IIS and SMTP - SMTP Relay

Ron Hinds

2007-06-27, 1:21 am

Is it possible to set up the SMTP server to allow inbound connections from
any machine for messages to my domain, but only allow outbound messages from
computers that successfully authenticate (via Windows username/password)? I
don't seem to see a way to make this happen; it looks like if I enable
anonymous access (required for inbound to my domain) then set the Allow
computers to relay that successfully authenticate then what I am doing is
creating an open relay - not what I wanted! Going to search MS but hopefully
someone here can shorten that process ;-)



Sanford Whiteman

2007-06-27, 1:21 am

> Is it possible to set up the SMTP server to allow inbound connections
> from any machine for messages to my domain, but only allow outbound
> messages from computers that successfully authenticate (via Windows
> username/password)?


Of course!

I have posted quite extensively on related matters in just the past 2
weeks. Take a look at those messages and post back with follow-up
questions.

> ...it looks like if I enable anonymous access (required for inbound
> to my domain) then set the Allow computers to relay that
> successfully authenticate then what I am doing is creating an open
> relay...


Briefly: no, not at all. If the unknown public is going to be allowed
to connect to your VS (as it is your published MX), you have to allow
anonymous connections. Those are not authenticated connections, and it
doesn't mean you're letting them relay. Indeed, the settings you have
described are what you want in those areas -- but you may have
*additional* settings added to those that make your server more open
(what makes you think it is open, anyway?).

--Sandy
Ron Hinds

2007-06-27, 7:22 am

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tukfpwcj6c17zw@gw02.broadleaf.local...
>
> Of course!
>
> I have posted quite extensively on related matters in just the past 2
> weeks. Take a look at those messages and post back with follow-up
> questions.


Thanks, I'll look for those.


>
> Briefly: no, not at all. If the unknown public is going to be allowed
> to connect to your VS (as it is your published MX), you have to allow
> anonymous connections. Those are not authenticated connections, and it
> doesn't mean you're letting them relay. Indeed, the settings you have
> described are what you want in those areas -- but you may have
> *additional* settings added to those that make your server more open
> (what makes you think it is open, anyway?).
>
> --Sandy


Because there were thousands and thousands of messages in my Queue folder
that I obviously didn't place there. I'm going to look at your other posts
but briefly this is how I had the VS set:

Under Access | Authentication, I had both Anonymous and Windows Integrated
checked.

Under Relay Restrictions, I had Only the list below, and Allow computers
that authenticate regardless of the list below. At least I think that is
what I had; now I'm not sure ;-(.


Ron Hinds

2007-06-27, 7:22 am

"Sanford Whiteman" <swhitemanlistens-software@cypressintegrated.com> wrote
in message news:op.tukfpwcj6c17zw@gw02.broadleaf.local...
>
> Of course!
>
> I have posted quite extensively on related matters in just the past 2
> weeks. Take a look at those messages and post back with follow-up
> questions.
>
>
> Briefly: no, not at all. If the unknown public is going to be allowed
> to connect to your VS (as it is your published MX), you have to allow
> anonymous connections. Those are not authenticated connections, and it
> doesn't mean you're letting them relay. Indeed, the settings you have
> described are what you want in those areas -- but you may have
> *additional* settings added to those that make your server more open
> (what makes you think it is open, anyway?).
>
> --Sandy


OK - I read through your replies to the earlier poster re: setting up W2K3.
I think where I made a mistake was in leaving the first setting in Relay
Restrictions at the default of All but the list below - which was blank! Now
that I've changed it I'm not relaying a massive flood of SPAM anymore -
thanks Sandy! An interesting side note is they keep trying - when I look at
connections I see anywhere from 2 to 6 at a time - all beginning with
125.110 - hopefully they will give up soon.


Sanford Whiteman

2007-06-27, 1:21 pm

> I think where I made a mistake was in leaving the first setting in
> Relay Restrictions at the default of All but the list below - which
> was blank!


Yep! That'll open things up.

> Now that I've changed it I'm not relaying a massive flood of SPAM
> anymore - thanks Sandy! An interesting side note is they keep trying
> - when I look at connections I see anywhere from 2 to 6 at a time -
> all beginning with 125.110 - hopefully they will give up soon.


They'll eventually age your server out as a known-vulnerable target,
but, make no mistake, they'll try relaying through it again. Memories
are short. Just keep yourself protected and you'll be fine.

--Sandy
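
Added example (not part of the original thread, and not Microsoft's code): a simplified model of the relay decision discussed above, showing why "All but the list below" with a blank list yields an open relay while "Only the list below" with a blank list still accepts anonymous inbound mail and authenticated relay. The field names, the evaluation order and the probe addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class RelayConfig:
    # Hypothetical field names mirroring the dialog options named in the thread.
    anonymous_access: bool        # Access | Authentication: Anonymous
    mode: str                     # "only_list" or "all_except" (Relay Restrictions)
    ip_list: tuple                # CIDR strings in "the list below"
    relay_if_authenticated: bool  # "Allow computers that authenticate ..."

def may_connect(cfg, authenticated):
    """Inbound mail for the local domain only needs a permitted connection."""
    return authenticated or cfg.anonymous_access

def may_relay(cfg, client_ip, authenticated):
    """Would a message addressed to a non-local domain be accepted?"""
    if not may_connect(cfg, authenticated):
        return False
    if authenticated and cfg.relay_if_authenticated:
        return True
    addr = ip_address(client_ip)
    listed = any(addr in ip_network(net) for net in cfg.ip_list)
    return listed if cfg.mode == "only_list" else not listed

# Constructed probe addresses from the RFC 5737 documentation ranges.
PROBES = ("203.0.113.7", "198.51.100.20")

def is_open_relay(cfg):
    """Open relay: some anonymous client at an arbitrary address may relay."""
    return any(may_relay(cfg, ip, authenticated=False) for ip in PROBES)

# The setting the thread identifies as the mistake: "All but the list below", blank list.
MISTAKEN = RelayConfig(True, "all_except", (), True)
# The corrected setting: "Only the list below", blank list, authenticated relay allowed.
CORRECTED = RelayConfig(True, "only_list", (), True)

if __name__ == "__main__":
    for name, cfg in (("mistaken", MISTAKEN), ("corrected", CORRECTED)):
        print(name, "open relay:", is_open_relay(cfg),
              "| anonymous inbound:", may_connect(cfg, False),
              "| authenticated relay:", may_relay(cfg, "203.0.113.7", True))
```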

Copyright 2003 - 2008 webservertalk.com