Hey Tom! Great article(s). I have successfully installed my Exchange 2003 w/OWA.
I am awaiting your follow-up articles, particularly how to properly setup an anonymous relay. I suspect that I am relaying. I have begun recieving many messages addressed to administrator@ saying my message was not able to be delivered - and these are not messages that I knowingly sent. Also - my exchange Queues have strange entries like lycos.com or sex.com and I have not sent mail to these domains. Maybe they are recieved mail?? Anyway - checked with an "open relay tester" and it tried several different methods to get the system to relay and one of them seems to succeed. So in your future articles or in a reply post here, can you please tell us how to test and be sure we are not relaying? And explain what those exchange queue entries are? Thanks
The messages you see telling you that a message can't be relayed indicates that the machine is not configured as an open relay. Keep in mind that the next article will focus on relays. From my point of view, you should never allow inbound SMTP connections to the Exchange Server itself from the Internet.
Good idea regarding testing. I hadn't thought about that. I'll include that kind of info in the third part of the article.
Regarding your comment "never allow inbound SMTP connections to the exchange server".. I am short of machines and my exchange server is also my smtp server (and also my web server,DHCP, DNS (internal) and FTP server..) at least it is a dual Xeon 2.0 ghz system...
Is this a 'bad' thing to do? It is behind ISA, but should the SMTP server be separate? I just need it for incomming mail to my exchange server. Thanks again Tom...
First, I think that its great you discuss the topic of open relays. This is an important topic for anyone who is a network, security or email admin. You're discussion of how to do things is great and I hope it educates folks on how to configure their SMTP relays properly.
That said, I was very disappointed in your discussion of RBLS. I don't think you present the whole picture of the role of RBLs and how they are used. While you acknowledge that open relays are bad because they can and will be abused by spammers you don't offer any alternatives to RBLs that address the misuse of open relays. You're alternative is suggest using more ethical spam filtering and that spam filtering is the endusers problem, not the problem of the person with the open relay which is something that I and many others disagree.
Now, I think it's perfectly fine to be critical of RBLs. There are many things to be critical about(questionable black listings, collateral damage, etc) but to dismiss them outright as you have done is a bit much especially when the RBL operators you are criticizing are not representative of all RBLs. I think it would a more balanced article if you talked a bit about some of the more responsible RBL operators such as the MAPs folks(http://www.mail-abuse.org) who I think are fairly responsible RBL operators and more represenative of their peers than other RBL operators.
Personally, I think that using RBLs as a sole mechanism for blocking spam is very short sighted but to not use them at all as a tool to reduce spam for the reasons you suggest is bit like biting off your nose to spite your face.
I'm sure you and I could go round and round and round debating the pros and cons of RBLs but my whole point is, painting RBLs in such a negative light and to suggest that it's mostly lazy and/or busy admins who use RBLs is misleading. You failed to mention that some of the largest ISPs(including Microsoft's Hotmail) routinely use RBLs and I'd be very hesitant to say that the admins at Hotmail are a lazy and/or too busy bunch because they use RBLs.
I hope you will consider re-writing your article in such a way that can both stay critical of the use of RBLs(I happen to think that criticism of RBLs is crucial to helping make them a responsible way of filtering spam) while not painting a misleading picture of the hows and whys various organizations use RBLs.
However, I do not agree with you and won't ever agree. RBLs are unregulated and irresponsible entities that actually do more harm than the spammers themselves. If they would take legal liability for their behavior, and quickly remove hosts from their dreaded databases when they are found in error or when the situation in question is corrected, it would be fine. But I haven't found any of those.
MAPS seems to be, from what others have told me, one of the most horrendous abusers out there, so I would not take them as an example of responsible database management.
I don't think I said that the admins were lazy, although I do recall saying that they are overworked. This leads them to take a path of least resistance. That's why RBLs are so popular, because it *seems* like someone else is doing the responsible work. Unfortuantely, the faith these admins have in RBLs is totally unwarrented.
RBLs are a good example of the unintended effects of a "do gooder". No good dead goes unpunished, and the RBLs punish far, far too many innocent victims to legitimize their efforts. Hotmail may use them, but I never will. Its downright "Un-Texan" to smear an innocent man.
I suppose we'll have to agree to disagree. I guess I see the irresponsibility of an incompetent admin that costs me bandwidth with his/her open relay as being more of a problem than RBLs who have allegedly make it difficult to get folks off their lists.
Btw, how did you know I was from Texas? I thought that information was private?
I had a quick question about SMTP relays and Microsoft Exchange.
I am new to the Windows Server world, but it looks like I'll be getting more and more familiar with them, as I am going to upgrade our servers at work.
It looks like we are running Exchange 2000, on Windows Server 2000, and I am having trouble with email from work spamming out. I know this, as most of it is getting bounced back to our secretaries email account. I am due to wipe her PC this weekend, but I stumbled on your site, and thought I'd get your opinion.
I noticed that our SMTP Properties, under the relay access area is listed to only accept from our Wireless Router / Firewall. I am wondering if there is any reason to do this, or should I delete this allow from the routing table for relays?
AH from Ohio
< Message edited by ahoover -- 7.May2008 11:45:32 AM >
From: Sydney, Australia
Your 'problem' could be deeper that that observed on the surface. Firstly, whilst NDR;s (bounce backs) of the spam may be ending up in the secretaries account, that DOESN'T necessarily mean she sent it... or her machine.. or in fact anyone on your network. Most spam now uses 'spoofed' or "made up" from addresses in an attempt to either try and legitimise the source... or tunnel its way through mail filters are (stupidly in my opinion) accept mail "from their own domain" or whatever other reason.
As far as SMTP properties set to only relay from your router & firewall, let me ask, do you have the ISA server as edge firewall device publishing to an internal SMTP server (or IIS SMTP server installed on the ISA box) as well as an internal exchange server? If so, the 'edge' SMTP should generally set to "only" relay for the exchange server IP address. Anything else that sends mail should do it via the exchange server which can realy as much as it wants - stuff like smtp alerts from routers etc all get sent to the Exchange box.
And then lastly, configure ISA such that access to SMTP is DENIED to internal users. outbound SMTP shgould only be permitted to your exchange box. If you run SMTP on the ISA machine as well, even exchange should be denied outbound SMTP and Exchange should be configured to forward outbound mail to a smart-host, being your ISA server with its SMTP server. In this way packet filters still allow outbound mail on the ISA machine itself.