Restrict Anonymous Access to SMTP


Topic Last Modified: 2005-06-21

By default, Exchange 2003 sets up in a secure mode for anonymous SMTP access. Anonymous or open relay is disabled, and non-authenticated mail submitted to Exchange 2003 from within the organization is not displayed as resolved on the Outlook client. Therefore, restricting anonymous access to SMTP is partially done by default, in that anonymous relaying is disabled. However, internal anonymous SMTP access is not disabled. This section gives recommendations for reviewing and verifying your relay configuration and further restricting internal anonymous SMTP access.

It is essential that you do not allow anonymous relaying on your SMTP virtual servers. Relaying is when someone uses your Exchange server to send mail to an external domain. An open relay allows someone sending spam to use your external SMTP servers to send messages on their behalf. This activity will likely cause your gateway servers to be listed as a spam relay on Internet block lists.

In its default configuration, Exchange allows only authenticated users to relay mail. Only authenticated users can use Exchange to send mail to an external domain. If you modify the default relay settings to allow unauthenticated users to relay, or if you allow open relaying to a domain through a connector, unauthorized users or malicious worms can use your Exchange server to send spam. Your server may be block-listed and be prevented from sending mail to legitimate remote servers. To prevent unauthorized users from using your Exchange server to relay mail, at a minimum, use the default relay restrictions.

If you have legitimate reasons for relaying, you should follow the guidelines for making sure that security is preserved in your implementation. This is mainly done by leaving the deny all defaults and adding only the IP addresses from which you will accept relayed mail, and disabling access for authenticated users.

Review how built-in accounts (local Administrator) and other users are used on your gateway servers. It is unlikely that you are using the built-in accounts for any kind of relaying. If you are relaying, the relaying is probably by a known set of users or computers. Restricting relay rights to explicit users and computers or to an IP address is recommended.

Configuring explicit permission to relay will further help to fortify your server. Malicious users may use a brute-force attack to try to obtain the passwords for built-in accounts or for user accounts found on the Internet so that they can use your server as a spam proxy. Therefore, the default setting that allows any authenticated computer to relay is not recommended for computers that are accessible from the Internet. Disabling this setting is recommended.

Exchange 2003 does provide the ability for client-side users to recognize spoofed mail by displaying the actual SMTP address of nonauthenticated mail as opposed to the display name as it appears in the global address list (GAL). However, disabling anonymous SMTP access on all internal Exchange servers is recommended. The Outlook behavior concerning nonauthenticated (or potentially spoofed) mail is subtle. It takes an attentive and experienced user to recognize that an actual SMTP address means that the sender did not authenticate. Therefore, disabling anonymous access ensures that only authenticated users can submit messages within your organization. Additionally, requiring authentication forces client programs such as Outlook Express and Outlook in Internet Mode (Post Office Protocol version 3, or POP3, or Internet Message Access Protocol version 4rev1, or IMAP4) to authenticate before sending mail.


  • Review your relay configuration. Configure all SMTP virtual servers such that only explicit users, computers, or IP addresses are allowed to relay to other organizations.

  • Disable the ability for all authenticated computers to relay.

  • Disable anonymous SMTP access on all internal Exchange servers.



Community Additions