Hi all
We get occasional complaints from SpamCop and similar about Exchange servers of customers sending bounces to faked sender addresses.
The only way to solve this problem I have found is to completely disable NDRs in Exchange: http://support.microsoft.com/default.aspx?scid=kb;en-us;294757
Isn't there any way to make Exchange reject unknown users during the SMTP handshake like all other MTAs do?
-Benoit-
On Mon, 2006-01-30 at 09:34 +0100, Benoit Panizzon wrote:
Isn't there any way to make Exchange reject unknown users during the SMTP handshake like all other MTAs do?
Well.. I had a similar host running Exchange 2k. It was getting around 28000 spam messages delivered a day, due to the above handling of email and accepting all mail by default. (On an ADSL line, mind you.) Additionally, the bounces clogged up its mail queue...
So my solution to the problem was as follows:
- install a second server in front of the machine
- install postfix on it
- added greylisting, RBLs, SpamAssassin, Razor checks
- get this Perl magic script to fetch all valid accounts from Active Directory on the Exchange server.
- configure the Exchange server to accept mail only from a trusted host (e.g. the postfix machine)
- add a user with "send as anybody" user privileges
- configure the domains in the transport.db of postfix with destination to the Exchange server.
- configure smart-host toward the Exchange server with the user added above.
- forwarded the SMTP port of the Exchange to an IP address without MX record and let users send mail via SMTP-auth.
This has been working for 3/4 of a year by now.
If you need a more detailed description, please contact me.
- Folken
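The "fetch all valid accounts from Active Directory" step above is what lets the Postfix front end refuse unknown recipients at RCPT TO instead of handing them to Exchange, which would accept them and bounce later. As an added example (not Folken's Perl script, which is not on the page), this Python turns an LDIF export of the proxyAddresses attribute into a Postfix relay_recipient_maps source file; the relay domains, file path and sample LDIF are constructed placeholders.

```python
RELAY_DOMAINS = {"example.com", "example.net"}   # placeholder: domains Postfix relays for

# Constructed sample LDIF, not real directory data.  Exchange keeps a mailbox's
# addresses in proxyAddresses: "SMTP:" marks the primary, "smtp:" aliases;
# other types (X400:, X500:) are not SMTP addresses.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:a.example@example.net
proxyAddresses: X400:c=CH;a= ;p=Example;o=Exchange;s=Alice;

dn: CN=Bob,OU=Users,DC=example,DC=com
proxyAddresses: SMTP:Bob@Example.COM
proxyAddresses: smtp:bob@otherdomain.org
"""

def smtp_addresses(ldif_text, relay_domains=RELAY_DOMAINS):
    """Lower-cased SMTP addresses from the export that fall in relay_domains.
    Folded continuation lines and base64 ('::') values are not handled here."""
    found = set()
    for raw in ldif_text.splitlines():
        if not raw.lower().startswith("proxyaddresses:"):
            continue
        value = raw.split(":", 1)[1].strip()
        if not value.lower().startswith("smtp:"):   # type prefix is case-insensitive
            continue
        addr = value[5:].strip().lower()
        if "@" in addr and addr.rsplit("@", 1)[1] in relay_domains:
            found.add(addr)
    return found

def relay_recipient_map(ldif_text):
    """postmap(1) input: one 'address OK' per line, sorted so reruns diff cleanly."""
    return "".join(f"{a} OK\n" for a in sorted(smtp_addresses(ldif_text)))

if __name__ == "__main__":
    # Save the output as /etc/postfix/relay_recipients (placeholder path), run
    # `postmap` on it and set relay_recipient_maps = hash:/etc/postfix/relay_recipients;
    # Postfix then answers 550 at RCPT TO for anything not in the map.
    print(relay_recipient_map(SAMPLE_LDIF), end="")
```

Addresses outside the relay domains (bob@otherdomain.org above) are dropped on purpose, since Postfix only consults relay_recipient_maps for domains listed in relay_domains.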
Hi,
On Mon, Jan 30, 2006 at 07:47:09PM +0100, Folken wrote:
- install a second server in front of the machine
- install postfix on it
- added greylisting, RBLs, SpamAssassin, Razor checks
- get this Perl magic script to fetch all valid accounts from Active Directory on the Exchange server.
- configure the Exchange server to accept mail only from a trusted host (e.g. the postfix machine)
- add a user with "send as anybody" user privileges
- configure the domains in the transport.db of postfix with destination to the Exchange server.
- configure smart-host toward the Exchange server with the user added above.
- forwarded the SMTP port of the Exchange to an IP address without MX record and let users send mail via SMTP-auth.
If you could put a short howto together with your magic Perl script on some website and publish the URL (maybe here and in the chaoswiki), this may become useful to a lot of companies later on.
And as a tip for everyone using this type of setup: if the manager comes asking whether one of the two servers could be taken away, you have won, because that could only be the Exchange server.
Tonnerre
* Benoit Panizzon panizzon@woody.ch:
Isn't there any way to make Exchange reject unknown users during the SMTP handshake like all other MTAs do?
Of course there is:
Go into ESM, Global Settings, "Nachrichtenübermittlung" (Message Delivery), "Empfängerfilterung" (Recipient Filtering) and check the "Empfänger filtern, die nicht im Verzeichnis vorhanden sind" (Filter recipients who are not in the Directory).
This is a more sensible approach than killing all NDRs (Exchange speak for "bounces").
HTH,
Lukas
On Monday, 30 January 2006 19:59, Lukas Beeler wrote:
- Benoit Panizzon panizzon@woody.ch:
Isn't there any way to make Exchange reject unknown users during the SMTP handshake like all other MTAs do?
Of course there is:
Go into ESM, Global Settings, "Nachrichtenübermittlung" (Message Delivery), "Empfängerfilterung" (Recipient Filtering) and check the "Empfänger filtern, die nicht im Verzeichnis vorhanden sind" (Filter recipients who are not in the Directory).
This is a more sensible approach than killing all NDRs (Exchange speak for "bounces").
Hi Lukas
Did you have success with these settings? They don't seem to have any effect on the installations of two of our customers... They still bounce-flood some innocents.
-Benoit-
* Roger Leemann rcl@tiscali.ch:
Go into ESM, Global Settings, "Nachrichtenübermittlung" (Message Delivery), "Empfängerfilterung" (Recipient Filtering) and check the "Empfänger filtern, die nicht im Verzeichnis vorhanden sind" (Filter recipients who are not in the Directory).
Is this XCHN 2003?
Yes. It is currently the only Exchange version with "mainstream" support ;)
* Benoit Panizzon panizzon@woody.ch:
Did you have success with these settings? They don't seem to have any effect on the installations of two of our customers... They still bounce-flood some innocents.
Of course I did. I just rechecked it and recorded the session:
(I put a > before each line I typed, and broke the first line into two)
220 friday.int.dataline.ch Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Mon, 13 Feb 2006 13:10:16 +0100
> ehlo test
250-friday.int.dataline.ch Hello [10.33.3.16]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
> mail from: <>
250 2.1.0 <>....Sender OK
> rcpt to: fdsakfdjalfs@dataline.ch
550 5.1.1 User unknown
> rcpt to: l.beeler@dataline.ch
250 2.1.5 l.beeler@dataline.ch
So, in my case, this works just fine. This is Exchange 2003 SP2 running on Windows 2003 SP1.
Exchange 2000 COULD do this AFAIK, but I don't have one lying around anymore, so I can't test it.
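The session above is the check that settles Benoit's question: a server with recipient filtering on answers 550 at RCPT TO, while one without it answers 250 and generates the NDR later. As an added example (not Lukas's recording or any Exchange tool), this Python replays the same null-sender RCPT TO probe so an administrator can verify a server of their own after changing the setting; the host name and both addresses are placeholders, and FakeExchange is a constructed stand-in so the script also runs offline.

```python
import socket
import sys

KNOWN = "postmaster@example.invalid"         # placeholder: an existing mailbox
UNKNOWN = "no-such-user-zz@example.invalid"  # placeholder: a non-existent one

class FakeExchange:
    """Constructed replay of the Exchange 2003 SP2 answers quoted above."""
    def __init__(self, reject_unknown=True):       # False = recipient filtering off
        self.reject_unknown = reject_unknown
        self.lines = ["220 friday.example.invalid Microsoft ESMTP MAIL Service ready"]
    def readline(self): return self.lines.pop(0)
    def sendline(self, cmd):
        cmd = cmd.lower()
        if cmd.startswith("ehlo"):
            self.lines += ["250-friday.example.invalid Hello [10.33.3.16]", "250 OK"]
        elif cmd.startswith("rcpt to") and UNKNOWN in cmd and self.reject_unknown:
            self.lines.append("550 5.1.1 User unknown")
        else:                         # MAIL FROM, known RCPT TO, QUIT: accepted
            self.lines.append("250 2.1.5 Recipient OK")

class SocketConn:
    """The same two-method interface over a real TCP connection to port 25."""
    def __init__(self, host, port=25):
        self.f = socket.create_connection((host, port), timeout=20).makefile("rw", newline="\r\n")
    def readline(self): return self.f.readline().rstrip("\r\n")
    def sendline(self, cmd):
        self.f.write(cmd + "\n"); self.f.flush()   # "\n" is translated to CRLF

def reply_code(conn):
    """Read one SMTP reply, skipping '250-...' continuation lines; return its code."""
    line = conn.readline()
    while line[3:4] == "-":
        line = conn.readline()
    return line[:3]

def probe(conn, known=KNOWN, unknown=UNKNOWN):
    """Null-sender RCPT TO check: True only if unknown is refused in-session, known accepted."""
    reply_code(conn)                                    # banner
    conn.sendline("ehlo test"); reply_code(conn)
    conn.sendline("mail from: <>"); reply_code(conn)
    conn.sendline(f"rcpt to: <{unknown}>"); unknown_code = reply_code(conn)
    conn.sendline(f"rcpt to: <{known}>"); known_code = reply_code(conn)
    conn.sendline("quit"); reply_code(conn)
    return {"unknown": unknown_code, "known": known_code,
            "rejects_unknown": unknown_code.startswith("5") and known_code == "250"}

if __name__ == "__main__":   # python3 probe.py mail.example.invalid  (a server you administer)
    print(probe(SocketConn(sys.argv[1]) if len(sys.argv) > 1 else FakeExchange()))
```

A result of "250" for the unknown address means the server is still accept-then-bounce and will keep producing backscatter to forged senders until recipient filtering (or a front end with relay_recipient_maps) is in place.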