SMTP server failed open relay test

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-06-29

On a server that is running Microsoft Exchange Server 2003 or an earlier version, the Microsoft® Exchange Best Practices Analyzer tries to relay a message through a Simple Mail Transfer Protocol (SMTP) server by performing the following tasks:

  • Opening a socket connection to the SMTP server. If the Analyzer tool receives a response code of 220, this step is considered to have completed successfully.

  • Transmitting the EHLO SMTP command verb. If the Exchange Server Analyzer receives a series of response codes of 250, this step is considered to have completed successfully. This series of 250 response codes includes 250-X-LINK2STATE and 250-XEXCH50.

  • Transmitting the MAIL FROM: ExBPA-OpenRelayTest@Fabrikam.com SMTP command verb. If the Analyzer tool receives a response code of 250, this step is considered to have completed successfully.

  • Transmitting the RCPT TO: ExBPA-OpenRelayTest@Fabrikam.com SMTP command verb. If the Analyzer tool receives a response code of 250, this step is considered to have completed successfully.

The Analyzer tool also queries the Win32_OperatingSystem Microsoft Windows® Management Instrumentation (WMI) class to determine the value of the OSProductSuite key. The value of this key corresponds to a specific version of a Windows Server operating system. If the Analyzer tool can successfully complete all steps on an Exchange Server computer that is part of a Microsoft Small Business Server 2000 or Microsoft Windows Small Business Server 2003 installation, an error is displayed.
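The four-step dialogue described above, written out as an added Python example (not the Analyzer's own code): it drives the banner, EHLO, MAIL FROM and RCPT TO steps, stops at the first refusal, never sends DATA, and can run offline against the constructed server transcripts included here or over TCP against one of your own SMTP virtual servers. The EHLO name relaytest.example and the mail.example.test replies are assumptions.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Sender and recipient the Analyzer uses (from the article); Fabrikam.com is Microsoft's
# documentation domain, so a correctly restricted server refuses to relay for it.
TEST_ADDRESS = "ExBPA-OpenRelayTest@Fabrikam.com"

def read_reply(readline: Callable[[], str]) -> Tuple[int, List[str]]:
    """Read one SMTP reply ('250-' lines continue it, '250 ' ends it): (code, [line texts])."""
    lines = []
    while True:
        line = readline().rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def relay_check(readline: Callable[[], str], writeline: Callable[[str], None],
                ehlo_name: str = "relaytest.example") -> Dict[str, object]:
    """The Analyzer's four steps: banner 220, then EHLO, MAIL FROM and RCPT TO each 250.
    DATA is never sent, so nothing is relayed; the session always ends with QUIT."""
    steps: List[Tuple[str, int]] = []
    code, _ = read_reply(readline)
    steps.append(("connect", code))
    for cmd in (f"EHLO {ehlo_name}", f"MAIL FROM:<{TEST_ADDRESS}>", f"RCPT TO:<{TEST_ADDRESS}>"):
        if code not in (220, 250):
            break  # stop at the first refusal, as the Analyzer would
        writeline(cmd + "\r\n")
        code, _ = read_reply(readline)
        steps.append((cmd.split(" ")[0], code))
    writeline("QUIT\r\n")
    read_reply(readline)
    return {"open_relay": [c for _, c in steps] == [220, 250, 250, 250], "steps": steps}

def check_server(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Run relay_check over TCP against one of your own SMTP virtual servers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        return relay_check(reader.readline, lambda s: sock.sendall(s.encode("ascii")))

def scripted(replies: List[List[str]]) -> Callable[[], str]:
    """Constructed server transcript for offline use: each inner list is one reply."""
    lines = iter(line + "\r\n" for reply in replies for line in reply)
    return lambda: next(lines)

# Constructed transcripts with an Exchange-style EHLO answer; one accepts, one refuses.
EHLO_REPLY = ["250-mail.example.test Hello", "250-X-LINK2STATE", "250-XEXCH50", "250 OK"]
OPEN_RELAY = [["220 mail.example.test ESMTP"], EHLO_REPLY, ["250 2.1.0 Sender OK"],
              ["250 2.1.5 Recipient OK"], ["221 2.0.0 Closing"]]
RESTRICTED = [["220 mail.example.test ESMTP"], EHLO_REPLY, ["250 2.1.0 Sender OK"],
              ["550 5.7.1 Unable to relay for " + TEST_ADDRESS], ["221 2.0.0 Closing"]]
```

`relay_check(scripted(OPEN_RELAY), lambda s: None)` reports `open_relay: True`, while the RESTRICTED transcript stops at the 550 on RCPT TO; a real server that answers as OPEN_RELAY does is exactly what the Analyzer flags.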

On a server that is running Exchange Server 2007 or a later version, the Analyzer tool determines whether the Anonymous users option is selected on the Permission Groups tab of the Receive Connector. Also, the tool determines whether the user NT AUTHORITY\ANONYMOUS LOGON has been granted the Ms-Exch-SMTP-Accept-Any-Recipient right on the Receive Connector. If the Analyzer tool determines that Exchange Server has this configuration, an error message is displayed. The error indicates that this server is configured as an open relay.

Notes

  • It is not a recommended best practice to allow open relay. Open relay occurs when an e-mail server permits e-mail messages to be relayed through the system without exercising any restrictions or any control over the relayed e-mail.

  • If, for some reason, your Exchange organization uses an SMTP domain that is named Fabrikam.com, you may encounter this error. In this event, you may be able to safely ignore this error. The Fabrikam.com domain is owned by Microsoft Corporation and is used for training and for documentation.

Relay is not inherently bad, because SMTP was designed for this purpose. (For more information, see the RFC 2821 document, sections 2.1 and 3.7 (http://ietf.org).) However, relay can be uncontrolled. An uncontrolled relay host is known as an open relay host. If relay is not controlled, malicious users could potentially use it to send bulk, unsolicited commercial e-mail messages (spam or UCE). By bouncing these unsolicited e-mail messages off an intermediate host, malicious users try to hide their identities. This also ties up resources on the relay host and may prevent the relay host from sending valid e-mail messages. In particular, most users who send such unsolicited e-mail messages can send a single message to an extraordinary number of recipients without using their own bandwidth.

Make sure that you do not allow anonymous relaying on your Internet-facing SMTP virtual servers. In its default configuration, Exchange allows only authenticated users to relay mail. Only authenticated users can use Exchange to send mail to an external domain. If you modify the default relay settings to allow unauthenticated users to relay, or if you allow open relaying to a domain through a connector, unauthorized users or malicious worms can use your Exchange server to send spam. Your server may be block-listed and be prevented from sending mail to legitimate remote servers. To prevent unauthorized users from using your Exchange server to relay mail, at a minimum, use the default relay restrictions.

If you have legitimate reasons for relaying, follow the guidelines for making sure that security is preserved in your implementation. This is mainly done by leaving the deny all defaults and adding only the IP addresses from which you will accept relayed mail, and disabling access for authenticated users.

Review how built-in accounts (local Administrator) and other users are used on your gateway servers. It is unlikely that you are using the built-in accounts for any kind of relaying. If you are relaying, the relaying is probably by a known set of users or computers. Restricting relay rights to explicit users and computers or to an IP address is recommended.

Configuring explicit permission to relay will additionally help fortify your server. Malicious users may use a brute-force attack to try to obtain the passwords for built-in accounts or for user accounts found on the Internet so that they can use your server as a spam proxy. Therefore, the default setting that allows any authenticated computer to relay is not recommended for computers that are accessible from the Internet. Disabling this setting is recommended.

The following procedures explain how to disable anonymous relaying based on whether the SMTP virtual server is Internet-facing. As mentioned earlier in this article, enabling any form of anonymous relay should be done only in cases where the security risk is understood and acceptable to your organization. The references at the end of this article provide more information about how to use relaying.

If an SMTP virtual server is not accessible from the Internet, it is recommended that you reset the relay configurations to the default values. This will result in SMTP virtual servers that allow only internal relaying from authenticated computers.

For SMTP virtual servers that are accessible from the Internet, it is recommended that you additionally secure the default relay configurations, so that only users and computers with explicit permission are allowed to relay.

If you have verified that Exchange is configured to block relaying and you are still receiving this error in the Exchange Server Analyzer, verify that no proxy server or process, such as a firewall, antivirus, or anti-spam software, is allowing anonymous relaying on its own.

To reset anonymous relay configurations to the default settings on internal SMTP virtual servers

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, under Select which computer may relay through this virtual server, select Only the list below, select the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click OK.

To configure explicit relay permission on Internet-facing SMTP Virtual Servers in Exchange Server 2003

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.

  6. In Permissions for Submit and Relay, to remove a user or group, select the group or user, and then click Remove.

  7. To add a group or user, click Add, and then select the users or group for which you want to specify permissions. Select from one of the following options:

    • On Microsoft Windows Server™ 2003, in Select Users, Computers or Groups, under Enter the object name to select, type the name of the user or the group. If you want to search for the user or group, click Advanced, search for the user or group name, and then click Check Names to validate your entry.

      Tip

      Click the examples link to view the acceptable formats for your entries.

    • On Windows 2000 Server, in Select Users, Computers or Groups, select the group or user that you want to grant submit permissions, and then click Add.

  8. Click OK to return to the Permissions for Submit and Relay dialog box.

  9. Under Group or user names list, select the group you just added.

  10. Under Permissions for <selected group>, next to Submit Permission, if necessary, select the check box under Allow to allow the selected user or group to submit mail through this SMTP virtual server.

  11. Next to Relay Permissions, select the check box under Allow to permit the selected object to relay through this SMTP virtual server, or select the check box under Deny to prevent the selected object from relaying through this virtual server.

    Note

    You must allow Submit Permissions if you want to allow Relay Permissions.

  12. Click OK.

To configure relay permissions on Internet-facing SMTP Virtual Servers in Exchange 2000 Server

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server you want to configure, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, under Select which computer may relay through this virtual server, select Only the list below.

  6. Click Add to add a single computer, a group of computers, or an SMTP domain name, and then click OK. Repeat this step for each additional entry that you want to add.

  7. Select Allow all computers which successfully authenticate to relay, regardless of the list above check box, and then click OK twice.

For more information about message relaying and security, see the following guides from the Exchange Server 2003 Technical Library:

For more information about testing and about how to secure open relay behavior in your Exchange and Microsoft Windows environment, see the Microsoft Knowledge Base article 304897, "SMTP relay behavior in Windows 2000, Windows XP, and Exchange Server."