SMTP server accepts basic authentication

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine the value for the msExchAuthenticationFlags attribute in the protocolCfgSMTPServer class for the Exchange Server object. The protocolCfgSMTPServer class contains the settings for an SMTP virtual server. The msExchAuthenticationFlags attribute represents the type of authentication that is allowed on the SMTP server. If the Exchange Server Analyzer determines that basic authentication has been configured on the SMTP server and the server is not Microsoft Small Business Server 2000 or Microsoft Windows® Small Business Server 2003, the Exchange Server Analyzer displays a warning message.

If basic authentication is configured on the SMTP server, the risk of a security breach increases. Basic authentication allows user names and passwords to be sent across the network in clear text. Without encryption, user names and passwords can be easily intercepted on the Internet.

If you use basic authentication, it is strongly recommended that you also use Transport Layer Security (TLS) encryption for more security. TLS encrypts user names, passwords, and message data. You can require that clients who are connecting to the SMTP virtual server use TLS encryption. TLS is designed to help protect outgoing messages, but TLS does not help protect traffic that travels from clients to the server.

TLS is supported by Microsoft Outlook Express. To use TLS encryption for the SMTP virtual server, you must create key pairs and configure key certificates. Clients can then use TLS to encrypt the session with the SMTP service. Therefore, all messages are sent. The SMTP service can also use TLS to encrypt sessions with remote servers.

Clients that do not support TLS cannot relay e-mail messages through the virtual server.

If you cannot disable authenticated access on your SMTP virtual server for business reasons, such as authentication by a partner company, follow these steps to help enhance security on your gateway server:

  • Enforce a strong password policy for all user accounts, particularly the administrator account.

  • Disable the guest account. For more information about disabling the guest account, see the Microsoft Knowledge Base article 320053, "How to rename the administrator and guest account in Windows 2000" ( Although this article applies to Microsoft Windows 2000 Server, similar principles apply for Windows Server™ 2003.

To disable basic authentication
  1. In Exchange System Manager, expand Servers, expand <your inbound Exchange server>, expand Protocols, and then expand SMTP.

  2. Right-click your inbound SMTP virtual server, and then click Properties.

  3. Click the Access tab, and then click Authentication.

    Authentication dialog box

  4. In Authentication, clear the Basic Authentication check box.

    If you use basic authentication, consider implementing TLS for more security. Use the Requires TLS encryption check box if you have a digital certificate. Digital certificates are common in a high-security environment. If you select this check box, in the corresponding Default domain box, you must type the Windows 2000 Server domain name or Windows Server 2003 domain name that the user should authenticate against if the user does not specify a domain. For more information about TLS encryption, see the Exchange online documentation.

For more information about how to configure your Exchange Server 2003 organization to send and receive Internet mail more securely, see the Exchange Server 2003 Transport and Routing Guide (


Community Additions