RE: Relaying question

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Sat, 27 Sep 2003 15:24:49 -0500

Hi Chris,

Are you using the machine for inbound and outbound relay?  Do you need to allow 
external users to use this SMTP server for outbound relay? 

If you were using an IIS 5/6 SMTP server, you could require a client 
certificate before the connection request is accepted. It's unlikely the 
scumbags would have a client certificate. Anonymous relay would only be allowed 
for the remote domains, which comprise the domains you want to allow inbound 
relay to the Exchange Server.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 
________________________________________
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 2:54 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question

http://www.MSExchange.org/
The firewall is, I believe, store and forward. It passes the internal IP as the 
originator on all SMTP traffic. I believe this is due to Natting, but shutting 
relay off to it did the trick as far as closing the open relay. The bluestelnn 
gang is pounding us with several thousand relay requests though in an attempt 
to find a user that they can authenticate and use.  We have blocked their 
netblocks though and have stopped the attack, but I want to be prepared for the 
next gang that tries it. I am forcing password changes on everyone, enforcing 
stricter passwords and possibly turning off the authenticated user override of 
the relay rule. I am hoping this will work without breaking our processes, but 
I guess only a test will tell. Thanks for the inputs.
 
-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx] 
Sent: Friday, September 26, 2003 3:15 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
 
Last I checked, yes.  You can specify by ip address as I recall. I'm not near a 
machine to say exactly which setting path that's down but take a look.
 
One issue you need to be aware of is the relay vs. the accept mail.  You want 
to be able to accept mail inbound but not relay to everywhere on the internet.  
Understood.  You want internal users' machines to be able to relay so as long 
as they have a particular addr block then you should be able to manage that.  
That won't prevent address spoofing, but it might be done at the firewall 
instead.  
 
As for your firewall being allowed, is your firewall passing the conversation 
through or is it store-and-forward (running an SMTP daemon of sorts)?
 
Al
-----Original Message-----
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 2:10 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
We actually need it for internal and external smtp traffic, but only internal 
relaying. One of our customers has us send email on their behalf from their 
domain but relayed from ours. We need that capability to continue, however, the 
ones we have the problem with are the external entities that are relaying 
through us maliciously. We are not an open relay site, yet they still get in 
relay by smtp/auth. Is there any way to close the door to pass-through relaying 
while leaving it open to outbound only and only a specific set of IPs 
regardless of whether they are authenticated or not?
 
-----Original Message-----
From: Golden, James [mailto:jgolden@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 1:52 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying question
 
If you are using Exchange for internal email only you can turn off relaying. 
The way we have it set up is our Exchange box doesn't relay at all. If it is 
going outbound then we put all that SMTP traffic to an MTA (we use sendmail on a 
Linux box). Our MTA only accepts SMTP traffic from our Exchange server, the 
firewall and a few specific servers for applications that need to send out 
SMTP. On top of that, at our firewall level we only allow SMTP to and from the 
Linux box and no other SMTP traffic is allowed through. We don't have any 
problems with relaying now that we have this system fully implemented. 

I noticed that you said there are some custom apps... In this instance you can 
set up the sendmail server to accept SMTP traffic from the firewall, and 
whatever the other machines are and that's it.  This will then deny any other 
SMTP traffic in your internal network.  That should fish them out, so to 
speak.  This will also get around Exchange's authenticated relays.

Hope this helps. 
James 
"Risk more than others think is safe. Care more than others think is wise. 
Dream more than others think is practical. Expect more than others think is 
possible."
-----Original Message----- 
From: Allen, Chris [mailto:CAllen@xxxxxxxxxxxxxxxx] 
Sent: Friday, September 26, 2003 8:34 AM 
To: [ExchangeList] 
Subject: [exchangelist] Relaying question  
  
  
Per SpamCop and SpamHaus, "Spammers are taking advantage of weak passwords on 
systems using smtp/auth and brute force finding name/password combinations that 
work and then sending spam thru these servers. There are various characteristic 
footprints for this and one of them is the use of a "from" address of the 
format bluestallnn@some legit ISP and the "nn" iterates in each successive spam.

bluestelllf@xxxxxxx 
bluestellpg@xxxxxxxxxxx 
bluestelluf@xxxxxxxxx " 

My question is this, if I uncheck "Allow all computers 
which successfully authenticate to relay, regardless of the list above", will 
this effectively stop brute force attacks on weak passwords as far as exchange 
is concerned and what will this break?

I am also taking measures by blocking their entire block 
of IPs. The ranges are as follows: 

211.158.32.0/20 
211.158.48.0/21 
211.158.80.0/20 
219.153.144.0/20 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: 
callen@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
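
The relay decision discussed in this thread, modelled as an added example (not code from any poster and not Exchange's own logic): it compares the "authenticated computers may relay regardless of the list" override on and off, and shows the effect of listing a NAT/store-and-forward firewall as an allowed relay source. All addresses, domains and names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset   # domains this server accepts mail for
    relay_networks: tuple      # source networks allowed to relay
    auth_override: bool        # authenticated clients may relay regardless of the list

def decide(policy, client_ip, authenticated, rcpt):
    """Return 'accept-local', 'relay' or 'reject' for one RCPT TO."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return "accept-local"          # inbound mail is not relaying
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.relay_networks):
        return "relay"
    if authenticated and policy.auth_override:
        return "relay"                 # one guessed password is enough here
    return "reject"

LOCAL = frozenset({"example.com"})
APP_NET = "10.1.0.0/16"       # constructed: internal application servers
FIREWALL = "10.0.0.1/32"      # constructed: firewall that NATs inbound SMTP

POLICIES = {
    "override_on": RelayPolicy(LOCAL, (APP_NET,), True),
    "override_off": RelayPolicy(LOCAL, (APP_NET,), False),
    "firewall_listed": RelayPolicy(LOCAL, (APP_NET, FIREWALL), False),
}

# Constructed connections: (label, source IP as the server sees it, authenticated, recipient)
SCENARIOS = [
    ("inbound mail from Internet", "203.0.113.7", False, "user@example.com"),
    ("internal app sending out", "10.1.2.3", False, "customer@example.net"),
    ("external host with guessed password", "203.0.113.7", True, "victim@example.net"),
    ("roaming employee, authenticated", "198.51.100.20", True, "partner@example.net"),
    ("external host seen via firewall NAT", "10.0.0.1", False, "victim@example.net"),
]

def compare():
    """Map each scenario label to {policy name: decision}."""
    return {
        label: {name: decide(p, ip, auth, rcpt) for name, p in POLICIES.items()}
        for label, ip, auth, rcpt in SCENARIOS
    }

if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:38} {row}")
```

In this model, turning the override off removes the payoff of a guessed password but also rejects the authenticated roaming user, and it does nothing about the login attempts themselves.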