Much of the spam we receive is sent through open relays and insecure mail servers.
Relaying is the transfer of messages via SMTP from one server to another. You'll want to prevent unauthorized senders -- in other words, spammers -- from using your Exchange Server as an SMTP relay to hide the real origin of their messages.
By default, Exchange 2007 and 2010 accept inbound SMTP mail only for the domains they are configured as authoritative for, and relay mail to other domains only for authenticated users. If a server that cannot authenticate (an application server or a multifunction device, for example) needs to relay through Exchange, create a dedicated Receive Connector scoped to that server's IP address and grant relay permission on that connector only; do not loosen the default connector.
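The following is an added example, not code from the original post. It is what the Receive Connector described above looks like in the Exchange 2007/2010 Management Shell, followed by an audit that lists every connector granting anonymous relay. The server name, connector name and the 192.0.2.x addresses are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on Exchange 2007/2010. Server name, connector name and IP addresses are assumptions.
$server     = 'EX01'
$relayName  = 'Relay from application servers'
$relayHosts = '192.0.2.10', '192.0.2.11'     # hosts that cannot authenticate

# 1. A dedicated connector scoped to only those source addresses. Exchange selects the
#    connector whose RemoteIPRanges matches the sender's IP most specifically, so this
#    connector wins over the default one for these two hosts and for nobody else.
New-ReceiveConnector -Server $server -Name $relayName -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayHosts `
    -PermissionGroups AnonymousUsers

# 2. Anonymous senders can already deliver to local recipients; relaying to other
#    domains additionally requires the ms-Exch-SMTP-Accept-Any-Recipient right.
Get-ReceiveConnector "$server\$relayName" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Audit: every connector that grants anonymous relay, with the source ranges it
#    accepts. A connector listed here with 0.0.0.0-255.255.255.255 (or any range that
#    reaches the Internet) in RemoteIPRanges is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $anonRelay = $connector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' }
    if ($anonRelay) {
        [pscustomobject]@{
            Connector      = $connector.Identity
            RemoteIPRanges = ($connector.RemoteIPRanges |
                              ForEach-Object { $_.ToString() }) -join ', '
        }
    }
}
```

Re-run the audit in step 3 after any connector change; the relay right is granted per connector, so the only thing that keeps this from being an open relay is that RemoteIPRanges stays limited to the two hosts.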
IIS SMTP Server settings
If you are using an IIS SMTP virtual server as an edge server, check the authentication and relay settings in IIS.
Open the IIS Management Console, right-click Default SMTP Virtual Server, select Properties, and then open the Access tab.
Click the Authentication button. Anonymous access should NOT be enabled on a virtual server that only needs to accept mail from your own clients and servers; Basic and Integrated Windows authentication are fine. Also set the default domain to your internal Windows domain. Note that a virtual server that receives inbound Internet mail for your domains must still accept anonymous connections, because sending servers on the Internet do not authenticate; on such a server it is the relay restrictions below, not the authentication settings, that close the relay.
After closing the Authentication dialog, click the Relay button. Choose "Only the list below", so that only the IP addresses listed can send through the server. Also select the option to allow all computers that successfully authenticate to relay, regardless of the list above; otherwise your internal servers will be unable to send outbound mail. While you could add the IP addresses of your internal servers to the list instead, that is less safe and not recommended in most situations. If a server can't authenticate, you will need to add its IP address to the list.
Exchange 2003
Check your SMTP virtual server configuration. Open Exchange System Manager, browse to the server name, then Protocols, then SMTP, and locate the Default SMTP Virtual Server. Right-click it and choose Properties, then open the Access tab. As with the IIS instructions above, Anonymous access should NOT be enabled under Authentication on a virtual server that only serves your own clients and servers; Basic and Integrated Windows authentication are fine. Set the default domain to your internal Windows domain. The same caveat applies: a virtual server that receives inbound Internet mail for your domains must keep anonymous access enabled, and on that server the relay restrictions are what prevent relaying.
Next check the Relay settings on the SMTP virtual server. This setting specifies which IP addresses are allowed to relay. Choose "Only the list below", so that only the listed IP addresses can send through the server, and enable the option to allow all computers that successfully authenticate to relay.
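Whichever of the two procedures above applies (the IIS SMTP virtual server or the Exchange 2003 SMTP virtual server), the setting is only proven when an unauthenticated client from an address that is not on the relay list is refused. The following is an added example, not code from the original post: a PowerShell probe that runs the SMTP conversation a spammer would and reports the server's reply to RCPT TO for an outside recipient. The host name mail.example.com and the example.net/example.org addresses are assumptions; use a sender and recipient domain that are not yours, and run it from a machine whose IP address is not on the relay list.

```powershell
# Added example, not from the original post. Probes an SMTP server as an unauthenticated
# client and reports whether RCPT TO for an external recipient is accepted.
# Server name and the example.net/example.org addresses are assumptions.

function Read-SmtpReply {
    param([System.IO.StreamReader] $Reader)
    # SMTP replies may span several lines; continuation lines carry '-' after the code,
    # so keep reading until the final line ("250 ..." rather than "250-...").
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port = 25,
        [string] $From = 'relaytest@example.net',    # not one of your domains
        [string] $To   = 'relaytest@example.org',    # not one of your domains either
        [string] $Helo = 'relaytest.example.net'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"          # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $Helo");        $null      = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$From>"); $mailReply = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$To>");     $rcptReply = Read-SmtpReply $reader
        $writer.WriteLine('QUIT')
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Server   = $Server
        Banner   = $banner
        MailFrom = $mailReply
        RcptTo   = $rcptReply
        # A 2xx reply to RCPT TO means the server queued a message for an outside domain
        # from an unauthenticated client, i.e. it relays. A 550 5.7.1 is what you want.
        RelayOpen = $rcptReply.StartsWith('2')
    }
}

Test-SmtpRelay -Server 'mail.example.com' | Format-List
```

Run the probe twice: once from an address that is not on the relay list, where RcptTo should be a 550 and RelayOpen false, and once from an address that is on the list (or after authenticating), to confirm that your own servers can still send. A 250 in the first run only shows that the server accepted the message; as the XIMS article listed below notes, some third-party tests count that as a relay even when the server later rejects the message, so check the server's queue or the outside mailbox before concluding the relay is open.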
Exchange 2000
- Understanding Relaying and Spam with Exchange 2000
More Information
- XFOR: Online Resources for Spam Mail Testing and Information
- XFOR: Configuring Message Filtering on the Internet Mail Service
- XIMS Microsoft SMTP Servers May Seem to Accept and Relay E-Mail Messages in Third-Party Tests
I agree. Thank you for the quick response!
Hi Diane. I've enjoyed reading your posts over the years and wanted to follow up on this one. Other experts suggest not enabling the "Allow all computers that successfully authenticate to relay" option due to a potential increase in spam activity. Which position provides the least negative impact?
If you list all IPs that should be allowed to relay, then it's not necessary to enable it. I feel it's as safe to use it as it is to list a large range of IPs because a spammer could easily infect a computer that is white-listed. Obviously, the most secure is a limited # of IPs and not allowing authenticated computers, but that is not always possible.