Operating System - HP-UX

Re: MS-SMTP help I'm being RBL'd

 
Fred Martin_1
Valued Contributor

Re: MS-SMTP help I'm being RBL'd

I'm surprised at the lack of response to this, usually I get more from this forum. Let me ask something more specific then.

On the authentication page, are the following options:

[x] anonymous access
[x] basic authentication
.. [ ] requires TLS authentication
.. default domain: [ ]
[x] windows security package

I've read the docs, and I don't get it - both anonymous and basic are checked in my config. Shouldn't anonymous access and authentication be mutually exclusive?

fmartin@applicatorssales.com
Florian Heigl (new acc)
Honored Contributor

Re: MS-SMTP help I'm being RBL'd

No, they're not exclusive -
this is just an access setting which is coupled with relay settings.

It means anybody is allowed to connect to the virtual smtp server, and he is also allowed to handshake for authentication.

later on in the relay settings this means that relaying is enabled for all computers/users that are successfully authenticated - so the mail server will accept mail from other servers but not relay it (anon) and will accept and relay mail from domain users abroad.

a few more things:
putting up a microsoft - based mail-filtering solution in front of a unix mail server is just not right.
I'm used to the scheme of putting a unix box in front of the windows server because of the various spam and relaying issues.

You might want to ask for hints in microsoft.public.exchange - I think this is the only place where internet-facing microsoft servers would be discussed without breaking to tears.

(otoh, I also run one as a testing ground)

also, most rbls DO email your postmaster account upon addition to their lists, but not add postmaster@domain.com but postmaster@ip.
actually this is a fair thing, as this account is stated necessary in the RFCs.
actually exchange doesn't come with that account, and there's a great hassle adding it, according to what I read.

furthermore - no RBL will remove You just for asking them, this would render them very much useless for anyone using them.

the only logical conclusion would be changing Your mail setup, i.e. using some milter stuff in sendmail to forward the emails to the spam filter.

i.e.
WWW
|
sendmail ===== spamfilter
|
delivery

look, putting exchange in the middle of the internet is still arguable for a home user like I am, but it's far worse for a company.
You're just experiencing that, take the consequences.
yesterday I stood at the edge. Today I'm one step ahead.
Florian Heigl (new acc)
Honored Contributor

Re: MS-SMTP help I'm being RBL'd

apropos - the current access settings allowing 'BASIC' auth should never be used, this means passwords will cross the network unencrypted.
Use an SSL certificate (commercial, or i.e. from cacert.org) with TLS authentication or disable basic and NTLM authentication if there is no remote access to this server.
yesterday I stood at the edge. Today I'm one step ahead.
Florian Heigl (new acc)
Honored Contributor

Re: MS-SMTP help I'm being RBL'd

Hi, have a short look at the attachment, I'm sorry it's in German, but the dialog looks the same in English ;)
those are the settings for no-relaying-for-anyone.
yesterday I stood at the edge. Today I'm one step ahead.
Fred Martin_1
Valued Contributor

Re: MS-SMTP help I'm being RBL'd

Florian,

Can you clear up something for me? Basically I want to accept mail from the internet side, but only relay mail for one machine, a protected mail server inside my network.

On the Relay Restrictions page, I put in the IP address for the protected server, and checked "only the list below". I'm assuming that's correct for what I just described.

Under that is the check box for "allow all computers which successfully authenticate to relay" ... am I correct in thinking that should be unchecked?
fmartin@applicatorssales.com
Florian Heigl (new acc)
Honored Contributor

Re: MS-SMTP help I'm being RBL'd

yes, it should be unchecked - but it won't help You solve the problem.

the problem is that MsSMTP accepts the 'wanna-be-spam' message and later drops/bounces it, which makes the RBL test think it really has relayed the message. (How should it think otherwise, when being told '...queued for delivery')


I have a really hard time to think this appliance will be of any value for You.
yesterday I stood at the edge. Today I'm one step ahead.
Fred Martin_1
Valued Contributor

Re: MS-SMTP help I'm being RBL'd

By the way Florian, regarding your comment about the Microsoft/Unix thing, I would agree but here I have no choice. The anti-spam gateway (SpamLion) actually works quite well - but works in conjunction with MS-SMTP, so I had no choice. I think sendmail is a much more secure and reliable service as well.
fmartin@applicatorssales.com
Florian Heigl (new acc)
Honored Contributor

Re: MS-SMTP help I'm being RBL'd

If You need to use it, consider using it in parallel to sendmail as I laid out above.

I haven't created such a setup myself, so I can't tell You how it's done, but I know it is possible - You should get the most out of both systems.
yesterday I stood at the edge. Today I'm one step ahead.
Fred Martin_1
Valued Contributor

Re: MS-SMTP help I'm being RBL'd

Well, good news. The changes were made per your recommendations above:

Authentication Page: only "anon" is checked
On the relay page: unchecked "allow all computers"

And - now it does not appear to relay any longer.

I'm sure I will eventually be tested again and removed from the RBLs.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: MS-SMTP help I'm being RBL'd

Looks like I spoke too soon. The test case I describe above, using this addressing scheme:

rcpt to: account%hotmail.com@mydomain.com

...that one still says it is queued for delivery - even tho it isn't.

I'm sure there are lots of MS-SMTP servers facing the internet, can it be that they are -all- blocked by the RBLs?

Anyone have experience with newer versions of MS-SMTP than 5.0? Are they any better as regards this open relay thing?

fmartin@applicatorssales.com
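
The thread's sticking point is that the server answers "queued for delivery" to `rcpt to: account%hotmail.com@mydomain.com` and only drops the message later, so a relay tester sees an acceptance. The sketch below is an added example, not part of the thread and not MS-SMTP's or SpamLion's code: it shows the recipient decision made at RCPT time, so a non-relayable address gets a 550 instead. The relay-allowed IP, the function names and the policy of refusing `%`, `!` and `@` in the local part are assumptions, and it goes slightly beyond the thread's one test case by also covering source-route and bang-path forms.

```python
# Added example: decide the SMTP reply to RCPT TO before accepting the message,
# instead of accepting and bouncing later. Names and values are illustrative.
import ipaddress

LOCAL_DOMAINS = {"mydomain.com"}                          # domain used in the thread's test
RELAY_ALLOWED = [ipaddress.ip_network("192.0.2.10/32")]   # constructed: the protected inside server

def parse_rcpt(arg):
    """Split an RCPT TO argument into (local_part, domain, source_route)."""
    addr = arg.strip().strip("<>")
    route = None
    if addr.startswith("@") and ":" in addr:      # old-style source route: @hop1,@hop2:user@dom
        route, addr = addr.split(":", 1)
    local, sep, domain = addr.rpartition("@")     # the LAST '@' separates the real domain
    if not sep:                                   # no '@' at all: treat as bare local part
        local, domain = addr, ""
    return local, domain.lower(), route

def rcpt_decision(client_ip, rcpt_arg):
    """Return (smtp_code, reason) for one recipient from one client."""
    local, domain, route = parse_rcpt(rcpt_arg)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_ALLOWED):
        return 250, "relay permitted for listed host"
    if route is not None:
        return 550, "source route not accepted"
    if domain not in LOCAL_DOMAINS:
        return 550, "relaying denied"
    # Local domain, but the local part carries its own routing: the percent
    # form from the thread, a UUCP bang path, or a quoted embedded address.
    if any(c in local for c in "%!@"):
        return 550, "relaying denied (routing characters in local part)"
    return 250, "recipient ok"

if __name__ == "__main__":
    # Constructed sample recipients, sent from an outside address (203.0.113.5).
    samples = [
        "<fred@mydomain.com>",
        "<account%hotmail.com@mydomain.com>",
        "<hotmail.com!account@mydomain.com>",
        "<@mydomain.com:account@hotmail.com>",
        "<account@hotmail.com>",
    ]
    for rcpt in samples:
        print(rcpt, rcpt_decision("203.0.113.5", rcpt))
```

Only the plain local recipient is accepted from the outside address; the same foreign recipient from the listed inside server is accepted for relay.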