Prevent open relays on Exchange Server

Takeaway: Open relays on corporate networks are a contributing factor to the volume of unsolicited e-mail currently flying around the Internet—and the presence of such relays is often unbeknownst to the owners of those networks. Are your e-mail servers vulnerable to mail relaying? In this edition of Security Solutions, Mike Mullins tells you how to determine if they are.

Open mail relays—e-mail servers that allow third-party transmission of messages—are a significant contributing factor to the volume of unsolicited e-mail currently flying around the Internet. Spammers send millions of junk e-mail messages daily, and open mail relays make the process easier.

However, most companies are unaware that spammers are taking advantage of the organization's e-mail servers for such nefarious purposes. Depending on the version of Exchange Server your organization runs and how its SMTP virtual server is configured, you might be vulnerable to mail relaying. Let's look at how you can find out.

Defining the problem

Mail relaying occurs when e-mail sent from one server is routed to an intermediate e-mail server, which then delivers it to the recipient's e-mail server. An open relay is a server that performs this service for anyone: it accepts a message from any sender, addressed to any recipient, without authentication and without checking that either end belongs to one of its own domains. There are, in fact, legitimate uses for a mail relay.

For example, you might have an e-mail server that serves as your Internet bridgehead server. That server receives e-mail from the Internet and distributes it to a cluster of internal e-mail servers; it relays, but only for your own domains.

However, spammers who want to disguise the point of origin of their spam will route their junk e-mail through an open relay to confuse the recipient. The message then arrives from a legitimate organization's server, which can easily dupe users (and some filters) into thinking it is worthy of attention, and it is the relaying organization's IP address that ends up on spam blocklists when the abuse is noticed.

Checking your vulnerability

You can check your organization's Exchange servers to determine whether they're vulnerable to mail relay. Do so from a workstation outside the company's network: an internal machine is usually on the server's relay allow list, so a test from the inside shows nothing about what an outsider can do.

To check your servers, you need to know the fully qualified domain name (FQDN) for your e-mail server. If you don't know the FQDN, you can find it rather easily. Follow these steps:

  1. Go to Start | Run, type cmd, and click OK.
  2. At the command prompt, type nslookup, and press [Enter].
  3. Type set type=mx, and press [Enter].
  4. Type the domain name of your organization (e.g., techrepublic.com).

The results show one line per MX record, each with a preference value (lower is tried first) and the host name of the mail exchanger. For an Exchange organization that is normally the Internet-facing Exchange server, or the gateway or relay that sits in front of it; test whichever host the MX record names.

To determine whether your Exchange servers are vulnerable to open relays, follow these steps:

  1. Go to Start | Run, type telnet, and click OK.
  2. At the Telnet command prompt, type set localecho, and press [Enter].
  3. Type open <name.of.exchange.server> 25, replacing <name.of.exchange.server> with the FQDN of the Exchange server. 25 signifies the port you want to connect to. (TCP/IP port 25 is for SMTP.)

Your telnet console should return a banner that looks something like the following. (The version number will vary with the version of Exchange Server you run.)

220 <name.of.exchange.server> Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at <date> -0500

  4. Next, type ehlo <anotherdomain.com>, replacing <anotherdomain.com> with any domain except your own, and press [Enter].

This will return several lines of output (the extensions the server supports), and the last line of the result should be:

250 OK

  5. Type mail from:<youremailaddress@anotherdomain.com>, replacing youremailaddress@anotherdomain.com with a valid e-mail address in a domain other than your own, and press [Enter].

This will return more output, and the last line of the result should say:

250 2.1.0 youremailaddress@anotherdomain.com...Sender OK

  6. Type rcpt to:hacker@spammail.com, and press [Enter].

If you see the following result, the server has accepted a recipient in a domain it is not responsible for, from a sender it did not authenticate: you have an open relay and need to take action.

250 2.1.5 hacker@spammail.com

A correctly configured server rejects the recipient instead, with a reply such as 550 5.7.1 Unable to relay for hacker@spammail.com. With the address above, stop here and type quit; do not go on to data, or the test message will actually be sent to a stranger. Because a few servers accept the recipient but reject or discard the message at the data stage, a definitive test uses an external mailbox you control as the recipient, completes the message with data and a one-line body, and checks whether it arrives.
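The exchange in steps 4 through 6, scripted, as an added example that is not part of the original article: it connects on port 25, runs EHLO, MAIL FROM and RCPT TO, classifies the RCPT TO reply, and resets the session before DATA so nothing is delivered. The domain and addresses are the article's placeholders; the two transcripts are constructed to look like Exchange 2003 replies and are not real captures, and probe_relay is the only function that touches the network.

```python
"""Open-relay probe: the EHLO / MAIL FROM / RCPT TO exchange, scripted.

Added example; it is not part of the original article. It sends no message
body: the session is reset and closed after the RCPT TO reply.
"""
import io
import socket

# Test values mirror the article; all three are placeholders, not real addresses.
HELO_DOMAIN = "anotherdomain.com"
SENDER = "youremailaddress@anotherdomain.com"
RECIPIENT = "hacker@spammail.com"


def read_reply(rfile):
    """Read one SMTP reply, including multi-line ones ('250-...' then '250 ...').

    Returns (code, [text lines]). Raises ValueError on a malformed reply.
    """
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ValueError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        if code is None:
            code = int(line[:3])
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # a space (or bare code) ends the reply
            return code, lines


def send(wfile, rfile, command):
    """Write one command line and return the server's reply code and text."""
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def run_probe(rfile, wfile, helo=HELO_DOMAIN, sender=SENDER, recipient=RECIPIENT):
    """Drive the relay test over already-open file objects; return a result dict."""
    banner_code, banner = read_reply(rfile)
    if banner_code != 220:
        return {"verdict": "no-smtp", "banner": banner, "rcpt_code": None}
    for command, ok_code in (("EHLO " + helo, 250),
                             ("MAIL FROM:<%s>" % sender, 250)):
        code, text = send(wfile, rfile, command)
        if code != ok_code:
            return {"verdict": "inconclusive", "banner": banner,
                    "failed": command, "rcpt_code": None, "detail": text}
    rcpt_code, rcpt_text = send(wfile, rfile, "RCPT TO:<%s>" % recipient)
    # Never go on to DATA: accepting RCPT TO for a foreign domain is the finding.
    for cmd in ("RSET", "QUIT"):
        try:
            send(wfile, rfile, cmd)
        except (ValueError, OSError):
            break
    if rcpt_code == 250:
        verdict = "open-relay"          # e.g. "250 2.1.5 hacker@spammail.com"
    elif rcpt_code in (550, 553, 554):
        verdict = "relay-denied"        # e.g. "550 5.7.1 Unable to relay for ..."
    elif 400 <= rcpt_code < 500:
        verdict = "inconclusive"        # greylisting or temporary failure; retry later
    else:
        verdict = "unexpected"
    return {"verdict": verdict, "banner": banner,
            "rcpt_code": rcpt_code, "detail": rcpt_text}


def probe_relay(host, port=25, timeout=15, **kw):
    """Connect to a real server (run this from OUTSIDE the corporate network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return run_probe(rfile, wfile, **kw)


def replay(transcript):
    """Run the probe against a canned server transcript (constructed, offline)."""
    return run_probe(io.BytesIO(transcript), io.BytesIO())


# Constructed transcripts in the shape of Exchange 2003 replies (not real captures).
OPEN_RELAY = (
    b"220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 "
    b"ready at Fri, 7 Apr 2006 10:00:00 -0500\r\n"
    b"250-mail.example.com Hello [203.0.113.5]\r\n250-SIZE\r\n250 OK\r\n"
    b"250 2.1.0 youremailaddress@anotherdomain.com....Sender OK\r\n"
    b"250 2.1.5 hacker@spammail.com\r\n"
    b"250 2.0.0 Resetting\r\n"
    b"221 2.0.0 mail.example.com Service closing transmission channel\r\n"
)
CLOSED_RELAY = OPEN_RELAY.replace(
    b"250 2.1.5 hacker@spammail.com\r\n",
    b"550 5.7.1 Unable to relay for hacker@spammail.com\r\n")

if __name__ == "__main__":
    import sys
    print(probe_relay(sys.argv[1]) if len(sys.argv) > 1 else replay(OPEN_RELAY))
```

Run it as python relay_probe.py mail.example.com from a host outside the network. The verdict strings map to the replies described above; a 4xx on RCPT TO means greylisting or a temporary failure, so retry later rather than recording a pass.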

Stopping the relay

If you discover that your organization has an open relay, you need to stop it. To stop open relaying on the Default SMTP Virtual Server, follow these steps:

  1. Go to Start | All Programs | Microsoft Exchange | Exchange System Manager.
  2. Expand Servers, expand <Servername> (the name of your Exchange server), expand Protocols, and expand SMTP.
  3. Right-click Default SMTP Virtual Server, and select Properties.
  4. On the Access tab, click the Relay button at the bottom.
  5. Select the Only The List Below option, and remove any entries in the list that aren't part of your business network.
  6. Select the Allow All Computers Which Successfully Authenticate To Relay, Regardless Of The List Above check box.
  7. Close all dialog boxes.

Your Exchange server will now relay only for authenticated clients and for the addresses you have specifically listed. Repeat the telnet test from outside the network to confirm that the rcpt to step now returns 550 5.7.1 Unable to relay.
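The decision the Relay dialog configures, written out as code so the settings in steps 5 and 6 can be reasoned about before they are changed. This is an added example, not Exchange's own code and not part of the original article; the local domain, the relay-list entries and the client addresses are placeholders.

```python
"""Relay policy of the Access | Relay dialog, as code, plus an audit of the list.

Added example for illustration; it is not Exchange's code and not part of the
original article. The networks, domains and addresses are placeholders.
"""
import ipaddress

# Domains this server accepts mail FOR. Delivering to them is inbound mail, not relaying.
LOCAL_DOMAINS = {"example.com"}
# Entries in the relay list, as typed into the dialog (single addresses or networks).
RELAY_LIST = ["10.0.0.0/8", "192.168.1.0/24", "127.0.0.1"]


def relay_decision(client_ip, authenticated, recipient, mode="only",
                   entries=RELAY_LIST, auth_relays=True, local_domains=LOCAL_DOMAINS):
    """Return the (code, text) reply that RCPT TO gets under the chosen relay settings.

    mode="only"   -> "Only the list below": relay for listed addresses only.
    mode="except" -> "All except the list below": relay for everyone NOT listed.
    auth_relays   -> the "Allow all computers which successfully authenticate" box.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain in local_domains:                       # mail for us is always accepted
        return 250, "2.1.5 %s" % recipient
    if authenticated and auth_relays:
        return 250, "2.1.5 %s" % recipient
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    if (mode == "only" and listed) or (mode == "except" and not listed):
        return 250, "2.1.5 %s" % recipient
    return 550, "5.7.1 Unable to relay for %s" % recipient


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_relay_settings(mode, entries):
    """List the settings that let outsiders relay: what step 5 tells you to remove."""
    findings = []
    if mode == "except":
        findings.append("'All except the list below' relays for every unlisted host")
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        if net.prefixlen == 0:
            findings.append("%s matches every address: that is an open relay" % net)
        elif net.is_loopback:
            continue                                  # 127.0.0.1: the server itself
        elif not any(r.version == net.version and net.subnet_of(r) for r in RFC1918):
            findings.append("%s is outside private address space; confirm it is yours" % net)
    return findings


if __name__ == "__main__":
    # An outsider, unauthenticated, relaying to a foreign domain: refused.
    print(relay_decision("203.0.113.5", False, "hacker@spammail.com"))
    # The weak setting: "All except the list below" with an empty list is an open relay.
    print(relay_decision("203.0.113.5", False, "hacker@spammail.com", mode="except", entries=[]))
    print(audit_relay_settings("only", ["0.0.0.0/0"]))
```

Two points the dialog does not make obvious: mail addressed to your own domains is accepted regardless of the list (that is inbound delivery, not relaying), and with the authenticate box checked any valid mailbox credential is a relay credential.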

Final thoughts

Exchange Server 2003 disables open relaying by default, and unless someone has made major changes to the SMTP virtual server's configuration, an Exchange server you inherited should have it disabled as well. Remember that the authenticate option turns every mailbox password into a relay credential: a spammer who guesses or phishes one account can relay through a server that passes the test above, so weak passwords and unusual outbound volume deserve the same attention as the relay list.

However, if you suspect that your server is vulnerable to mail relaying, it's worth checking out. Make sure your organization is part of the security solution—and not part of the problem.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
