The settings in question are in the properties of the Default SMTP
Virtual Server, on the Access tab and then the Relay button. The default
settings in SBS 2003 have two IP addresses listed in the "Only the list
below..." dialog box - the localhost address and the IP address/es of
the network card/s. THIS SETTING ALLOWS OPEN RELAYS!!!
I can't understand how Microsoft missed this in their testing. I also
can't understand how Microsoft think that this should be the default in
SBS whereas the stand-alone Exchange 2003 has NO addresses listed as
being able to relay.
Hopefully somebody will enlighten me...
Stuart.
What are you seeing that makes you think you are an open relay?
From email posted to sbs2k Yahoo Group by Charles Anthe, Microsoft SBS
Program Manager on 2/5/04
"SBS 2003 is not an open relay by default, or after any run of CEICW. We
have done extensive security testing to verify that the default SMTP
relay settings are secure by default. The defaults after the run of
CEICW are to allow relay for:
1. External WAN IP
2. Localhost (127.0.0.1)
3. Internal LAN IP subnet
4. Any authenticated user
These defaults are different than Exchange 2003 Server defaults (which
allow no IPs, because Exchange does not have knowledge of the local
network in the same way SBS does, and so requires a higher level of
administration expertise, which is why you see dedicated Exchange admins
in large companies).
Localhost is added because otherwise sometimes items such as the
monitoring report and other server-originating mails do not send
correctly (the SMTP settings for healthmon default to “localhost”). The
external WAN IP is added in case the routing table routes other mails
from the server as coming “from” the WAN IP (not likely but we have seen
this behavior in testing from time to time when the priority of the
network cards get mixed up). Any authenticated user is to enable remote
users using POP3 or IMAP who need to send mail directly to the server,
and is perfectly secure as long as no one guesses one of your
username/password pairs (so stop using “password” :) )
Can you remove item 1 and still have 100% functionality? Probably. We
added it because it did not increase the security risk of becoming a
spam relay and solved corner case problems with mail that we found in
testing.
Can you remove item 2 and still have 100% functionality? Doubtful. We
found that removing this often caused problems with e-mail alerts and
monitoring reports.
Can you remove item 3 and still have 100% functionality? Doubtful –
while in theory all of your users will authenticate from Outlook to the
server, I think you risk a lot of functional problems that you’ll end up
having to figure out.
Can you remove item 4 and still have 100% functionality? Sure – as long
as you don’t have remote users trying to send mail directly through SMTP
(such as POP3/IMAP users) and you leave item 3 in the list.
For this entire list, we performed extensive testing to make sure this
was the minimum set we can provide that ensures that all e-mail is sent
correctly that should be, while maintaining the integrity of the server.
These settings are not vulnerable to IP spoofing attempts, as far as we
can tell. If you find that your SBS server is being used as an open
relay, my first suspicion would be that someone has found a
username/password pair to authenticate to your server. In this case,
your first step would be to uncheck the “allow authenticated users”, but
you should also identify the user in question, because they also have
access to OWA, RWW, and VPN, all of which would allow them to send mail
and still be within the other SMTP relay restrictions."
StuartM wrote:
I hear you loud and clear - and I had actually read the above article
before posting, BUT please do not tell me that by default SBS 2003 is
not an open relay because I KNOW that it is! I installed it at a
client's site a few weeks back and after the server had been up for just
over a day, I had tens of thousands of spam in the queues. I followed
the steps in KB article 324958 to test for open relay from a remote IP
address (my home broadband connection) and I COULD relay off the server.
I then compared the settings in SBS to a stand-alone version of Exchange
2003 and I removed the IP addresses listed in "Only the list below". Once
I did this, I tested it again and I was unable to relay.
Last Friday I ran one of the wizards (I think it was the internet and
email wizard) so that I could create a certificate for the server and
allow access from the web to OWA. On the Monday afterwards I checked the
queues because the server was slow, and again I had tens of thousands
of junk emails in the queues. I checked the relay settings, and the
wizard must have put those addresses back in the "Only the list below"
box, because the server had been open to relaying again!
These are the facts (not just my opinion), can you explain to me how you
can say that it is not an open relay when I have experienced it twice?
From newsgroup postings, it seems like I am not the only one to
experience this either.
Stuart.
StuartM wrote:
I have checked that spammers are not using a username and password to
log on to the server first. These are the steps I followed to test for
open relay: (taken from KB article 324958)
From the remote client, follow these steps:
1. Click Start, click Run, type telnet, and then click OK.
2. At the Telnet command prompt, type set local_echo, and then press
ENTER.
3. At the Telnet command prompt, type open sbs-IP-address 25, and
then press ENTER (where sbs-IP-address is the external public IP address
of the Small Business Server computer).
The output is similar to the following:
220 server.smallbusiness.local Microsoft ESMTP MAIL Service,
Version: 5.0.2195.4905 ready at "date" -0500
Note: The "Version" reference may vary, depending on the version
of Small Business Server.
4. Type ehlo anydomain.com, and then press ENTER (where anydomain is
not the Small Business Server computer's e-mail domain). Make sure that
the last line is:
250 OK
5. Type mail from:your...@anydomain.com, and then press ENTER
(where youremail@anydomain is an SMTP address that is not hosted on the
Small Business Server computer). Make sure that the result is:
250 2.1.0 your...@anydomain.com....Sender OK
6. Type rcpt to:us...@spam.com, and then press ENTER (where user@spam
is not your e-mail domain). Make sure that the result is one of the
following two responses:
550 5.7.1 Unable to relay for us...@spam.com
-or-
250 2.1.5 us...@spam.com
7. If the result is "550 5.7.1 Unable to relay for us...@spam.com,"
the Exchange server is not an open SMTP relay. If you previously
configured Exchange Server to block open SMTP relaying and you want to
clean up the Exchange server, go to the "Clean Up the Exchange Server's
SMTP Queues" section of this article.
8. If the result is "250 2.1.5 us...@spam.com," the Exchange server
is an open SMTP relay. Go to the "Configure the Exchange Server to Block
Open SMTP Relaying" section of this article.
The end result I received with the default settings of SBS 2003 was:
"250 2.1.5 us...@spam.com," which means that the server was an open relay!
Stuart.
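The KB 324958 probe from the steps above, driven by a script instead of typed into telnet, as an added example that is not part of this thread or of the KB article. It assumes the host you point it at is your own SBS server (the host, port and the example.net/example.org addresses are placeholders), stops at RCPT TO and sends RSET/QUIT so no message is ever queued, and the canned transcripts are constructed to mirror the two outcomes the article lists.

```python
import io, socket

def read_reply(rfile):
    """Return the code of one SMTP reply, skipping "250-" continuation lines."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
            return int(line[:3])

def relay_test(sock, helo_domain, mail_from, rcpt_to):
    """KB 324958 exchange: stop at RCPT TO, then RSET/QUIT so nothing is queued."""
    rfile = sock.makefile("rb")
    if read_reply(rfile) != 220:                 # greeting banner
        return "unknown"
    for cmd in ("EHLO " + helo_domain, "MAIL FROM:<%s>" % mail_from):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        if read_reply(rfile) != 250:
            return "unknown"
    sock.sendall(("RCPT TO:<%s>\r\n" % rcpt_to).encode("ascii"))
    code = read_reply(rfile)
    sock.sendall(b"RSET\r\nQUIT\r\n")            # abort: never send DATA
    if code == 250:
        return "open"                            # foreign recipient accepted
    return "closed" if code in (550, 553, 554) else "unknown"

def check_server(host, port=25, helo="example.net",
                 mail_from="tester@example.net", rcpt_to="user@example.org"):
    """Run the self-test against your own server's public address (placeholders)."""
    with socket.create_connection((host, port), timeout=20) as sock:
        return relay_test(sock, helo, mail_from, rcpt_to)

class ScriptedSocket:   # constructed stand-in that replays canned replies offline
    def __init__(self, replies):
        self.rfile, self.sent = io.BytesIO("".join(replies).encode("ascii")), []
    makefile = lambda self, mode: self.rfile
    sendall = lambda self, data: self.sent.append(data)

# Constructed transcripts modelled on the expected output quoted from the KB article.
SBS_DEFAULT = ["220 server.smallbusiness.local Microsoft ESMTP MAIL Service ready\r\n",
               "250-server.smallbusiness.local Hello\r\n", "250 OK\r\n",
               "250 2.1.0 tester@example.net....Sender OK\r\n",
               "250 2.1.5 user@example.org\r\n"]
HARDENED = SBS_DEFAULT[:-1] + ["550 5.7.1 Unable to relay for user@example.org\r\n"]

def demo(transcript):
    sock = ScriptedSocket(transcript)
    return relay_test(sock, "example.net", "tester@example.net", "user@example.org"), sock.sent
```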
"StuartM" <super...@liamtoh.com> wrote in message
news:erAKDbA8...@TK2MSFTNGP09.phx.gbl...
> >> default settings in SBS 2003 have two IP addresses listed in the "Only
> >> the list below..." dialog box - the localhost address and the IP
> >> address/es of the network card/s. THIS SETTING ALLOWS OPEN RELAYS!!!
Yes, that's right. ICW sets these IPs. Our server was used as a relay for 2
days - I'm just cleaning up the whole mess here. After removing these IPs
(we use Outlook as Exchange-client only) everything was fine again.
Chris
Stuart.
StuartM wrote:
Both of you ping me offline with your external ip addresses.
Chris Dolar wrote:
Here's a slant on things for you Susan.
Whilst experimenting with ISA's SMTP filtering
1. I set Exchange SMTP to listen only on the internal IP
2. Published the SMTP service to the external IP using ISA's secure mail
server wizard.
SMTP logs then resolved all connections as 127.0.0.1, plus the usually fake
domain name.
Now, if I have 'allow relay' for 127.0.0.1, and ISA is providing 127.0.0.1
as the connection IP, would that not fool the SMTP server into relaying for
any connection?
I wasn't happy with the lack of logging details so reverted back to the
default CEICW settings.
Regards,
ahl
> Both of you ping me offline with your external ip addresses.
thx, but no need to. Our server is reconfigured and no longer relaying.
I did a test via ORDB which was negative, and my SMTP queues have been clean since
yesterday.
Chris