Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-027)
Originally Posted: July 01, 1999
What's this bulletin about?
Microsoft Security Bulletin MS99-027 announces the availability of a patch that eliminates a vulnerability in Microsoft® Exchange® Server. The vulnerability could allow an attacker to send mail via another system's Internet-connected mail server, in a practice known as "mail relaying". Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow mail relaying attacks against an Exchange server. Mail relaying is technically a denial of service attack, since it makes at least some of the email server's resources unavailable to legitimate users. The vulnerability does not enable the attacker to disrupt normal mail delivery, or to change any of the legitimate mail on the server.
What is Mail Relaying?
Mail relaying is a practice in which e-mail is routed to an intermediate mail server, which then delivers it to the recipient's mail server. Mail relaying is often a legitimate practice. For example, suppose a company with several servers has designated one of them as a mail gateway to the Internet. Any e-mail sent to the company would arrive at the gateway server, then be relayed to the appropriate server for delivery to the recipient.
However, malicious users also sometimes try to perform unauthorized mail relaying. For example, a spammer who has a low-end server and a slow network connection might use mail relaying in order to get someone else's higher-powered mail server and fast network connection to send spam on their behalf. Mail relaying also has been misused to disguise the point of origination for an email. For instance, there have been cases in which threatening e-mails were relayed in order to prevent the recipient from being able to trace where they came from.
What's the vulnerability?
The vulnerability lies in the way that the Exchange Internet Mail Service (IMS, named the Internet Mail Connector (IMC) in prior versions of Exchange) provides encapsulated addresses when used as a Site Connector. The IMS uses a special form of addressing called "encapsulated SMTP", which is used to encapsulate different message types into SMTP addresses. A malicious user could address e-mails using this format and route mail through an Exchange Server, even if mail relaying has been disabled.
What's a Site Connector?
First, let's define what a site is. A site is a group of Exchange servers within a network. There can be multiple sites in a network. Frequently, it's desirable to designate one site as a gateway, and have it handle mail to and from the outside world on behalf of the other sites. When this is done, there needs to be a communications channel that links the sites. This channel is known as a Site Connector.
Exchange supports three kinds of Site Connectors: an X.400 connector, the Exchange Site Connector, and the Exchange Internet Mail Service. This vulnerability only affects the Internet Mail Service.
What's an encapsulated address?
When a site acts as a gateway for another site, there needs to be a way to send the mail to the gateway, yet indicate the server that it eventually needs to be sent to. Encapsulated addresses provide a way to do this. Essentially, an encapsulated address consists of an address within an address; the outer address directs the mail to the gateway, which uses the inner address to determine where to send the e-mail. Because the IMS uses SMTP as its e-mail protocol, mails sent to an IMS will use encapsulated SMTP as their addressing scheme.
I have a default Exchange 5.5 installation. Am I affected by the vulnerability?
No. The vulnerability only occurs when an Internet Mail Service is installed, but there is no IMS in a default Exchange 5.5 installation. You must explicitly add an IMS.
I've added a Site Connector. Am I affected by the vulnerability?
Only if you've added an IMS. The X.400 connector and the Exchange Site Connector are not affected by this vulnerability.
I've configured an IMS. Am I affected by the vulnerability?
Yes. There is a configuration option that allows you to specify whether relaying is allowed or not, but the vulnerability exists regardless of this setting.
I thought Exchange had features that prevented malicious mail relaying.
Exchange 5.5 does. It allows you to restrict relaying in two ways:
- By specifying a list of domains that the server will relay mail to. Any request to relay mail to another domain is denied, and an error message is returned to the sender.
- By specifying a list of IP addresses that are allowed to request relaying. If an e-mail is received from any other IP address and requests relaying, the request is denied and an error message is returned to the sender.
The vulnerability results because these relaying restrictions are not applied to encapsulated SMTP addresses. The patch works by ensuring that the restrictions are applied to all e-mails, including those that are addressed using encapsulated SMTP.
See Knowledge Base articles 196626 and 199656 for more information on Exchange 5.5 anti-relaying features.
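The following model, added here as an illustration and not code from Exchange or from Microsoft, shows the two relaying restrictions described above (a list of domains the server will relay to, and a list of IP addresses or subnets allowed to request relaying) and the difference between applying them only to plain recipient addresses and applying them to every recipient, including encapsulated ones. The address syntax `relay+<user>=<domain>@gateway` is a hypothetical placeholder standing in for the "address within an address" idea; it is not the real encapsulated SMTP format, which this FAQ does not spell out. The rule that a relay is permitted when either restriction admits it is also an assumption of the model. The gateway domain and the 203.0.113.5 client are constructed; 123.45.67.89 is the Site Connector address used in the FAQ's own example.

```python
"""Relay-policy model for the MS99-027 encapsulated-address issue (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

GATEWAY_DOMAIN = "gateway.example"  # constructed: the domain this IMS delivers locally


@dataclass(frozen=True)
class RelayPolicy:
    # Domains the server will relay mail to (the domain-list restriction).
    relay_to_domains: frozenset = frozenset()
    # Hosts or subnets allowed to request relaying (the IP-list restriction).
    relay_from: tuple = ()

    def client_allowed(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.relay_from)

    def domain_allowed(self, domain: str) -> bool:
        return domain.lower() in self.relay_to_domains

    def permits(self, client_ip: str, dest_domain: str) -> bool:
        # Assumed combination rule: either restriction may admit the relay.
        return self.client_allowed(client_ip) or self.domain_allowed(dest_domain)


def decapsulate(rcpt: str) -> Tuple[str, Optional[str]]:
    """Split a recipient into (outer_domain, inner_address).

    inner_address is None for a plain address. The hypothetical encapsulated
    form is relay+<user>=<domain>@<outer_domain>; the outer domain names the
    gateway, the inner address names the eventual destination.
    """
    local, _, outer_domain = rcpt.rpartition("@")
    if local.startswith("relay+") and "=" in local:
        inner_local, _, inner_domain = local[len("relay+"):].partition("=")
        return outer_domain.lower(), f"{inner_local}@{inner_domain}".lower()
    return outer_domain.lower(), None


def accept_rcpt_vulnerable(policy: RelayPolicy, client_ip: str, rcpt: str) -> bool:
    """Pre-patch behaviour as the FAQ describes it: the relaying restrictions
    are checked for plain addresses only, so an encapsulated address aimed at
    the gateway is accepted from any client."""
    outer_domain, inner = decapsulate(rcpt)
    if inner is not None:
        return outer_domain == GATEWAY_DOMAIN  # restrictions never consulted
    if outer_domain == GATEWAY_DOMAIN:
        return True  # local delivery, not relaying
    return policy.permits(client_ip, outer_domain)


def accept_rcpt_patched(policy: RelayPolicy, client_ip: str, rcpt: str) -> bool:
    """Post-patch behaviour: the same restrictions apply to every recipient,
    judged against the effective destination (the inner address, if any)."""
    outer_domain, inner = decapsulate(rcpt)
    if inner is not None and outer_domain != GATEWAY_DOMAIN:
        return False  # encapsulated address not addressed to this gateway
    dest_domain = inner.rpartition("@")[2] if inner else outer_domain
    if dest_domain == GATEWAY_DOMAIN:
        return True  # inner destination is local
    return policy.permits(client_ip, dest_domain)


def site_connector_scenario() -> Tuple[bool, bool, bool]:
    """The FAQ's example: the Site Connector at 123.45.67.89 relays via an
    encapsulated address without being on the IP list, then the patch is
    applied, then the address is added to the list."""
    rcpt = "relay+bob=site2.example@gateway.example"
    before = accept_rcpt_vulnerable(RelayPolicy(), "123.45.67.89", rcpt)
    after_patch = accept_rcpt_patched(RelayPolicy(), "123.45.67.89", rcpt)
    after_fix = accept_rcpt_patched(
        RelayPolicy(relay_from=("123.45.67.0/24",)), "123.45.67.89", rcpt)
    return before, after_patch, after_fix


if __name__ == "__main__":
    policy = RelayPolicy(relay_to_domains=frozenset({"partner.example"}),
                         relay_from=("10.0.0.0/8",))
    for rcpt in ("victim@other.example", "relay+victim=other.example@gateway.example"):
        print(rcpt, "vulnerable:", accept_rcpt_vulnerable(policy, "203.0.113.5", rcpt),
              "patched:", accept_rcpt_patched(policy, "203.0.113.5", rcpt))
    print("site connector (before, after patch, after list update):", site_connector_scenario())
```

The second recipient in the demonstration is the one that matters: a plain address to a foreign domain is refused under both versions, while the encapsulated form slips past the unpatched check and is refused by the patched one. The scenario function reproduces the FAQ's point about the Site Connector: relaying that only worked because of the vulnerability stops after the patch until the connector's address or subnet is added to the list.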
Who should apply the patch?
Any customer who has configured an IMS on an Internet-connected Exchange Server should consider installing the patch.
Once I install the patch, do I need to do anything?
If you're doing site-to-site relaying via an IMS Site Connector, you should check the list of IP addresses that you allow to relay through your server and make sure that it's updated. This is because one side effect of the vulnerability is that, ironically, it could let incorrectly-configured sites operate correctly in some situations where the IMS is used as a Site Connector.
For example, suppose you intended to allow a server whose IP address is 123.45.67.89 to relay mail through your server via an IMS Site Connector. The vulnerability would allow the server to relay mail through your server via the IMS even if you had not added 123.45.67.89 to the list of IP addresses that are authorized to do so. If you then installed the patch, you would find that mail relaying from 123.45.67.89 no longer worked. However, you could restore proper functioning by adding 123.45.67.89 to the list of approved servers. This is done by adding that server's IP address or subnet address on the "Routing Restrictions" page (accessed via the "Routing Restrictions" button on the "Routing" tab of the IMS configuration). You can add multiple IP addresses or subnets.
How can I determine if my IMS is vulnerable to regular (non-encapsulated) relaying?
To determine if your IMS is vulnerable to regular relaying, see the "Routing" tab of the IMS configuration page. If "Do not reroute Incoming SMTP mail" is selected, then non-encapsulated addresses cannot be relayed. If "Reroute Incoming SMTP Mail (required for POP3/IMAP4 support)" is selected, then non-encapsulated addresses can be relayed, subject to the restrictions that have been put in place via the "Routing Restrictions" button at the bottom of the page.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
