Wednesday, July 25, 2007

Antirelay configuration in Microsoft Exchange Server 6.0


Background of Antirelay Provisioning

In the "good old days", mail servers would happily forward mail to anybody who used them, and this was offered as a kind of service to the internet community at large: if your own mail server was having troubles, you could temporarily use your neighbor's mail server to route around it.

No more: those days are long gone.

Dirtball spammers have come to "hijack" mail servers owned by others to do the hard work of delivering their trash, and this has caused enormous problems for the internet. Spammers routinely scan for these "open relays" and abuse them, and eventually this gets the mail server owner either flooded with bounced mail, put on a blacklist, or both. It's much like the bad guy sneaking a box of unstamped mail into your company's mail room: you pay the postage and send out the letters.

Securing a mail server so that only authorized users can relay through it is important, and this paper describes the process. Modern versions of Exchange (6, and 5.5 with the latest service packs) are not hard to secure, and the same common principles apply to all antirelay provisions.

The idea is that we tell the mail server which remote users are "trusted", and in practice this is the entire internal network. Since no outside users could ever connect from these internal IP addresses, they are "trusted".

Then, when Exchange receives a connection attempting to deliver mail, it looks at the "trusted" list: those on the list can send mail anywhere, but those not on the list can only deliver to the local machine. Others are told to get lost.

Securing Microsoft Exchange Server 6.0

  • First run the Exchange administrator tool, often from the desktop

    [Exchange Admin desktop icon]

  • Navigate down the tree to get to the "Default SMTP Virtual Server" and right-click to select Properties:

    [Exchange Admin SMTP Properties]

  • Click the Access tab and click the Relay... button:

    [Exchange Admin: Access tab]

  • Select the Only the list below radio button, check the "Allow all computers which successfully authenticate" box, and click the Add button:

    [Exchange Admin: Relay Restrictions tab]

  • Add the "Group of Computers" with the local network number and netmask.

    [Exchange Admin: IP address ranges]

  • In our case, we had two sets of "internal" networks that must be allowed to relay, plus we've found that adding the "localhost" entry ( is a good idea: we had to go through this process three times. This shows the result.

    [Granting access]

    Click OK to dismiss this and the rest of the dialog boxes.

  • We believe that the SMTP service has to be restarted, so select Stop from the pop-up menu as shown, wait a moment, and when it's stopped all the way, click it again to Start the service.

    [Stop and Restart the service]
