RE: Does In-Place Upgrade of Microsoft Exchange Create Open Relays?

From: jmcguire@sbcs.com
Date: 04/18/03

    Date: Fri, 18 Apr 2003 14:49:18 -0400
    To: RPAmarante@directvla.com, Thor@HammerofGod.com, Jon.Kibler@aset.com, focus-ms@securityfocus.com
    From: jmcguire@sbcs.com
    
    

    I have worked around Exchange SMTP relay by allowing relay for
    authenticated users only. Since no one can authenticate it fails. Have
    had problems with Exchange 5.5 and 2000 through different service packs
    that when relaying appears to be turned off, it still functions.

     

    __________________________________________
    JOHN MCGUIRE CISSP, MCSE2k, MCSE+I
    Network Security Specialist
    888.529.0401
    jmcguire@sbcs.com
    Strictly Business
    www.sbcs.com

    -----Original Message-----
    From: Amarante, Rodrigo P. [mailto:RPAmarante@directvla.com]
    Sent: Thursday, April 17, 2003 5:43 PM
    To: Deus, Attonbitus; Jon R. Kibler; focus-ms@securityfocus.com
    Subject: RE: Does In-Place Upgrade of Microsoft Exchange Create Open
    Relays?

    Some people don't realize that there is also a connector configuration
    that could allow relaying. In the properties for the SMTP Connector for
    the routing group, in the address space tab there's a check box that
    states: "Allow messages to be relayed to these domains".
    Since this is an SMTP connector to the "world" (AKA Internet Mail
    Service), the "these domains" that the check box refers to are basically
    everything (*). The connector's setting overrides the SMTP Virtual
    Server settings. So if you don't want to relay, make sure the box is
    not checked and that the SMTP Virtual Server is also not allowing
    relaying.

    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    Sent: Thursday, April 17, 2003 3:22 PM
    To: Jon R. Kibler; focus-ms@securityfocus.com

    At 11:18 AM 4/17/2003, Jon R. Kibler wrote:
    >Over the past few months, we have seen a significant and steady
    >increase in the number of open relay MTAs that are running Microsoft
    >Exchange. In every case where we have been able to talk to someone at
    >the organization running the open relay, the universal comment is "Our
    >network consultant just upgraded our mail system."
    >
    >Since we are not an Exchange user, Microsoft will not discuss the issue
    >with us. However, we have been able to talk to a few "network
    >consultants" and the problem appears to occur when an existing (and
    >secure) version of Exchange is upgraded in-place on the same host. We
    >have been told that the problem is occurring on upgrades of Exchange
    >5.x to Exchange 2000, and Exchange 2000 to Exchange 2000 Service Pack
    >3.
    >
    >Apparently, either of these two upgrades will cause a previously secure
    >version of Exchange to become an open relay that must be manually
    >closed.
    >
    >One person also told us that they were told that the "Exchange 2000
    >Post-Service Pack 3 (SP3) Rollup Patch 6396.1" was supposed to fix
    >the problem, but they had not tried to find and apply the patch,
    >and did not know anyone who had used it.
    >
    >Does anyone have any specific details on this problem?

    I had the exact same thing happen some time ago when I applied SP3 to
    one of my remote office Exchange Servers. I could not figure it out for
    the life of me, and could not get any help from MS on it. What was most
    strange is that the IP restrictions were in the config, but anyone could
    still relay mail through. I just figured I was temporarily insane, which
    these days is pretty common. I had to put the Exchange Server one hop
    in, and use a mail gateway to restrict my traffic. Since that was really
    the best way to do it anyway, I pretty much forgot about the issue until
    I read your post. I'll check out the rollup patch (which is not on that
    machine now) and see what happens.

    T


    ------------------------------------------------------------------------
    -----
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
    the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by
    professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no
    vendor
    sales pitches. Deadline for the best rates is April 25. Register today
    to
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ------------------------------------------------------------------------
    ------
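
Added example, not part of any message in this thread: several posters report that relaying still worked while the configuration showed it as restricted, so the reliable check is the listener's behaviour rather than the settings dialog. The sketch below probes one SMTP listener without authenticating and reports how it answers RCPT TO for a foreign domain; the probe addresses and the function name check_relay are assumptions made for the example.

```python
import smtplib

# Constructed probe addresses on reserved example domains (assumptions, not
# from the thread). Neither domain is local to the server under test.
PROBE_FROM = "relay-probe@example.net"
PROBE_RCPT = "relay-probe@example.org"


def check_relay(host, port=25, smtp_factory=smtplib.SMTP, timeout=10):
    """Probe one SMTP listener, unauthenticated, for relay to a foreign domain.

    Returns (verdict, code, text) where verdict is 'relay-accepted',
    'relay-refused' or 'inconclusive'. The session ends after RCPT TO and
    never issues DATA, so no message is queued or delivered.
    """
    conn = smtp_factory(host, port, timeout=timeout)
    try:
        conn.ehlo_or_helo_if_needed()
        code, text = conn.mail(PROBE_FROM)
        if code != 250:
            return ("inconclusive", code, _decode(text))
        # The relay decision is normally made here: a foreign recipient from
        # an unauthenticated client should draw a 5xx refusal.
        code, text = conn.rcpt(PROBE_RCPT)
        conn.rset()
        if code in (250, 251):
            verdict = "relay-accepted"
        elif 500 <= code <= 599:
            verdict = "relay-refused"
        else:
            verdict = "inconclusive"  # e.g. a 4xx temporary failure
        return (verdict, code, _decode(text))
    finally:
        try:
            conn.quit()
        except smtplib.SMTPException:
            pass


def _decode(text):
    # smtplib returns reply text as bytes; normalise it for reporting.
    return text.decode("ascii", "replace") if isinstance(text, bytes) else str(text)


if __name__ == "__main__":
    import sys
    print(check_relay(sys.argv[1]))
```

Running it against your own server before and after an in-place upgrade or service pack shows whether the relay behaviour changed. A 250 at RCPT TO only shows the recipient was accepted; some servers accept and bounce later, so confirm against the SMTP logs and queues.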
