NO IT DOESN'T. They are not an open relay!
What are you seeing that makes you think you are an open relay?
From an email posted to the sbs2k Yahoo Group by Charles Anthe, Microsoft SBS
Program Manager, on 2/5/04:
"SBS 2003 is not an open relay by default, or after any run of CEICW. We
have done extensive security testing to verify that the default SMTP
relay settings are secure by default. The defaults after the run of
CEICW are to allow relay for:
External WAN IP
Internal LAN IP subnet
Any authenticated user
These defaults are different than Exchange 2003 Server defaults (which
allow no IPs, because Exchange does not have knowledge of the local
network in the same way SBS does, and so requires a higher level of
administration expertise, which is why you see dedicated Exchange admins
in large companies).
Localhost is added because otherwise sometimes items such as the
monitoring report and other server-originating mails do not send
correctly (the SMTP settings for healthmon default to “localhost”). The
external WAN IP is added in case the routing table routes other mails
from the server as coming “from” the WAN IP (not likely but we have seen
this behavior in testing from time to time when the priority of the
network cards gets mixed up). Any authenticated user is to enable remote
users using POP3 or IMAP who need to send mail directly to the server,
and is perfectly secure as long as no one guesses one of your
username/password pairs (so stop using “password” :) )
Can you remove item 1 and still have 100% functionality? Probably. We
added it because it did not increase the security risk of becoming a
spam relay and solved corner case problems with mail that we found in
Can you remove item 2 and still have 100% functionality? Doubtful. We
found that removing this often caused problems with e-mail alerts and
Can you remove item 3 and still have 100% functionality? Doubtful –
while in theory all of your users will authenticate from Outlook to the
server, I think you risk a lot of functional problems that you’ll end up
having to figure out.
Can you remove item 4 and still have 100% functionality? Sure – as long
as you don’t have remote users trying to send mail directly through SMTP
(such as POP3/IMAP users) and you leave item 3 in the list.
For this entire list, we performed extensive testing to make sure this
was the minimum set we can provide that ensures that all e-mail is sent
correctly that should be, while maintaining the integrity of the server.
These settings are not vulnerable to IP spoofing attempts, as far as we
can tell. If you find that your SBS server is being used as an open
relay, my first suspicion would be that someone has found a
username/password pair to authenticate to your server. In this case,
your first step would be to uncheck the “allow authenticated users”, but
you should also identify the user in question, because they also have
access to OWA, RWW, and VPN, all of which would allow them to send mail
and still be within the other SMTP relay restrictions."
> I have done several Exchange 2003 installations and have now also done
> two SBS 2003 installations. I am confused as to why the default Exchange
> settings in SBS allow the server to be an open relay, while the Exchange
> 2003 (stand-alone product) settings do not??? The following article in
> the MS KB describes how to clear up your mail queues after experiencing
> the effects of your server open relaying:
> fix is to set your server back to the defaults - which were actually the
> cause of the open relay in the first place!!
> The settings in question are in the properties of the Default SMTP
> Virtual Server, on the Access tab and then the Relay button. The default
> settings in SBS 2003 have two IP addresses listed in the "Only the list
> below..." dialog box - the localhost address and the IP address/es of
> the network card/s. THIS SETTING ALLOWS OPEN RELAYS!!!
> I can't understand how Microsoft missed this in their testing? I also
> can't understand how Microsoft think that this should be the default in
> SBS whereas the stand-alone Exchange 2003 has NO addresses listed as
> being able to relay.
> Hopefully somebody will enlighten me...
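To make the relay rules in the quoted email concrete, here is a small model of the RCPT TO decision an SMTP virtual server makes, written as an added example (not code from the post, Microsoft, or SBS). The LAN subnet, WAN IP and hosted domains are constructed placeholder values; the point it shows is that accepting mail for your own domains is not relaying, that the four SBS defaults only let listed IPs or authenticated sessions relay, and that a guessed username/password is what turns item 4 into a relay path.

```python
import ipaddress

# Constructed stand-in values for a hypothetical SBS 2003 box (not from the post).
LAN_SUBNET = "192.168.16.0/24"                     # internal LAN subnet (item 2)
WAN_IP = "203.0.113.10"                            # external WAN IP (item 3)
LOCAL_DOMAINS = {"example.local", "example.com"}   # domains this server hosts


def sbs_default_relay_list():
    """Post-CEICW relay IP list as described above: localhost, WAN IP, LAN subnet."""
    return [ipaddress.ip_network(n) for n in ("127.0.0.1/32", WAN_IP + "/32", LAN_SUBNET)]


def relay_decision(client_ip, rcpt_domain, authenticated=False,
                   relay_list=None, allow_authenticated=True):
    """Decide RCPT TO for one recipient: 'accept', 'relay' or 'deny'.

    Accepting mail for a domain the server hosts is inbound delivery, not
    relaying, so it is always allowed. Forwarding to a foreign domain is
    relaying: allowed for listed IPs, or (item 4) for an authenticated session
    when the 'allow authenticated users' box is ticked.
    """
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "accept"
    networks = sbs_default_relay_list() if relay_list is None else relay_list
    if any(ipaddress.ip_address(client_ip) in net for net in networks):
        return "relay"
    if authenticated and allow_authenticated:
        return "relay"
    return "deny"


def is_open_relay(relay_list=None, allow_authenticated=True):
    """Open relay means an unauthenticated, unlisted Internet host can relay."""
    return relay_decision("198.51.100.77", "elsewhere.example",
                          relay_list=relay_list,
                          allow_authenticated=allow_authenticated) == "relay"


def compromised_account_relays(allow_authenticated=True):
    """The scenario in the e-mail: a guessed username/password lets an outside
    host relay; unticking 'allow authenticated users' closes that path."""
    return relay_decision("198.51.100.77", "elsewhere.example", authenticated=True,
                          allow_authenticated=allow_authenticated) == "relay"


if __name__ == "__main__":
    print("SBS defaults open relay?", is_open_relay())                          # False
    print("Exchange 2003 empty list, LAN client:",
          relay_decision("192.168.16.20", "elsewhere.example", relay_list=[]))  # deny
    print("Guessed credential relays?", compromised_account_relays())           # True
```

If a real server returns "relay" where this model says "deny" (an unauthenticated outside client sending to a foreign domain), the relay list or authentication setting has been changed from these defaults, or an account is being used, exactly as the email suggests.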