Securing Your Exchange Server
Topic Last Modified: 2005-05-24
This topic focuses on ways that you can secure your Microsoft® Exchange server. You can help protect your servers by performing the tasks below, which are each explained in detail in the following sections:
- Disable open relaying on all SMTP virtual servers. The default relay restrictions prevent unauthorized users from using your Exchange server to send mail to external locations. If your server is open for relaying, unauthorized users can use your server to send spam. As a result, your server may become known to other organizations as a source for open relay and, as a consequence, blocked from sending legitimate mail.
- Prevent anonymous access on internal SMTP virtual servers and dedicated SMTP virtual servers for IMAP and POP clients. Because all Exchange servers within your organization authenticate with each other to send mail, you do not need to enable anonymous access on your internal Simple Mail Transfer Protocol (SMTP) virtual servers. Additionally, all Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) clients authenticate with your SMTP virtual server, so anonymous access is not required on a server that is used exclusively by POP and IMAP clients. If you disable anonymous access on these servers, you can prevent unauthorized users from accessing them.
- Restrict submissions and relaying access on internal SMTP virtual servers. In Microsoft Exchange Server 2003, you can further restrict access to SMTP virtual servers by using security principles through the standard Microsoft Windows® 2000 Server or Windows Server™ 2003 Discretionary Access Control List (DACL). This ability enables you to grant explicit permissions to users and groups that you want to allow to use an SMTP virtual server.
As explained in Setting Relay Restrictions, it is essential that you do not allow anonymous or open relaying on your SMTP virtual servers. Relaying is when a user uses your Exchange server to send mail to an external domain.
In its default configuration, Exchange allows only authenticated users to relay mail—in other words, only authenticated users can use Exchange to send mail to an external domain. If you modify the default relay settings to allow unauthenticated users to relay, or if you allow open relaying to a domain through a connector, unauthorized users can use your Exchange server to send spam. As a result, your server may be block listed and thereby be prevented from sending mail to legitimate remote servers. To prevent unauthorized users from using your Exchange server to relay mail, you should always use the default relay restrictions.
|Relaying is often confused with spam. Relay control does not block spam. For more information about controlling spam, see Configuring Filtering and Controlling Spam.|
For more information about how to control relaying, see Microsoft Knowledge Base article 304897, "XIMS: Microsoft SMTP Servers May Seem to Accept and Relay E-Mail Messages in Third-Party Tests."
For increased security, you can prevent anonymous access on your internal SMTP virtual servers and on any SMTP virtual servers that are dedicated to accepting incoming mail from remote IMAP and POP users. When sending internal mail, Exchange servers automatically authenticate; therefore, by preventing anonymous access on your internal servers, mail flow is not disrupted, and an extra layer of security is provided on your internal SMTP virtual server.
Similarly, IMAP and POP clients authenticate before sending mail to SMTP virtual servers. So, if you use dedicated SMTP virtual servers for your IMAP and POP clients, you can configure these servers to allow only authenticated access. To prevent anonymous access, on the Access tab in the SMTP virtual server properties, click Authentication, and then clear the Anonymous access check box. For step-by-step instructions about how to prevent anonymous access, see How to Configure Access Controls and Authentication Methods.
|Do not disable anonymous access on your Internet bridgehead SMTP virtual servers. SMTP virtual servers that accept mail from the Internet must allow anonymous access.|
In Exchange 2003, you can restrict who can send e-mail messages to an individual user or a distribution list. Restricting submissions on a distribution list prevents non-trusted senders, such as unauthorized Internet users, from sending mail to an internal-only distribution list. For example, an All Employees distribution list should not be available to anyone outside the company (by spoofing or otherwise).
|Restricted distribution lists and submission restrictions for users only function on the bridgehead servers or SMTP gateway servers running Exchange Server2003.|
Consider setting restrictions on your internal distribution lists that pertain to full-time employees and other internal groups. By taking this action, you protect these distribution lists from receiving spam and restrict any anonymous users from sending to these distribution lists.
For detailed instructions about how to set submission restrictions on users and distribution lists, respectively, see How to Set Restrictions on a User and How to Set Restrictions on a Distribution Group.
In Exchange Server 2003, you can restrict submissions and relaying permissions to an SMTP virtual server to a limited number of users or groups though the standard Windows 2000 Server or Windows Server 2003 Discretionary Access Control List (DACL). This allows you to specify groups of users who can submit or relay mail on a virtual server.
Restricting submissions to an SMTP virtual server is useful if you have specific users that you want to allow to send Internet mail on particular virtual servers. You can grant only these users or groups access to submit mail to these SMTP virtual servers.
|Do not restrict submissions on SMTP virtual servers that accept Internet mail.|
For detailed instructions, see How to Restrict Submissions to an SMTP Server Based on a Security Group.
Restricting relaying on virtual servers is useful if you want to allow a group of users to relay mail to the Internet, but you want to deny relay privileges for a different group.
For detailed instructions, see How to Restrict Relaying Based on a Security Group.