• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Discussion for part 1 of the SMTP relay article

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> Server Publishing >> Discussion for part 1 of the SMTP relay article Page: [1]
Login
Message << Older Topic   Newer Topic >>
Discussion for part 1 of the SMTP relay article - 16.Oct.2003 8:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part 1 of the SMTP relay article at http://www.msexchange.org/articles/smtprelaypart1.html

HTH,
Tom
Post #: 1
RE: Discussion for part 1 of the SMTP relay article - 20.Oct.2003 10:31:00 PM   
dmolley

 

Posts: 45
Joined: 12.Aug.2003
Status: offline
Hey Tom! Great article(s). I have successfully installed my Exchange 2003 w/OWA.

I am awaiting your follow-up articles, particularly how to properly setup an anonymous relay. I suspect that I am relaying. I have begun recieving many messages addressed to administrator@ saying my message was not able to be delivered - and these are not messages that I knowingly sent. Also - my exchange Queues have strange entries like lycos.com or sex.com and I have not sent mail to these domains. Maybe they are recieved mail?? Anyway - checked with an "open relay tester" and it tried several different methods to get the system to relay and one of them seems to succeed.
So in your future articles or in a reply post here, can you please tell us how to test and be sure we are not relaying? And explain what those exchange queue entries are?
Thanks

(in reply to tshinder)
Post #: 2
RE: Discussion for part 1 of the SMTP relay article - 21.Oct.2003 2:27:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi D,

The messages you see telling you that a message can't be relayed indicates that the machine is not configured as an open relay. Keep in mind that the next article will focus on relays. From my point of view, you should never allow inbound SMTP connections to the Exchange Server itself from the Internet.

Good idea regarding testing. I hadn't thought about that. I'll include that kind of info in the third part of the article.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for part 1 of the SMTP relay article - 21.Oct.2003 4:34:00 AM   
dmolley

 

Posts: 45
Joined: 12.Aug.2003
Status: offline
Regarding your comment "never allow inbound SMTP connections to the exchange server".. I am short of machines and my exchange server is also my smtp server (and also my web server,DHCP, DNS (internal) and FTP server..) at least it is a dual Xeon 2.0 ghz system...

Is this a 'bad' thing to do? It is behind ISA, but should the SMTP server be separate?
I just need it for incomming mail to my exchange server.
Thanks again Tom...

(in reply to tshinder)
Post #: 4
RE: Discussion for part 1 of the SMTP relay article - 21.Oct.2003 12:56:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi D,

If you have just a single SMTP server, and that SMTP server is the Exchange Server's SMTP service, then you don't have an SMTP relay. However, you can make the ISA Server firewall an SMTP relay.

Check out the ISA Server 2000 Exchange 2000/2003 Deployment Kit. There's an article on how to do that there.

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion for part 1 of the SMTP relay article - 21.Oct.2003 10:13:00 PM   
lborowski

 

Posts: 18
Joined: 3.Oct.2003
Status: offline
Tom,

First, I think that its great you discuss the topic of open relays. This is an important topic for anyone who is a network, security or email admin. You're discussion of how to do things is great and I hope it educates folks on how to configure their SMTP relays properly.

That said, I was very disappointed in your discussion of RBLS. I don't think you present the whole picture of the role of RBLs and how they are used. While you acknowledge that open relays are bad because they can and will be abused by spammers you don't offer any alternatives to RBLs that address the misuse of open relays. You're alternative is suggest using more ethical spam filtering and that spam filtering is the endusers problem, not the problem of the person with the open relay which is something that I and many others disagree.

Now, I think it's perfectly fine to be critical of RBLs. There are many things to be critical about(questionable black listings, collateral damage, etc) but to dismiss them outright as you have done is a bit much especially when the RBL operators you are criticizing are not representative of all RBLs. I think it would a more balanced article if you talked a bit about some of the more responsible RBL operators such as the MAPs folks(http://www.mail-abuse.org) who I think are fairly responsible RBL operators and more represenative of their peers than other RBL operators.

Personally, I think that using RBLs as a sole mechanism for blocking spam is very short sighted but to not use them at all as a tool to reduce spam for the reasons you suggest is bit like biting off your nose to spite your face.

I'm sure you and I could go round and round and round debating the pros and cons of RBLs but my whole point is, painting RBLs in such a negative light and to suggest that it's mostly lazy and/or busy admins who use RBLs is misleading. You failed to mention that some of the largest ISPs(including Microsoft's Hotmail) routinely use RBLs and I'd be very hesitant to say that the admins at Hotmail are a lazy and/or too busy bunch because they use RBLs.

I hope you will consider re-writing your article in such a way that can both stay critical of the use of RBLs(I happen to think that criticism of RBLs is crucial to helping make them a responsible way of filtering spam) while not painting a misleading picture of the hows and whys various organizations use RBLs.

