How to prevent unsolicited commercial e-mail in Exchange 2003 (821746)
The information in this article applies to:
- Microsoft Exchange Server 2003 Enterprise Edition
- Microsoft Exchange Server 2003 Standard Edition
INTRODUCTIONThis article contains information about how to help prevent
unsolicited commercial e-mail messages and how to help reduce the risk that
your Exchange Server 2003 computer could be used to relay unsolicited
commercial e-mail messages.
Unsolicited commercial e-mail messages,
or junk e-mail messages, are an annoyance to office and home e-mail message
users. To delete these messages wastes time, but if your Exchange Server
computers are inadvertently being used as relays for mass-mailings, the effects
can be far more troublesome.
Note that some of the recommended
settings that are discussed in this article only apply if your Internet service
provider (ISP) provides store and forward services or a smart host for your
domain. This is probably the situation if you have a dial-up connection to the
Internet or if your ISP provides firewall, routing, or network address
translation services for your organization.MORE INFORMATIONTo help prevent the relay of unsolicited commercial e-mail messagesWhen you plan and implement the steps to prevent the transmission
of unsolicited commercial e-mail messages, there are a number of factors that
you must consider. To prevent relaying
Relaying occurs when there is an inbound connection to your Simple Mail
Transfer Protocol (SMTP) server that is used to send e-mail messages to
external domains. With unsolicited commercial e-mail messages, a single e-mail
message that is sent to your SMTP server with multiple recipients in domains
that are external to your organization is an example of relaying. When the SMTP
server is configured to use anonymous authentication, the messaging system that
is used to propagate the unsolicited commercial e-mail messages accepts the
inbound message as typical. After the message is accepted, the SMTP server
recognizes that the message recipients belong to external domains, and then the
SMTP server delivers the messages. The unauthorized users who send unsolicited
commercial e-mail messages only have to send one inbound message to your SMTP
server for it to be delivered to thousands of recipients. This may result in
decreased performance and congested queues. Additionally, this may annoy the
recipients when the messages arrive. To prevent relaying, do not
grant relay permissions to other hosts. However, there are situations when
relaying is required. You may have Post Office Protocol 3 (POP3) and Internet
Message Access Protocol 4 (IMAP4) clients who rely on SMTP for message
delivery. These clients may have legitimate reasons for sending e-mail messages
to external domains. To work around this issue, create a second SMTP virtual
server that is dedicated to receiving e-mail messages from POP3 and from IMAP4
clients. You can configure this additional SMTP virtual server to use
authentication that is combined with Secure Sockets Layer (SSL) based
encryption, and then configure it to permit relaying for authenticated
clients. Note By default, the Default SMTP Virtual Server in Exchange 2003 is
configured to prevent relaying of e-mail messages through the virtual
server. To prevent computers from relaying messages through the SMTP
virtual server:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the Access tab, and then click
Relay.
- In the Relay Restrictions dialog box,
click Only the list below (if it is not already selected), and
then make sure that the Computers list is empty.
If
you are not using any POP3 and IMAP4 clients with this virtual server, click to
clear the Allow all computers which successfully authenticate to relay,
regardless of the list above check box, and then click
OK. - Click OK.
To configure connection filteringGlobal connection filtering always supersedes the settings on an individual SMTP virtual server. For example, if you set your SMTP virtual server to only accept connections from a particular IP address, and you then deny that same IP address on your global connection filter, the Exchange computer will not accept e-mail messages from that address. To enable global connection filtering, follow these steps: - Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Global Settings, right-click
Message Delivery, and then click Properties.
- Click the Connection Filtering tab, and
then click Add.
- In the Display Name box, type the name for
the connection filter.
- In the DNS Suffix of Provider box, type
the DNS suffix that your ISP appends to the IP address.
- If you want to specify a custom error message, type the
message that you want in the Custom Error Message to Return
box.
- To specify a return status code, click Custom Error
Message to Return, and then specify the status code that you want to
use.
- Click OK.
To enable connection filtering:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the General tab, and then click
Advanced.
- In the Address list, click the IP address
where you want to apply connection filtering, and then click
Edit.
