RE: Exchange IMF Logging
- From: v-chacez@xxxxxxxxxxxxx (chace zhang)
- Date: Fri, 19 May 2006 07:31:14 GMT
Hi Span,
Thanks for posting.
Based on my experience, you can enable the SMTP logging on the virtual
server and check the RBL log files.
To enable the SMTP logging, select the "Enable logging" option on the
properties page of the default SMTP virtual server in the Exchange System
Manager. The log file will be saved in the
"%systemroot%\system32\logfiles\smtpsvc1" folder.
The information below shows when and how connection filtering and
recipient filtering are applied during the SMTP conversation:
- telnet mail1.contoso.org 25
  - Check SMTP VS Access ? Connections Except: match = [server closes
    connection]
- EHLO Client
- MAIL FROM: <X>
  - Check Connection Filter Accept: match = [bypass Deny List and RBL].
    Messages are flagged as having passed Deny List and RBL.
  - Check Connection Filter Deny List: match = [server closes connection].
    mail from: connection from IP address in Connection Filter Deny list
    returns: "550 5.7.0 Access Denied" message.
  - Check Sender Filter List: match = [server closes connection].
    mail from: email address in Sender Filter List returns a 554 5.1.0
    Sender Denied.
- RCPT TO: <y>
  - Check Connection Filtering Exceptions for trusted recipient: match =
    [bypass RBL]
  - Check Recipient Filtering Recipients: match returns: 550 5.7.1 unable to
    relay. rcpt to: email address in the Recipient Filter List returns: 550
    5.7.1 Requested action not taken: mailbox not available
  - Check RBL: match = [server closes connection]. rcpt to: any address
    returns: 550 5.7.1 169.254.1.253 has been blocked by default.
  - Check Recipient Filter "filter users not in directory" is enabled, and
    no match to Recipient List. rcpt to: address not in directory returns:
    550 5.1.1 User unknown. This message was to an address not in the
    directory, but the session is not terminated and the mailer can continue
    to attempt delivery to other mail addresses.
- DATA
  <CRLF>.<CRLF>
  - Sender Filter: match = [server closes connection]. mail from: email
    address or domain in Sender list returns: 554 5.1.0 Sender Denied
About your second question, I think you want to know how to protect your
Exchange server against a "Reverse NDR" attack.
To stop the RNDR from happening, follow these steps:
To Configure Recipient Filtering
When you enable recipient filtering (if you are using SMTP for incoming
emails) on the SMTP virtual server, e-mail messages that are received from
anyone on the recipient filter are not accepted. Recipient filtering is
set globally, but you enable it on a per-Virtual Server basis on each SMTP
virtual server.
To create a recipient filter:
1. Click "Start", point to "Programs", point to "Microsoft Exchange", and
then click "System Manager".
2. Expand "Global Settings", right-click "Message Delivery", and then click
"Properties".
3. Click the "Recipient Filtering" tab, and then click the checkbox at the
bottom (Filter recipients who are not in the directory).
4. Specify any additional filter options that you want to configure,
select "Apply", and then click "OK".
To enable recipient filtering on the SMTP virtual server:
1. Click "Start", point to "Programs", point to "Microsoft Exchange", and
then click "System Manager".
2. Expand "Servers", expand "<ServerName>", and then expand "Protocols".
3. Expand "SMTP", right-click "Default SMTP Virtual Server", and then click
"Properties".
4. Click the "General" tab, and then click "Advanced".
5. In the "Address" list, click the IP address where you want to apply the
recipient filter, and then click "Edit".
6. Click to select the "Apply Recipient Filter" check box, click "OK", and
then click "OK".
Note: Recipient filter rules apply only to anonymous connections.
Authenticated users and Exchange servers bypass these validations.
I also suggest the following methods of protecting Exchange:
1. Disable the Guest account on your SBS 2003 server and enable Strong
Password Protection. Every time you run CEICW, you will be asked to enable
password policies after it ends. I suggest you enable it. You can
also do that in Server Management\Users->Configure Password Policies. For
more information, see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
2. We can block unsafe attachments in emails by running through CEICW and
enabling Internet Email in the wizard. You should see a page named "Remove
E-mail Attachments" where you can choose to block all or some of the unsafe
attachments. For more information, you can search "Remove E-mail
Attachments" (without the quotes) in SBS 2003 Help and Support Center.
3. If you are using SMTP for incoming emails, you can install IMF
(Intelligent Message Filter):
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1B08F7B-8CAF-4147-B074-8C9C8F277071&displaylang=en
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/imfdeploy.mspx
If you are using POP3 Connector to receive emails, your POP3 Connector may
unexpectedly relay emails. To solve this issue, please download and install
the hot fix described in the following KB article:
835734 Many unexpected outbound e-mail messages appear in the SMTP queue in
http://support.microsoft.com/?id=835734
If the issue still occurs, you may need to try the suggestions in the
following KB article:
886208 Exchange queues fill with many non-delivery reports from the
postmaster
http://support.microsoft.com/?id=886208
You can also try third party solutions:
http://www.cmsconnect.com/Praetor/WebHelpG2/zAppendix_B_-_Message_tests/Thwarting_reverse_NDR_attacks.htm
http://www.mapilab.com/exchange/mail_guard/
Hope this helps. Please feel free to let me know if you have any further
questions or concerns.
Best Regards,
Chace Zhang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
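
The filter order described in the message above, for the MAIL FROM and RCPT TO stages, modelled as an added example (not part of the original post and not Exchange code). The `Policy` fields, the `evaluate` function, the "250 OK" success replies and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    accept_ips: set = field(default_factory=set)        # Connection Filter Accept list
    deny_ips: set = field(default_factory=set)          # Connection Filter Deny list
    rbl_ips: set = field(default_factory=set)           # stand-in for a live RBL lookup
    sender_filter: set = field(default_factory=set)     # Sender Filter list
    rbl_exempt_rcpts: set = field(default_factory=set)  # Connection Filtering exceptions
    rcpt_filter: set = field(default_factory=set)       # Recipient Filter list
    directory: set = field(default_factory=set)         # mailboxes that exist
    filter_unknown: bool = True                         # "filter users not in directory"

def evaluate(p, ip, sender, rcpts):
    """Return [(command, reply, session_closed)] in the order the post lists the checks."""
    accepted = ip in p.accept_ips           # Accept match bypasses Deny List and RBL only
    if not accepted and ip in p.deny_ips:
        return [("MAIL FROM", "550 5.7.0 Access Denied", True)]
    if sender.lower() in p.sender_filter:   # still applies to Accept-listed IPs
        return [("MAIL FROM", "554 5.1.0 Sender Denied", True)]
    log = [("MAIL FROM", "250 OK", False)]
    for rcpt in (r.lower() for r in rcpts):
        cmd = "RCPT TO " + rcpt
        if rcpt in p.rcpt_filter:
            # The post gives no session outcome for this check; modelled as staying open.
            log.append((cmd, "550 5.7.1 Requested action not taken: mailbox not available", False))
        elif not accepted and rcpt not in p.rbl_exempt_rcpts and ip in p.rbl_ips:
            log.append((cmd, f"550 5.7.1 {ip} has been blocked by default.", True))
            return log                      # RBL match closes the connection
        elif p.filter_unknown and rcpt not in p.directory:
            log.append((cmd, "550 5.1.1 User unknown", False))  # session continues
        else:
            log.append((cmd, "250 OK", False))
    return log

# Constructed sample policy: documentation IP ranges and the post's contoso.org domain.
SAMPLE = Policy(
    accept_ips={"192.0.2.10"},
    deny_ips={"192.0.2.10", "198.51.100.7"},
    rbl_ips={"203.0.113.5"},
    sender_filter={"bulk@example.net"},
    rbl_exempt_rcpts={"postmaster@contoso.org"},
    rcpt_filter={"retired@contoso.org"},
    directory={"postmaster@contoso.org", "alice@contoso.org"},
)

if __name__ == "__main__":
    for row in evaluate(SAMPLE, "203.0.113.5", "a@example.com",
                        ["postmaster@contoso.org", "alice@contoso.org"]):
        print(row)
```

When reading the SMTP log, the reply text tells you which check fired: 5.7.0 points at the Deny list, 5.1.0 at the sender filter, and 5.1.1 at the directory lookup that a reverse NDR attack relies on being absent.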