Re: Does In-Place Upgrade of Microsoft Exchange Create Open Relays?

From: Peter VE (peter.ve@pandora.be)
Date: 04/21/03

    From: "Peter VE" <peter.ve@pandora.be>
    To: "David Vincent" <david.vincent@mightyoaks.com>, <focus-ms@securityfocus.com>
    Date: Mon, 21 Apr 2003 19:25:01 +0200
    
    

    I'm using openrelay tool from http://kickme.to/dpsecurity,
    it has about 30 checks and includes some general vulnerability scanning as
    well..

    They have binaries for Win32 and unix...

    ----- Original Message -----
    From: "David Vincent" <david.vincent@mightyoaks.com>
    To: <focus-ms@securityfocus.com>
    Sent: Monday, April 21, 2003 5:50 PM
    Subject: RE: Does In-Place Upgrade of Microsoft Exchange Create Open Relays?

    > on the subject of open relays, i started using
    > http://www.abuse.net/relay.html to test my servers after a large increase in
    > people trying to relay through us and failing. anyone have an idea how
    > comprehensive their tests are? there's 17 of 'em.
    >
    > -d
    >
    >
    > > -----Original Message-----
    > > From: jmcguire@sbcs.com [mailto:jmcguire@sbcs.com]
    > > Sent: April 18, 2003 11:49 AM
    > > To: RPAmarante@directvla.com; Thor@HammerofGod.com; Jon.Kibler@aset.com;
    > > focus-ms@securityfocus.com
    > > Subject: RE: Does In-Place Upgrade of Microsoft Exchange Create Open Relays?
    > >
    > >
    > > I have worked around Exchange SMTP relay by allowing relay for
    > > authenticated users only. Since no one can authenticate it fails. Have
    > > had problems with Exchange 5.5 and 2000 through different service packs
    > > that when relaying appears to be turned off, it still functions.
    > >
    > >
    > >
    > > __________________________________________
    > >
    > > JOHN MCGUIRE CISSP, MCSE2k, MCSE+I
    > >
    > > Network Security Specialist
    > >
    > > 888.529.0401
    > >
    > > jmcguire@sbcs.com
    > >
    > > Strictly Business
    > >
    > > www.sbcs.com
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Amarante, Rodrigo P. [mailto:RPAmarante@directvla.com]
    > > Sent: Thursday, April 17, 2003 5:43 PM
    > > To: Deus, Attonbitus; Jon R. Kibler; focus-ms@securityfocus.com
    > > Subject: RE: Does In-Place Upgrade of Microsoft Exchange Create Open Relays?
    > >
    > >
    > > Some people don't realize that there is also a connector configuration
    > > that could allow relaying. In the properties for the SMTP Connector for
    > > the routing group, in the address space tab there's a check box that
    > > states: "Allow messages to be relayed to these domains"
    > > Since this is an SMTP connector to the "world" (AKA Internet Mail
    > > Service), the "these domains" that the check box refers to are basically
    > > everything (*). The connector's setting overrides the SMTP Virtual
    > > Server settings. So if you don't want to relay, make sure the box is
    > > not checked and that the SMTP Virtual Server is also not allowing
    > > relaying.
    > >
    > > -----Original Message-----
    > > From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    > > Sent: Thursday, April 17, 2003 3:22 PM
    > > To: Jon R. Kibler; focus-ms@securityfocus.com
    > >
    > >
    > >
    > > At 11:18 AM 4/17/2003, Jon R. Kibler wrote:
    > > >Over the past few months, we have seen a significant and steady
    > > >increase in the number of open relay MTAs that are running Microsoft
    > > >Exchange. In every case where we have been able to talk to someone at
    > > >the organization running the open relay, the universal comment is "Our
    > > >network consultant just upgraded our mail system."
    > > >
    > > >Since we are not an Exchange user, Microsoft will not discuss the issue
    > > >with us. However, we have been able to talk to a few "network
    > > >consultants" and the problem appears to occur when an existing (and
    > > >secure) version of Exchange is upgraded in-place on the same host. We
    > > >have been told that the problem is occurring on upgrades of Exchange
    > > >5.x to Exchange 2000, and Exchange 2000 to Exchange 2000 Service Pack
    > > >3.
    > > >
    > > >Apparently, either of these two upgrades will cause a previously secure
    > > >version of Exchange to become an open relay that must be manually
    > > >closed.
    > > >
    > > >One person also told us that they were told that the "Exchange 2000
    > > >Post-Service Pack 3 (SP3) Rollup Patch 6396.1" was supposed to fix
    > > >the problem, but they had not tried to find and apply the patch,
    > > >and did not know anyone who had used it.
    > > >
    > > >Does anyone have any specific details on this problem?
    > >
    > > I had the exact same thing happen some time ago when I applied SP3 to one
    > > of my remote office Exchange Servers. I could not figure it out for the
    > > life of me, and could not get any help from MS on it. What was most
    > > strange is that the IP restrictions were in the config, but anyone could
    > > still relay mail through. I just figured I was temporarily insane, which
    > > these days is pretty common. I had to put the Exchange Server one hop in,
    > > and use a mail gateway to restrict my traffic. Since that was really the
    > > best way to do it anyway, I pretty much forgot about the issue until I read
    > > your post. I'll check out the rollup patch (which is not on that machine
    > > now) and see what happens.
    > >
    > > T
    > >
    > >
    > >
    -----------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
    world's premier event for IT and network security experts.  The two-day 
    Training features 6 hands-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
    sales pitches.  Deadline for the best rates is April 25.  Register today to 
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ------------------------------------------------------------------------------
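
An added example, not part of the original thread and not the code of either tool named in it: a small Python check an administrator can run against their own Exchange host after an upgrade, to see whether an unauthenticated session is still offered relay. Host, domain and address names are placeholders, and the three recipient spellings are a constructed set, not the abuse.net or openrelay test lists.

```python
import smtplib
import sys

def recipient_variants(ext_user, ext_domain, local_domain):
    """Constructed probe set: plain external address plus two legacy
    source-routing spellings that a misconfigured MTA may rewrite and forward."""
    return [
        f"{ext_user}@{ext_domain}",                 # plain external recipient
        f"{ext_user}%{ext_domain}@{local_domain}",  # "percent hack"
        f"{ext_domain}!{ext_user}@{local_domain}",  # UUCP-style bang path
    ]

def classify(code):
    """Map the RCPT TO reply code to a verdict."""
    if 200 <= code < 300:
        return "accepted"   # server agreed to take mail for this recipient
    if 400 <= code < 500:
        return "deferred"   # temporary failure: retest, do not assume closed
    return "rejected"       # e.g. 550 5.7.1 Unable to relay

def probe_relay(smtp, sender, recipients):
    """Run MAIL FROM / RCPT TO for each recipient, then RSET.
    DATA is never sent, so no message is queued or delivered."""
    smtp.ehlo()
    results = {}
    for rcpt in recipients:
        code, _ = smtp.mail(sender)
        if code // 100 == 2:
            code, _ = smtp.rcpt(rcpt)
            results[rcpt] = classify(code)
        else:
            results[rcpt] = "sender-refused"
        smtp.rset()
    return results

def relays(results):
    """True if any externally addressed recipient was accepted."""
    return any(v == "accepted" for v in results.values())

if __name__ == "__main__":
    # Usage (placeholders): python relaycheck.py mail.example.com example.com
    host, local_domain = sys.argv[1], sys.argv[2]
    rcpts = recipient_variants("probe", "example.org", local_domain)
    with smtplib.SMTP(host, 25, timeout=15) as smtp:  # unauthenticated session
        results = probe_relay(smtp, "probe@example.net", rcpts)
    for rcpt, verdict in results.items():
        print(f"{verdict:15} {rcpt}")
    sys.exit(1 if relays(results) else 0)
```

An accepted RCPT is a candidate finding rather than proof, since a server can accept the recipient and refuse or bounce the message later; confirm against the SMTP queue and logs. Run the check from an address outside any range the server is configured to relay for.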
    
