ideas to keep us from getting blacklisted?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39984957
You should have SMTP port 25 open.. if you didn't then you wouldn't be able to receive email on your Exchange server at all....

So as long as SMTP port 25 is open, I would certainly check for open relay.

Are you doing inbound AND outbound spam filtering.. or just inbound?
0
 

Author Comment

by:raffie613
ID: 39984965
Just inbound. What tools will do outbound?

Where do I disable open relay on Exchange 2003?
0
 

Author Comment

by:raffie613
ID: 39984967
Mxtoolbox says it is NOT an open relay.
Any other ideas?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39984970
On your perimeter firewall, is your email server the ONLY internal machine allowed to send outbound traffic on port 25?
0
 

Author Comment

by:raffie613
ID: 39984990
Looks like it is set for * (all) allowed to send SMTP to our Sonicwall ESA. The ESA, however, is not configured to check outbound mail for viruses.

Should I make any changes to that?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39984993
It is considered best/common practice to only allow your email server to send traffic outbound on port 25.

So the only IP allowed to use port 25 from your Internal to External zone should be the IP of your email server.

You can scan outgoing email for viruses if you wish.
0
 

Author Comment

by:raffie613
ID: 39985002
So configure the rule to read, instead of *, just the server IP address sending on port 25 to the ESA?
Or have * send SMTP to the email server?
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 500 total points
ID: 39985004
Outbound smtp traffic should be restricted to the email server.

Inbound traffic should still come from *.
0
 

Author Comment

by:raffie613
ID: 39985011
OK, so I changed the rule to have the email server be the only one to pass SMTP traffic to the ESA, or should I have it send to *?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39985014
Send to *.

Its smtp traffic is not destined toward the Sonicwall. Its smtp traffic is destined to other email servers. It just passes through your Sonicwall on the way.
0
 

Author Comment

by:raffie613
ID: 39985025
OK, but wouldn't it help my issue if we subscribed to the ESA outgoing antivirus email check and had all the outgoing mail filter through there?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39985028
My knowledge could be dated, but I was under the impression that the Sonicwall just scans outgoing SMTP traffic for viruses. If this is the case, you would not direct your email traffic to the Sonicwall. The traffic passes through the Sonicwall and it is scanned along the way.

If it were doing outbound spam filtering, that would be a different story, as you would have to set up a smart host on the Exchange side too.
0
 

Author Comment

by:raffie613
ID: 39985045
Is it easier to just move our email to an off-site host for Office 365?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39985046
Yes and no. It all depends on your organization's requirements and staff.

Note that Exchange 2003 IS about to go end of support, so even if you do not go to a cloud solution like Office365, I would highly recommend upgrading to a higher version of Exchange such as 2010.
0

 

Author Comment

by:raffie613
ID: 39985065
If I can't figure out a way to prevent our domain from being blacklisted any time someone gets a virus on their laptop when they bring it in, Exchange email will do me no good anyway.
0
 

Author Comment

by:raffie613
ID: 39985067
What about throttling.  Would that help? If so how do I enable it?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39985070
No virus will be able to relay spam email via your public IP if you locked down your ACL on the firewall.

If you have issues with viruses, I would review the configuration of your company anti-virus solution.

This isn't an issue as long as your security posture is properly managed. I manage roughly 20 clients with Exchange on premise; none of them have issues with being blacklisted as I deploy layered security at all of them.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39985263
There is no throttling on Exchange 2003.
If your Exchange 2003 server was being abused, then you would see signs of it on the server itself, such as large numbers of messages in the queues.

The most likely cause of blacklisting is a workstation, which appears to be coming from the same IP address.

If you can get Exchange on to its own external IP address that will stop the blacklisting of its IP address when that happens.
Blocking port 25 outbound will also help, plus if you enable logging it will allow you to track down the source.

Stop concentrating on the Exchange server as the cause, it is unlikely to be where the messages are originating from.

Simon.
0
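The logging step suggested in the comment above, as an added example that is not part of the original thread: it scans firewall connection logs for internal hosts other than the mail server that attempt outbound TCP/25. The log layout (generic key=value fields), the 192.168.1.0/24 network and the mail server address are assumptions; adapt the field names to whatever your firewall exports.

```python
import ipaddress
import re
from collections import Counter

# Assumed values, not taken from the thread.
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log lines in a generic key=value layout.
SAMPLE_LOG = """\
2014-04-07T09:00:01 src=192.168.1.10 dst=203.0.113.25 dport=25 proto=tcp action=allow
2014-04-07T09:00:02 src=192.168.1.57 dst=198.51.100.7 dport=25 proto=tcp action=allow
2014-04-07T09:00:02 src=192.168.1.57 dst=198.51.100.8 dport=25 proto=tcp action=allow
2014-04-07T09:00:03 src=192.168.1.57 dst=203.0.113.40 dport=25 proto=tcp action=allow
2014-04-07T09:00:04 src=192.168.1.23 dst=192.168.1.10 dport=25 proto=tcp action=allow
2014-04-07T09:00:05 src=192.168.1.88 dst=198.51.100.7 dport=443 proto=tcp action=allow
2014-04-07T09:00:06 src=192.168.1.88 dst=198.51.100.9 dport=25 proto=tcp action=deny
2014-04-07T09:00:07 src=203.0.113.5 dst=192.168.1.10 dport=25 proto=tcp action=allow
truncated line with no usable fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Return [(host, count)] for internal hosts, other than the mail
    server, that attempted outbound SMTP. Denied attempts are counted
    too: a blocked connection still identifies the infected machine."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("dport") != "25" or fields.get("proto") != "tcp":
            continue
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # malformed line, skip it
        # Outbound only: internal source talking to an external destination.
        if is_internal(src) and not is_internal(dst) and src != mail_server:
            counts[str(src)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for host, n in rogue_smtp_sources(SAMPLE_LOG):
        print(f"{host}\t{n} outbound SMTP attempts")
```

Any host this reports is a workstation sending mail directly to the internet and is the first machine to pull off the network and scan.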
 

Author Comment

by:raffie613
ID: 39985886
How do I point the Exchange server to my second external IP address? Just add the rule to the firewall, or is there a place inside Exchange I need to do it as well?
0
 

Author Comment

by:raffie613
ID: 39985925
Also, the Sonicwall only gives me an option to allow LAN traffic out for all services and a bunch of other specific ones, but not just for TCP. The only TCP options it has are for TiVo TCP.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39985995
I cannot help with the Sonicwall queries, you should ask Sonicwall support on how to block port 25 outbound.

The same goes for the external IP address. Remember you need to set up everything - so you will need a PTR on that address, the DNS changed as well as the firewall. It will be something like NAT, you want it for both inbound and outbound traffic, so the traffic appears to be coming from the correct IP address. I expect the Sonicwall can do it, it just isn't something I have ever used.

Simon.
0
 

Author Comment

by:raffie613
ID: 39986231
Simon,
Regardless of the Sonicwall settings, is there anything I would need to do on the Exchange server to have emails go in and out from the new external IP?
0
 

Author Comment

by:raffie613
ID: 39986261
Now that I changed my firewall to only let my Exchange server use SMTP, we are unable to receive any external email from outside our network.

Do I need to create a new SMTP rule to allow destination * to reach my Exchange server?

Or do I do a POP3 rule to reach the Exchange server?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39986381
Exchange doesn't care what the external IP address is, so there is nothing that you need to do to ensure that the email flows. If you have made changes on the Sonicwall and email flow has stopped, then the changes were wrong. You do not need to do anything to Exchange.

Whether you require additional rules in the Sonicwall, I cannot answer, that depends on the rule system you have at the moment. POP3 has nothing to do with delivering email to your server, that is a client protocol.


Simon.
0
 

Author Comment

by:raffie613
ID: 39987529
OK, can you guide me on how I go about making the Exchange server use the second external IP address instead of the IP address the network uses to get out?
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39987626
You would have to set up a new NAT rule on your Sonicwall to tell it to NAT the internal Exchange IP out to the secondary public IP.

Then you would have to call your ISP to set up a new DNS PTR record.

You would also have to adjust your public DNS MX/A records.

The EASIER route... keep your Exchange server on the current IP and change everything else to NAT out the second public IP.

So have a NAT rule that NATs your internal Exchange IP out the current primary IP.
Second NAT rule UNDER it to NAT out * to secondary public IP.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39988251
"The EASIER route... keep your Exchange server on the current IP and change everything else to NAT out the second public IP. "

Except that is the one that is blacklisted and has a poor reputation. I always find it easier to NAT everything over the default first IP address, and put Exchange on to an additional address. That way if something is forgotten or reset and traffic starts going out on the default address, the Exchange server has its own address rather than clients trashing the reputation.

Simon.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39988558
True, it may have a poor reputation.. but in my experience, an IP never gets blacklisted again unless it is found to be abusing again.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39989417
That is exactly my point - if you use the default IP address and make an error when doing the firewall rules, a workstation could cause blacklisting because it is the default address. I work on the basis of planning for the worst - so for the additional work of getting the second address to work (which isn't that much of a problem) I cover myself against future errors.

Simon.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39989492
I see what you mean.

However, my suggestion was to change the default outbound NAT address to the secondary public IP and have an explicit rule for outbound NAT that matches on only the Exchange server.. so it would avoid any future issues.
0
