Exchange 2007 relay security issue
I have the following configuration (everything on the same server):
Windows Server 2008 x64
Exchange Server 2007
POPcon 3.60 (POP3 connector)
I have a mail account at an external ISP that is correctly downloaded to the Exchange via the POP connector, let's say it's mymail@myisp.com. In order for this setup to work, I have to share the myisp.com SMTP domain with my Exchange server. It's important to note that the Exchange server Receive Connector is configured to listen to both: POPcon email and standard Internet email through port 25.
First, I created the myisp.com Accepted Domain as an Authoritative Domain. After that I set up the Send Connector through the smarthost, added myisp.com to the Default Email Policy and everything was working smoothly.
However, when I had to send a mail to a partner who has his email account at the same ISP as mine (his address is partner@myisp.com), Exchange would fail to deliver the mail, as the Authoritative Domain myisp.com was saying that the "partner" mailbox should be at the Exchange server.
Solving that was easy: I just had to change the accepted domain type from Authoritative to Internal Relay. So, if I sent a mail to @myisp.com and the mailbox was not found at my Exchange server, the mail was just relayed to the smarthost and the delivery was completed.
But this setup brings a terrible security problem. As I said at the beginning of this post, the Exchange server is configured to listen to both: POPcon and every anonymous Internet request. So with the current setup, an anonymous user is able to log in to the server and freely relay mail as long as the recipient is a @myisp.com address. In other words, this way the Exchange server is acting as an open relay as long as the recipient is in the myisp.com domain.
I tested the issue by directly telnetting to the server:
Code Snippet
220 mymachine.mydomain.local Microsoft ESMTP MAIL Service ready at Sun, 31 Aug 2008 22:54:57 +0200
HELO
250 mymachine.mydomain.local Hello [w.x.y.z]
MAIL FROM: partner@myisp.com
250 2.1.0 Sender OK
RCPT TO: partner@myisp.com
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
Subject: Open Relay test
This is an email intended to test an open relay issue. Don't worry about it ;)
.
250 2.6.0 <3b75c764-86ca-472d-ae7d-2f52874b3104@mymachine.mydomain.local>; Queued mail for delivery
QUIT
221 2.0.0 Service closing transmission channel
The thing is that partner@myisp.com does not have a mailbox at the Exchange server. But it is relayed through the smarthost due to the accepted domain.
I would like to know if there is a way to have myisp.com as an accepted domain (internal relay type) only for the address mymail@myisp.com, or whether there is another way to keep the functionality of my setup without the open relay issue.
September 1st, 2008 2:13am
Solved by not accepting inbound connections from anonymous users. That task is now delegated to other third-party SMTP software.
September 1st, 2008 8:45pm
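An added Exchange Management Shell (Exchange 2007) snippet, not from either post, that audits for the combination described in the question (an InternalRelay accepted domain plus a port-25 Receive Connector granting AnonymousUsers) and then applies the answer's fix of refusing anonymous submissions; the connector name "Default MYMACHINE" and the decision to keep a 127.0.0.1-only connector for POPcon are assumptions.

```powershell
# Audit: InternalRelay domains are treated as "inside the org", so any sender the
# connector admits can submit to them. Combined with AnonymousUsers on port 25
# that is the partial open relay observed in the telnet test above.
$relayDomains = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'InternalRelay' }

$anonPort25 = Get-ReceiveConnector | Where-Object {
    ("$($_.PermissionGroups)" -match 'AnonymousUsers') -and
    ($_.Bindings | Where-Object { $_.Port -eq 25 })
}

if ($relayDomains -and $anonPort25) {
    Write-Warning 'InternalRelay domain(s) reachable through an anonymous port-25 connector:'
    $relayDomains | Format-Table DomainName, DomainType -AutoSize
    $anonPort25   | Format-Table Identity, PermissionGroups, RemoteIPRanges -AutoSize
}

# Separate check: a connector that explicitly grants anonymous logon the
# "accept any recipient" right relays for every domain, not just InternalRelay ones.
Get-ReceiveConnector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# Fix, as in the accepted answer: drop AnonymousUsers from the connector that
# faces the Internet. Connector name is an assumption; adjust to Get-ReceiveConnector output.
Set-ReceiveConnector -Identity 'Default MYMACHINE' `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Assumption: POPcon runs on the same host, so a dedicated connector that only
# answers loopback keeps the POP3 downloads flowing while port 25 from the
# Internet is handled by other software (or another restricted connector).
New-ReceiveConnector -Name 'POPcon loopback' -Usage Custom `
    -Bindings 127.0.0.1:2525 -RemoteIPRanges 127.0.0.1 `
    -PermissionGroups AnonymousUsers

# Re-run the audit; $anonPort25 should now be empty for the Internet-facing connector.
Get-ReceiveConnector | Format-Table Identity, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

Point POPcon at 127.0.0.1:2525 (or whatever port you bind) so its deliveries no longer depend on the anonymous port-25 path.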