How to disable authenticated SMTP in MS Exchange 2003

SEE: http://support.zen.co.uk/kb/Knowledgebase/How-to-disable-authenticated-SMTP-in-MS-Exchange-2003?Keywords=server where this Article is Originally Published. Full credit for original authorship of this knowledge base Article goes to whoever published it at that URL. All copyrights remain with the original author. This article will be immediately removed from here on notice from support.zen.co.uk.

Aim of this article:

This article provides instructions on disabling authenticated delivery of e-mail over the SMTP protocol to a Microsoft Exchange 2003 Server, in order to prevent your server from being used as a relay for fraudulent e-mail.

Background

Out of the box, MS Exchange 2003 is not an open relay, but it can be used as a relay if the spammer has usernames and passwords for users on your network. This authenticated relay is the most common way that spammers get MS Exchange to send their junk.
In an ideal world this would not be a problem, because users would have complex passwords that cannot be guessed by brute force (repeatedly attempting to log in with possible passwords until a valid one is found). However, users will choose a password that is as easy to remember as they can, which makes brute-force password guessing very effective.
By disabling authentication for clients that are not on the office network, spam cannot be sent through the Exchange server even if a network password is known, although other services exposed to the Internet (Remote Desktop, for example) may still be exploited.
Note: most smartphones do not use SMTP for sending and receiving e-mail, so disabling authenticated SMTP in this way should not affect remote employees who use their phones to access e-mail.

Accessing Virtual SMTP server Properties

On the Exchange server, open Server Management, then in the left-hand tree view expand the following:
Advanced Management > Domainname (Exchange) > Servers > ServerName > Protocols > SMTP
Right-click the Default SMTP Virtual Server and select Properties.

Select the Access tab at the top, and then click the button named Relay.

The Relay Restrictions window should open. By default, the checkbox under the Add button is ticked. This “Allow all computers…” checkbox is what allows someone with a valid password to send mail through your server from anywhere on the Internet. Un-tick this box.
Next, click the button named Users…

Ensure that Authenticated Users has only Submit Permission ticked.
Selecting Relay Permission here will override removing the tick from the previous window.
To finish, click OK until all the properties boxes are closed.

End of Article = = = = = = =

MY COMMENTARY:

I am not sure whether it is necessary or advisable to grant relay access to the localhost at 127.0.0.1 or to the local IP bound to the network interface of the 2k3 Exchange server. In other words, if your Exchange server is located at 192.168.2.2, for example, it might not be wise to grant that either. It is, however, important to grant access to the Exchange SMTP relay from any perimeter smart host that you may use to forward email to your Exchange server on your LAN.

FURTHER COMMENTARY IF YOU USE A SMART HOST OUTSIDE THE EXCHANGE LAN PERIMETER:

The smart host might have several separate email boxes:

user1 @ myDomain.com
smart host configured to keep a copy of each message received, and redirect each message to user1 @ ExchangeServer.MyDomain.com

On the other hand, you may merely set the smart host to receive all mail for MyDomain.com and forward it to ExchangeServer.MyDomain.com, where the Exchange server will sort the mail by account and deliver it to the appropriate mailbox accounts.

Configure the MX records of both the perimeter smart host and the exchange server with the appropriate priorities.  The following, for example, will ensure that attempted delivery will be made first to the smart host (standard priority 10) and, if the smart host is offline, then secondary delivery will be made directly to the exchange server (priority 12).

smtp.smarthost.somedomain.com.  MX 10
smtp.exchangeserver.MyDomain.com MX 12

Q — Will shutting off relay to anyone other than the smart host and the local.lan prevent reception of internet mail destined for delivery (secondary priority) on the local 2k3 exchange server?
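
A simplified model of how the relay settings described above combine (the computers list, the “Allow all computers…” checkbox and the Relay Permission under Users…), added here as an illustration; it is not code from the original article or from Exchange. It assumes that mail addressed to a domain the server hosts is local delivery rather than relaying; the IP addresses, the account jsmith and the names RelayPolicy, decide and report are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:
    local_domains: set                                   # domains delivered to local mailboxes
    relay_networks: list = field(default_factory=list)   # computers added on Relay Restrictions
    allow_all_authenticated: bool = True                 # the "Allow all computers..." checkbox
    users_with_relay: set = field(default_factory=set)   # Relay Permission under Users...

def decide(policy, client_ip, rcpt, auth_user=None):
    """Return (accepted, reason) for one recipient on one SMTP connection."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return True, "local delivery"            # assumption: inbound mail is not a relay
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.relay_networks):
        return True, "relay: listed computer"
    if auth_user and policy.allow_all_authenticated:
        return True, "relay: authenticated, checkbox ticked"
    if auth_user and auth_user.lower() in policy.users_with_relay:
        return True, "relay: user has Relay Permission"
    return False, "relay denied"

# Constructed values: documentation IP ranges, hypothetical account "jsmith".
SMART_HOST, INTERNET = "203.0.113.25", "198.51.100.7"
DEFAULT = RelayPolicy(local_domains={"mydomain.com"})
HARDENED = RelayPolicy(local_domains={"mydomain.com"},
                       relay_networks=[SMART_HOST + "/32"],
                       allow_all_authenticated=False)
OVERRIDDEN = RelayPolicy(local_domains={"mydomain.com"},
                         allow_all_authenticated=False,
                         users_with_relay={"jsmith"})

def report(policy):
    """Evaluate the four cases the article and commentary raise."""
    return {
        "guessed password, outbound spam": decide(policy, INTERNET, "x@example.net", "jsmith"),
        "smart host forwarding outward": decide(policy, SMART_HOST, "x@example.net"),
        "anonymous inbound via secondary MX": decide(policy, INTERNET, "user1@MyDomain.com"),
        "anonymous relay attempt": decide(policy, INTERNET, "x@example.net"),
    }

if __name__ == "__main__":
    for name, policy in [("default", DEFAULT), ("hardened", HARDENED), ("overridden", OVERRIDDEN)]:
        for case, (ok, why) in report(policy).items():
            print(f"{name:10} {case:36} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Under the stated assumption, the hardened policy rejects the guessed-password case while still accepting anonymous inbound mail for the local domain, and the OVERRIDDEN policy shows how a ticked Relay Permission reopens the hole.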
