IS MY SERVER A RELAY?

Hello,

I recently came to know something unsettling. Our internal servers can send 
mail via our exchange smtp protocol without the ip address being in the 
relay list. I have been using the relay list exclusively, so I'm not sure 
how this is possible. Below are the settings we have. If you can think of 
any way this is possible and how to fix it, please let me know.

mailserver.ourdomain.com is the smtp address people are supposed to put into 
programs for the smtp server. it is a dns cname for one of our exchange 
servers.

in the exchange system manager, we have the smtp protocol with these 
settings:

Administrative Groups -> First Admin Group -> exserver -> protocols -> 
smtp -> default smtp server ->

1. under IP address advanced settings, then "edit" the setting for "apply 
sender filter" is checked.

2. Access tab
    a. authentication button
        i. anonymous access is checked
        ii. resolve anonymous email is not checked
        iii. basic authentication is checked
        iv. requires TLS is not checked
        v. there is no default domain listed
        vi. integrated windows authentication is checked
        USERS button
            1. we have two users listed who can send via the server if they 
authenticate. they are myself and another admin account. no one knows their 
pwds but me.
    b. connection button
        i. the radio button for "all except the list below" is selected. 
there are no ip addresses in the list.
    c. relay button
        i. the radio button for "only the list below" is selected. many 
servers' ip addresses are in this list. there are servers whose ip address 
IS NOT in the list, yet I confirmed that they have programs sending mail via 
this server. I used telnet from them to the exchange server and it worked 
fine sending e-mails. I was under the impression that unless i authenticated 
as one of the users in the list described above or on a machine whose ip 
address was in this list, that I wouldn't be able to telnet over port 25 to 
this server.
        ii. the "allow all computers which successfully authenticate..." 
check box is not checked.
        USERS BUTTON
            this lists the same two accounts described above.
3. Messages Tab
    a. the first two check boxes are cleared. the next two have 50 and 
640000 as their setting, respectively.
    b. the setting for sending copies of NDRs is filled in with an address.
    c. there is nothing in the "forward all mail with unresolved..."
4. Delivery Tab
    a. the intervals are all set up.
    b. Outbound security
        i. the "anonymous access" radio button is selected.
        ii. tls encryption is not checked.
    c. Outbound Connections tab
        i. the limit number of connections to is set to 1000
        ii. the limit number of connections per domain is set to 100
        iii. tcp port is 25
    b. Advanced tab
        i. the max hop count is 30
        ii. the FQDN is set up
        iii. it is not performing reverse DNS lookups.

Anyone who can help would be greatly appreciated!

Peace. 


10/25/2006 7:45:39 PM
exchange.admin

6 Replies

Hi,

Are the mails for internal or external users? If the mails are for internal 
users it is not considered relaying.

Leif

"GC Postmaster" <gc_postmaster@newsgroups.nospam> wrote in message 
news:Otvso4G%23GHA.3456@TK2MSFTNGP02.phx.gbl...
> Hello,
>
> I recently came to know something unsettling. Our internal servers can 
> send mail via our exchange smtp protocol without the ip address being in 
> the relay list. I have been using the relay list exclusively, so I'm not 
> sure how this is possible. Below are the settings we have. If you can 
> think of any way this is possible and how to fix it, please let me know.
>
> mailserver.ourdomain.com is the smtp address people are supposed to put 
> into programs for the smtp server. it is a dns cname for one of our 
> exchange servers.
>
> in the exchange system manager, we have the smtp protocol with these 
> settings:
>
> Administrative Groups -> First Admin Group -> exserver -> protocols -> 
> smtp -> default smtp server ->
>
> 1. under IP address advanced settings, then "edit" the setting for "apply 
> sender filter" is checked.
>
> 2. Access tab
>    a. authentication button
>        i. anonymous access is checked
>        ii. resolve anonymous email is not checked
>        iii. basic authentication is checked
>        iv. requires TLS is not checked
>        v. there is no default domain listed
>        vi. integrated windows authentication is checked
>        USERS button
>            1. we have two users listed who can send via the server if they 
> authenticate. they are myself and another admin account. no one knows 
> their pwds but me.
>    b. connection button
>        i. the radio button for "all except the list below" is selected. 
> there are no ip addresses in the list.
>    c. relay button
>        i. the radio button for "only the list below" is selected. many 
> servers' ip addresses are in this list. there are servers whose ip address 
> IS NOT in the list, yet I confirmed that they have programs sending mail 
> via this server. I used telnet from them to the exchange server and it 
> worked fine sending e-mails. I was under the impression that unless i 
> authenticated as one of the users in the list described above or on a 
> machine whose ip address was in this list, that I wouldn't be able to 
> telnet over port 25 to this server.
>        ii. the "allow all computers which successfully authenticate..." 
> check box is not checked.
>        USERS BUTTON
>            this lists the same two accounts described above.
> 3. Messages Tab
>    a. the first two check boxes are cleared. the next two have 50 and 
> 640000 as their setting, respectively.
>    b. the setting for sending copies of NDRs is filled in with an address.
>    c. there is nothing in the "forward all mail with unresolved..."
> 4. Delivery Tab
>    a. the intervals are all set up.
>    b. Outbound security
>        i. the "anonymous access" radio button is selected.
>        ii. tls encryption is not checked.
>    c. Outbound Connections tab
>        i. the limit number of connections to is set to 1000
>        ii. the limit number of connections per domain is set to 100
>        iii. tcp port is 25
>    b. Advanced tab
>        i. the max hop count is 30
>        ii. the FQDN is set up
>        iii. it is not performing reverse DNS lookups.
>
> Anyone who can help would be greatly appreciated!
>
> Peace.
> 


10/25/2006 8:26:43 PM
Leif,

The messages are destined for both offsite users and internal users. 
Shouldn't we be able to make it so you can't send to either unless your ip 
address is in that list or your username is in the allow users who 
authenticate list?

Is it normal to allow any internal computer to relay through exchange if the 
rcpt to or mailfrom address is a mydomain.com address?

Thanks.

"Leif Pedersen [MVP]" <Leif.pedersenNO-SPAM@get2net.dk> wrote in message 
news:%23oYMkPH%23GHA.1128@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Are the mails for internal or external users? If the mails are for 
> internal users it is not considered relaying.
>
> Leif


10/25/2006 8:36:21 PM
Most Exchange users mostly use MAPI clients so the need to relay is generally 
limited.  When there is such a need, such as with Entourage or Eudora 
clients, the best practice is to require authentication instead of allowing 
relay by IP address.
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"GC Postmaster" <gc_postmaster@newsgroups.nospam> wrote in message 
news:eKtB9UH%23GHA.4524@TK2MSFTNGP04.phx.gbl...
> Leif,
>
> The messages are destined for both offsite users and internal users. 
> Shouldn't we be able to make it so you can't send to either unless your ip 
> address is in that list or your username is in the allow users who 
> authenticate list?
>
> Is it normal to allow any internal computer to relay through exchange if 
> the rcpt to or mailfrom address is a mydomain.com address?
>
> Thanks.


curspice6401 (3487)
10/26/2006 5:45:13 PM
This is fine. The real question I'm trying to answer here is why
servers are able to send mail via our exchange server whose IP address
is not in the relay list. This should not be.

Our users are using authentication to send messages. Just not programs
that send e-mail alerts from other servers. Those servers have been
given access via IP address.



Ed Crowley [MVP] wrote:
> Most Exchange users mostly use MAPI clients so the need to relay is generally
> limited.  When there is such a need, such as with Entourage or Eudora
> clients, the best practice is to require authentication instead of allowing
> relay by IP address.
> --
> Ed Crowley
> MVP - Exchange
> "Protecting the world from PSTs and brick backups!"

10/26/2006 7:19:48 PM
The IP addresses listed in your list are authorized to relay.  All other IP 
addresses must authenticate to do so.  Does that answer your question?
-- 
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"

"GC Postmaster" <Blake.Whitney@gmail.com> wrote in message 
news:1161890388.917695.113540@f16g2000cwb.googlegroups.com...
> This is fine. The real question I'm trying to answer here is why
> servers are able to send mail via our exchange server whose IP address
> is not in the relay list. This should not be.
>
> Our users are using authentication to send messages. Just not programs
> that send e-mail alerts from other servers. Those servers have been
> given access via IP address.


curspice6401 (3487)
10/26/2006 7:24:36 PM
That's the way I understood things should work. What I'm saying is that
this isn't happening. Servers whose IP address is not in our relay
list are able to send mail through our exchange smtp server and they
are also not authenticating. My desktop computer's ip address is not
in the allow relay list and even I could telnet over port 25 to the
exchange server and send mail that way.

I was hoping based on my posted settings someone would see something
wrong with our config and I'd be able to fix it. We only want the
situation described, but right now it seems not to be the case.

Ed Crowley [MVP] wrote:
> The IP addresses listed in your list are authorized to relay.  All other IP
> addresses must authenticate to do so.  Does that answer your question?
> --
> Ed Crowley
> MVP - Exchange
> "Protecting the world from PSTs and brick backups!"

10/26/2006 8:38:01 PM
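
Added example, not part of the original thread and not Exchange's own code: a simplified Python model of the Access-tab settings quoted above, showing that connection control and relay control are separate checks and that the relay list is consulted only for recipients outside the server's own domains. The class and field names, IP addresses, user names and reply strings are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SmtpVirtualServer:
    """Simplified model (assumption) of the quoted Access-tab settings."""
    local_domains: set                                       # domains accepted for local delivery
    denied_connections: list = field(default_factory=list)   # Connection: "all except the list below"
    relay_allowed: list = field(default_factory=list)        # Relay: "only the list below"
    relay_users: set = field(default_factory=set)            # Relay > Users button
    allow_all_authenticated: bool = False                    # relay check box, unchecked in the post

    @staticmethod
    def _listed(ip, entries):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

    def connect(self, ip):
        # Connection control only decides who may open a session on port 25.
        if self._listed(ip, self.denied_connections):
            return None
        return "220 ready"

    def rcpt_to(self, ip, rcpt, user=None):
        # Relay control is consulted only when the recipient is NOT local.
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 OK (local delivery)"
        authed = user is not None and (
            self.allow_all_authenticated or user in self.relay_users)
        if self._listed(ip, self.relay_allowed) or authed:
            return "250 OK (relayed)"
        return "550 5.7.1 Unable to relay"

def audit(server, ip, rcpts, user=None):
    """Return {recipient: reply} for one client, or {} if it cannot connect."""
    if server.connect(ip) is None:
        return {}
    return {r: server.rcpt_to(ip, r, user) for r in rcpts}

# Constructed sample values: 10.0.0.10 is on the relay list, 10.0.0.99 is not.
SERVER = SmtpVirtualServer(
    local_domains={"ourdomain.com"},
    relay_allowed=["10.0.0.10", "10.0.0.11"],
    relay_users={"admin1", "admin2"},
)
RCPTS = ["someone@ourdomain.com", "someone@example.net"]

if __name__ == "__main__":
    for ip in ("10.0.0.10", "10.0.0.99"):
        print(ip, audit(SERVER, ip, RCPTS))
```

In this model an unlisted host still connects and still gets a 250 for a recipient at the server's own domain, so a telnet test exercises the relay list only when the recipient is at an external domain.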