Before we proceed with learning on how to prevent Exchange 2000/2003 from being used as a mail relay, let’s see what a relay is?,
1. A user in your domain wants to send e-mail to another user in your domain – This is NOT relaying.
2. An outside user (from the Internet) wants to send e-mail to another user in your domain – This is NOT relaying.
3. A user in your domain wants to send e-mail to an outside user (on the Internet) – This IS relaying.
4. An outside user (from the Internet) wants to send e-mail to an outside user (on the Internet) – This IS relaying.
The default Exchange 2000/2003 configuration does not allow unauthenticated users to relay through the server.
Exchange 2000/2003 provides full Simple Mail Transfer Protocol (SMTP) mail services. The Exchange 2000 SMTP server can be used to receive and relay e-mail messages to other Exchange 2000/2003 servers on your network or to other SMTP servers on the Internet. Mail relay allows Exchange 2000 mail clients to send mail to users in other organisations. If mail relay is not allowed, the Exchange 2000 server can only receive and send mail for users in the same mail domain as the Exchange 2000/2003 servers.
When the Exchange 2000/2003 server relays e-mail messages, the Exchange 2000/2003 server can forward mail that is addressed to mail domains other than its own. This allows Exchange 2000 to forward mail to any internal or external network SMTP server.
There are dangers inherent in making an Exchange 2000/2003 server accessible to Internet users. The Exchange 2000/2003 server might be used as a mail relay by Internet users, which is undesirable because unscrupulous users might forward mail to your Exchange 2000/2003 SMTP server to distribute unsolicited commercial e-mail messages to large numbers of computers. This can have a severe adverse impact on available bandwidth for your Internet connection and might lead to your mail server being placed on “black hole” lists of open mail relays. If your server is placed on such a list, other mail servers may not accept mail from your domain.
It is important to know that for a user or computer to relay e-mail messages through an Exchange 2000/2003 SMTP server, two conditions must be met:
· The user or computer must be able to gain access to the Exchange 2000/2003 server.
· The Exchange 2000/2003 server must be configured to relay e-mail messages to other domains.
If these conditions are not both met, the server does not relay e-mail messages.
How to prevent Exchange 2000/2003 server from relaying e-mail messages:
In order to prevent the Exchange 2000/2003 server from relaying e-mail messages:
1. Start Exchange System Manager.
2. Expand the organisation_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to prevent mail relay, and then expand the Protocols node.
3. Expand the SMTP node, right-click the virtual SMTP server on which you want to prevent mail relay, and then click Properties.
4. Click the Access tab, and then click Authentication.
5. Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.
6. If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000/2003 SMTP server. This setting disables inbound authentication.
7. If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000/2003 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.
8. Click Relay.
9. In the Relay Restriction dialog box, several options are available. The only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000/2003 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.
10. Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.
11. Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).
12. Click Cancel if you do not want to make any changes.
13. In the Relay Restrictions dialog box, click OK.
14. Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.
Keeping the SMTP Virtual Server’s default settings (the authentication and relay buttons) will safely protect you from relaying un-authorised messages while still enabling outside users to send e-mail to your domain.