How To Close An Open Relay In Exchange 2007 / 2010

If you have an Exchange 2007 or Exchange 2010 server and you discover that you are an Open Relay, there is a very simple command that you can run from the Exchange Management Shell to close this down.

The command is:

Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Replace "YourReceiveConnectorName" with the name of your Receive Connector and then run the command.

To test if you are an open relay, you can visit MXToolbox or Checkor.com.
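If you are not sure which connector is affected, the following added example (not part of the original post) lists every Receive Connector that grants the anonymous relay right, previews the removal with -WhatIf, and lets you re-check afterwards. The function names Get-AnonymousRelayGrant and Remove-AnonymousRelayGrant and the -Apply switch are hypothetical helpers; the cmdlets and the permission name are the ones used in the command above.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007 / 2010).
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'
$right = 'ms-Exch-SMTP-Accept-Any-Recipient'

# Hypothetical helper: list each Receive Connector whose ACL lets anonymous
# senders submit mail for any recipient (the open-relay condition).
function Get-AnonymousRelayGrant {
    Get-ReceiveConnector | Get-ADPermission |
        Where-Object {
            ($_.User.ToString() -eq $anon) -and
            ($_.ExtendedRights -like "*$right*") -and
            (-not $_.Deny)
        } |
        Select-Object Identity, User, ExtendedRights, IsInherited
}

# Hypothetical helper: remove the grant from every connector found above.
# Without -Apply it only previews the change (-WhatIf); with -Apply,
# Remove-ADPermission asks for confirmation before changing each connector.
function Remove-AnonymousRelayGrant {
    param([switch]$Apply)
    foreach ($grant in @(Get-AnonymousRelayGrant)) {
        Get-ReceiveConnector -Identity $grant.Identity.ToString() |
            Remove-ADPermission -User $anon -ExtendedRights $right -WhatIf:(-not $Apply)
    }
}

# 1. Audit: which connectors currently allow anonymous relay?
Get-AnonymousRelayGrant | Format-Table -AutoSize

# 2. Preview what would be removed (makes no changes).
Remove-AnonymousRelayGrant

# 3. Apply the change, then re-run the audit; it should return nothing.
# Remove-AnonymousRelayGrant -Apply
# if (-not (Get-AnonymousRelayGrant)) { 'No connector grants anonymous relay.' }
```

An empty result from step 1 means no connector carries the anonymous grant, so an open-relay report would have to come from something other than this permission.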


7 Responses

  1. I want to close the open relay. But after closing, POP/IMAP users cannot send emails from Outlook.

    Any solution for this…

  2. Hi and thanks for the great tips….

    I am entering the commands and it is asking me to supply identity values.

    What should I be entering here?

    • Are you entering the name of your Receive Connector in the command correctly?

      Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

      Exchange won’t be an open relay by default, so are you sure you are an open relay?

  3. I got it to work, not sure why it wasn't before…

    It's strange, because it wasn't an open relay before.

    It just became one. I'm not sure how. The only way I knew is because Messagelabs (who provide us with our email anti-spam and filtering) suddenly informed us that our server was an open relay….

    And after checking myself, saw that they were right.

    Strange….

  4. This is very important… I have two connectors, one for internal usage for Outlook/Exchange clients, while another is used for the outside network ("windows sbs internet receive"). If I close the relay as instructed, will the connector still be able to receive mail for the authoritative domains defined elsewhere?

    • Absolutely. That won’t affect normal mail-flow for your internal domains, it will only stop people being able to send mail to your server destined for other domains not handled by your server.
