GreatSolutions
asked on
Cannot find the fix for Exchange 2010 open relay
Hi
From time to time the queues in my Exchange 2010 server are full of spam. When checking those messages, I see the "from" field is some external email address, not from our organization.
I have been looking here and trying different options, but still, in tests on mxtoolbox and other tools, the server still shows up as an open relay, even though I have a specific domain list in my "accepted domains" tab...
Could someone walk me through the settings to close the open relay?
Thanks
Jaime
Please only open port 25 on the firewall to the Exchange server. Also enable and configure the anti-spam feature on Exchange 2010.
http://technet.microsoft.com/en-in/library/bb201691%28v=exchg.150%29.aspx
First, disable the anonymous setting on the relay connector. If you are using Exchange for application relay, create a new relay connector and configure your application to use it.
ASKER
Alan, in test methods 0, 1 and 3 I have "Test not passed".
Amit, if I disable the anonymous setting I cannot receive mail anymore.
The anti-spam feature of Exchange is configured.
Okay, then you have a problem, as you are an open relay.
How many receive connectors do you have setup?
ASKER
Two receive connectors: one named "Default", where all remote networks are enabled (0.0.0.0 to 255.255.255.255), and another called "Client", where only my internal IP range is listed in the remote network (192.168.1.1/24).
Okay. Please note down the settings of the Default connector, disable it, then create a new receive connector, replicate the settings from the first one, and then enable it and test.
Alan
ASKER
I forgot to mention I have Anonymous selected in both receive connectors.
If I create a new receive connector similar to the default with the exact same settings, what's the point? Should I set something different in the new connector?
Ah!
Please just disable the non-Default connector, restart the Microsoft Exchange Transport service and then test on the test site again.
If you get the same results, please disable the Default connector and set up a new one, as the Default connector may have underlying permissions that you can't see via the Exchange Console that allow relaying, which a new connector won't have by default.
Make sure you restart the Microsoft Exchange Transport service after making the changes, then test again and report back.
Many thanks
Alan
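To reproduce the relay check that the online test sites run, without waiting on an external tool after every connector change, here is a small SMTP relay probe. This is an added example written for this page, not code posted in the thread. It assumes the server listens on TCP 25 and that the hostname, sender and recipient addresses are placeholders you replace with your own. It does what the test sites do: connects anonymously, presents an external sender, and asks the server to accept an external recipient. Exchange only relays that if the connector grants the ms-Exch-SMTP-Accept-Any-Recipient right to anonymous senders; otherwise it answers "550 5.7.1 Unable to relay".

```powershell
# Added example (not from the original thread): a minimal SMTP open-relay probe.
# Assumptions: port 25 is reachable; the server name and the two example.net /
# example.org addresses are placeholders.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies can span several lines ("250-..."); the final line has a
    # space after the three-digit code instead of a hyphen.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw "Connection closed by server" }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ($lines -join "`n")
}

function Send-SmtpCommand {
    param(
        [System.IO.StreamWriter]$Writer,
        [System.IO.StreamReader]$Reader,
        [string]$Command
    )
    $Writer.WriteLine($Command)          # NewLine is set to CRLF by the caller
    $Writer.Flush()
    $reply = Read-SmtpReply -Reader $Reader
    Write-Host ("> {0}`n< {1}" -f $Command, $reply)
    return $reply
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$From = 'relaytest@example.net',   # external sender (placeholder)
        [string]$To   = 'relaytest@example.org'    # external recipient (placeholder)
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    try {
        Write-Host ("< {0}" -f (Read-SmtpReply -Reader $reader))   # 220 banner
        $null = Send-SmtpCommand $writer $reader "EHLO relaytest.example.net"
        $null = Send-SmtpCommand $writer $reader "MAIL FROM:<$From>"
        $rcpt = Send-SmtpCommand $writer $reader "RCPT TO:<$To>"
        $null = Send-SmtpCommand $writer $reader "QUIT"
    }
    finally { $client.Close() }

    # A 250 here means the server accepted an external recipient from an
    # unauthenticated, external sender: that is an open relay. A connector
    # without ms-Exch-SMTP-Accept-Any-Recipient answers 550 5.7.1 instead.
    if ($rcpt -match '^250') {
        Write-Warning "OPEN RELAY: $Server accepted RCPT TO:<$To> from an unauthenticated sender"
        return $true
    }
    Write-Host "Relay refused ($($rcpt.Split("`n")[0])): not an open relay from this source address"
    return $false
}

# Run once from outside your network against the public MX host, and once from
# an internal address: the external run must return $false, and the internal run
# must return $true only from the host(s) the application relay connector allows.
# Test-SmtpRelay -Server 'mail.example.com'
```

The source address matters: Exchange selects the receive connector by the client's IP, so a probe from the LAN exercises a different connector than the online tests do. Test from both sides after each change, and restart the transport service first so the new configuration is actually loaded.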
That's what I said in my post: disable anonymous and set up a new connector for relay, if required.
ASKER
I disabled the non-Default connector. I can send and receive mail, and the internal application (that needs the relay) can also send mail. The problem is that when testing it's still an open relay.
If I now disable anonymous in the Default connector, it won't receive mail at all from the outside...
If you disable the Default connector, you won't receive emails for a short while, until you configure a new receive connector and restart the Transport service. Then emails will flow again; any senders that tried to talk to your server in the meantime will retry, and nothing will get lost.
Then you will hopefully have fixed the problem, mail flow will return to normal, and you can get yourself off any blacklists that you have managed to land on as a result.
Alan
ASKER
Ok, I'm giving it a try.
I have disabled all receive connectors.
When creating a new connector, what type should I use, custom?
I created a custom one, and then I see that only TLS is selected in authentication, and nothing is selected in the permission groups.
ASKER
Amit, if I disable Anonymous, how will it receive mail from outside?
You need Anonymous to be able to receive emails. Just copy all the settings that you had on the old Default one, restart the Transport service, and test mail flow and the open relay site.
Alan
ASKER
Alan, you're right on the spot. I ticked Anonymous in the newly created one, mail flow is good, and all tests are ok.
Now the only issue left is to create a new connector as a relay for our internal application. For this receive connector, I guess I do not need to tick Anonymous, and should I just enter my internal IP range in the "remote networks" setting?
Just enable the old Client connector, restart the Transport service, and test the open relay again and see how that goes. If it was restricted to the internal IPs, then you should be good to go.
Alan
ASKER
I enabled the old Client connector, which didn't change much; in fact this Client connector is for port 587. I don't know why this one is needed.
The problem with the new connector is that the application does not send. I need to give it the possibility to send mail even when not authenticated, provided it's from an internal IP.
The weirdest thing is that the new connector has the exact same settings as the Default one (except the range, which is 1.1.1.1 to 255.255.255.255, since it didn't let me enter the same range as an existing connector).
Okay, leave the new connector alone now; that is for the public to use for sending you emails and nothing else.
In terms of the Client connector, what is sending to/from it, and what isn't working?
What is the network range on the new connector and on the Client connector? Ideally the new connector should cover everything except your internal network range, and your Client connector just your internal network range.
ASKER
As I previously said, there is an internal application that sends mail as unauthenticated users.
The situation now is extremely frustrating. Here it is explained in a nutshell (forget about the old Client connector; everything works without it, so I'm removing it to not complicate things further):
1) Enable old Default connector (and disable all others)
- remote network range 0.0.0.0-255.255.255.255
- anonymous ticked
******* results ***********
- system sends and receives mail
- internal application sends mail successfully
- system is an open relay in tests
2) Enable two connectors
- new connector Main with the exact same settings as the old Default connector
- remote network ranges: 0.0.0.0-192.168.0.255 and 192.168.2.1-255.255.255.255, anonymous ticked
- new connector Client with range 192.168.1.1-192.168.1.255, anonymous ticked
******* results **********
- system sends and receives mail
- internal application does not send mail
- system is not an open relay in tests
It's driving me crazy!!!!
ASKER CERTIFIED SOLUTION
ASKER
That was it!! Granting the ADPermission to the client was the missing link!!
A million thanks for your patience!
You're welcome. It looks like that permission may have been granted to the Default connector at some point, so that would be why the Open Relay was created.
Now just to tackle any Blacklists:
www.blacklistalert.org / http://mxtoolbox.com/blacklists.aspx
Alan
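The missing piece in the thread is the distinction between the AnonymousUsers permission group, which only lets a connector accept mail for your accepted domains, and the ms-Exch-SMTP-Accept-Any-Recipient extended right, which is what allows relaying to any recipient. An internet-facing connector needs the former and must never carry the latter; an application relay connector carries both, restricted to the application's IP. The following Exchange Management Shell commands are an added example written for this page, not the thread's accepted solution or Microsoft's text; the server name EX01, the connector names and the application host IP 192.168.1.50 are placeholders.

```powershell
# Added example (not from the original thread). Exchange 2010 Management Shell:
# (1) find which receive connector grants unauthenticated senders the relay
# right, (2) strip it from the internet-facing connector, (3) create a dedicated
# relay connector for the internal application. EX01, the connector names and
# 192.168.1.50 are placeholders; substitute your own.

# 1. Audit: which connectors let anonymous senders relay to any recipient?
#    Only a relay connector should appear here. If the internet-facing Default
#    connector is listed, that is the open relay, and it is invisible in the
#    console because it is an AD permission, not a permission-group checkbox.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and
                   $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table Identity, User, Deny -AutoSize

# Overview of bindings, remote ranges and permission groups on every connector.
Get-ReceiveConnector |
    Format-List Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Fix the internet-facing connector: keep AnonymousUsers (without it the
#    server cannot receive mail for your accepted domains), but remove the
#    Accept-Any-Recipient right that turns "accept" into "relay".
Get-ReceiveConnector 'EX01\Default EX01' |
    Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' -Confirm:$false

# 3. Dedicated relay connector for the internal application.
#    Restrict RemoteIPRanges to the application host(s), not the whole LAN:
#    every address in this range can send to any external recipient without
#    authenticating. The range may overlap the Default connector's
#    0.0.0.0-255.255.255.255; Exchange chooses the connector whose range is the
#    most specific match for the source IP, so the ranges need not be carved up.
New-ReceiveConnector -Name 'Application Relay' -Server 'EX01' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges '192.168.1.50' `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

Get-ReceiveConnector 'EX01\Application Relay' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Load the new configuration, then re-run the audit in step 1: only
# 'Application Relay' should be listed.
Restart-Service MSExchangeTransport
```

After the restart, re-test from outside against the public MX (it must refuse an external recipient) and from the application host (it must accept one); a probe from any other internal address should be refused as well, which confirms that the relay connector, not the whole LAN, is doing the relaying.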
ASKER
Thanks, I indeed checked for blacklisting as soon as it worked; luckily we were still clean.
On another note, I still have a problem with some users relaying, and that has to do with permissions, so I created a new question for it: https://www.experts-exchange.com/questions/28520062/Adding-rights-to-smtp-relay-users-in-Exchange-2010.html
What does that return in the results?
Alan