Question for Sandy Regarding Connections

    Question for Sandy Regarding Connections  
Curious_2k3




 
08-01-07 06:21 PM

Good Morning,

I have recently configured a new Windows Server 2003 IIS 6.0 SMTP Server. I
am not using Exchange, just SMTP. Everything is working fine, I can send
emails to our SharePoint 3 enabled document library internally as well as
from an external source.

I have relaying restricted except for allowable domains, IP's etc.

When I look at the SMTP Connections I can see 50-57 connections established
at any given time, without them relaying through my server. Are they
"acknowledging our presence" as a MX source? If not, what do they represent.

Thank you in advance.










    Re: Question for Sandy Regarding Connections  
Sanford Whiteman




 
08-02-07 12:18 AM

> When I look at the SMTP Connections I can see 50-57 connections
> established at any given time, without them relaying through my
> server. Are they "acknowledging our presence" as a MX source? If
> not, what do they represent.

Without looking at your logs, couldn't say which of these connections
are legit and which suspect. Do your logs show attempts to harvest
local usernames (sessions that end after a list of RCPT TOs to users @
your local domains) and/or attempts to relay (sessions that have RCPT
TOs @ remote, non-relay domains) with any frequency? Both will create
connections with no resulting message and so may seem gratuitous
relative to the size of your queue.

There's no such thing as an "acknowledgement" or "heartbeat"
connection from remote servers. Inbound connections are either
currently attempting to send data to you, or have finished sending
data and are pending closure by the TCP/IP stack. Note that because of
the second factor, depending on what utility you're using to get
connection stats, you may appear to have more inbound connections than
are actually active. On very high-traffic servers, the
half-closed/time_wait connections are found in correspondingly high
numbers and can suck up resources.

The closest one might find in your logs to an innocent
"acknowledgement" session is a sender address verification (SAV)
callback. Remote servers that use SAV will poke back into your MX to
ensure that a sender address exists. Frustratingly -- unless you do
log correlation to find the outbound connection that prompted the SAV
callback -- these connections look like one-off directory harvesting
attacks. [Reading the fine print can also help you tell them apart:
for example, SAV callbacks may use sender addresses like
"postmaster.sav.callback@example.com" to give you a visual cue.]

--Sandy
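
The session types described in the reply above can be separated mechanically once the log is grouped by session. The following is an added example, not part of the original post or of any tool named in this thread. It assumes a simplified, constructed record layout (epoch seconds, session id, client IP, verb, argument, reply code) rather than the raw IIS log format, and the domain names, thresholds and function names are hypothetical.

```python
LOCAL_DOMAINS = {"corp.example"}  # assumption: domains this server accepts mail for
HARVEST_MIN_RCPTS = 3             # assumption: how many RCPT TOs count as "a list"
SAV_WINDOW = 120                  # assumption: max seconds from our outbound mail to a callback
# Constructed inbound records: epoch seconds, session id, client IP, verb, argument, reply code
INBOUND = """\
1000 s1 198.51.100.7 MAIL <a@sender.example> 250
1001 s1 198.51.100.7 RCPT <docs@corp.example> 250
1002 s1 198.51.100.7 DATA - 354
1100 s2 203.0.113.9 MAIL <x@spam.example> 250
1101 s2 203.0.113.9 RCPT <adam@corp.example> 550
1102 s2 203.0.113.9 RCPT <alice@corp.example> 550
1103 s2 203.0.113.9 RCPT <bob@corp.example> 550
1200 s3 203.0.113.44 MAIL <y@spam.example> 250
1201 s3 203.0.113.44 RCPT <victim@elsewhere.example> 550
1300 s4 192.0.2.25 MAIL <postmaster.sav.callback@partner.example> 250
1301 s4 192.0.2.25 RCPT <reports@corp.example> 250
"""
# Constructed outbound records: (epoch seconds, sender address our server used)
OUTBOUND = [(1290, "reports@corp.example")]

def parse(text):
    """Group records by session: start time, RCPT addresses, whether DATA was accepted."""
    sessions = {}
    for line in text.splitlines():
        ts, sid, _ip, verb, arg, code = line.split()
        s = sessions.setdefault(sid, {"start": int(ts), "rcpts": [], "data": False})
        if verb == "RCPT":
            s["rcpts"].append(arg.strip("<>").lower())
        elif verb == "DATA":
            s["data"] = code == "354"
    return sessions

def classify(s, outbound=OUTBOUND):
    """Label one session using the distinctions drawn in the reply above."""
    if any(r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS for r in s["rcpts"]):
        return "relay-attempt"      # RCPT TO at a remote, non-relay domain
    if s["data"]:
        return "message"            # the session actually handed over a message
    if len(s["rcpts"]) >= HARVEST_MIN_RCPTS:
        return "harvest"            # list of local RCPT TOs, then no message
    # Single local probe: treat as a SAV callback only if it follows our own outbound mail
    if any(a in s["rcpts"] and 0 <= s["start"] - t <= SAV_WINDOW for t, a in outbound):
        return "sav-callback"
    return "unexplained-probe"

def report(text=INBOUND):
    """Return {session id: label} for every session in the log text."""
    return {sid: classify(s) for sid, s in parse(text).items()}
```

Sessions labelled `unexplained-probe` are the ones that look like one-off harvesting because no outbound message from that address precedes them.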








    RE: Question for Sandy Regarding Connections  
Curious_2k3




 
08-02-07 06:19 AM

->Thank you for the response and information Sandy. After taking a closer
look at the logs, I believe they were relaying through.

->Before I attempted another question, I located and installed your 5xxsink.
Seems to have done the trick. Very straightforward. Nicely done.

-> I know where to stop for excellent advice.

->Thanks again,

Curious

"Curious_2k3" wrote:

> Good Morning,
>
> I have recently configured a new Windows Server 2003 IIS 6.0 SMTP Server. I
> am not using Exchange, just SMTP. Everything is working fine, I can send
> emails to our SharePoint 3 enabled document library internally as well as
> from an external source.
>
> I have relaying restricted except for allowable domains, IP's etc.
>
> When I look at the SMTP Connections I can see 50-57 connections established
> at any given time, without them relaying through my server. Are they
> "acknowledging our presence" as a MX source? If not, what do they represent.
>
> Thank you in advance.








    Re: Question for Sandy Regarding Connections  
Sanford Whiteman




 
08-02-07 12:18 PM

> ->Thank you for the response and information Sandy. After taking a closer
> look at the logs, I believe they were relaying through.

Sounds very likely.  Any connection you don't understand at first is
usually up to something.

> ->Before I attempted another question, I located and installed your
> 5xxsink.
> Seems to have done the trick. Very straightforward. Nicely done.

Cool!  Do stop back.

--Sandy





All times are GMT.