exchange 2010 open relays

How would I close open relays? Would i need to? Will it effect anything if i do?

I recently ran some security test and it shows we have an open relay on our exchange box. How would i turn open relay off? If i do will it affect anything internally, as we use email relays for some of our servers that sends out alerts.

Will this effect anything from the outside coming in?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
You need to close an open relay.
If you need to allow servers to relay through your Exchange server, then configure a specific connector that allows just those servers to relay.

A correctly configured receive connector will not affect inbound email.

The most common method for creating an open relay is for the Default Receive Connector to have Externally Secured enabled.
The second most common method is to have a connector configured to allow relaying from the entire subnet, but traffic from the gateway device appears to Exchange to come from an internal source.

There is no single answer to the question on how to close the open relay. You need to go through the server configuration carefully, locking down everything but the Default Receive Connector to specific IP addresses. The default receive connector should be open to everyone (unless you use an external filtering source) with anonymous enabled. Externally Secured should NOT be enabled.

sirichaiphumiratAuthor Commented:
Our default connector doesn't have externally secured enabled,

But we have internal relay that has externally secured enabled is that ok or should that be disabled?

Example of one of our internal relay is

Under Authentication
transport layer Security TLS is checked

Externally Secured is Checked..   All others are unchecked

Permission groups
 everything is  checked but anonymous.

I also tried testing by sending email using telnet 25 command and wasn't able to.  

But when test on mxtoolbox  on one of the errors it says that, your server may be able to relay.  Which is weird.

thanks for the help.
Simon Butler (Sembee)ConsultantCommented:
May be able to relay doesn't mean it can.
All it means is the dumb test at mxtoolbox cannot tell, but the server isn't returning a response that confirms it cannot.
That usually means you haven't got recipient filtering enabled, or something is between Exchange and the internet scanning email is hiding headers.

For relaying... this article on TechNet outlines the best practise.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sirichaiphumiratAuthor Commented:
thank you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.