The msExchSmtpRelayForAuth value has been changed from its default of True

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2009-09-14

The Microsoft® Exchange Server Analyzer Tool queries the Active Directory® directory service to determine whether the configured value for the msExchSmtpRelayForAuth attribute has been changed from the default value. By default, the msExchSmtpRelayForAuth attribute is configured with a value of True. If the Exchange Server Analyzer finds that the msExchSmtpRelayForAuth attribute does not have a value of True, a non-default configuration message is displayed.

When this value is set to True, only authenticated SMTP connections can relay SMTP messages through this SMTP virtual server. If this setting has been changed to False, the "Allow all computers which successfully authenticate to relay, regardless of the list above" check box in the Relay settings on the SMTP virtual server Properties dialog box is clear.

Relaying is the action of an inbound connection to your SMTP server being used to send e-mail messages to external domains. Senders of unsolicited commercial e-mail do this by sending your SMTP server a single e-mail message that is addressed to multiple recipients in domains external to your organization. Because the default setting for SMTP servers is to use anonymous authentication, the system being used to propagate the unsolicited commercial e-mail messages accepts the inbound message as typical.

After the message is accepted, the SMTP server recognizes that the message recipients belong to external domains, and then the SMTP server delivers the messages. Therefore, the unauthorized users who send unsolicited commercial e-mail messages only have to send one inbound message to your SMTP server for it to be delivered to thousands of recipients. This slows down your Exchange Server computer's responsiveness, congests queues, and causes dissatisfaction among the recipients when the messages arrive in their Inboxes.

The primary means of controlling relaying is to not grant relay permissions to any other hosts. However, sometimes relaying is required. For example, you may have Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4) clients that rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains. You can work around this issue by creating a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and IMAP4 clients. This additional SMTP virtual server can use authentication combined with Secure Sockets Layer (SSL)-based encryption and can be configured to enable relaying for authenticated clients. For more information about implementing this configuration, see the Microsoft Knowledge Base article 319267, "HOW TO: Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=319267).

To view or modify the msExchSmtpRelayForAuth value in System Manager

  1. Open Exchange System Manager.

  2. Expand Servers, expand an Exchange server, expand Protocols, and then expand SMTP.

  3. Right-click an SMTP virtual server (for example, Default SMTP Virtual Server) and click Properties.

  4. Select the Access tab, and then click Relay.

  5. Clear or select the "Allow all computers which successfully authenticate to relay, regardless of the list above" check box.

  6. Click OK to save the changes.

If the box is checked, the msExchSmtpRelayForAuth attribute should be set to True. If the box is clear, the msExchSmtpRelayForAuth attribute should be set to False.
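The same check can be run offline against an LDIF export of the configuration partition (for example, one produced with ldifde) to list every object whose msExchSmtpRelayForAuth value is not the default. The following is an added example, not code from the Exchange Server Analyzer Tool or from Microsoft; the function names, the shortened distinguished names, and the server and domain names in the sample are all constructed for illustration.

```python
import base64

def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF record (single-valued view)."""
    # Unfold continuation lines: a line starting with one space continues the previous one.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for block in unfolded.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[name.lower()] = value.strip()
        if "dn" in record:
            records.append(record)
    return records

def non_default_relay_settings(records):
    """Return (dn, value) pairs where msExchSmtpRelayForAuth is set but not True."""
    findings = []
    for record in records:
        value = record.get("msexchsmtprelayforauth")
        # Objects without the attribute are skipped rather than guessed at.
        if value is not None and value.upper() != "TRUE":
            findings.append((record["dn"], value))
    return findings

# Constructed sample export; every server and domain name below is invented.
_SUFFIX = ",CN=Configuration,DC=example,DC=com"
_ENCODED_DN = base64.b64encode(
    ("CN=1,CN=SMTP,CN=Protocols,CN=EXCH-M\u00dcNCHEN" + _SUFFIX).encode("utf-8")
).decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=1,CN=SMTP,CN=Protocols,CN=EXCH01,CN=Configur\n"
    " ation,DC=example,DC=com\n"          # folded line, as export tools emit
    "changetype: add\n"
    "msExchSmtpRelayForAuth: TRUE\n"
    "\n"
    "dn: CN=2,CN=SMTP,CN=Protocols,CN=EXCH01" + _SUFFIX + "\n"
    "changetype: add\n"
    "msExchSmtpRelayForAuth: FALSE\n"
    "\n"
    "dn:: " + _ENCODED_DN + "\n"          # non-ASCII DN, exported as base64
    "changetype: add\n"
    "msExchSmtpRelayForAuth: FALSE\n"
)

if __name__ == "__main__":
    for dn, value in non_default_relay_settings(parse_ldif(SAMPLE_LDIF)):
        print(f"non-default msExchSmtpRelayForAuth={value}: {dn}")
```

Each reported distinguished name identifies an SMTP virtual server to review on the Access tab, as described in the procedure above.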

For additional information about controlling which accounts can relay messages, see the following Microsoft Knowledge Base article: