So over the years, we have heard a thing or two about Exchange relays and as Exchange administrators may have have even setup relay connectors for our systems/applications to use as to pass along email. Before we go any further though we should first answer the question, what is a relay? Relaying allows a PC or server to send mail through SMTP to an internal and/or external destination. In the context of this article, this relaying would be done through your Exchange servers.
Then you might ask, what are some examples of when I would allow a system to relay mail through my Exchange server? An example of when to do this through your Exchange system might be system owner pager-based alerting or you may also have a 3rd party software vendor that requires the ability to send mail from their software program to users/administrators. So then you might ask, why should I even be thinking about whether or not I care about relays? The largest issue with relays is that the “allowed” system can freely send email through Exchange. This typically is not a concern among co-workers, but if a system were to become compromised you may be allowing a spammer or hacker to send mail on behalf of your organization.
So what happens if compromised system sends external spam? Your organization is at risk for having your domain name blacklisted. If your domain becomes blacklisted your organization will not be able to get mail to other businesses if their mail gateway detects your domain had become blacklisted. If you are having trouble getting email to an important customer you may to check your mail gateway for information related to why. Spamhaus is also a great resource for researching whether your organization has been blacklisted, for learning more about blacklisting in general. http://www.spamhaus.org/
So if I allow Exchange to relay email on behalf of some of my internal systems, what are other considerations for ensuring your systems do not become compromised and send spam messages that could result in blacklisting of your environment?
- Make sure you have an excellent mail gateway product. Your mail gateway will typically be located in your DMZ and will handle all of your external mail whether incoming or outgoing. An appliance like Barracuda or a software-based platform like MailMarshal by Trustwave have detection systems that can block messages that appears to be spam. These systems can provide logic to stop attempts to relay large quantities of email messages. They can also provide a mechanism to enforce restrictions that will limit the quantity of messages an individual user or system can send.
- Shut down or block port 25 where possible. This can be done through firewall port-level blocking or even through your local antivirus software depending on the vendor. If you use your local antivirus software as a mechanism to block port 25, this shifts the responsibility to the antivirus administrator instead of your networking engineers. Before implementing any type of organization-wide port blocking it is highly recommended that you research your environment and learn where you might have use cases that require this type of mail flow. Remember your users are your customers, so research your environment and communicate your work before just point blank shutting this down.
- Third party paging products that integrate with Exchange or run in an isolated fashion. If you are primarily using relays for paging your administrators from their systems then it might be a good next step to start looking at 3rd party paging products that can do this for you. Some of these products integrate with Exchange and some of them do not. If you are looking at the products that would integrate with Exchange you will also get other protocol options for sending pages such as SNPP and yes in some cases even TAP.
After considering all of your options for securing internal and external email it is likely that you will implement some combination of the above options to meet all the needs of your organization. This will likely include setting up relay connectors on your Exchange servers. I will be publishing more information on how to setup internal and external relay connectors and will including some tip and tricks for some of the less common situations your organizations may face on this topic.