[Repost] Preventing Exchange 2000/2003 from Relaying

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

What's a "Relay"?

First let's see what "relaying" is:

  1. A user in your domain wants to send e-mail to another user in your domain - This is NOT relaying.

  2. An outside user (from the Internet) wants to send e-mail to another user in your domain - This is NOT relaying.

  3. A user in your domain wants to send e-mail to an outside user (on the Internet) - This IS relaying.

  4. An outside user (from the Internet) wants to send e-mail to an outside user (on the Internet) - This IS relaying.

The default Exchange 2000/2003 configuration does not allow unauthenticated users to relay through the server.

Exchange 2000/2003 provides full Simple Mail Transfer Protocol (SMTP) mail services. The Exchange 2000 SMTP server can be used to receive and relay e-mail messages to other Exchange 2000/2003 servers on your network or to other SMTP servers on the Internet. Mail relay allows Exchange 2000 mail clients to send mail to users in other organizations. If mail relay is not allowed, the Exchange 2000 server can only receive and send mail for users in the same mail domain as the Exchange 2000/2003 servers.

When the Exchange 2000/2003 server relays e-mail messages, the Exchange 2000/2003 server can forward mail that is addressed to mail domains other than its own. This allows Exchange 2000 to forward mail to any internal or external network SMTP server.

There are dangers inherent in making an Exchange 2000/2003 server accessible to Internet users. The Exchange 2000/2003 server might be used as a mail relay by Internet users, which is undesirable because unscrupulous users might forward mail to your Exchange 2000/2003 SMTP server to distribute unsolicited commercial e-mail messages to large numbers of computers. This can have a severe adverse impact on available bandwidth for your Internet connection and might lead to your mail server being placed on "black hole" lists of open mail relays. If your server is placed on such a list, other mail servers may not accept mail from your domain.

For a user or computer to relay e-mail messages through an Exchange 2000/2003 SMTP server, two conditions must be met:

  • The user or computer must be able to gain access to the Exchange 2000/2003 server.

  • The Exchange 2000/2003 server must be configured to relay e-mail messages to other domains.

If these conditions are not both met, the server does not relay e-mail messages.

Prevent Relaying

To prevent the Exchange 2000/2003 server from relaying e-mail messages:

  1. Start Exchange System Manager.

  2. Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to prevent mail relay, and then expand the Protocols node.

  3. Expand the SMTP node, right-click the virtual SMTP server on which you want to prevent mail relay, and then click Properties.

  4. Click the Access tab, and then click Authentication.

  5. Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.

     Note the effect of these check boxes:

     • If you click to select the Anonymous access check box and do not select any other check box on this page, all users and computers can gain access to the Exchange 2000/2003 SMTP server. This setting disables inbound authentication.

     • If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000/2003 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

  6. Click Relay.

  7. In the Relay Restrictions dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000/2003 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

     a. Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

     b. Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

     c. Click Cancel if you do not want to make any changes.

  8. In the Relay Restrictions dialog box, click OK.

  9. Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.
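The relay rule the four cases above and the Relay Restrictions settings describe, as an added example that is not part of the original article: relay_allowed() models the default policy (local recipients accepted, everything else relayed only for authenticated sessions or listed IPs), a constructed toy SMTP endpoint answers the way a correctly configured server should, and probe_relay() is the unauthenticated check you would point at your own server after applying the steps. Domain names and the 192.0.2.10 relay-list entry are constructed sample values.

```python
import smtplib, socketserver, threading

LOCAL_DOMAINS = {"example.com"}   # constructed: domains this server receives mail for
RELAY_IPS = {"192.0.2.10"}        # constructed: entries in the "Only the list below" list

def relay_allowed(rcpt, authenticated, client_ip, relay_for_auth=True):
    # Cases 1 and 2 of the article: a local recipient is inbound mail, never relaying.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    # Cases 3 and 4: relay only when the session authenticated (and the
    # "allow all computers which successfully authenticate" box is on) or
    # when the client address is on the relay list.
    return (relay_for_auth and authenticated) or client_ip in RELAY_IPS

class ToySMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a correctly configured, anonymous-access server."""
    def handle(self):
        ip = self.client_address[0]
        self.wfile.write(b"220 mail.example.com ESMTP ready\r\n")
        while True:
            line = self.rfile.readline().decode(errors="replace").strip()
            if not line:
                return                          # client went away
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                reply = "250 mail.example.com Hello"
            elif verb == "MAIL":
                reply = "250 2.1.0 Sender OK"
            elif verb == "RCPT":                # the relay decision happens here
                rcpt = arg.split(":", 1)[-1].strip("<> ")
                reply = ("250 2.1.5 Recipient OK" if relay_allowed(rcpt, False, ip)
                         else f"550 5.7.1 Unable to relay for {rcpt}")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                reply = "500 5.5.1 Command unrecognized"
            self.wfile.write(f"{reply}\r\n".encode())

def start_toy_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToySMTP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv                                  # srv.server_address holds the port

def probe_relay(host, port, local="user@example.com", external="user@example.net"):
    """Unauthenticated check: local recipient must be accepted, external refused."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.net", timeout=5) as s:
        s.ehlo()
        s.mail("probe@example.net")
        local_code, _ = s.rcpt(local)
        ext_code, _ = s.rcpt(external)
    return {"local_accepted": local_code == 250, "external_refused": ext_code == 550}
```

A server that answers 250 to the external recipient in this unauthenticated session is an open relay and needs the Relay Restrictions settings revisited.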

Consequences

You must understand what will happen if you choose to clear the "Anonymous access" check box in the Authentication window of the SMTP Virtual Server. Although this will indeed stop your server from being a relay, it will also cause your server to stop receiving incoming mail from the Internet. This is because every server (whether it is E2K, Sendmail or any other mail server) that ever needs to open an SMTP connection to your server will be required to authenticate, and it will be impossible for them to do so because they are not configured to use a specific username and password. You can't expect every mail server that needs to "talk" to your server to "know" what usernames and passwords you have configured in your domain, so basically no one will ever be able to send mail to your domain.

Conclusions

Keeping the SMTP Virtual Server's default settings (the Authentication and Relay buttons) will safely protect you from relaying unauthorized messages while still enabling outside users to send e-mail to your domain.
