Tuesday, June 26, 2007

Relays - good or bad?

I see many questions about relaying. It seems much of the confusion stems from an incomplete or incorrect understanding of what it means. Hopefully this will clear things up a bit.

What is relaying?

For any given message, you have a sending system (originator) and a recipient system. Most of the time, the sending system communicates directly with the recipient system. So, if you were sending a message to me, your Exchange server would communicate directly with mine.

There are times and circumstances where direct communication is not possible or not desired. In those cases an intermediate system must accept the message and pass it along. That intermediate system is the relay: it is neither the sending system nor the recipient system.

Many ISPs work this way: you must send all of your outbound mail to them, and they deliver it to other Internet domains. The ISP accepts messages only from its known customers (identified by source IP address) and rejects messages from everyone else. Another common example of a legitimate relay is a spam-filter appliance sitting in front of the mail server.

Open relays

A big problem that we Messaging Admins face is that there are "open relays" out in the world. An open relay is a system that accepts messages from everyone and will forward them to anyone. Spammers love these systems because they can hide behind an open relay to mask the true originating system. The default configuration of Exchange 5.5 unfortunately was an open relay. Many mail systems were unknowingly left that way, creating a paradise for spammers. Relaying in Exchange 2000 was closed by default to all but authenticated users, and Exchange 2003 keeps that same default.

Relay settings in Exchange 2003

These are set in the properties of the Default SMTP Virtual Server, on the Access tab, under the Relay button.

If you select "All except the list below" with a blank list, you are actually saying "accept mail for relay from everywhere". In other words, you will have configured an open relay and raised the frustration level of legitimate Messaging Admins everywhere.

When you select "Only the list below" with a non-blank list, you are saying "don't forward the message to a non-local domain unless it comes from a system on the list." With a blank list, no unauthenticated system may relay, which is the safe default.

A final important configuration note

If you clear the checkbox for "Allow all computers which successfully authenticate to relay, regardless of the list above", then Exchange servers within your organization, which authenticate to one another, will no longer be able to relay through this virtual server, and mail flow between them will break. Leave it checked; the list controls only unauthenticated systems.
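To make the Access tab semantics concrete, and to give you a way to verify a server from the outside, here is an added example. It is not code from the original post or from Exchange; it is a model of the relay decision as described above (the mode names "only_list" and "all_except", the function names, and the probe addresses probe@example.net / probe@example.org are assumptions of this example). The first function reproduces the three configurations discussed in the "Relay settings" section and the authentication checkbox from the note just above; the last one performs the classic open-relay test (external MAIL FROM, external RCPT TO) against a live host without sending a message.

```python
import ipaddress
import smtplib


def relay_allowed(mode, relay_list, client_ip, authenticated=False,
                  allow_authenticated=True):
    """Model of the Exchange 2003 SMTP virtual server relay decision.

    mode                : "only_list"  = "Only the list below"
                          "all_except" = "All except the list below"
    relay_list          : IP addresses or CIDR networks, as strings
    client_ip           : address of the connecting SMTP client
    authenticated       : True if the client authenticated (AUTH / Exchange auth)
    allow_authenticated : state of "Allow all computers which successfully
                          authenticate to relay, regardless of the list above"
    Returns True if the client may send to a non-local domain.
    This is an assumed model of the Access tab semantics, not Exchange code.
    """
    if mode not in ("only_list", "all_except"):
        raise ValueError("mode must be 'only_list' or 'all_except'")
    # The checkbox grants relay to every authenticated client, list or no list.
    if authenticated and allow_authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(entry, strict=False)
                 for entry in relay_list)
    if mode == "only_list":
        return listed        # blank list: no unauthenticated client relays
    return not listed        # blank list: everybody relays = open relay


def interpret_rcpt(code):
    """Classify the reply code to RCPT TO for a recipient in a foreign domain."""
    if 200 <= code < 300:
        return "relays"      # foreign recipient accepted: the server relays
    if 400 <= code < 500:
        return "tempfail"    # greylisting or similar; inconclusive, retry later
    return "refuses"         # e.g. Exchange 2003: 550 5.7.1 Unable to relay


def probe_relay(host, port=25, mail_from="probe@example.net",
                rcpt_to="probe@example.org", timeout=10):
    """Live check: will `host` accept an external sender to an external recipient?

    Both addresses are assumed to be in domains foreign to the target, so a
    250 at RCPT TO means it is willing to relay for an unauthenticated client.
    Nothing is sent: the transaction is reset after RCPT TO.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        code, _ = s.mail(mail_from)
        if code != 250:
            return "mail-from-rejected"
        code, _ = s.rcpt(rcpt_to)
        s.rset()
        return interpret_rcpt(code)


if __name__ == "__main__":
    import sys
    # Offline walk-through of the configurations discussed in the post.
    outside = "203.0.113.5"                 # constructed: a random Internet host
    appliance = ["192.0.2.0/24"]            # constructed: our spam-filter subnet
    print("all except, blank list :", relay_allowed("all_except", [], outside))
    print("only list, blank list  :", relay_allowed("only_list", [], outside))
    print("only list, appliance   :", relay_allowed("only_list", appliance, "192.0.2.10"))
    print("authenticated, box set :", relay_allowed("only_list", appliance, outside, True))
    print("authenticated, box off :", relay_allowed("only_list", appliance, outside, True, False))
    if len(sys.argv) > 1:                   # optional live probe of a host you own
        print(sys.argv[1], "->", probe_relay(sys.argv[1]))
```

Run the live probe from an address outside your own network against a server you are responsible for; from inside, your source IP may be on the relay list and the result will be misleading. The probe judges only the RCPT TO reply, which is where Exchange 2003 rejects unauthorized relay; a server that accepts RCPT TO and refuses at DATA time would show as "relays" here, so treat that result as a reason to look, not as proof on its own.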
