Topic Last Modified: 2007-03-14

The Microsoft® Exchange Server Analyzer Tool tries to relay a message through a Simple Mail Transfer Protocol (SMTP) server by performing the following tasks:

The Exchange Server Analyzer also queries the Win32_OperatingSystem Microsoft Windows® Management Instrumentation (WMI) class to determine the value of the OSProductSuite property. The value of this property identifies which Windows Server product suite is installed.

If the Exchange Server Analyzer can successfully complete all of the relay steps on an Exchange Server computer that is part of a Microsoft Small Business Server 2000 or Microsoft Windows Small Business Server 2003 installation, an error is displayed.

The error indicates that this server is configured as an open relay.

Allowing open relay is not a recommended practice.

An open relay exists when an e-mail server relays messages through the system without exercising any restriction or control over the relayed e-mail.

Note:
If for some reason your Exchange organization uses an SMTP domain named Fabrikam.com, you may encounter this error. In this event, you may be able to safely ignore this error. The Fabrikam.com domain is owned by Microsoft Corporation and is used for training, documentation, and similar purposes.

Relay is not inherently bad, because SMTP was designed for this purpose (for more information, see RFC 2821, sections 2.1 and 3.7 (http://ietf.org)). However, if relay is not controlled (an uncontrolled host is known as an open relay host), a malicious user might use relay to send bulk, unsolicited commercial e-mail messages (spam or UCE). By bouncing these unsolicited messages off an intermediate host, the malicious user tries to obfuscate their identity. This also ties up resources on the relay host and may keep the relay host from sending valid e-mail messages. In particular, a sender of such unsolicited messages can have a single message delivered to an extraordinary number of recipients without using their own bandwidth to do this.
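As an added illustration (not part of the original article and not the Analyzer's own code), the following Python script plays both sides of the SMTP dialogue described above in-process. The server side is a minimal relay policy that decides at RCPT TO whether the recipient is local, whether anonymous relay is allowed, or whether the session has authenticated; the client side issues EHLO, MAIL FROM and RCPT TO the way the Analyzer's probe does and classifies the reply. All host names, the contoso.com local domain, the probe sender, the simulated AUTH handling and the assumption that the probe recipient is in fabrikam.com are constructed for the example. It also reproduces the false positive from the note above: when fabrikam.com is one of the server's own SMTP domains, the RCPT TO is accepted as local delivery and the probe reports a relay although none occurred.

```python
"""Simulated open-relay probe: both sides of the SMTP dialogue run in-process."""
from dataclasses import dataclass, field


@dataclass
class SmtpRelayPolicy:
    """Server-side model of the decision an MTA makes at RCPT TO.
    local_domains: SMTP domains the server delivers for (accepting them is not a relay).
    allow_anonymous_relay: True models an open relay (any RCPT TO is accepted).
    relay_for_authenticated: the Exchange default "allow all computers which
    successfully authenticate to relay"; False models the stricter setting.
    Host names, reply text and domains are constructed for this example.
    """
    local_domains: frozenset
    allow_anonymous_relay: bool = False
    relay_for_authenticated: bool = True
    session: dict = field(default_factory=dict)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.session = {}
            return "250 mail.example.test Hello"
        if verb == "AUTH":  # simulation only: any AUTH counts as a successful logon
            self.session["authenticated"] = True
            return "235 2.7.0 Authentication successful"
        if verb == "MAIL":
            self.session["mail_from"] = arg
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if "mail_from" not in self.session:
                return "503 5.5.1 Bad sequence of commands"
            address = arg.split(":", 1)[-1].strip(" <>")
            domain = address.rsplit("@", 1)[-1].lower()
            if domain in self.local_domains:
                return "250 2.1.5 Recipient OK"   # local delivery, not a relay
            if self.allow_anonymous_relay:
                return "250 2.1.5 Recipient OK"   # open relay: anyone may relay
            if self.relay_for_authenticated and self.session.get("authenticated"):
                return "250 2.1.5 Recipient OK"   # relay permitted after AUTH
            return "550 5.7.1 Unable to relay"    # refusal of a restricted server
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.5.1 Command unrecognized"


def probe_relay(send, recipient, authenticate=False):
    """Issue EHLO, (AUTH,) MAIL FROM and RCPT TO, then classify the RCPT reply.
    send: callable taking one command line and returning the reply line
    (here SmtpRelayPolicy.handle; a socket wrapper has the same shape).
    Returns (verdict, transcript); verdict is 'relay-accepted', 'relay-refused' or 'error'.
    """
    transcript = []

    def cmd(line):
        reply = send(line)
        transcript.append((line, reply))
        return reply

    steps = ["EHLO probe.example.test"]
    if authenticate:
        steps.append("AUTH LOGIN")
    steps.append("MAIL FROM:<probe@example.test>")
    for line in steps:
        if not cmd(line).startswith(("250", "235")):
            cmd("QUIT")
            return "error", transcript
    reply = cmd(f"RCPT TO:<{recipient}>")
    cmd("QUIT")
    if reply.startswith("250"):
        return "relay-accepted", transcript
    if reply.startswith("5"):
        return "relay-refused", transcript
    return "error", transcript


# Assumption: the Fabrikam.com note implies the Analyzer's test message is
# addressed to that domain, so the constructed probe recipient lives there.
PROBE_RECIPIENT = "relaytest@fabrikam.com"


def scenario(local_domains, authenticate=False, **policy):
    """Probe a fresh simulated server; return (verdict, transcript)."""
    server = SmtpRelayPolicy(frozenset(local_domains), **policy)
    return probe_relay(server.handle, PROBE_RECIPIENT, authenticate)


if __name__ == "__main__":
    cases = {
        "default (relay for authenticated clients only)": scenario({"contoso.com"}),
        "open relay": scenario({"contoso.com"}, allow_anonymous_relay=True),
        "authenticated client, default policy": scenario({"contoso.com"}, authenticate=True),
        "fabrikam.com is a local domain (false positive)": scenario({"contoso.com", "fabrikam.com"}),
    }
    for name, (verdict, transcript) in cases.items():
        print(f"{name}: {verdict}")
        for line, reply in transcript:
            print(f"  C: {line}\n  S: {reply}")
```

Run as-is, the script prints a verdict and transcript for each case. The "default" case ends in the 550 5.7.1 refusal, which is the reply a correctly restricted virtual server gives an unauthenticated client; passing relay_for_authenticated=False models the stricter setting for Internet-facing servers, under which even an authenticated session is refused unless it is explicitly permitted.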

Make sure that you do not allow anonymous relaying on your Internet-facing SMTP virtual servers. In its default configuration, Exchange allows only authenticated users to relay mail. Only authenticated users can use Exchange to send mail to an external domain. If you modify the default relay settings to allow unauthenticated users to relay, or if you allow open relaying to a domain through a connector, unauthorized users or malicious worms can use your Exchange server to send spam. Your server may be block-listed and be prevented from sending mail to legitimate remote servers. To prevent unauthorized users from using your Exchange server to relay mail, at a minimum, use the default relay restrictions.

If you have legitimate reasons for relaying, follow the guidelines for making sure that security is preserved in your implementation. This is done mainly by keeping the deny-all defaults, adding only the IP addresses from which you will accept relayed mail, and disabling relay access for authenticated users.

Review how built-in accounts (local Administrator) and other users are used on your gateway servers. It is unlikely that you are using the built-in accounts for any kind of relaying. If you are relaying, the relaying is probably by a known set of users or computers. Restricting relay rights to explicit users and computers or to an IP address is recommended.

Configuring explicit permission to relay will additionally help fortify your server. Malicious users may use a brute-force attack to try to obtain the passwords of built-in accounts, or of user accounts whose names they have found on the Internet, so that they can use your server as a spam proxy. Therefore, the default setting that allows any authenticated computer to relay is not recommended for computers that are accessible from the Internet. Disabling this setting is recommended.

The following procedures explain how to disable anonymous relaying based on whether the SMTP virtual server is Internet-facing. As mentioned earlier in this article, enabling any form of anonymous relay should be done only in cases where the security risk is understood and acceptable to your organization. The references at the end of this article provide more information about how to use relaying.

If an SMTP virtual server is not accessible from the Internet, it is recommended that you reset the relay configurations to the default values. This will result in SMTP virtual servers that allow only internal relaying from authenticated computers.

For SMTP virtual servers that are accessible from the Internet, it is recommended that you additionally secure the default relay configurations, so that only users and computers with explicit permission are allowed to relay.

If you have verified that Exchange is configured to block relaying and you are still receiving this error in the Exchange Server Analyzer, verify that no proxy server or intermediate process, such as a firewall, antivirus, or anti-spam product, is itself allowing anonymous relaying.

To reset anonymous relay configurations to the default settings on internal SMTP virtual servers

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, under Select which computer may relay through this virtual server, select Only the list below, select the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click OK.

To configure explicit relay permission on Internet-facing SMTP Virtual Servers in Exchange Server 2003

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server that you want, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, clear the Allow all computers which successfully authenticate to relay, regardless of the list below check box, and then click Users to specify a subset of users that you want to grant relay permissions on this SMTP virtual server.

  6. In Permissions for Submit and Relay, to remove a user or group, select the group or user, and then click Remove.

  7. To add a group or user, click Add, and then select the users or group for which you want to specify permissions. Select from one of the following options:

    • On Microsoft Windows Server™ 2003, in Select Users, Computers or Groups, under Enter the object name to select, type the name of the user or the group. If you want to search for the user or group, click Advanced, search for the user or group name, and then click Check Names to validate your entry.

      Tip:
      Click the examples link to view the acceptable formats for your entries.

    • On Windows 2000 Server, in Select Users, Computers or Groups, select the group or user that you want to grant submit permissions, and then click Add.

  8. Click OK to return to the Permissions for Submit and Relay dialog box.

  9. Under Group or user names list, select the group you just added.

  10. Under Permissions for <selected group>, next to Submit Permission, if necessary, select the check box under Allow to allow the selected user or group to submit mail through this SMTP virtual server.

  11. Next to Relay Permissions, select the check box under Allow to permit the selected object to relay through this SMTP virtual server, or select the check box under Deny to prevent the selected object from relaying through this virtual server.

    Note:
    You must allow Submit Permissions if you want to allow Relay Permissions.

  12. Click OK.

To configure relay permissions on Internet-facing SMTP Virtual Servers in Exchange 2000 Server

  1. Open Exchange System Manager.

  2. In the console tree, expand Servers, expand the server you want to configure, expand Protocols, and then expand SMTP.

  3. Right-click the SMTP virtual server on which you want to apply relay restrictions, and then click Properties.

  4. In <SMTP Virtual Server> Properties, click the Access tab, and then click Relay.

  5. In Relay Restrictions, under Select which computer may relay through this virtual server, select Only the list below.

  6. Click Add to add a single computer, a group of computers, or an SMTP domain name, and then click OK. Repeat this step for each additional entry that you want to add.

  7. Select Allow all computers which successfully authenticate to relay, regardless of the list above check box, and then click OK twice.

For more information about message relaying and security, see the following guides from the Exchange Server 2003 Technical Library:

For more information about testing and securing open relay behavior in your Exchange and Microsoft Windows environment, see the Microsoft Knowledge Base article 304897, "SMTP relay behavior in Windows 2000, Windows XP, and Exchange Server" (http://go.microsoft.com/fwlink/?LinkId=3052&kbid=304897).