One of the worst mistakes you can make with an Exchange server connected to the Internet is to let it become an open relay. This allows anyone to send email to anyone else through your server.
Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test
A Telnet test involves establishing a Telnet session from a computer that is not on the local network to the external (public) IP address of the Exchange server. Carry out the test from a machine at home or in another office. Doing the test from a machine on your own network will produce useless results.

1. Start a command prompt: either click Start, Run and type CMD, or choose Start, Programs, Accessories, Command Prompt.
2. Type "telnet" (minus quotes) and press enter.
3. At the Telnet prompt, type set localecho (minus quotes) and press enter. This lets you see what you are typing.
4. Still at the Telnet prompt, enter the following command and press enter: open external-ip 25, where external-ip is your external IP address, eg: open 111.222.333.444 25
5. You should get a response back similar to the following: 220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at
6. Type the following command in to the telnet window: ehlo testdomain.com and press enter (note "testdomain.com" can be anything that isn't a domain that the Exchange server is responsible for).
7. After pressing enter you should get a response back: 250 OK
8. Type the following command in to the telnet window: mail from:address@testdomain.com and press enter (again, address@testdomain.com is an email address that is not on the Exchange server. Note the lack of space between from: and the address).
9. After pressing enter you should get a response back: 250 2.1.0 address@testdomain.com....Sender OK
10. Type the following command in to the telnet window: rcpt to:address@anotherdomain.com and press enter (where address@anotherdomain.com is neither an address you use internally nor the address you entered earlier as the from. Once again note the lack of space between to: and the address).
11. After pressing enter you will get one of two responses. If you get 550 5.7.1 Unable to relay for address@anotherdomain.com then you are relay secure. However if you get 250 2.1.5 address@anotherdomain.com
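The same dialogue scripted in Python, as an added example that is not part of the original article, so the test can be repeated from an outside machine after every configuration change. It sends the banner read, EHLO, MAIL FROM and RCPT TO exactly as in the steps above and classifies the RCPT TO reply; the domain names and addresses are the article's placeholders, the host and port come from the command line, and the ScriptedTransport class (an assumption of this example) replays canned server replies so the classification logic can be exercised offline.

```python
"""Automated open-relay probe: replays the telnet dialogue from the article.

Run from a machine OUTSIDE your network, as the article says:
    python relay_test.py 111.222.333.444 25
"""
import socket
import sys

# Constructed placeholders (as in the article): neither domain may be one the
# Exchange server accepts mail for, otherwise the test proves nothing.
HELO_DOMAIN = "testdomain.com"
SENDER = "address@testdomain.com"
RECIPIENT = "address@anotherdomain.com"


class SocketTransport:
    """Line-oriented wrapper around a real TCP connection to port 25."""

    def __init__(self, host, port=25, timeout=20):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("r", encoding="ascii", errors="replace")

    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))

    def readline(self):
        return self.reader.readline().rstrip("\r\n")

    def close(self):
        self.sock.close()


class ScriptedTransport:
    """Replays canned server replies so relay_test() can run offline (hypothetical helper)."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []  # every command the client issued, for inspection

    def send(self, line):
        self.sent.append(line)

    def readline(self):
        return self.replies.pop(0) if self.replies else ""

    def close(self):
        pass


def read_reply(transport):
    """Read one SMTP reply, joining "250-..." continuation lines; return (code, lines)."""
    lines = []
    while True:
        line = transport.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        # "250-" means more lines follow; "250 " (or a bare code) ends the reply.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def relay_test(transport, helo=HELO_DOMAIN, sender=SENDER, recipient=RECIPIENT):
    """Run banner/EHLO/MAIL FROM/RCPT TO and return (verdict, last reply line)."""
    try:
        code, lines = read_reply(transport)  # 220 banner
        if code != 220:
            return ("error", lines[-1])
        transport.send(f"EHLO {helo}")
        code, lines = read_reply(transport)  # Exchange answers with a multi-line 250
        if code != 250:
            return ("error", lines[-1])
        # Angle brackets are the RFC 5321 form; the article's "mail from:addr"
        # without brackets is also accepted by Exchange.
        transport.send(f"MAIL FROM:<{sender}>")
        code, lines = read_reply(transport)
        if code != 250:
            return ("sender rejected", lines[-1])
        transport.send(f"RCPT TO:<{recipient}>")
        code, lines = read_reply(transport)
        transport.send("QUIT")
    finally:
        transport.close()
    if code == 250:
        return ("open relay", lines[-1])  # a foreign recipient was accepted
    if 500 <= code < 600:
        return ("relay secure", lines[-1])  # e.g. 550 5.7.1 Unable to relay
    return ("inconclusive", lines[-1])  # 4xx: greylisting, throttling, retry later


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    verdict, detail = relay_test(SocketTransport(host, port))
    print(f"{host}:{port} -> {verdict} ({detail})")
```

A 4xx reply on RCPT TO is reported as inconclusive rather than secure: a server that is greylisting or throttling the connection has not refused to relay, so the test should be repeated later.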
SMTP Connectors

1. Start ESM, Connectors.
2. Right click on each SMTP Connector in turn and choose Properties.
3. Click on the "Address Space" tab.
4. If you have a "*" in the address list, check that "Allow messages to be relayed to these domains" is not enabled.
5. Apply/OK until all windows are closed.
Once you have made the changes, repeat the telnet test above to ensure that you have closed everything.
Exchange 2007
With Exchange 2007 it is actually more difficult to turn the server into an open relay. It can still happen, though, through Connectors and through the Accepted Domain configuration.

Connector Configuration

First, check that you have not enabled "Externally Secured" on any Send or Receive Connector that is exposed to the internet. If the server can be reached from the internet then this needs to be checked.

1. Start Exchange Management Console (EMC).
2. Expand Server Configuration, Hub Transport.
3. Right click on each Receive Connector and choose Properties.
4. Click on the "Authentication" tab and ensure that the Externally Secured option hasn't been enabled.
5. If you need to change any settings, restart the Microsoft Exchange Transport service for the change to take effect.
For Send Connectors repeat the above process, but look in Organization Configuration, Hub Transport. If you are using an Edge server then force an Edge Sync to take place using the command "Start-EdgeSynchronization".

Accepted Domains

The other setting that can turn the server into an open relay is Accepted Domains. Ensure that you haven't set an Accepted Domain of *, which turns the server into an open relay. If you configured the Accepted Domain using the Management Console then you should have received a warning about it turning the server into an open relay.

1. Start Exchange Management Console.
2. Expand Organization Configuration, Hub Transport.
3. Click on the "Accepted Domains" tab and ensure that * is not listed. If it is, remove it.
4. If you are using an Edge server, then force an Edge Sync to take place using the command "Start-EdgeSynchronization".