Relay Permissions –> SMTP Virtual Server

2009-05-07 Initial Post

Exchange Server 2003 Enterprise Edition, SP2

NOTE: It looks like some of the default settings mentioned below were not set the same way in the RTM version of Exchange Server 2003.

The relay settings are some of the most confusing that I’ve run across and I haven’t read anything that can explain them in detail clearly—I had searched through a few ebooks and online today.

Anyway, by DEFAULT, the server does NOT allow relaying by any client. If you want to allow a particular client to relay, the simplest way is to add the client computer’s IP address to SMTP Virtual Server properties --> Access tab --> Relay button --> Add button.

You might notice in SMTP Virtual Server properties --> Access tab --> Relay button that “Allow all computers which successfully authenticate to relay, regardless of the list above” is enabled. That setting is enabled by DEFAULT. This correlates with the settings in SMTP Virtual Server properties --> Access tab --> Authentication button. In the Authentication settings, only the following are enabled by default:

• Anonymous Access

• Basic authentication . . .

• Integrated Windows Authentication

From what I can deduce, a client that “authenticates” via Anonymous Access doesn’t really authenticate, hence the “Allow all computers which successfully authenticate to relay, regardless of the list above” setting doesn’t apply to Anonymous Access. Anonymous Access really means any client that doesn’t authenticate using either Basic authentication or Integrated Windows Authentication.

In a normal setting, you can leave Anonymous Access enabled; otherwise any SMTP server that tries to connect to your server will be required to authenticate. Authentication might seem like a good security practice at first, but it interferes with openness of the SMTP protocol.

The standard SMTP protocol doesn’t require authentication, so all external SMTP servers should be allowed to submit mail to yours without authenticating. If the submitted mail is not destined for a domain in your Exchange org, your server won’t accept it (this means your server won’t relay the message). So now you can see why having “Anonymous Access” along with “Allow all computers which successfully authenticate to relay, regardless of the list above” enabled is not something that should be a cause for concern.

Note that in the Users button of either SMTP Virtual Server properties --> Access tab --> Relay button or SMTP Virtual Server properties --> Access tab --> Authentication button, the group “Authenticated Users” only has Allow for “Submit Permission.” That group does not have “Relay Permission” selected, so members can’t relay by default, even if they authenticate successfully (I need to verify this).

The two major situations that I can think of for changing the permissions is either in a highly secure environment to lock down the server, or in an environment with POP3/IMAP users who need to authenticate to Exchange for SMTP relay.

If you change the permissions from either tab, the change will be reflected in the other tab. This just adds to the confusion. Why is the same setting in two places?

See http://support.microsoft.com/kb/895853 and search for the section “Allow all computers which successfully authenticate to relay.” Also see http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm and http://support.microsoft.com/kb/823019.

Leave a Reply

*