Re: SBS 2003 open relay...
From: StuartM (superstu75_at_liamtoh.com)
Date: 02/10/04
- Next message: Dave Stoecker: "Re: << Security bulletin 04-007 - Critical >>>"
- Previous message: StuartM: "Re: How to disable DHCP and Firewall in SBS2000"
- In reply to: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: SBS 2003 open relay..."
- Next in thread: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: SBS 2003 open relay..."
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: SBS 2003 open relay..."
- Reply: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: SBS 2003 open relay..."
- Reply: Chris Dolar: "Re: SBS 2003 open relay..."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 11 Feb 2004 07:50:32 +1300
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> NO IT DOESN'T. They are not open relay!
>
> what are you seeing that makes you think you are an open relay.
>
> From email posted to sbs2k Yahoo Group by Charles Anthe, Microsoft SBS
> Program Manager on 2/5/04
>
> "SBS 2003 is not an open relay by default, or after any run of CEICW. We
> have done extensive security testing to verify that the default SMTP
> relay settings are secure by default. The defaults after the run of
> CEICW are to allow relay for:
>
> External WAN IP
> Localhost (127.0.0.1)
> Internal LAN IP subnet
> Any authenticated user
> These defaults are different than Exchange 2003 Server defaults (which
> allow no IPs, because Exchange does not have knowledge of the local
> network in the same way SBS does, and so requires a higher level of
> administration expertise, which is why you see dedicated Exchange admins
> in large companies).
>
> Localhost is added because otherwise sometimes items such as the
> monitoring report and other server-originating mails do not send
> correctly (the SMTP settings for healthmon default to “localhost”). The
> external WAN IP is added in case the routing table routes other mails
> from the server as coming “from” the WAN IP (not likely but we have seen
> this behavior in testing from time to time when the priority of the
> network cards get mixed up). Any authenticated user is to enable remote
> users using POP3 or IMAP who need to send mail directly to the server,
> and is perfectly secure as long as no one guesses one of your
> username/password pairs (so stop using “password” :-))
>
> Can you remove item 1 and still have 100% functionality? Probably. We
> added it because it did not increase the security risk of becoming a
> spam relay and solved corner case problems with mail that we found in
> testing.
>
> Can you remove item 2 and still have 100% functionality? Doubtful. We
> found that removing this often caused problems with e-mail alerts and
> monitoring reports.
>
> Can you remove item 3 and still have 100% functionality? Doubtful –
> while in theory all of your users will authenticate from Outlook to the
> server, I think you risk a lot of functional problems that you’ll end up
> having to figure out.
>
> Can you remove item 4 and still have 100% functionality? Sure – as long
> as you don’t have remote users trying to send mail directly through SMTP
> (such as POP3/IMAP users) and you leave item 3 in the list.
>
> For this entire list, we performed extensive testing to make sure this
> was the minimum set we can provide that ensures that all e-mail is sent
> correctly that should be, while maintaining the integrity of the server.
> These settings are not vulnerable to IP spoofing attempts, as far as we
> can tell. If you find that your SBS server is being used as an open
> relay, my first suspicion would be that someone has found a
> username/password pair to authenticate to your server. In this case,
> your first step would be to uncheck the “allow authenticated users”, but
> you should also identify the user in question, because they also have
> access to OWA, RWW, and VPN, all of which would allow them to send mail
> and still be within the other SMTP relay restrictions."
>
> StuartM wrote:
>
>> I have done several Exchange 2003 installations and have now also
>> done two SBS 2003 installations. I am confused as to why the default
>> Exchange settings in SBS allow the server to be an open relay, while
>> the Exchange 2003 (stand-alone product) settings do not??? The
>> following article in the MS KB describes how to clear up your mail
>> queues after experiencing the effects of your server open relaying:
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;324958 but the
>> fix is to set your server back to the defaults - which were actually
>> the cause of the open relay in the first place!!
>>
>> The settings in question are in the properties of the Default SMTP
>> Virtual Server, on the Access tab and then the Relay button. The
>> default settings in SBS 2003 have two IP addresses listed in the "Only
>> the list below..." dialog box - the localhost address and the IP
>> address/es of the network card/s. THIS SETTING ALLOWS OPEN RELAYS!!!
>>
>> I can't understand how Microsoft missed this in their testing? I also
>> can't understand how Microsoft think that this should be the default
>> in SBS whereas the stand-alone Exchange 2003 has NO addresses listed
>> as being able to relay.
>>
>> Hopefully somebody will enlighten me...
>>
>> Stuart.
>
I hear you loud and clear - and I had actually read the above article
before posting, BUT please do not tell me that by default SBS 2003 is
not an open relay because I KNOW that it is! I installed it at a
client's site a few weeks back and after the server had been up for just
over a day, I had tens of thousands of spam in the queues. I followed
the steps in KB article 324958 to test for open relay from a remote IP
address (my home broadband connection) and I COULD relay off the server.
I then compared the settings in SBS to a stand-alone version of Exchange
2003 and I removed the IP addresses listed in "Only the list below". Once
I did this, I tested it again and I was unable to relay.
Last Friday I ran one of the wizards (I think it was the internet and
email wizard) so that I could create a certificate for the server and
allow access from the web to OWA. On the Monday afterwards I checked the
queues because the server was slow, and again I had tens of thousands
of junk emails in the queues. I checked the relay settings, and the
wizard must have put those addresses back in the "Only the list below"
box, because the server had been open to relaying again!
These are the facts (not just my opinion); can you explain to me how you
can say that it is not an open relay when I have experienced it twice?
From newsgroup postings, it seems like I am not the only one to
experience this either.
Stuart.
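Charles Anthe's note quoted above says that if an SBS server is relaying, the first suspicion should be a guessed username/password pair, and that the account should be identified because it also reaches OWA, RWW and VPN. As an added example (not from this thread, Microsoft, or KB 324958), the Python audit below walks constructed W3C-style SMTP log lines and separates two findings: unauthenticated relay acceptances from addresses outside the CEICW allow list (a true open relay, the behaviour Stuart describes) and authenticated relays by an account connecting from outside the LAN (credential abuse). The log column layout, the allow list, the local domain and all addresses are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended log style (the #Fields header declares the
# columns). It is not a real Exchange 2003 SMTP log; addresses are documentation
# ranges used as placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-02-09 02:11:05 192.168.16.20 - RCPT +TO:<bob@example.net> 250
2004-02-09 03:40:12 203.0.113.77 - RCPT +TO:<x@example.org> 550
2004-02-09 03:40:13 203.0.113.77 - RCPT +TO:<sales@example.local> 250
2004-02-09 03:41:01 198.51.100.9 EXAMPLE\\jsmith AUTH LOGIN 235
2004-02-09 03:41:02 198.51.100.9 EXAMPLE\\jsmith RCPT +TO:<a@example.org> 250
2004-02-09 03:41:02 198.51.100.9 EXAMPLE\\jsmith RCPT +TO:<b@example.org> 250
2004-02-09 03:41:03 198.51.100.9 EXAMPLE\\jsmith RCPT +TO:<c@example.org> 250
2004-02-09 03:41:03 198.51.100.9 EXAMPLE\\jsmith RCPT +TO:<d@example.org> 250
2004-02-09 04:02:40 203.0.113.200 - RCPT +TO:<y@example.org> 250
"""

# Mirrors the CEICW relay list described in the thread: localhost, the internal
# LAN subnet and the external WAN IP (all three values assumed here).
RELAY_ALLOWED = [ipaddress.ip_network(n) for n in
                 ("127.0.0.1/32", "192.168.16.0/24", "203.0.113.1/32")]
LOCAL_DOMAINS = {"example.local"}  # assumed: domains the server delivers locally

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def rcpt_domain(query):
    """'+TO:<user@domain>' -> 'domain'."""
    return query.split("@", 1)[1].rstrip(">").lower()

def audit_relay(text, allowed, local_domains, auth_threshold=3):
    open_relay = Counter()  # accepted relays, no AUTH, client not in allow list
    cred_relay = Counter()  # accepted relays by an authenticated remote account
    for row in parse_w3c(text):
        if row["cs-method"] != "RCPT" or row["sc-status"] != "250":
            continue                      # only accepted recipients matter
        if rcpt_domain(row["cs-uri-query"]) in local_domains:
            continue                      # inbound delivery, not relaying
        if any(ipaddress.ip_address(row["c-ip"]) in net for net in allowed):
            continue                      # relay permitted by the IP list
        if row["cs-username"] == "-":
            open_relay[row["c-ip"]] += 1
        else:
            cred_relay[(row["cs-username"], row["c-ip"])] += 1
    return {"open_relay": dict(open_relay),
            "credential_relay": {k: n for k, n in cred_relay.items()
                                 if n >= auth_threshold}}
```

Any entry under `open_relay` means the IP list itself is permitting relay (re-check the "Only the list below" box after every wizard run); entries under `credential_relay` name the account to disable and reset.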