Microsoft Exchange and Blackberry Server Specialists

Open Relay Test

One of the worst crimes that you can commit with an Exchange server connected to the Internet is to become an open relay. An open relay accepts email from anyone, addressed to anyone, and delivers it on their behalf, which makes your server a spam source and usually gets it blacklisted.

Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test

A Telnet test involves establishing a Telnet session from a computer that is not located on the local network to the external (public) IP address of the Exchange server. You need to carry out the test from a machine at home, or from another office. Doing the test from a machine on your own network will produce misleading results, because connections from internal addresses usually match the relay list (or are authenticated) and are allowed to relay by design.

  1. Start a command prompt.
    Either click start, run and type CMD
    or Choose Command Prompt from Start, Programs, Accessories, Command Prompt
  2. Type telnet and press enter.
  3. At the Telnet prompt, type

    set localecho

    and press enter. This lets you see what you are typing, which telnet does not echo by default.
  4. Still in the telnet prompt, enter the following command and then press enter

    open external-ip 25

    where external-ip is your external IP address eg:

    open 203.0.113.10 25

    (203.0.113.10 is only a placeholder from the documentation address range; use your own public address).
     
  5. You should get a banner back similar to the following:

    220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

    If nothing comes back at all, port 25 is not reachable from where you are (a firewall, or an ISP that blocks outbound port 25) and the test tells you nothing about relaying.
     
  6. Type the following command into the telnet window:

    ehlo testdomain.com

    and press enter (note that "testdomain.com" can be anything that isn't a domain that the Exchange server is responsible for).
  7. After pressing enter you should get a response back. It is normally several lines listing the extensions the server supports (each starting "250-"), ending with

    250 OK
     
  8. Type the following command into the telnet window:

    mail from:address@testdomain.com

    and press enter (again, address@testdomain.com is an email address that is not on the Exchange server. Note the lack of space between from: and the first part of the address. The formal SMTP form is MAIL FROM:<address@testdomain.com>; Exchange accepts either).
  9. After pressing enter you should get a response back:

    250 2.1.0 address@testdomain.com....Sender OK
     
  10. Type the following command into the telnet window:

    rcpt to:address@anotherdomain.com

    and then press enter (where address@anotherdomain.com is neither an address you use internally nor the address you entered earlier as the from. Once again note the lack of space between to: and the first part of the e-mail address).
  11. After pressing enter you will get one of two responses.
    If you get

    550 5.7.1 Unable to relay for address@anotherdomain.com

    then you are relay secure. Any other 5xx rejection (for example a "relay not permitted" response from a non-Exchange front end) also means the relay was refused.
    However if you get

    250 2.1.5 address@anotherdomain.com

    then you are an open relay: the server has accepted a message from a sender it does not host, for a recipient it does not host, without any authentication. A 4xx response is a temporary refusal and is inconclusive; try again later. In either case type quit to end the session. Nothing is actually sent until a DATA command is issued, so the test itself relays no mail.
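
The same test, scripted, as an added example that is not part of the original page. It is a PowerShell function that opens the SMTP port with a raw TCP socket (Windows 7/2008 R2 and later no longer install the telnet client by default, and a script records the exact replies for you), runs the EHLO / MAIL FROM / RCPT TO dialogue above, and classifies the reply to RCPT TO. The function name, parameter names and the default test addresses are my own choices; the server address in the usage line is a placeholder from the documentation range. Run it from outside your network, as the text says, against the server's public address.

```powershell
# Added example, not from the original page: a scripted version of the telnet
# relay test. Run it from OUTSIDE your network against the server's public
# address. It stops after RCPT TO and never sends DATA, so nothing is relayed.
function Test-OpenRelay {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Server,                                 # public IP or host name of the Exchange server
        [int]    $Port = 25,
        [string] $HeloName = 'testdomain.com',            # any domain the server is NOT responsible for
        [string] $From     = 'address@testdomain.com',    # sender that does not exist on the server
        [string] $To       = 'address@anotherdomain.com', # recipient in a third, unrelated domain
        [int]    $TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"   # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # Reads one complete SMTP reply. Continuation lines look like "250-...",
    # the final line of the reply like "250 ...".
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection to $Server closed unexpectedly" }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return ,$lines
    }

    # Sends one command and returns the reply lines; -Verbose shows the dialogue.
    function Send-Command([string] $Command) {
        $writer.WriteLine($Command)
        $reply = Read-Reply
        Write-Verbose ("C: $Command`nS: " + ($reply -join "`nS: "))
        return ,$reply
    }

    try {
        $banner = Read-Reply                    # 220 ... Ready at ...
        $ehlo   = Send-Command "EHLO $HeloName" # multi-line 250, last line "250 OK"
        $mail   = Send-Command "MAIL FROM:<$From>"
        $rcpt   = Send-Command "RCPT TO:<$To>"  # this reply is the verdict
        try { Send-Command 'QUIT' | Out-Null } catch { }
    }
    finally {
        $client.Close()
    }

    # 250 = the server will relay for a foreign recipient with no authentication.
    # 5xx = relay refused. 4xx = temporary refusal, which proves nothing either way.
    $code = $rcpt[-1].Substring(0, 3)
    $verdict = switch -Regex ($code) {
        '^250'  { 'OPEN RELAY: foreign recipient accepted without authentication' }
        '^5'    { 'Relay refused (secure)' }
        default { 'Inconclusive: temporary (4xx) or unexpected reply, retry later' }
    }

    [pscustomobject]@{
        Server       = $Server
        Banner       = $banner[-1]
        EhloResponse = $ehlo[-1]
        MailResponse = $mail[-1]
        RcptResponse = $rcpt[-1]
        Verdict      = $verdict
    }
}

# Usage (203.0.113.10 is a placeholder; substitute your server's public address):
# Test-OpenRelay -Server 203.0.113.10 -Verbose
```

Run it once before and once after any configuration change. The Verdict only says whether an anonymous, unauthenticated connection can relay; a server that relays for authenticated users (step 7 of the Exchange 2003 fix below allows that) will still report "Relay refused" here, so a weak or leaked mailbox password is a separate problem that this test does not find.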

What now?

Exchange 2003

There are a number of parts of the Exchange server that can make your Exchange server an open relay. On Exchange 2003 these are the Default SMTP Virtual Server and the SMTP connectors. You need to check both to ensure that you haven't configured them wrongly and turned your machine into a spammer's target.

Default SMTP Virtual Server

To check or correct the configuration of the Default SMTP Virtual Server:

  1. Start Exchange System manager (ESM)
  2. Expand Servers, <your server>, Protocols, SMTP.
  3. Right click on "Default SMTP Virtual Server" and choose Properties.
  4. Click on the "Access" Tab.
  5. There are four buttons, click on "Relay..." at the bottom.
  6. Ensure that "Only the list below" is enabled and the list is empty. If an internal device genuinely has to relay through the server (a scanner or an application server, for example), add its IP address to this list rather than loosening the setting.
  7. If you don't have users sending email through your email server with Outlook Express or another POP3 client then you can disable "Allow all users that successfully authenticate to relay regardless of the list above".
  8. Apply/OK until all windows are closed.

SMTP Connectors

  1. Start ESM and expand Connectors.
  2. Right click on each SMTP Connector in turn and choose Properties.
  3. Click on the "Address Space" tab.
  4. If you have a "*" in the address list, check that "Allow messages to be relayed to these domains" is not enabled.
  5. Apply/OK until all windows are closed.

Once you have made the changes, repeat the telnet test above to ensure that you have closed everything.

Exchange 2007/Exchange 2010

With Exchange 2007 it is actually more difficult to turn the server into an open relay. The server can be turned into an open relay through Connectors and through the Accepted Domain configuration.

Connector Configuration

The first thing to check is that you have not enabled "Externally Secured" on the Send and Receive Connectors that are exposed to the internet. If the server can be reached from the internet then this needs to be checked.

  1. Start Exchange Management Console (EMC).
  2. Expand Server Configuration, Hub Transport.
  3. Right click on each Receive Connector and choose Properties.
  4. Click on the tab "Authentication" and ensure that the "Externally Secured (for example, with IPsec)" option hasn't been enabled. That option treats every host that connects as a trusted Exchange server, relay rights included, so on an internet-facing connector it is an open relay.
  5. If you need to change any settings, restart the Microsoft Exchange Transport Service for the change to take effect.

For Send Connectors repeat the above process, but look in Organization Configuration, Hub Transport.

If you are using an Edge server then force an Edge Sync to take place using the command "Start-EdgeSynchronization"

Accepted Domains

The other setting that can turn the server into an open relay is Accepted Domains. Ensure that you haven't set an Accepted Domain of *, which tells Exchange that every address in the world is one it should accept and deliver mail for. If you configured the Accepted Domain using the Management Console then you should have received a warning about it turning the server into an open relay.

  1. Start Exchange Management Console.
  2. Expand Organization Configuration, Hub Transport.
  3. Click on the tab "Accepted Domains" and ensure that * is not listed. If it is, remove it.
  4. Restart the Microsoft Exchange Transport Service.

If you are using an Edge server, then force an Edge Sync to take place using the command "Start-EdgeSynchronization".
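
The three Exchange 2007/2010 checks described above (Externally Secured receive connectors, anonymous relay permission granted on a connector, and a wildcard Accepted Domain) can be audited from the Exchange Management Shell instead of clicking through each connector. The following is an added example and not part of the original page: the cmdlets, property names and values are Exchange's own (in the shell the "Externally Secured" option appears as the AuthMechanism value ExternalAuthoritative), while the function name and the wording of the findings are my own.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell
# on an Exchange 2007/2010 Hub Transport or Edge server. It lists the settings the
# page describes that can turn the server into an open relay; the finding text
# is my own, the cmdlets and property values are Exchange's.
function Get-OpenRelaySettings {
    $findings = @()

    foreach ($rc in Get-ReceiveConnector) {
        # EMC "Externally Secured" is the AuthMechanism value ExternalAuthoritative.
        # It treats every connecting host as a trusted Exchange server, relay included.
        if ($rc.AuthMechanism -match 'ExternalAuthoritative') {
            $findings += [pscustomobject]@{
                Object  = $rc.Identity.ToString()
                Setting = 'AuthMechanism'
                Value   = $rc.AuthMechanism.ToString()
                Problem = 'Externally Secured receive connector'
            }
        }

        # Anonymous relay can also be granted directly in the connector's ACL:
        # ANONYMOUS LOGON holding ms-Exch-SMTP-Accept-Any-Recipient relays for anyone.
        $anyRecipient = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        if ($anyRecipient) {
            $findings += [pscustomobject]@{
                Object  = $rc.Identity.ToString()
                Setting = 'ADPermission'
                Value   = "ANONYMOUS LOGON: ms-Exch-SMTP-Accept-Any-Recipient (PermissionGroups: $($rc.PermissionGroups))"
                Problem = 'Anonymous relay permission on receive connector'
            }
        }
    }

    # A wildcard Accepted Domain makes every address "ours", so relay checks never apply.
    foreach ($ad in Get-AcceptedDomain) {
        if ($ad.DomainName.ToString() -eq '*') {
            $findings += [pscustomobject]@{
                Object  = $ad.Name
                Setting = 'AcceptedDomain'
                Value   = "$($ad.DomainName) ($($ad.DomainType))"
                Problem = 'Wildcard accepted domain'
            }
        }
    }

    return ,$findings
}

# Usage: an empty table is the result you want. If you fix anything, restart the
# transport service and, with an Edge server, run Start-EdgeSynchronization,
# then repeat the external telnet test.
Get-OpenRelaySettings | Format-Table -AutoSize
# Restart-Service MSExchangeTransport
# Start-EdgeSynchronization
```

A receive connector that is meant to relay for a specific internal application should keep the ANONYMOUS LOGON permission but be bound, on its Network tab, to that application's IP address only; the audit above will still list it, and that is the one case where the finding is acceptable.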