1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SMTP Virtual Server Security

Discussion in 'Exchange Exams' started by Phoenix, Dec 13, 2010.

  1. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    I may get a few ‘Duh Ryan’ responses here, but thought I would share :)

    Ran into a problem today with an Exchange 2003 – 2010 migration, mail was flowing into 2010 fine, but not out
    All the connectors were in place as expected, which killed half of the suggestions on the interwebs

    Turns out it was a security related issue
    The mail was backing up in a RG queue and the error message reported (with a get-queue | fl command) against it was

    451 4.4.0 Primary target IP address responded with: "421 4.4.2 Connection dropped due to SocketError." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    Turns out the client had locked down their SMTP virtual server on the 2003 environment pretty well, limiting it to almost every internal IP but the one they had given to Exchange 2010 ;)

    Adding that in the SMTP Virtual Server properties on the Exchange 2003 system solved the problem, guess I’ll remember to check there first next time! :)


    I dont often see really well locked down SMTP virtual servers, but it is a bank, so i guess i should of suspected!
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  2. onoski

    onoski Terabyte Poster

    3,120
    51
    154

    Well in normal circumstances that's how it should be configured. I think maybe your previous experiences were just from someone who configured them inappropriately.

    Thanks for sharing though:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    Most people running exchange 2003 don't really have security top of their agenda.. or they wouldn't be running exchange 2003 still ;)

    but yeah, i have a lot of experiences with lazy exchange admins

    this wasn't the relay restrictions, those are very common
    this was an actual 'which servers are even allowed to talk to me on port 25' restriction, an access list basically, those are far less often utilized in my experience
    Happy i solved it though, keeps the project on track :)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  4. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeesh - really? That's one of the first things I do anywhere - tie down access to the SMTP VS and implement relay restrictions. I guess I'm just a paranoid old fart!
     
    Certifications: A few
    WIP: None - f*** 'em
  5. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Aye, we tie them down to the Smart Host on the Exchange Server 2003/2007/2010 and also lock it down on firewalls to only permit relaying to these IP;s.

    Then just for good measure we only deny any pop3, imap and smtp traffic from the LAN.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    I'm just telling it how i see it :P
    it seems to be very rarely done outside of relaying, but we need more paranoid old farts like you! especially with 03 boxes! haha

    Sure most firewalls are blocking all that inbound anyway, like Craigie says, probably why most people dont worry about internal stuff so much *shrug*
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  7. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    Oh and trust me Zeb
    you would have kittens if you saw some of the **** i walk into ;)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0

Share This Page

Loading...