Summary of two virtual SMTP servers preventing spam relays

I have read many expert posts about SMTP servers in the forum and, combining them with my own practical experience, I finally have some fairly settled conclusions:

The first thing to say is that two virtual SMTP servers are essential if you want to prevent spammers from using your Exchange server as a relay, or otherwise abusing your SMTP service.

This may seem a very basic conclusion, but it is a lesson I learned through "blood and tears". I used to rely on a single virtual server plus an SMTP connector for SMTP restrictions, and had always been confident that it was effective; the result was that a few days ago my ISP warned me: my server had become a spam relay!

Now let me describe my previous settings specifically, so everyone can compare. If your settings are the same as mine, please be careful: they are not safe at all!

My previous settings: on the Default SMTP Virtual Server, all three authentication methods (anonymous, basic and integrated) were enabled, and all authenticated computers were allowed to relay; then an SMTP connector was created, and under Delivery Restrictions I selected Rejected and added all legitimate users to the accept list that follows.

I thought that with this SMTP connector only legitimate users would be able to send mail, and everyone else's messages would be rejected. It turned out that spammers were still successfully relaying mail through my server. In other words, relaying on the virtual SMTP server bypasses this SMTP connector restriction.

So I consulted several posts and Microsoft KB articles and summarized the following method, which has proven effective in practice:

Step one: install two network cards in your Exchange server.

Step two: set up the network cards. One adapter receives SMTP requests from internal users and is called the internal NIC; the other receives SMTP requests from external users and is called the external NIC. Bind a fixed IP to each card (both can be internal private IPs; it is not necessary to have one external IP and one internal IP. Because my internal network sits behind ISA Server, mine can only be two internal private IPs.)

Step three: set up the Exchange services so that they distinguish between the internal and external adapters. Because I use ISA Server to publish the Exchange server, including POP3, SMTP, IMAP4, NNTP and so on, I bind every service other than SMTP to the IP of the external NIC.

Step four: create two virtual SMTP servers, one bound to the IP address of the external NIC, referred to as SMTP1, and one bound to the IP address of the internal NIC, referred to as SMTP2. SMTP1 (the virtual SMTP server bound to the external NIC) enables all three authentication methods (anonymous, basic and integrated) but does not enable relay: in Relay Restrictions select "Only the list below" and leave the list empty, leave the "All computers ..." checkbox below it unselected, and do not configure an external DNS server. SMTP2 (the virtual SMTP server bound to the internal NIC) enables only the basic and integrated authentication methods, enables relay, and has an external DNS server configured (by selecting an external DNS server under the Delivery tab's Configure options).

Step five: create an SMTP connector, connect it to SMTP2 (the virtual SMTP server bound to the internal NIC), and make the necessary settings (typically add an address space, that is, an SMTP address space of *; and I recommend that, as in the earlier instructions, you set Delivery Restrictions to Rejected and add all legitimate users to the accept list that follows. This further increases security.)

OK, now you can go to ISA Server and publish your Exchange server. Note that when publishing, the internal IP you select must be the IP address of the Exchange server's external NIC, not the internal NIC's IP; otherwise all the hard work above is wasted.

Let's take a rough look at the mail flow:

Mail from the extranet is received by SMTP1 (because it is bound to the external NIC's IP). If it is addressed to intranet users, SMTP1 queries AD and delivers it; if it is not addressed to intranet users but is an attempt to use the Exchange SMTP service for forwarding, then sorry: SMTP1 does not have relay enabled and cannot forward it. Furthermore, it has no external DNS server configured, so it cannot resolve extranet domain names at all.

Mail from intranet users is received by SMTP2 (because it is bound to the internal NIC's IP). If it is addressed to intranet users, SMTP2 likewise queries AD directly and delivers it; if it is addressed to the extranet, SMTP2 has the external DNS server enabled, so it can resolve the extranet domain name and then, through the SMTP connector attached to SMTP2, relay the message to the extranet.
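The five steps above and the mail flow just described can be verified with an unauthenticated relay self-check: connect to a listener, issue MAIL FROM and RCPT TO without authenticating, and read the reply. This is an added example, not code from the original post; the host IP, domain and addresses are constructed placeholders, and the probe always RSETs so no message is queued.

```python
"""Unauthenticated relay self-check for the two-listener layout described
above (added example, not from the original post). Run it from outside
against SMTP1 and from the intranet against SMTP2 and compare the verdicts
with the mail flow the post expects. All hosts and addresses are placeholders."""
import smtplib

SMTP1_HOST = "192.0.2.10"   # placeholder: IP of the external NIC listener
LOCAL_DOMAIN = "corp.example"                # constructed: our own mail domain
OUTSIDE_SENDER = "probe@outside.example"     # constructed: not our domain
OUTSIDE_RCPT = "someone@elsewhere.example"   # constructed: not our domain either
INSIDE_RCPT = "user@" + LOCAL_DOMAIN


def verdict(rcpt: str, code: int) -> str:
    """Interpret the RCPT TO reply for a session that never authenticated.
    For a recipient in our own domain a 250 is normal inbound delivery; for an
    outside recipient a 250 means the listener agreed to relay, which is exactly
    the failure the ISP warned about. 4xx replies are inconclusive (retry later)."""
    local = rcpt.lower().endswith("@" + LOCAL_DOMAIN)
    if 200 <= code < 300:
        return "local delivery accepted" if local else "RELAY ACCEPTED"
    if 500 <= code < 600:
        return "recipient refused" if local else "relay refused"
    return "undetermined"


def probe(host: str, rcpt: str, port: int = 25, timeout: float = 10) -> tuple:
    """Send MAIL FROM / RCPT TO without AUTH, then RSET and QUIT so no message is
    ever queued. Returns (rcpt_reply_code, verdict)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, _ = s.mail(OUTSIDE_SENDER)
        if code != 250:
            return code, "mail-from refused"
        code, _ = s.rcpt(rcpt)
        s.rset()   # abandon the envelope; only the RCPT reply mattered
        return code, verdict(rcpt, code)


if __name__ == "__main__":
    # Expected from the Internet side: inside recipient accepted (250),
    # outside recipient refused (5xx). A "RELAY ACCEPTED" here means the
    # relay restrictions on SMTP1 are not what step four requires.
    for rcpt in (INSIDE_RCPT, OUTSIDE_RCPT):
        try:
            code, result = probe(SMTP1_HOST, rcpt)
            print(f"SMTP1 RCPT TO:<{rcpt}> -> {code} {result}")
        except OSError as exc:
            print(f"SMTP1 unreachable from here: {exc}")
```

Run the same probe against the internal NIC's IP from the intranet: with the connector in place, an outside recipient should relay there only for the users the connector's Delivery Restrictions accept.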

So how do your legitimate users work with this?

If a user is on the internal network, he or she can use a POP3 mail client such as Outlook Express or Foxmail to send and receive mail (note that the POP3 server is set to the IP of the external NIC and the SMTP server to the IP of the internal NIC, matching the Exchange server settings);
If the user is on the extranet, then he can only use POP3 mail clients such as Outlook Express or Foxmail to receive mail, not to send it. The reason is simple: SMTP1, the virtual SMTP server that listens for extranet SMTP requests, does not support relay. This, however, is where the famous OWA comes in: users can send mail through OWA in a browser.

In addition, if you are not publishing the Exchange server through ISA Server but are exposing it directly on the Internet, the principle is the same; the specific settings differ slightly, so please feel your way and adjust.

The above is my small and shallow understanding; if it can be helpful to everyone, I'll be glad.
