Security Incidents mailing list archives

Re: E-Mail relay or break in?


From: graeme () LBORO AC UK (Graeme)
Date: Wed, 9 Feb 2000 17:25:17 -0000


On 09-Feb-2000 JJ Gray wrote:
> AFAIK Exchange cannot be configured to prevent open relay

Oh yes it can...

Graeme

*** START OF EXCERPT FROM MICROSOFT.COM ***

XFOR: Preventing the IMS from Relaying UCE messages

Last reviewed: December 10, 1998

Article ID: Q193922

The information in this article applies to:

Microsoft Exchange Server, version 5.5

IMPORTANT: This article contains information about editing the
registry. Before you edit the registry, make sure you understand how to
restore it if a problem occurs. For information about how to do
this, view the "Restoring the Registry" Help topic in Regedit.exe or the
"Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

Administrators of Microsoft Exchange Server version 5.5 have the ability
to prevent their server from acting as a relay host for Unsolicited
Commercial E-mail (UCE) messages.

MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious
problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the
incorrect use of Registry Editor can be solved. Use Registry Editor at
your own risk.

For information about how to edit the registry, view the "Changing
Keys And Values" Help topic in Registry Editor (Regedit.exe) or the
"Add and Delete Information in the Registry" and "Edit Registry
Data" Help topics in Regedt32.exe. Note that you should back up the
registry before you edit it. If you are running Windows NT, you should
also update your Emergency Repair Disk (ERD).

When the Internet Mail Service is installed, it is configured by
default to allow rerouting for POP3 and IMAP4 clients. This rerouting
is found on the Routing tab of the Internet Mail Service object. The
Internet Mail Service accepts and relays mail to non-local recipients.
Message relaying occurs when a client or remote SMTP server connects to
the Internet Mail Service and submits messages for non-local recipients.
If the Internet Mail Service does not restrict relay messaging, it
can be used to relay UCE messages.

If your configuration prevents the client from relaying mail, SMTP
RCPT (receipt) commands specifying a non-local recipient are refused
with a "550 relaying prohibited" response.

Relay restrictions are configured within the registry using values
in the following registry key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters

The following examples outline the value, the data type, and the
function it performs. After the changes have been made, the Internet
Mail Service should be stopped and restarted.

        RelayFlags, REG_DWORD
Defines which relay control rules are in effect.

        RelayDenyList, REG_MULTI_SZ
Specifies hosts that cannot relay messages through your server.

        RelayAllowList, REG_MULTI_SZ
Specifies hosts that can relay messages through your server.

        RelayLocalIPList, REG_MULTI_SZ
Specifies the local IP addresses of the server to which an SMTP client
can connect and relay mail. This is useful for multi-homed servers that
have internal and external interfaces. Enabling IP-forwarding disables
this feature.

NOTE: RelayDenyList, RelayAllowList, and RelayLocalIPList consist
of a net address and optional mask per line. Order is not important in
these lists. Each line consists of two parts, the net address and
the mask, separated by a semicolon. For example:

        Net[;mask]

If the mask is omitted, the default used is 255.255.255.255.

A net address matches a rule if the bitwise-AND of the IP address
and the mask equals the net. That is:

        (IP Address AND mask) = net

Examples:

To add net 192.168.0.0 to a list, add the following line to the list:

          192.168.0.0;255.255.0.0

To add the host 192.168.1.17 to a list, add either of the following
lines to the list:

          192.168.1.17;255.255.255.255

          - or -

          192.168.1.17

What follows is the logic used to determine if the client can relay
mail. If none of these apply, the client will not be allowed to relay.

If bit 1 of RelayFlags is set (decimal value 1) and the client's IP
address is matched by a pattern in RelayDenyList, the client will not be
allowed to relay.
If bit 2 of RelayFlags is set (decimal value 2) and the client's IP
address is matched by a pattern in RelayAllowList, the client will be
allowed to relay.
If bit 3 of RelayFlags is set (decimal value 4) and the client is
connected to a local IP address that matches a pattern in
RelayLocalIPList, the client will be allowed to relay.
If bit 4 of RelayFlags is set (decimal value 8) and the client is
authenticated, the client will be allowed to relay.
If only bit 1 is set, the client will be allowed to relay.

Examples:

All clients not explicitly denied can relay.

Set bit 1 of RelayFlags (by setting its decimal value to 1), and add a
rule to RelayDenyList for each host or group of hosts to be denied. To
prevent all hosts on the subnet 192.168.17.0 from relaying mail, add
the following line to RelayDenyList:

                192.168.17.0;255.255.255.0

All clients not explicitly allowed are denied.

Set bit 2 of RelayFlags (by setting its decimal value to 2), and add a
rule to RelayAllowList for each host or group of hosts to be allowed.
To allow all hosts on subnet 192.168.1.0 to relay mail, add the
following line to RelayAllowList:

                192.168.1.0;255.255.255.0

Allow all hosts on a subnet except for a subset.

To allow all hosts on a subnet, set bit 2 of RelayFlags (by setting its
decimal value to 2), and add a rule to RelayAllowList to match the
subnet. For the subnet 192.168.1.0, the following rule works.

                192.168.1.0;255.255.255.0

To prevent a subset of the hosts on subnet 192.168.1.0 from relaying
mail, also set bit 1 in RelayFlags in addition to bit 2 (which was set
above); the net result is to set its decimal value to 3. Add the IP
address of each host to RelayDenyList. If the subset of hosts is grouped
together, you can add a single rule to match all of them. For example,
if 192.168.1.1 through 192.168.1.7 are not allowed to relay, the
following rule is adequate. Listing each address explicitly in
RelayDenyList also works.

                192.168.1.0;255.255.255.248

Allow clients connecting to the selected network interfaces to relay.

This method is useful if the host has multiple network interfaces, and
IP-forwarding is not enabled. Set bit 3 of RelayFlags (by setting its
decimal value to 4), and add the IP addresses of the network interfaces
that will relay mail to RelayLocalIPList.

Allow authenticated clients to relay.

Set bit 4 of RelayFlags (by setting its decimal value to 8) to allow
clients that have authenticated (by using the AUTH command) to relay
mail.

The Internet Mail Service must be stopped and restarted in Control
Panel, Services for these registry settings to take effect after they
are created or modified.

When a message is denied for relay through the Internet Mail Service, an
event is logged to the Application Event Log if the SMTP Interface
Events diagnostics logging category is set to minimum or a higher
logging level using the Internet Mail Service Diagnostic Logging
property page.
The event will indicate the sender's IP address, sender's host name (if
available), the sender's authentication account (if authentication was
used), and the recipient address for the message.

Exchange Server version 5.5 Service Pack 1 (SP1) gives the administrator
the ability to configure these options through the Routing tab on the
properties of the Internet Mail Service (IMS) object.

*** END OF EXCERPT FROM MICROSOFT.COM ***

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
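The relay decision described in the quoted KB excerpt (the Net[;mask] list format, the "(IP AND mask) = net" test, and the four RelayFlags bits checked in the stated order), as an added Python model for checking a planned configuration before it goes into the registry. This is not Microsoft's code and not part of the original post; the function names and the way lists are passed as plain tuples of strings are my own.

```python
import ipaddress

# RelayFlags bits exactly as the KB excerpt numbers them (bit 1 = decimal 1, ...)
RELAY_DENY_LIST = 1    # bit 1: consult RelayDenyList
RELAY_ALLOW_LIST = 2   # bit 2: consult RelayAllowList
RELAY_LOCAL_IP = 4     # bit 3: consult RelayLocalIPList (interface the client hit)
RELAY_AUTH = 8         # bit 4: clients that used SMTP AUTH may relay


def parse_rule(line):
    """Parse one 'Net[;mask]' list entry into (net, mask) as integers.
    A missing mask defaults to 255.255.255.255, i.e. a single host."""
    net, _, mask = line.strip().partition(";")
    net_i = int(ipaddress.IPv4Address(net))
    mask_i = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    return net_i, mask_i


def matches(ip, rules):
    """True if (ip AND mask) == net for any rule in the list; order is irrelevant."""
    ip_i = int(ipaddress.IPv4Address(ip))
    return any((ip_i & mask) == net for net, mask in map(parse_rule, rules))


def may_relay(flags, client_ip, local_ip, authenticated,
              deny=(), allow=(), local=()):
    """Apply the KB's decision logic. deny/allow are matched against the
    client's address, local against the server interface it connected to."""
    if flags & RELAY_DENY_LIST and matches(client_ip, deny):
        return False          # deny list wins over every later rule
    if flags & RELAY_ALLOW_LIST and matches(client_ip, allow):
        return True
    if flags & RELAY_LOCAL_IP and matches(local_ip, local):
        return True
    if flags & RELAY_AUTH and authenticated:
        return True
    if flags == RELAY_DENY_LIST:
        return True           # "If only bit 1 is set, the client will be allowed to relay."
    return False              # none of the rules applied: no relay


if __name__ == "__main__":
    # Constructed scenario: "allow all hosts on a subnet except for a subset" (RelayFlags = 3)
    allow = ("192.168.1.0;255.255.255.0",)
    deny = ("192.168.1.0;255.255.255.248",)   # covers 192.168.1.0 - .7
    for ip in ("192.168.1.5", "192.168.1.9", "10.0.0.1"):
        print(ip, "relay" if may_relay(3, ip, "192.168.1.1", False, deny, allow) else "550 relaying prohibited")
```

Running it with a RelayFlags value of 0, or a client that matches no list, shows that an unlisted host is refused, which is the "none of these apply" fall-through the excerpt describes.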


