
Exchange Server 2007 relaying

(OP)
Hi everyone,

I have a client with an Exchange 2007 server install. I have used various relay testing mechanisms and they all report the system does not support relaying. The problem is that the server is relaying: mail is coming from an external IP. Have any of you found this possible before?

Thanks for your help.

No2broady

RE: Exchange Server 2007 relaying

It is probably an authenticated relay, meaning one of your AD accounts had a very easy password and now email is being relayed using those credentials. In that scenario, your tests would report that no relaying was possible, but relaying could still be happening. If you look at your Transport logs, you should be able to see the inbound SMTP traffic and see which account is being used to relay.

Dave Shackelford
ThirdTier.net

RE: Exchange Server 2007 relaying

(OP)
Hi Dave,

I did begin to think that, but when I was looking at the mail items sat in the queue the source was from an external IP. If a user has authenticated (genuine or hacked), would the mail still not look like it's come from a local connection, as OWA and ActiveSync do?

The bouts of relaying are not constant and seem to be running through small lists of emails. I have already made sure that the system is 100% patched. I am tempted to force password changes onto all the users to see if your advice works.

Thanks for the response. Much appreciated.

RE: Exchange Server 2007 relaying

Nope, it would not come from a local connection if it's authenticated SMTP--the source IP could be anywhere, but you will also see the name of the user authenticating in the logs. Beyond that, if you know the times that the emails started being sent on one particular day, you could look at the security log on the server and find an authentication entry there that maps a user name and the same remote IP that you see in your SMTP logs.

I would look at your user accounts that have generic names: info, sales, office, etc. Often those are the ones most easily hacked, and I've seen several networks in which the passwords were the same as the username!

Dave Shackelford
ThirdTier.net

RE: Exchange Server 2007 relaying

(OP)
Hi Dave,

Could you tell me which logs the authenticating users would show in? I've been trawling logs for a while now and can't see any user name showing up in them.

Here's a sample of the send connector SMTP log. The address cstmscares@amazons.ca comes up on all the emails as sender; should Exchange not deny sending mail from this address based on relaying being disabled?

Thanks for your help.

2014-03-06T11:11:59.065Z,To Internet,08D10594E0D3C7E6,29,192.168.10.8:7523,142.239.254.30:25,<,250 Sender <cstmscares@amazons.ca> OK,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,25,192.168.10.8:7529,64.12.91.196:25,<,250-mtaig-mab02.mx.aol.com,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,26,192.168.10.8:7529,64.12.91.196:25,<,250 DSN,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,27,192.168.10.8:7529,64.12.91.196:25,*,60968,sending message
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,28,192.168.10.8:7529,64.12.91.196:25,>,MAIL FROM:<cstmscares@amazons.ca>,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E5,16,192.168.10.8:7522,24.246.104.108:25,<,"420 deferred due to suspect content, please try again later",
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E5,17,192.168.10.8:7522,24.246.104.108:25,>,QUIT,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E7,14,192.168.10.8:7524,107.14.73.70:25,<,221 2.3.0 dnvrco-iedge06 closing connection,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E7,15,192.168.10.8:7524,107.14.73.70:25,-,,Local
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7CA,29,192.168.10.8:7529,64.12.91.196:25,<,250 2.1.0 Ok,
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7CA,30,192.168.10.8:7529,64.12.91.196:25,>,RCPT TO:<rchap1237@cs.com>,
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7E5,18,192.168.10.8:7522,24.246.104.108:25,<,"221 barracuda.hawthorne.k12.nj.us Goodbye mail.ourdomain.com, closing connection",

RE: Exchange Server 2007 relaying

(OP)
Sorry, I did enable the Exchange auditing logs to view the authenticating users, but I don't see any correlation between the SMTP logs and the Exchange auditing. Any ideas what could be happening?

No2broady

RE: Exchange Server 2007 relaying

(OP)
Okay, I think I may have cracked how they are authenticated. I started going through the receive connector and found the following line.

2014-03-06T11:05:36.657Z,localserver\Default localserver,08D10594E0D3C632,21,192.168.10.8:25,72.22.74.51:55145,*,localdomain\user,authenticated

The thing that is concerning me is we have a standard user account named "user". It's a dormant account we use for some small handheld items in a shop, and this account doesn't have an Exchange mailbox set up. Can this still be used to authenticate?

Thanks again for any help you provide.

No2broady

RE: Exchange Server 2007 relaying

Yes, that account could be used to authenticate. No mailbox is required.

Dave Shackelford
ThirdTier.net
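The check Dave describes, finding which account authenticated from which remote IP and what that session then submitted, can be automated over the receive-connector protocol log. The following is an added example, not code from this thread or from Exchange; it assumes the nine-column layout shown in the OP's log lines (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context), uses constructed sample lines with documentation IPs, and treats RFC 1918 addresses as internal.

```python
import csv
import ipaddress
from collections import defaultdict

# Column layout of an Exchange 2007 SMTP protocol log (receive and send connectors alike).
FIELDS = ["timestamp", "connector", "session", "seq", "local", "remote", "event", "data", "context"]
# RFC 1918 ranges; an "authenticated" event from outside these is the pattern seen in the thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample receive-connector log (not real data; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-03-06T11:05:36.100Z,SRV\Default SRV,08D1000000000001,0,192.168.10.8:25,203.0.113.45:55145,+,,
2014-03-06T11:05:36.657Z,SRV\Default SRV,08D1000000000001,21,192.168.10.8:25,203.0.113.45:55145,*,localdomain\user,authenticated
2014-03-06T11:05:36.700Z,SRV\Default SRV,08D1000000000001,22,192.168.10.8:25,203.0.113.45:55145,<,MAIL FROM:<cstmscares@example.net>,
2014-03-06T11:05:36.710Z,SRV\Default SRV,08D1000000000001,23,192.168.10.8:25,203.0.113.45:55145,<,RCPT TO:<victim@example.com>,
2014-03-06T11:06:01.050Z,SRV\Default SRV,08D1000000000002,5,192.168.10.8:25,192.168.10.50:49201,*,localdomain\scanner,authenticated
2014-03-06T11:06:01.060Z,SRV\Default SRV,08D1000000000002,6,192.168.10.8:25,192.168.10.50:49201,<,MAIL FROM:<scanner@ourdomain.example>,
"""

def is_internal(endpoint):
    # endpoint is "ip:port"; IPv6 endpoints are logged in brackets, so strip them before parsing
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)

def parse_log(text):
    # skip '#' header lines; csv handles the quoted data column seen in the send log above
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield dict(zip(FIELDS, next(csv.reader([line]))))

def external_auth_sessions(text):
    # session-id -> who authenticated from a non-private IP and what that session then submitted
    sessions = {}
    for row in parse_log(text):
        sid = row["session"]
        if row["event"] == "*" and row.get("context") == "authenticated" and not is_internal(row["remote"]):
            sessions[sid] = {"time": row["timestamp"], "user": row["data"], "mail_from": [], "rcpt_to": [],
                             "remote": row["remote"].rsplit(":", 1)[0].strip("[]")}
        elif sid in sessions and row["event"] == "<":  # '<' is a command received from the client
            cmd, _, arg = row["data"].partition(":")
            if cmd.upper() in ("MAIL FROM", "RCPT TO"):
                sessions[sid]["mail_from" if cmd.upper() == "MAIL FROM" else "rcpt_to"].append(arg.strip("<> "))
    return sessions

def summarize_by_user(sessions):
    # per account: number of external authenticated sessions and the distinct source IPs
    by_user = defaultdict(lambda: {"sessions": 0, "remote_ips": set()})
    for info in sessions.values():
        by_user[info["user"]]["sessions"] += 1
        by_user[info["user"]]["remote_ips"].add(info["remote"])
    return dict(by_user)
```

Run it against a real RECV log directory by reading each file into `external_auth_sessions`; accounts with sessions from many unrelated external IPs are the ones whose passwords need resetting, and the remote IP plus timestamp is what to match against the server's security log.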

RE: Exchange Server 2007 relaying

(OP)
Wonderful, your post yesterday made me go over the receive connector logs again, thanks for all your help.