- Click to select the Apply Connection
Filter check box, click OK, and then click
OK.
To configure sender filteringWhen you enable sender filtering on the SMTP virtual server,
e-mail messages that are received from anyone on the sender filter are not
accepted. Sender filtering is set globally, but you enable it on a per-IP
address basis on the SMTP virtual server. To create a sender filter:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Global Settings, right-click
Message Delivery, and then click Properties.
- Click the Sender Filtering tab, and then
click Add.
- Type the name of the sender whose messages you want to
filter in SMTP address format, and then click OK.
- Specify any additional filter options that you want to
configure, and then click OK.
To enable sender filtering on the SMTP virtual server:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the General tab, and then click
Advanced.
- In the Address list, click the IP address
where you want to apply the sender filter, and then click
Edit.
- Click to select the Apply Sender Filter
check box, click OK, and then click
OK.
To configure IP address restrictionsWhen you configure IP address restrictions, you can specify the IP
addresses, the IP ranges, or the Domain Name System (DNS) domains that your
SMTP server accepts inbound sessions from. This is useful if your ISP accepts
messages on your behalf and then forwards the messages to you, because it
prevents other hosts from connecting to your SMTP connector. Note For IP address restrictions to function, the mail exchanger (MX)
record on your domain's Internet DNS zone must point to the e-mail messaging
server of your ISP, not to your Exchange 2003 computer. If you receive your
external SMTP e-mail messages from the e-mail messaging server of your ISP, you
can configure IP address restrictions. IP address restrictions indicate that
your SMTP virtual server only accepts connections from the e-mail messaging
server of your ISP. To configure IP address restrictions:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the Access tab, and then click
Connection.
- In the Connection dialog box, click
Only the list below.
This indicates that only the IP
addresses and the domains that are in the list are permitted to connect to the
SMTP virtual server. - Click Add, and then do one of the
following to add a single computer, group of computers, or a domain, as
appropriate to your situation:
- To add a single computer, click Single
Computer, type the IP address of the e-mail messaging server of your
ISP in the IP address box, and then click
OK.
Alternatively, click DNS Lookup,
type a host name, and then click OK. - To add a group of computers, click Group of
computers, type the subnet address and the subnet mask of the group in
the corresponding boxes, and then click OK.
Microsoft recommends this option if your ISP has a tendency to change
the IP address of its e-mail messaging server without warning. - To add a domain, click Domain, type
the domain name that you want in the Name box, and then click
OK.
Note that this option requires a DNS reverse
lookup on each incoming connection. This requirement may adversely affect the
performance of the Exchange server. For more information, see the
Troubleshoot section later in this
article.
To configure authenticationWhen you configure user-based authentication, external hosts or
clients must use a user name and a password to log on to the SMTP virtual
server. Similar to IP address restrictions, you can configure authentication if
your ISP acts as a message relay for your organization, and the ISP can provide
authenticated connections to your SMTP virtual server. Your ISP must also
support Transport Layer Security. Transport Layer Security encrypts the
authentication and the message transfer session. Note Your ISP may not support the Integrated Windows Authentication
option (formerly named NTLM or Windows NT Challenge/Response authentication).
To configure authentication:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the Access tab, and then click
Authentication.
- In the Authentication dialog box, click to
clear the Anonymous access and the Integrated Windows
Authentication check boxes.
Make sure that the Basic
authentication (password is sent in clear text) check box is
selected. - If your ISP supports Transport Layer Security, click to
select the Requires TLS encryption check box.
- Click OK.
- Add a user account and password to Active Directory, and
then notify your ISP of these credentials. This account provides authentication
for the inbound connection.
To set message limitsSetting message limits involves changing the default number of
recipients per message. This procedure reduces the effect of unsolicited
commercial e-mail messages by preventing the delivery of a single message to
many individuals. Additionally, you can reduce the maximum message size and the
maximum session size. Note If you reduce the number of recipients per message, this
procedure can affect delivery to your internal recipients if you have large
distribution lists that receive e-mail messages by means of SMTP. However, this
is not an issue for MAPI recipients. To set message limits:
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
ServerName, and then expand
Protocols.
