OpenRelay Questions (Closing)

TechieSooner (Supreme [H]ardness, joined Nov 7, 2007, 7,601 messages)
I've never messed with this before... But it turns out I've got an open relay!

So, my question, is how do I close this on SBS 2003?

And does closing it have any consequences for anything else utilizing the server?

Mainly, here is what I've got:
Internally, all Outlook clients configured for Exchange.
Externally on desktops, all Outlook clients with Exchange over HTTP.
Handhelds (Windows-based): ActiveSync
Handhelds (Treo or Blackberry based): SMTP

I have a couple of apps running on the server that send mail to a mailbox on the server, but I'd assume that however I close this relay, it will continue to allow anything internal.
 
http://support.microsoft.com/kb/324958
 
I do not have an SMTP Connector. Is this an issue?
Otherwise, the Virtual Server looks fine (it has only loopback and the IP of my internal *nix server listed).


How do I configure the SMTP Connector? This is a fear of mine, in this KB article it said the configuration wizard was supposed to have set that up. Just not sure what all settings should be in the SMTP Connector.

Hopefully, one day, I'll have Blackberry Enterprise Server, ditch all the Treos, and won't need SMTP open at all.
 
Have you tested it as suggested?

Can't... They want you to telnet into that server from outside. All my IP addresses have telnet forwarded to some other device (all critical... can't switch it out), so I don't have telnet access externally.

Just so happens (since I never had a use for external telnet on this server), the telnet port on that IP address is used for my main router.
 
They tell you to connect to the SMTP port using a telnet client, not really the same thing as normal telnet. Unless you have port 25 forwarded to a different box, it should allow you to test in this manner. If you do have port 25 forwarded somewhere else, then you don't need to be too concerned about open relaying, as your server wouldn't be reachable for smtp traffic from the outside anyway.
 
Port 25 IS open, like I said my handhelds use it (some of them anyway).

But unable to open a telnet session on that port- does the server need to be configured to use telnet on that port?

I know it's an open relay because I ran one of those tests on dnsgoodies and it found it open...
Don't think it's an issue because it's not blocked anywhere (ran that test as well), but would rather prevent it if possible!
 
You shouldn't need to configure anything, just make sure you are using port 25 for telnet instead of 23. Microsoft gives the example for the Windows telnet client:

telnet mail.contoso.com 25

meaning telnet will connect to the server at mail.contoso.com over port 25. If you are using a version of windows that doesn't have the built in telnet client, you can use Putty and tell it to use port 25. The server should reply just as it would to SMTP traffic, just like the previously linked knowledgebase article talks about. You can actually send emails this way to test with if you need to.
 
I know what it's talking about as far as that goes... I telnet to my routers all the time.

However it just isn't opening that connection on port 25.
 
I assume this is from outside of the network? Have you tried it from the inside?

Do you get any error messages or just no response at all?
 
Geeze... worked fine inside (why does it request you do it from outside)???

Might have to dive into router config I guess... Now that I think about it, telnetting to port 25 might require 23 AND 25 in order to work...
 
Telnet to port 25 does not require port 23. When you telnet to port 25 you are opening a direct connection to port 25, and port 23 is not touched. Telnet is one of the simplest ways to test your SMTP server because all you are doing is opening a connection to the server on port 25. You can do the same with your web servers (telnet www.contoso.com 80, which lets you send commands just like your web browser does).

Telnet from the outside world allows you to test your SMTP server.

telnet mail.contoso.com 25
EHLO somewhere.tla
MAIL FROM: [email protected]
RCPT TO: [email protected]
(or you may need to bracket your e-mail address:
RCPT TO:<[email protected]>)
DATA
Subject: this is a test

This is a test, testing 1 2 3.
.
QUIT

If you are able to put in a recipient of anything other than your domain, you have an open relay. If you are not able to put in a recipient at another domain, then you might not be an open relay.
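The telnet session above, written out as a script that reads the reply codes instead of eyeballing them. This is an added example and is not part of the thread or of any Microsoft tool. The hostnames and addresses (mail.example.test, example.test, elsewhere.test, probe.example.test) are placeholders, and FakeSmtpServer is a constructed stand-in so the block runs offline; against a real server you would call assess_relay with tcp_connect pointed at your MX, from a machine outside the network.

```python
import socket


def read_reply(recv_line):
    """Read one SMTP reply; "250-..." lines continue it, a "250 ..." line ends it."""
    lines = []
    while True:
        line = recv_line()
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line)
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def relay_probe(send_line, recv_line, helo_name, mail_from, rcpt_to):
    """The telnet session up to RCPT TO, then RSET/QUIT so nothing is ever queued."""
    code, _ = read_reply(recv_line)                 # 220 greeting banner
    if code != 220:
        raise RuntimeError("expected 220 banner, got %d" % code)
    send_line("EHLO " + helo_name)
    ehlo, _ = read_reply(recv_line)
    send_line("MAIL FROM:<%s>" % mail_from)
    mail, _ = read_reply(recv_line)
    send_line("RCPT TO:<%s>" % rcpt_to)             # always bracket the address
    rcpt, rcpt_lines = read_reply(recv_line)
    for cmd in ("RSET", "QUIT"):
        send_line(cmd)
        read_reply(recv_line)
    return {"ehlo": ehlo, "mail": mail, "rcpt": rcpt, "rcpt_text": rcpt_lines[-1]}


def assess_relay(connect, local_rcpt, foreign_rcpt,
                 helo_name="probe.example.test", mail_from="probe@elsewhere.test"):
    """Two sessions: a local mailbox must get 250 (otherwise the server is not taking
    mail on this path and the test proves nothing); a foreign mailbox must be refused."""
    local = relay_probe(*connect(), helo_name, mail_from, local_rcpt)
    foreign = relay_probe(*connect(), helo_name, mail_from, foreign_rcpt)
    if local["rcpt"] != 250:
        verdict = "not accepting mail"
    elif foreign["rcpt"] == 250:            # unauthenticated client, foreign recipient, accepted
        verdict = "open relay"
    else:
        verdict = "relay closed"
    return {"verdict": verdict, "local": local, "foreign": foreign}


def tcp_connect(host, port=25, timeout=15.0):
    """Real transport: a plain TCP connection to port 25, exactly what telnet opens."""
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("r", encoding="ascii", errors="replace")
    return (lambda line: sock.sendall((line + "\r\n").encode("ascii")),
            lambda: reader.readline().rstrip("\r\n"))


class FakeSmtpServer:
    """Constructed, scripted responder so the block runs offline; not a real server.
    Its 550 text copies the "Unable to relay" refusal Exchange 2003 gives."""

    def __init__(self, local_domain, relays_for_anyone):
        self.local_domain = local_domain
        self.relays_for_anyone = relays_for_anyone
        self.pending = ["220 mail.example.test ESMTP ready"]

    def send_line(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.pending += ["250-mail.example.test Hello", "250-SIZE 10485760", "250 OK"]
        elif verb == "MAIL":
            self.pending.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            if self.relays_for_anyone or addr.rpartition("@")[2] == self.local_domain:
                self.pending.append("250 2.1.5 " + addr)
            else:
                self.pending.append("550 5.7.1 Unable to relay for " + addr)
        elif verb == "RSET":
            self.pending.append("250 2.0.0 Resetting")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 Closing connection")
        else:
            self.pending.append("500 5.5.1 Command unrecognized")

    def recv_line(self):
        return self.pending.pop(0)


def fake_connect(relays_for_anyone):
    """Each call is a fresh scripted connection, like a new TCP session."""
    def connect():
        server = FakeSmtpServer("example.test", relays_for_anyone)
        return server.send_line, server.recv_line
    return connect


def demo():
    """Assess a constructed open relay and a constructed closed one."""
    return {name: assess_relay(fake_connect(relays), "user@example.test",
                               "victim@elsewhere.test")["verdict"]
            for name, relays in (("open", True), ("closed", False))}
```

The probe stops at RCPT TO and sends RSET then QUIT, so no message is queued on the target, and it checks a local recipient first: a 550 on every recipient means the server is not accepting mail on that path at all, which is a different problem from a closed relay. Run it unauthenticated from outside the network, since Exchange relays for authenticated sessions and for the IPs listed on the SMTP virtual server, so an inside test can pass while the outside is still open. A server that accepts RCPT TO and only drops the message later will show as open here; confirm by sending to an outside account you control.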
 
I've got port 25 opened. I use SMTP...

But I cannot telnet from the outside???

If you can't telnet on port 25 from the outside world you aren't getting e-mail from the outside world either. (Unless you are doing something really funky with another relay in which case you probably wouldn't be posting about closing this one here.) :)

Go back and run the test from inside - the rules/permissions will still be the same. As ianshot said, if you can put a recipient of someone else not on your domain, you have an open relay. If you can't, you don't.
 
Unless your firewall is doing some funky packet inspection (or ACLs) or your telnet client is using encryption or something that requires other ports, you should be able to get through from the outside. Regardless, the same rules apply on the inside. If it tests OK there, you're fine.
 