
Preventing third-party relay in Microsoft Exchange Server

What is third party relay?

Third party relay refers to someone outside your network (i.e. a third party) using your mail server to deliver email (i.e. relaying mail via your server). A server that accepts such unauthorised mail is generally referred to as an open relay.

It is important to prevent third party relay for several reasons:

What do I change?

If your Exchange Server is accepting mail for relaying, then you need to make changes to its configuration. Before you start, check which version you are running. Versions through to 5.0 cannot be secured - you must upgrade. As of version 5.5, it is possible to configure Exchange to deny relaying attempts.

  1. Go to the Internet Mail Service Properties dialog box.

  2. Select the Routing tab at the top.

  3. Select the option Reroute incoming SMTP mail (required for POP3/IMAP4 support).

    Although Do not reroute incoming SMTP mail may seem like the obvious choice, selecting it will not provide proper protection from relayed mail.

  4. For each domain you host, you need an entry in the Routing section. eg:

  5. Click the Routing Restrictions button.

  6. Ensure Hosts and clients with these IP addresses is ticked. Leave the list of IP addresses blank.

How do I check it?

To test that your server is secure, you need to try relaying mail through it from a location outside your network. For example, you may have a dialup account you can use temporarily. If you have no external Internet access, please contact AAPT Support and ask for a relay test on your mail server's IP address.

Sending mail manually

In this example, mail.example.com is the mail server you are checking and example.com is your domain name. The parts you type are shown in bold text and replies from the server are shown in italics. Key parts are shown in colour.

% telnet mail.example.com 25
Trying 192.0.2.3...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
HELO host.example
250 mail.example.com
MAIL FROM:<sender@example.com>
250 Ok
RCPT TO:<rcpt@test.org.au>
554 <rcpt@test.org.au>: Recipient address rejected: Relay access denied
QUIT
221 Bye
Connection closed by foreign host.

As you can see, this server is secure, because it rejected the email ("554 ... Relay access denied"), even though we pretended that the sender was from our own domain (example.com). Now let's look at an unsecured server:

[first part omitted - same as above]
MAIL FROM:<sender@example.com>
250 Ok
RCPT TO:<rcpt@test.org.au>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: sender@example.com
To: rcpt@test.org.au
Subject: Relay test

Test
.
250 Ok: queued as 93C403566C
QUIT
221 Bye
Connection closed by foreign host.

In this case, the mail server said "250 Ok" and allowed us to give it a message to deliver. That is, it is vulnerable to third party relay.
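The same reading of the session can be automated over a saved transcript. The Python below is an added example, not part of the original page: the function name relay_verdict and the sample transcripts are constructed for illustration, and it assumes the session was captured from outside your network.

```python
import re

# Constructed sample transcripts, modelled on the two sessions shown above.
SECURE = """\
220 mail.example.com ESMTP Postfix
HELO host.example
250 mail.example.com
MAIL FROM:<sender@example.com>
250 Ok
RCPT TO:<rcpt@test.org.au>
554 <rcpt@test.org.au>: Recipient address rejected: Relay access denied
QUIT
221 Bye
"""
OPEN = SECURE.replace(
    "554 <rcpt@test.org.au>: Recipient address rejected: Relay access denied",
    "250 Ok")

RCPT = re.compile(r"^RCPT TO:\s*<[^>@]+@([^>]+)>", re.I)
REPLY = re.compile(r"^(\d{3})([ -]|$)")


def relay_verdict(transcript, hosted_domains):
    """Classify a captured SMTP session run from outside the network.

    Returns 'open-relay', 'relay-denied' or 'inconclusive'.
    """
    hosted = {d.lower() for d in hosted_domains}
    awaiting = False  # True after an RCPT TO for a domain we do not host
    verdict = "inconclusive"
    for line in transcript.splitlines():
        m = RCPT.match(line.strip())
        if m:
            awaiting = m.group(1).lower() not in hosted
            continue
        r = REPLY.match(line)
        if not (awaiting and r):
            continue
        if r.group(2) == "-":  # multi-line reply: wait for the final line
            continue
        awaiting = False
        code = r.group(1)
        if code.startswith("2"):
            return "open-relay"  # one accepted foreign recipient is enough
        if code.startswith("5"):
            verdict = "relay-denied"
        # a 4xx reply is a temporary failure and proves nothing either way
    return verdict
```

A recipient in one of your own hosted domains is ignored, because accepting mail for a domain you host is not relaying.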




Copyright © AAPT Limited