RE: Open Relay on exchange 2000

  • From: "Allen, Chris" <CAllen@xxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Sep 2003 14:33:26 -0400

Well, it doesn't work well in a non-enterprise setup for an enterprise
network for one. Our boss wanted to save some money and bought the standard
version, which pretty much tied our hands on a lot of things. It took us
over a year to get it configured correctly as there was scant
documentation when we started using it. (Thank God for Google.) We had
problems with the services dying but not appearing to be dead. The
services were all running, but no traffic was getting out or in. We couldn't
use the web publishing rules without setting up host files on the server
and the web servers. We had to install certificates in both the firewall
and the web servers for all of our hosted web sites.  Not to mention the
fact that web publishing rules do not pass the origination IP address to
the web servers. We had to switch all of our web rules over to server
publishing rules with custom protocols set up for HTTP. Also, there is
no scripting for remote management. You can use the ISA MMC console, but
you cannot script in standard edition from a remote machine. Most of the
issues could have been resolved with an upgrade to enterprise edition
and an array created with more than one ISA server. The concept is not a
bad one; however, firewall and proxy should probably be kept on separate
devices. I also didn't like having to restart the firewall and proxy
services every time I made a change. The new firewall we are using was
much simpler to configure, manage and is more featured. We will probably
bring ISA back up at some point as a proxy only so we can control our
internal users' accesses. I wish I had kept a log of all of our issues,
but then, no sense spamming this list with pages of bad stuff. :)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 18, 2003 2:11 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000

http://www.MSExchange.org/

Hi Chris,

Just out of curiosity, what was the problem with ISA? I host about 15
email domains, complete SMTP, POP3, IMAP3, secure OWA, and secure RPC,
SMTP spam whacking, the whole nine yards, complete inbound and outbound.
No problems at all with about 99.99% uptime. All ISA on all gateways.
I'd like to see in what kind of scenario that ISA doesn't work.

Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Thursday, September 18, 2003 12:07 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000



Yeah, it's a Fortinet firewall/av/content filter appliance. We just
switched from MSISA to this as ISA was causing us no end of grief. We
can live with this issue now that open relay is closed off. Thanks for
the inputs though. 

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx] 
Sent: Thursday, September 18, 2003 12:20 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000


Well, I just tested it via telnet and you're not an open relay now. This is
very interesting, so your firewall is actually modifying the SMTP header, so
it's more than just a firewall, right?


Mark Fugatt 
MCT, MCSE, Microsoft Exchange MVP 
Pentech Office Solutions Inc 
Tel:  585 586 3890
Cell: 585 576 4750
Fax:  585 249 0316 
www.4mcts.com 
www.exchangetrainer.com 



-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Thursday, September 18, 2003 11:56 AM
To: [ExchangeList]


No. It is set up just like in your document and in the MS documents.
This is where my dilemma comes in. I have made the requested change that I
told you about, however, and have submitted to ORDB for a retest. I will let
you know their results. All my other SMTP traffic seems to be carrying on.
Though I do have a queue of over 9000 AOL emails that can't seem to go out
now. :)

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 11:46 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000


And is the checkbox selected? 


Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel:  585 586 3890
Cell: 585 576 4750
Fax:  585 249 0316
www.4mcts.com
www.exchangetrainer.com 



-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 11:45 AM
To: [ExchangeList]


It is a *. 

-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 11:28 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000


I would find it highly unlikely that your firewall is causing the problem; I
have never seen a firewall cause Exchange to relay.

On the SMTP Connector, is the address space * and do you have the "Allow
messages to be relayed to these domains" checked? 


Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel:  585 586 3890
Cell: 585 576 4750
Fax:  585 249 0316
www.4mcts.com
www.exchangetrainer.com 



-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 11:22 AM
To: [ExchangeList]


We do, but I have verified their settings as well. It looks like possibly it
is relaying because the firewall is passing its internal address as the
sender. One suggestion was to change "only the list below" with the internal
IP range to "All except the list below" and add the internal IP of the
firewall. I will give that a shot and let you know. If this is the solution,
feel free to add it to your article.

My IT team got this information from the following:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=u9Q3TwpeDHA.1760%40TK2MSFTNGP09.phx.gbl&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dprevent%2Bopen%2Brelay%2Bexchange%2B2000%2Bbehind%2Bfirewall



-----Original Message-----
From: Mark Fugatt [mailto:mark@xxxxxxxxx]
Sent: Thursday, September 18, 2003 9:57 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Open Relay on exchange 2000


Yes, you are indeed an open relay. Unplug your Exchange server NOW, read my
article again and double-check all your settings. Do you have any SMTP
Connectors?


Mark Fugatt
MCT, MCSE, Microsoft Exchange MVP
Pentech Office Solutions Inc
Tel:  585 586 3890
Cell: 585 576 4750
Fax:  585 249 0316
www.4mcts.com
www.exchangetrainer.com 



-----Original Message-----
From: Chris Allen [mailto:callen@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 18, 2003 9:40 AM
To: [ExchangeList]


I have read the article on
http://www.msexchange.org/pages/article.asp?id=54 and Microsoft's knowledge
base articles (310380, 314734, and 304897) and verified through each of
these that my Exchange server is not set up as an open relay.
However, ORDB.org ran a test on it and lists it as such. When I found out
about this, I attempted to send an open relay message from outside my
network and was also able to do it. Any advice on how to stop open relay
beyond what was published in these articles? We put in a new firewall two
days ago (also the same day the site was submitted to ORDB) but I am not
sure how a firewall would open relaying when Exchange has it turned off.
Any advice would be appreciated. Thanks in advance.

Chris Allen
Systems Administrator

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
mark@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
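
Editor's added example, not part of any message in the thread and not Exchange's own logic: a small Python model of an IP-based relay grant list, showing why a firewall that presents its internal address as the sender makes an "only the list below" internal range grant relay to Internet clients, and what the "All except the list below" workaround depends on. All addresses, names and the `mode` values are constructed for illustration.

```python
import ipaddress

# Constructed addresses for illustration; none come from the thread.
FIREWALL_INSIDE = ipaddress.ip_address("192.168.1.1")   # firewall's LAN-side IP
OUTSIDE_CLIENT = ipaddress.ip_address("203.0.113.25")   # Internet host
INSIDE_CLIENT = ipaddress.ip_address("192.168.1.50")    # LAN workstation
INTERNAL_RANGE = ["192.168.1.0/24"]


def seen_by_server(client_ip, through_firewall, firewall_rewrites_source):
    """Peer address the mail server sees for a connection."""
    if through_firewall and firewall_rewrites_source:
        return FIREWALL_INSIDE          # true origin is hidden from the server
    return client_ip


def relay_granted(peer_ip, mode, entries):
    """Hypothetical model of a relay grant list keyed on the peer address.

    mode "only": grant relay to peers matching an entry.
    mode "all_except": grant relay to every peer NOT matching an entry.
    """
    listed = any(peer_ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return listed if mode == "only" else not listed


def audit(mode, entries, firewall_rewrites_source):
    """Relay decision for an Internet client (via firewall) and a LAN client."""
    outside = seen_by_server(OUTSIDE_CLIENT, True, firewall_rewrites_source)
    inside = seen_by_server(INSIDE_CLIENT, False, firewall_rewrites_source)
    return {
        "internet_client": relay_granted(outside, mode, entries),
        "lan_client": relay_granted(inside, mode, entries),
    }


if __name__ == "__main__":
    fw = [str(FIREWALL_INSIDE)]
    # Intended setup: source address preserved, internal range only.
    print("only/internal, no rewrite :", audit("only", INTERNAL_RANGE, False))
    # Firewall rewrites the source: Internet clients look internal.
    print("only/internal, rewrite    :", audit("only", INTERNAL_RANGE, True))
    # Suggested workaround: everyone except the firewall's inside address.
    print("all_except/fw, rewrite    :", audit("all_except", fw, True))
    # Same setting if the source address is ever preserved again.
    print("all_except/fw, no rewrite :", audit("all_except", fw, False))
```

In this model the workaround closes the relay only while every Internet connection reaches the server with the firewall's inside address; retest from outside after any firewall change.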



