In Exchange 2003 in Default SMTP Virtual Server, Properties, Access, Relay...if I select "Only the list below" putting in the spam filter IP and deselect "Allow all computers which successfully authenticate to relay, regardless of the list above," will users using Outlook be able to send internet email?

On Wed, 16-Dec-09 19:14:46 GMT, DrewW NFS wrote:>In Exchange 2003 in Default SMTP Virtual Server, Properties, Access, Relay...if I select "Only the list below" putting in the spam filter IP and deselect "Allow all computers which successfully authenticate to relay, regardless of the list above," will users using Outlook be able to send internet email? "Yes" to the Outlook question. But why do you want to retain theability to use authenticated SMTP relays? If you have no SMTP clientsyou don't need that, either.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

If the Allow all computers which successfully authenticate to relay regardless of the list above check box is not selected on the SMTP virtual server, you may receive NDRs that contain error code 5.7.1 ----------Refer to <How to troubleshoot mail relay issues in Exchange Server 2003 and in Exchange 2000 Server> Relay is the ability to send messages to the domains other than your own, if even the authenticated users cant be allowed to relay, I dont think the users can send internet messages Recourses: Setting Relay Restrictions Users Without Permissions to Relay Messages Can Still Send Messages Through the SMTP Virtual ServerJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

I am trying to correct a network that is sending spam from an unknown machine. However, it was likely that a hacker had comprised the server and was relaying spam through the server via authentication. Therefore, I wanted to see if turning off authentication for relay would stop the spam. I was doing several things to stop the spam. Anyway, the list of IP's included the IP of the spam filter (inbound), the IP of a copier/scanner that sent scans via email to users' mailboxes, and the IP of the server itself. When I turned off authentication for relay, the users were able to send and receive external (internet) email.I ended up having to turn it back on for a user that has his phone setup for IMAP...gonna try to get him setup on EAS instead.

“However, sometimes relaying is required. For example, if you have Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4) clients who rely on SMTP for message delivery and have legitimate reasons for sending e-mail messages to external domains. You can work around this issue by creating a second SMTP virtual server that is dedicated to receiving e-mail messages from POP3 and IMAP4 clients” -------------Refer to <The msExchSmtpRelayForAuth value has been changed from its default of True> Resources: Stop Spam From the Inside by Locking Down SMTPJames Luo TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx) If you have any feedback on our support, please contact tngfb@microsoft.com

"Yes" to the Outlook question. But why do you want to retain theability to use authenticated SMTP relays? If you have no SMTP clientsyou don't need that, either.--- I didn't say that I needed to retain the ability to use authenticated SMTP relays.

On Thu, 24-Dec-09 16:13:00 GMT, DrewW NFS wrote:>"Yes" to the Outlook question. But why do you want to retain theability to use authenticated SMTP relays? If you have no SMTP clientsyou don't need that, either.---I didn't say that I needed to retain the ability to use authenticated SMTP relays. You're right, you didn't. You said "DEselect" and I read "select". Mybad.---Rich MatheisenMCSE+I, Exchange MVP--- Rich Matheisen MCSE+I, Exchange MVP

BTW, in case anyone is interested, I found out how this setting affects Exchange Active Sync (EAS)...it doesn't affect either way. The "Allow all computers which successfully authenticate to relay, regardless of the list above" setting is selected (checked) by default. So if you want to have a pretty secure Exchange 2003 config that is very resistant to being used as a rogue relay, deselect (uncheck) the above and force OWA and EAS to use SSL. Internal (LAN) based Outlook clients will work fine, but external (internet) based POP/IMAP clients will not work (however, most people I know don't support those clients on corporate Exchange setups).