Exchange Server Compatibility Information

    Exchange Server Version    Compatibility
    5.5*                       No
    2000                       Yes
    2003                       Yes
    2007                       Maybe

    * May Adapt

Are you an Open Relay?

Author: Simon Butler, Exchange MVP, MCSE
Last Page Review: 07/02/2007

One of the worst crimes that you can commit with an Exchange server connected to the Internet is to become an open relay. This allows anyone to send email to anyone else through your server.

Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test

A Telnet test involves establishing a Telnet session from a computer that is not located on the local network to the external (public) IP address of the Exchange server. You need to carry out the test from a machine at home, or from another office. Doing the test from a machine on your own network will produce useless results.

  1. Start a command prompt.
    Either click start, run and type CMD
    or Choose Command Prompt from Start, Programs, Accessories, Command Prompt
  2. Type "telnet" (minus quotes) and press enter.
  3. At the Telnet prompt, type

    set localecho

    and press enter. This lets you see what is going on.
  4. Still in the telnet prompt, enter the following command and then press enter

    open external-ip 25

    where external-ip is your external IP address eg:

    open 111.222.333.444 25
     
  5. You should get a response back similar to the following:

    220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at
     
  6. Type the following command in to the telnet window:

    ehlo testdomain.com

    and press enter (note "testdomain.com" can be anything that isn't a domain that the Exchange server is responsible for).
  7. After pressing enter you should get a response back

    250 OK
     
  8. Type the following command in to the telnet window:

    mail from:address@testdomain.com

    and press enter (again where address@testdomain.com is an email address that is not on the Exchange server. Note the lack of space between from and the first part of the address).
  9. After pressing enter you should get a response back:

    250 2.1.0 address@testdomain.com....Sender OK
     
  10. Type the following command in to the telnet window:

    rcpt to:address@anotherdomain.com

    and then press enter (where address@anotherdomain.com is neither an address you use internally nor the address you entered earlier as the from. Once again note the lack of space between to and the first part of the e-mail address).
  11. After pressing enter you will get one of two responses.
    If you get

    550 5.7.1 Unable to relay for address@anotherdomain.com

    then you are relay secure.
    However if you get

    250 2.1.5 address@anotherdomain.com
     
    Then you are an open relay.
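
The same test, scripted with Python's smtplib so that it can be repeated after each configuration change (an added example, not part of the original article). The addresses are the placeholders from the steps above, the "inconclusive" outcome for any other reply is an assumption added here, and the script stops after RCPT TO without issuing DATA, so no message is sent. As with the Telnet test, run it from a machine outside your own network.

```python
import smtplib

# Placeholder addresses from the Telnet steps; neither may belong to a
# domain that the Exchange server under test is responsible for.
SENDER = "address@testdomain.com"
RECIPIENT = "address@anotherdomain.com"


def classify(rcpt_code):
    """Map the reply code for RCPT TO onto the outcomes of step 11."""
    if 200 <= rcpt_code < 300:
        return "open relay"        # e.g. 250 2.1.5 address@anotherdomain.com
    if 500 <= rcpt_code < 600:
        return "relay secure"      # e.g. 550 5.7.1 Unable to relay
    return "inconclusive"          # assumption: 4xx or anything unexpected


def check_relay(host, port=25, timeout=15):
    """Run EHLO, MAIL FROM and RCPT TO against host.

    Returns (verdict, reply_code, reply_text). DATA is never sent, and the
    transaction is reset before the connection is closed.
    """
    with smtplib.SMTP(host, port, local_hostname="testdomain.com",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        code, text = smtp.mail(SENDER)
        if code != 250:
            # Sender refused: the relay question was never reached.
            return "inconclusive", code, text.decode(errors="replace")
        code, text = smtp.rcpt(RECIPIENT)
        smtp.rset()
        return classify(code), code, text.decode(errors="replace")


if __name__ == "__main__":
    import sys
    # Usage: python relay_check.py <external IP of your own server>
    print(check_relay(sys.argv[1]))
```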

What now?

There are two parts of Exchange that can make your Exchange server an open relay: the Default SMTP Virtual Server and SMTP connectors. You need to check both to ensure that you haven't configured them wrongly and turned your machine into a spammer's target.

Default SMTP Virtual Server

To check or correct the configuration of the Default SMTP Virtual Server:

  1. Start Exchange System Manager (ESM)
  2. Expand Servers, <your server>, Protocols, SMTP.
  3. Right click on "Default SMTP Virtual Server" and choose Properties.
  4. Click on the "Access" Tab.
  5. There are four buttons, click on "Relay..." at the bottom.
  6. Ensure that "Only the list below" is enabled and the list is empty.
  7. If you don't have users sending email through your email server with Outlook Express or another POP3 client then you can disable "Allow all users that successfully authenticate to relay regardless of the list above".
  8. Apply/OK until all windows are closed.

SMTP Connectors

  1. Start ESM, Connectors.
  2. Right click on each SMTP Connector in turn and choose Properties.
  3. Click on the "Address Space" tab.
  4. If you have a "*" in the address list, check that "Allow messages to be relayed to these domains" is not enabled.
  5. Apply/OK until all windows are closed.

Once you have made the changes, repeat the telnet test above to ensure that you have closed everything.

Last Page Update:
07/02/2007
