Common Exchange Server Configuration Mistakes - Open Relay Server Settings
An open relay is one of the worst misconfigurations a mail server can have: spammers will find it and abuse it, and your domain ends up on blacklists. In this post we make sure your MS Exchange 2003 server is not configured as an open relay, a common mistake that is all too easy to make.
We look at how to check for and avoid the open relay setting, and we point out a few tools for confirming that your servers have not landed on Real-time Blackhole Lists (RBLs), which is the usual consequence of running an open relay.
Open Relay Server Settings in Exchange 2003
Ok, let’s get down to it. Here is how to make sure you don’t configure your Exchange server as an open relay.
In Exchange 2003, open Exchange System Manager.
Bring up the properties of the SMTP virtual server (expand Servers | Server Name | Protocols | SMTP, then right-click Default SMTP Virtual Server and choose Properties).
Click the Access tab, then the Relay button at the bottom.
The Relay Restrictions dialog that opens lists which computers may relay through the virtual server and, below the list, has the check box “Allow all computers which successfully authenticate to relay, regardless of the list above”.
The key point is that your Exchange server’s own IP address must not appear in that list. It is also perfectly fine for the list to be empty.
A common problem we find in Relay Restrictions is that an administrator has added the Exchange server’s own IP address under “Only the list below” in “Select which computer may relay through this virtual server.”
The screen is easy to misread: it looks as though an empty list means no e-mail can relay through the server, so the admin adds the mail server’s own address to “let it send mail”. Doing so turns the entire server into an open relay. It is also unnecessary: “Allow all computers which successfully authenticate to relay, regardless of the list above” is checked by default, so mail clients such as Outlook can still send (relay) mail through the server even when no IP address is listed, because they authenticate with a username and password. Ideally the list stays empty; every mail client should authenticate, and any that does not should be required to.
The rare exception is an application that cannot authenticate, for example a web server whose form-handler script e-mails submitted forms to you and has no way to supply a username and password to the mail server. In that case add that one host’s IP address to the list and nothing more: a single address rather than a whole subnet, and never the Exchange server’s own address.
How to check if your server is an Open Relay Server.
Visit http://www.itanetworks.com/, scroll down to the Free Utilities section and select Open Relay test. Enter your domain name or IP address and click Submit to see the results.
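The online tester performs the same short SMTP dialogue you can run yourself from any machine that can reach port 25: say EHLO, give a MAIL FROM address that is not hosted on the server, then a RCPT TO address that is not hosted on the server either, and look at the reply. The script below is an added example written for this post; it is not the ITA Networks tool or anything from Microsoft. The host name and the example.net/example.org addresses are placeholders to replace with your own, and no message is ever delivered because the transaction is abandoned with RSET.

```python
"""Probe an SMTP server to see whether it relays for outsiders.

Added example, not part of the original post. It speaks the same
dialogue the online relay testers use: EHLO, MAIL FROM an outside
address, RCPT TO an outside address, then RSET (nothing is delivered).
Host names and addresses are placeholders; replace them with your own.
"""
import smtplib
from dataclasses import dataclass

# Outside sender/recipient: neither domain is hosted on the target server.
PROBE_SENDER = "relay-probe@example.net"     # assumed external address
PROBE_RECIPIENT = "relay-probe@example.org"  # assumed external address


@dataclass
class RelayResult:
    stage: str      # "MAIL FROM" or "RCPT TO": where the server answered
    code: int       # SMTP reply code
    message: str    # server's reply text
    relays: bool    # True = the server agreed to relay for an outsider

    def __str__(self):
        verdict = "OPEN RELAY" if self.relays else "relay denied"
        return f"{verdict}: {self.stage} -> {self.code} {self.message}"


def _text(msg):
    return msg.decode("ascii", "replace") if isinstance(msg, bytes) else str(msg)


def probe_relay(conn, mail_from=PROBE_SENDER, rcpt_to=PROBE_RECIPIENT):
    """Run the MAIL FROM / RCPT TO exchange on an open connection.

    `conn` needs mail(), rcpt() and rset() returning (code, reply) the way
    smtplib.SMTP does; the session must already have sent EHLO or HELO.
    """
    code, msg = conn.mail(mail_from)
    if code != 250:
        # Sender refused outright (sender filtering, greylisting...);
        # the server has not proven it relays, so report "denied" at this stage.
        return RelayResult("MAIL FROM", code, _text(msg), relays=False)

    code, msg = conn.rcpt(rcpt_to)
    conn.rset()  # abandon the transaction so nothing is actually sent
    # 250/251 at RCPT TO for a foreign domain means the server accepted the
    # relay. Exchange 2003 with working relay restrictions answers
    # "550 5.7.1 Unable to relay for <address>".
    return RelayResult("RCPT TO", code, _text(msg), relays=code in (250, 251))


def check_server(host, port=25, credentials=None, timeout=15):
    """Connect to `host` and return a RelayResult.

    With credentials=(user, password) the probe logs in first, which lets
    you confirm that authenticated clients (Outlook) can relay while
    anonymous connections cannot.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        if credentials:
            if conn.has_extn("starttls"):
                conn.starttls()  # keep the password off the wire when offered
                conn.ehlo()
            conn.login(*credentials)
        return probe_relay(conn)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    print(check_server(target))
```

Run it once anonymously (`python relay_probe.py mail.example.com`) and expect "relay denied: RCPT TO -> 550 5.7.1 Unable to relay"; a 250 at RCPT TO means the server is an open relay. One caveat: a few mail systems accept every RCPT TO and only reject at the DATA stage, so a 250 here is a strong warning rather than final proof, while a 550 is conclusive. Run it from outside your own network, since a probe from the LAN may match the relay list or a connection filter that Internet hosts never see.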
To check if your domain or mail server is blacklisted in an RBL.
Go to Email Talk’s homepage. Under RBL lookup enter your domain name or mail server IP address and click GO to see the results. If the report shows your server on a blacklist, fix the relay problem first, then click the RBL name to visit that list’s site and ask to be removed; delisting requests are normally re-tested, so asking before the fix is in place gets you nowhere.
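A web lookup page is convenient, but the check it performs is just a DNS query you can script and run on a schedule so you learn about a listing before your users do. The script below is an added example for this post, not the Email Talk tool: it builds the DNSBL query name by reversing the address's octets under each list's zone and treats an answer as "listed" and NXDOMAIN as "not listed". The zones named are real public lists used here only as examples (check each list's usage terms), and 192.0.2.10 is a documentation address standing in for your server's IP.

```python
"""Check a mail server's IPv4 address against DNS-based blacklists.

Added example, not part of the original post or of the Email Talk tool.
A DNSBL is queried by reversing the address octets and appending the
list's zone: 192.0.2.10 on zen.spamhaus.org is looked up as
10.2.0.192.zen.spamhaus.org. An A record (by convention in 127.0.0.0/8)
means "listed"; NXDOMAIN means "not listed". The zones below are real
public lists chosen as examples; check their terms before automating.
"""
import ipaddress
import socket

EXAMPLE_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def dnsbl_name(ip, zone):
    """Return the query name for `ip` on `zone`; ValueError for non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the list's answer (e.g. '127.0.0.2') or None if not listed.

    `resolve` is injectable so the logic can be exercised offline.
    socket.gethostbyname raises socket.gaierror (an OSError) on NXDOMAIN;
    a resolver outage lands in the same place, so None means "no listing
    seen", not "proven clean". The meaning of the returned 127.x.x.x code
    is list-specific (which sub-list matched, or a query error such as a
    blocked resolver); consult the list's documentation.
    """
    try:
        return resolve(dnsbl_name(ip, zone))
    except OSError:
        return None


def check_ip(ip, zones=EXAMPLE_ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer-or-None} for every zone."""
    return {zone: lookup(ip, zone, resolve) for zone in zones}


def report(results):
    """Render check_ip() output as one line per list."""
    lines = []
    for zone, answer in results.items():
        status = f"LISTED {answer}" if answer else "not listed"
        lines.append(f"{zone}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation address; pass your server's public IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(check_ip(target)))
```

Query the public IP address that your outbound mail actually leaves from (the NAT or firewall address), not the server's internal one, because that is what the receiving side and the lists see.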