Prevent open relays on Exchange Server - TechRepublic
Software
TEILEN
Facebook X Pinterest WhatsApp

Prevent open relays on Exchange Server

Open relays on corporate networks are a contributing factor to the volume of unsolicited e-mail currently flying around the Internet—and the presence of such relays is often unbeknownst to the owners of those networks. Are your e-mail servers vulnerable to mail relaying? In this edition of Security Solutions, Mike Mullins tells you how to determine if they are.

Verfasst von
Michael Mullins
Michael Mullins
Apr 6, 2006
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

Open mail relays—e-mail servers that allow third-party
transmission of messages—are a significant contributing factor to the volume of
unsolicited e-mail currently flying around the Internet. Spammers send millions
of junk e-mail messages daily, and open mail relays make the process easier.

However, most companies are unaware that spammers are taking
advantage of the organization’s e-mail servers for such nefarious purposes. Depending
on the version of Exchange server that your organization is running, you might
be vulnerable to mail relaying. Let’s look at how you can find out.

Defining the problem

Mail relaying occurs when e-mail sent from one server routes
to an intermediate e-mail server, which then delivers it to the recipient’s e-mail
server. But there are, in fact, legitimate uses for a mail relay.

For example, you might have a e-mail server that serves as
your Internet bridge server. That server receives e-mail from the Internet and
distributes it to a cluster of internal e-mail servers.

However, spammers who want to disguise the point of origin
for their spam messages will route their junk e-mail through a mail relay to
confuse the recipient. Seeing an e-mail from a legitimate address can easily
dupe users into thinking the message is worthy of attention.

Checking your vulnerability

You can check your organization’s Exchange servers to
determine whether they’re vulnerable to mail relay. The best way to do so is
using a workstation from outside the company’s network.

To check your servers, you need to know the fully qualified
domain name (FQDN) for your e-mail server. If you don’t know the FQDN, you can
find it rather easily. Follow these steps:

  1. Go
    to Start | Run, type cmd, and
    click OK.
  2. At
    the command prompt, type nslookup,
    and press [Enter].
  3. Type
    set type=mx, and press [Enter].
  4. Type
    the domain name of your organization (e.g., techrepublic.com).

The results will show an MX preference that lists the
name(s) of the Exchange server.

To determine whether your Exchange servers are vulnerable to
open relays, follow these steps:

  1. Go to
    Start | Run, type telnet, and click
    OK.
  2. At
    the Telnet command prompt, type set
    localecho    , and press [Enter].
  3. Type open <name.of.exchange.server> 25,
    replacing <name.of.exchange.server> with the FQDN of the Exchange
    server. 25 signifies the port you want to connect to. (TCP/IP port 25 is
    for SMTP.)

Your telnet console should return a result that looks something
like the following. (The Version will vary, depending on the version of your
Exchange server.)

220 <name.of.exchange.server> Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at –date- -0500
  1. Next,
    type ehlo <anotherdomain.com>,
    replacing <anotherdomain.com> with any domain except your own, and press [Enter].

This will return some output, and the last line of the
result should be:

250 OK
  1. Type mail from:<youremailaddress@anotherdomain.com>,
    replacing youremailaddress@anotherdomain.com with a valid e-mail address, and
    press [Enter].

This will return some more output, and the last line of the
result should say:

250 2.1.0 youremailaddress@anotherdomain.com...Sender OK
  1. Type rcpt to:hacker@spammail.com, and
    press [Enter].

If you see the following result, you have an open relay and
need to take action.

250 2.1.5 hacker@spammail.com
Advertisement

Stopping the relay

If you discover that your organization has an open relay,
you need to stop it. To stop open relaying on the Default SMTP Virtual Server,
follow these steps:

  1. Go to
    Start | All Programs | Microsoft Exchange | Exchange System Manager.
  2. Expand
    Servers, expand <Servername> (the name of your Exchange server),
    expand Protocols, and expand SMTP.
  3. Right-click
    Default SMTP Virtual Server, and select Properties.
  4. On the
    Access tab, click the Relay button at the bottom.
  5. Select
    the Only The List Below check box, and remove any entries in the list that
    aren’t a part of your business network.
  6. Select
    the Allow All Computers Which Successfully Authenticate To Relay, Regardless
    Of The List Above check box.
  7. Close
    all dialog boxes.

Your Exchange server will now only relay mail for
authenticated computers and computers that you have specifically allowed.

Final thoughts

Exchange Server 2003 disables open mail relay by default. And
unless you’ve made some major changes to its SMTP configuration, Exchange
Server should have this disabled as well.

However, if you suspect that your server is vulnerable to
mail relaying, it’s worth checking out. Make sure your organization is part of
the security solution—and not part of the problem.

Miss a column?

Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.

Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.

Michael Mullins