Exchange 2003: Virtual smtp server, wan side, auth possible for local domain only?
David Lightman Robles 2004-04-11, 3:37 pm
Is there any way in Exchange 2003 to prevent remote SMTP servers from connecting
to my own server forging addresses from my own domain?
Let's suppose I have mydomain.com up and running. I keep on receiving emails
claiming to come from nonexistentaddress@mydomain.com. Can Exchange refuse
to accept emails from the outside when the MAIL FROM command issues an
invalid mailbox in my local domain? I know Exchange cannot check the
validity of foreign email addresses, but when the email claims to be from my
own domain it should do that check (in my opinion). The problem is even
worse when the incoming email claims to come from a valid user in the
domain. Anyone can send emails within my domain from/to <->
existent/nonexistent e-mail addresses (4 combinations in total*) without
having to authenticate. In this case (when not authenticated), the incoming
email address is not resolved to the full name of the user in my domain and
the sender appears as an email address instead of a full user name. However,
this slight difference is quite difficult for my users to understand, and
frequently they forget it and come and ask me why they received such a
message.
* We have 4 possibilities:
from nonexistent -> to nonexistent
from nonexistent -> to existent
from existent -> to nonexistent
from existent -> to existent
Whatever the case, I think Exchange should not allow any user from my own
domain to send any kind of email without authenticating first.
220 mydomain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at
Thu, 25 Mar 2004 11:49:23 +0100
EHLO whatever.com
250-mydomain.com Hello [XX.XX.XX.XX]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
MAIL FROM:<unexistant@mydomain.com>
250 2.1.0 unexistant@mydomain.com....Sender OK
RCPT TO:<validaddress@mydomain.com>
250 2.1.5 validaddress@mydomain.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>
hello this is a test.
.
250 2.6.0 <MESSAGEID@mydomain.com> Queued mail for delivery
QUIT
221 2.0.0 mydomain.com Service closing transmission channel
I cannot force AUTH on the WAN SMTP virtual server because if I did so, I
could not receive incoming emails from the outside. However, if the
incoming email claims to come from a user in my domain, I think Exchange
should force that connection to be AUTH'ed since in that case, the
authentication could and should successfully be done (or at least, I would
like Exchange to behave that way).
Is it possible? Are there any security concerns about setting Exchange up this
way that I have not considered? Thanks in advance.
Matt Kuzior [MSFT] 2004-04-12, 3:37 pm
Exchange cannot be configured through the UI to treat incoming mail in the
manner described. The one security concern is that some bulletin boards and
mailers will "spoof" the sender address so that the item appears to
originate from the person who posts. Theoretically you would block those
messages. Personally, I feel that these mailers should use the Reply-To
fields and reserve From addresses for the originating domain.
Caller-Id should indirectly resolve this problem because the spoofed mail
would have originated from another server than your own and would be
detectable. However, it will not be available until the next version of
Exchange.
Until then, if you would like to create that functionality you can do so by
authoring a custom Transport Sink and registering it on your SMTP
bridgeheads.
One way to do this is to create a VB dll much like the Disclaimer Sink
described in:
http://support.microsoft.com/defaul...kb;en-us;317327
You will need to customize the behavior to check for the problem senders and
then discard the message with the following code:
    ' Envelope fields of the message currently passing through the sink
    Set Flds = Msg.EnvelopeFields
    ' Mark the message so the transport drops it instead of delivering it
    Flds("http://schemas.microsoft.com/cdo/smtpenvelope/messagestatus") = cdoStatusAbortDelivery
    Flds.Update
    ' Tell the event dispatcher not to run any further sinks for this message
    EventStatus = cdoSkipRemainingSinks
Keep in mind that you need to carefully test this sink before deploying
because you do not want to risk losing legitimate mail. If you prefer a C++
solution you can find information at http://msdn.microsoft.com; look for
Platform SDK: "CDO for Windows 2000" and "Microsoft Exchange SDK".
--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
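The decision the sink above would have to make (sender claims a local domain, session is not authenticated, peer is not a known list server, so abort delivery), written out as an added example in plain Python rather than the VB/CDO sink itself; it is not code from the thread. The local domain is the thread's mydomain.com; the trusted-relay allowlist, the peer IPs and the short transcript are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"mydomain.com"}        # domains whose senders must authenticate
# Constructed allowlist: peers (e.g. a mailing-list server) that legitimately
# send "From: <local user>" without authenticating. Matt's caveat in the reply.
TRUSTED_RELAYS = {"192.0.2.10"}


@dataclass
class Envelope:
    peer_ip: Optional[str]
    authenticated: bool
    mail_from: Optional[str]


def sender_domain(addr: Optional[str]) -> Optional[str]:
    """Domain part of a MAIL FROM argument; None for the null sender '<>'."""
    if addr is None:
        return None
    m = re.fullmatch(r"<?([^<>@\s]+)@([^<>@\s]+)>?", addr.strip())
    return m.group(2).lower() if m else None


def should_abort(env: Envelope) -> bool:
    """Rule the thread asks for: a local-domain sender over an unauthenticated,
    untrusted connection is discarded (cdoStatusAbortDelivery in the sink)."""
    dom = sender_domain(env.mail_from)
    if dom is None or dom not in LOCAL_DOMAINS:
        return False            # foreign sender or bounce: leave to other checks
    if env.authenticated or env.peer_ip in TRUSTED_RELAYS:
        return False
    return True


def parse_session(transcript: str) -> Envelope:
    """Pull peer IP, AUTH outcome and MAIL FROM out of an SMTP transcript."""
    peer_ip, authed, mail_from = None, False, None
    for line in transcript.splitlines():
        m = re.search(r"Hello \[([0-9.]+)\]", line)
        if m:
            peer_ip = m.group(1)
        if line.startswith("235 "):     # 235 = authentication succeeded
            authed = True
        m = re.match(r"MAIL FROM:\s*(\S+)", line, re.I)
        if m:
            mail_from = m.group(1)
    return Envelope(peer_ip, authed, mail_from)


# Constructed transcript shaped like the one in the question (no AUTH step).
SESSION = """250-mydomain.com Hello [203.0.113.5]
MAIL FROM:<unexistant@mydomain.com>
250 2.1.0 unexistant@mydomain.com....Sender OK
"""
```

Running `should_abort(parse_session(SESSION))` reproduces the forged-sender case from the question; the same function accepts the message once the session carries a 235 AUTH reply or comes from an allowlisted relay.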