IS MY SERVER A RELAY?

Hello,

I recently came to know something unsettling. Our internal servers can send 
mail via our exchange smtp protocol without the ip address being in the 
relay list. I have been using the relay list exclusively, so I'm not sure 
how this is possible. Below are the settings we have. If you can think of 
any way this is possible and how to fix it, please let me know.

mailserver.ourdomain.com is the smtp address people are supposed to put into 
programs for the smtp server. it is a dns cname for one of our exchange 
servers.

in the exchange system manager, we have the smtp protocol with these 
settings:

Administrative Groups -> First Admin Group -> exserver -> protocols -> 
smtp -> default smtp server ->

1. under IP address advanced settings, then "edit" the setting for "apply 
sender filter" is checked.

2. Access tab
    a. authentication button
        i. anonymous access is checked
        ii. resolve anonymous email is not checked
        iii. basic authentication is checked
        iv. requires TLS is not checked
        v. there is no default domain listed
        vi. integrated windows authentication is checked
        USERS button
            1. we have two users listed who can send via the server if they 
authenticate. they are myself and another admin account. no one knows their 
pwds but me.
    b. connection button
        i. the radio button for "all except the list below" is selected. 
there are no ip addresses in the list.
    c. relay button
        i. the radio button for "only the list below" is selected. many 
servers' ip addresses are in this list. there are servers whose ip address 
IS NOT in the list, yet I confirmed that they have programs sending mail via 
this server. I used telnet from them to the exchange server and it worked 
fine sending e-mails. I was under the impression that unless I authenticated 
as one of the users in the list described above or on a machine whose ip 
address was in this list, that I wouldn't be able to telnet over port 25 to 
this server.
        ii. the "allow all computers which successfully authenticate..." 
check box is not checked.
        USERS BUTTON
            this lists the same two accounts described above.
3. Messages Tab
    a. the first two check boxes are cleared. the next two have 50 and 
640000 as their setting, respectively.
    b. the setting for sending copies of NDRs is filled in with an address.
    c. there is nothing in the "forward all mail with unresolved..."
4. Delivery Tab
    a. the intervals are all set up.
    b. Outbound security
        i. the "anonymous access" radio button is selected.
        ii. tls encryption is not checked.
    c. Outbound Connections tab
        i. the limit number of connections to is set to 1000
        ii. the limit number of connections per domain is set to 100
        iii. tcp port is 25
    b. Advanced tab
        i. the max hop count is 30
        ii. the FQDN is set up
        iii. it is not performing reverse DNS lookups.

Anyone who can help would be greatly appreciated!

Peace. 


10/25/2006 7:45:39 PM
exchange.admin

Hi,

Are the mails for internal or external users? If the mails are for internal 
users it is not considered relaying.

Leif



10/25/2006 8:26:43 PM
Leif,

The messages are destined for both offsite users and internal users. 
Shouldn't we be able to make it so you can't send to either unless your ip 
address is in that list or your username is in the allow users who 
authenticate list?

Is it normal to allow any internal computer to relay through exchange if the 
rcpt to or mailfrom address is a mydomain.com address?

Thanks.

"Leif Pedersen [MVP]" <Leif.pedersenNO-SPAM@get2net.dk> wrote in message 
news:%23oYMkPH%23GHA.1128@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Are the mails for internal or external users. If the mails are for 
> internal users it is not considered relaying.
>
> Leif


10/25/2006 8:36:21 PM
Most Exchange users mostly MAPI clients so the need to relay is generally 
limited.  When there is such a need, such as with Entourage or Eudora 
clients, the best practice is to require authentication instead of allowing 
relay by IP address.
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"GC Postmaster" <gc_postmaster@newsgroups.nospam> wrote in message 
news:eKtB9UH%23GHA.4524@TK2MSFTNGP04.phx.gbl...
> Leif,
>
> The messages are destined for both offsite users and internal users. 
> Shouldn't we be able to make it so you can't send to either unless your ip 
> address is in that list or your username is in the allow users who 
> authenticate list?
>
> Is it normal to allow any internal computer to relay through exchange if 
> the rcpt to or mailfrom address is a mydomain.com address?
>
> Thanks.


curspice6401 (3487)
10/26/2006 5:45:13 PM
This is fine. The real question I'm trying to answer here is why
servers are able to send mail via our exchange server whose IP address
is not in the relay list. This should not be.

Our users are using authentication to send messages. Just not programs
that send e-mail alerts from other servers. Those servers have been
given access via IP address.



Ed Crowley [MVP] wrote:
> Most Exchange users mostly MAPI clients so the need to relay is generally
> limited.  When there is such a need, such as with Entourage or Eudora
> clients, the best practice is to require authentication instead of allowing
> relay by IP address.
> --
> Ed Crowley
> MVP - Exchange
> "Protecting the world from PSTs and brick backups!"

10/26/2006 7:19:48 PM
The IP addresses listed in your list are authorized to relay.  All other IP 
addresses must authenticate to do so.  Does that answer your question?
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"GC Postmaster" <Blake.Whitney@gmail.com> wrote in message 
news:1161890388.917695.113540@f16g2000cwb.googlegroups.com...
> This is fine. The real question I'm trying to answer here is why
> servers are able to send mail via our exchange server whose IP address
> is not in the relay list. This should not be.
>
> Our users are using authentication to send messages. Just not programs
> that send e-mail alerts from other servers. Those servers have been
> given access via IP address.


curspice6401 (3487)
10/26/2006 7:24:36 PM
That's the way I understood things should work. What I'm saying is that
this isn't happening. Servers whose IP address is not in our relay
list are able to send mail through our exchange smtp server and they
are also not authenticating. My desktop computer's ip address is not
in the allow relay and even I could telnet over port 25 to the
exchange server and send mail that way.

I was hoping based on my posted settings someone would see something
wrong with our config and I'd be able to fix it. We only want the
situation described, but right now it seems not to be the case.

Ed Crowley [MVP] wrote:
> The IP addresses listed in your list are authorized to relay.  All other IP
> addresses must authenticate to do so.  Does that answer your question?
> --
> Ed Crowley
> MVP - Exchange
> "Protecting the world from PSTs and brick backups!"

10/26/2006 8:38:01 PM
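
Added example, not part of the thread or anyone's post: the relay list only governs recipients in domains the server does not host, so with "anonymous access" checked any client that can reach port 25 can still submit mail for the server's own domains. The sketch below repeats the poster's telnet test with one hosted-domain and one outside recipient and classifies the replies; `classify`, `probe`, the verdict strings and the sample reply codes are constructed for illustration.

```python
import smtplib
import sys

def classify(local_code, external_code):
    """Interpret the RCPT TO reply codes from one unauthenticated session."""
    def accepted(code):
        return 200 <= code < 300
    def transient(code):
        return 400 <= code < 500
    if transient(local_code) or transient(external_code):
        return "inconclusive"          # 4xx: temporary failure, repeat the test
    if accepted(external_code):
        return "relays"                # took a recipient in a domain it does not host
    if accepted(local_code):
        return "local-delivery-only"   # anonymous submission allowed, relay refused
    return "refused"                   # nothing accepted without authentication

def probe(host, sender, local_rcpt, external_rcpt, port=25, timeout=10):
    """Send MAIL FROM and two RCPT TO commands without authenticating.

    The session is reset before DATA, so no message is queued or delivered.
    The verdict only describes the IP address this runs from.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        code, _ = smtp.mail(sender)
        if not 200 <= code < 300:
            return classify(code, code)    # envelope sender itself was refused
        local_code, _ = smtp.rcpt(local_rcpt)
        external_code, _ = smtp.rcpt(external_rcpt)
        smtp.rset()
    return classify(local_code, external_code)

# Constructed reply codes (local RCPT, external RCPT); not captured from the thread.
SAMPLES = {
    "client in relay list": (250, 250),
    "client not in relay list": (250, 550),
    "anonymous access unchecked": (530, 530),
}

def classify_samples():
    return {name: classify(*codes) for name, codes in SAMPLES.items()}

if __name__ == "__main__":
    if len(sys.argv) == 5:
        # usage: script.py HOST SENDER LOCAL_RCPT EXTERNAL_RCPT
        print(probe(*sys.argv[1:5]))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it from a machine whose address is not in the relay list; "local-delivery-only" there means the relay restriction is working and only anonymous submission to hosted domains is open.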