- Expand SMTP, right-click Default
SMTP Virtual Server, and then click Properties.
- Click the Messages tab.
- To configure message limits:
- Click to select the Limit message size to
(KB) check box, and then specify a value that is smaller than the
current value.
For example, type 2048.
- Click to select the Limit session size to
(KB) check box, and then type 4096.
- Leave the default value for Limit number of
messages per connection to set to 20.
You
do not have to change this value. - Change the value of Limit number of recipients
per message to to a value between 100 and 1000.
The default
setting is 64,000.
Note The value that you specify depends on the messaging requirements
of your organization and on the size of your organization's external
distribution lists. Any messages that are larger than this number of recipients
are returned to the sender with a non-delivery report (NDR).
- Click OK.
To configure the SMTP connector
You may have already created an SMTP connector on your Exchange
2003 computer to make outbound connections and to accept inbound connections to
and from other SMTP servers on the Internet. This SMTP connector must be
associated with at least one SMTP virtual server to operate. You must verify
that the SMTP connector is correctly configured to reduce the risk of relaying
unsolicited commercial e-mail messages.
- Click Start, point to
Programs, point to Microsoft Exchange, and
then click System Manager.
- Expand Servers, expand
Routing Group, and then expand
Connectors.
- Right-click the SMTP connector that you use for inbound and
for outbound e-mail messages to the Internet, and then click
Properties.
- If your ISP provides store and forward facilities for your
incoming e-mail messages, it is likely that your ISP also provides a smart host
for your outgoing e-mail messages. If this is the situation, click
Forward all mail through this connector to the following smart
hosts, and then type the IP address or the fully qualified domain name
(FQDN) of the e-mail messaging server of your ISP.
- Click the Address Space tab, and then
click to clear the Allow messages to be relayed to these
domains check box if it is selected.
Note The SMTP connector that delivers e-mail messages to the Internet
typically uses an asterisk (*) (that indicates all domains) as its address
space. If you click to select the Allow messages to be relayed to these
domains check box, relaying to all external domains is enabled. If you
use a smart host for outbound e-mail messages, contact your ISP for more
information about how to configure security for e-mail message delivery.
- Click the Advanced tab, and then click
Outbound Security. If your ISP supports authentication and
encryption, click Basic authentication (password is sent in clear
text), click Modify, add the user account and the
password to use for access to the smart host of your ISP, and then click
OK.
- Click to select the TLS encryption check
box, click OK, and then click OK.
To confirm that the SMTP virtual server settings that you configured work correctlyTo confirm that the SMTP virtual server settings that you
configured work correctly:
- To confirm that the IP restrictions work correctly, use a
POP3 and an IMAP4 client to try to connect to the server from an excluded IP
address. If the IP restrictions are configured correctly, you receive a message
that notifies you that a connection to the server is declined.
- To confirm that the relay restrictions work correctly,
connect to the server by using a POP3 and an IMAP4 client from a non-excluded
IP address, and then send an e-mail message to an external domain. If the relay
restrictions are configured correctly, you receive a message that notifies you
that the delivery to the external domain is refused because of relay
restrictions.
- To verify Transport Level Security authentication and
encryption, confirm that you can receive e-mail messages from the e-mail
messaging server of the ISP that provides store and forward services for your
domain. Run Network Monitor on your Exchange Server computer and capture
packets coming from the IP address of the ISP's e-mail messaging server on port
25 (0019h). These packets contain encrypted data. You cannot view the user name
or the password credentials.
- To confirm reverse DNS lookup, send a message to your
domain from an address that does not match the domain that sent it. If reverse
DNS lookup works correctly, this message appears in the Badmail folder.
TroubleshootAny restrictions that are based on DNS lookup can adversely affect
the performance of the Exchange 2003-based computer. Because the server
performs a reverse DNS lookup on each inbound connection, a DNS reverse lookup
zone must be available and the sending host must be registered with that zone. REFERENCESFor more information about Exchange Server 2003, visit the
following Microsoft Web site: back to the
top
Modification Type: | Minor | Last Reviewed: | 11/7/2005 |
---|
Keywords: | kbHOWTOmaster KB821746 kbAudITPRO |
---|
|