Setting Relay Restrictions
Topic Last Modified: 2005-05-04
Relaying is the ability to forward mail to domains other than your own. More specifically, relaying occurs when an inbound connection to your SMTP server is used to send e-mail messages to external domains. By default, your Exchange server accepts mail submitted by internal or authenticated users and sends it to an external domain. If your server is open for relaying, or if relaying is unsecured on your server, unauthorized users can use your server to send unsolicited commercial e-mail (spam). Therefore, to secure your SMTP virtual server, it is crucial that you set relay restrictions.
It is important to understand the difference between authenticated relaying and anonymous or open relaying:
Authenticated relaying Authenticated relaying allows your internal users to send mail to domains outside of your Exchange organization, but requires authentication before the mail is sent. By default, Exchange allows only authenticated relaying.
Anonymous relaying Anonymous relaying allows any user to connect to your Exchange server and use it to send mail outside your Exchange organization.
The following examples demonstrate how Exchange Server 2003 accepts and relays mail by using authenticated relaying:
An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an internal user in the Exchange organization.
In this situation, the SMTP virtual server accepts the message because it is destined for an internal domain and because the user exists in Active Directory.
An anonymous user connects to the SMTP virtual server and attempts to deliver mail to an external user in an external domain.
In this situation, the SMTP virtual server rejects the mail because it is destined for an external domain for which the Exchange server is not responsible. Because the user is not authenticated, the SMTP virtual server does not relay this mail outside of the Exchange organization.
A user connects to the SMTP virtual server using a Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) client (for example, Microsoft Outlook® Express), authenticates, and then attempts to send a message to a user in an external domain.
In this situation, the e-mail client connects directly to the SMTP virtual server and authenticates the user. Although the message is destined for a remote domain, the SMTP virtual server accepts and relays this mail because the user is authenticated.
By using the relay control features of Exchange Server 2003, you can prevent third parties from relaying mail through your server. Relay control allows you to specify a list of incoming remote IP address and subnet mask pairs that have permission to relay mail through your server. Exchange checks an incoming SMTP client's IP address against the list of IP networks that are allowed to relay mail. If the client is not allowed to relay mail, only mail that is addressed to local recipients is allowed. You can also implement relay control by domain. However, this approach requires the implementation of reverse DNS resolution, which is controlled at the SMTP virtual server level.
By default, the SMTP virtual server allows relaying only from authenticated users. This configuration is designed to prevent unauthorized users from using your Exchange server to relay mail. The virtual server's default configuration allows only authenticated computers to relay mail.
Unsolicited commercial e-mail generally comes from a spoofed or forged address and is often relayed by using a server that is not secured for relay. For this reason, by default Exchange Server 2003 allows only authenticated users to relay. Be cautious when changing this setting—many Internet providers block servers that allow open relaying.