-Len

(in reply to tshinder)
Post #: 6
RE: Discussion for part 1 of the SMTP relay article - 23.Oct.2003 11:15:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Len,

Since you're a fellow Texan, I'll be nice [Wink]

However, I do not agree with you and won't ever agree. RBLs are unregulated and irresponsible entities that actually do more harm than the spammers themselves. If they would take legal liability for their behavior, and quickly remove hosts from their dreaded databases when they are found in error or when the situation in question is corrected, it would be fine. But I haven't found any of those.

MAPS seems to be, from what others have told me, one of the most horrendous abusers out there, so I would not take them as an example of responsible database management.

I don't think I said that the admins were lazy, although I do recall saying that they are overworked. This leads them to take a path of least resistance. That's why RBLs are so popular, because it *seems* like someone else is doing the responsible work. Unfortuantely, the faith these admins have in RBLs is totally unwarrented.

RBLs are a good example of the unintended effects of a "do gooder". No good dead goes unpunished, and the RBLs punish far, far too many innocent victims to legitimize their efforts. Hotmail may use them, but I never will. Its downright "Un-Texan" to smear an innocent man. [Smile]

Thanks!
Tom

[ October 23, 2003, 11:17 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 7
RE: Discussion for part 1 of the SMTP relay article - 31.Oct.2003 6:52:00 PM   
lborowski

 

Posts: 18
Joined: 3.Oct.2003
Status: offline
Tom,

I suppose we'll have to agree to disagree. I guess I see the irresponsibility of an incompetent admin that costs me bandwidth with his/her open relay as being more of a problem than RBLs who have allegedly make it difficult to get folks off their lists.

Btw, how did you know I was from Texas? I thought that information was private?

-Len

[ October 31, 2003, 06:52 PM: Message edited by: Lenster ]

(in reply to tshinder)
Post #: 8
RE: Discussion for part 1 of the SMTP relay article - 31.Oct.2003 11:06:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Lenster,

That's cool. I know that mine is a minority opinion and based on my personal politics.

The interface shows me the IP address of the poster. I won't divulge anymore than the State you're in. I was just tickled to see another Lone Star State citizen on the board! [Big Grin]

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: Discussion for part 1 of the SMTP relay article - 31.Oct.2003 11:32:00 PM   
lborowski

 

Posts: 18
Joined: 3.Oct.2003
Status: offline
Ah, okies, I was just curious [Smile]

Anyway, I understand where you are coming from even if I disagree!

Thanks!

-Len

(in reply to tshinder)
Post #: 10
RE: Discussion for part 1 of the SMTP relay article - 6.May2008 10:11:39 PM   
ahoover

 

Posts: 1
Joined: 6.May2008
Status: offline
Hey Tom,

I had a quick question about SMTP relays and Microsoft Exchange.

I am new to the Windows Server world, but it looks like I'll be getting more and more familiar with them, as I am going to upgrade our servers at work.

It looks like we are running Exchange 2000, on Windows Server 2000, and I am having trouble with email from work spamming out.  I know this, as most of it is getting bounced back to our secretaries email account.  I am due to wipe her PC this weekend, but I stumbled on your site, and thought I'd get your opinion.

I noticed that our SMTP Properties, under the relay access area is listed to only accept from our Wireless Router / Firewall.  I am wondering if there is any reason to do this, or should I delete this allow from the routing table for relays?

Thanks,

AH from Ohio

< Message edited by ahoover -- 7.May2008 11:45:32 AM >

(in reply to lborowski)
Post #: 11
RE: Discussion for part 1 of the SMTP relay article - 14.May2008 11:19:19 PM   
AHIT

 

Posts: 1561
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline
AH,

Your 'problem' could be deeper that that observed on the surface.
Firstly, whilst NDR;s (bounce backs) of the spam may be ending up in the secretaries account, that DOESN'T necessarily mean she sent it... or her machine.. or in fact anyone on your network. Most spam now uses 'spoofed' or "made up" from addresses in an attempt to either try and legitimise the source... or tunnel its way through mail filters are (stupidly in my opinion) accept mail "from their own domain" or whatever other reason.

As far as SMTP properties set to only relay from your router & firewall, let me ask, do you have the ISA server as edge firewall device publishing to an internal SMTP server (or IIS SMTP server installed on the ISA box) as well as an internal exchange  server? If so, the 'edge' SMTP should generally set to "only" relay for the exchange server IP address. Anything else that sends mail should do it via the exchange server which can realy as much as it wants - stuff like smtp alerts from routers etc all get sent to the Exchange box.

And then lastly, configure ISA such that access to SMTP is DENIED to internal users. outbound SMTP shgould only be permitted to your exchange box. If you run SMTP on the ISA machine as well, even exchange should be denied outbound SMTP and Exchange should be configured to forward outbound mail to a smart-host, being your ISA server with its SMTP server. In this way packet filters still allow outbound mail on the ISA machine itself.

HTH.



_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to ahoover)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> Server Publishing >> Discussion for part 1 of the SMTP relay article Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts