Summary on preventing spam transfer between two virtual SMTP servers
First of all, two virtual SMTP servers are essential if you want to completely prevent spammers from using your Exchange server as a relay or otherwise abusing your SMTP service.
This may seem a basic conclusion, but it is a lesson I learned the hard way. I used to rely on one virtual server plus an SMTP Connector for SMTP restrictions, and I was always confident that this was very effective. Then, a few days ago, my ISP warned me that my server had become a spam relay!
Let me describe my previous settings for your reference. If yours are the same as mine, please be careful! That's not safe!
My previous settings: on the default SMTP virtual server, enable all three authentication methods (Anonymous, Basic, and Integrated Windows), allow all computers that successfully authenticate to relay, then create an SMTP Connector and, under Delivery Restrictions, select "By default, messages from everyone are rejected" and add all valid users to the accept list.
I thought that with this SMTP Connector only valid users could send mail and everything else would be intercepted. It turned out that spammers were still successfully relaying mail through my server. In other words, the relay permission granted on the SMTP virtual server can bypass the Delivery Restrictions on the SMTP Connector.
So, based on several forum posts and Microsoft KB articles, I put together the following method, which has proved effective in practice:
Step 1: install two NICs in your Exchange server.
Step 2: configure the NICs. One is the external NIC, which receives SMTP requests from external users; the other is the internal NIC. Each adapter is bound to a fixed IP address (in my case both are private addresses on the internal network rather than one public and one private address, because my network sits behind ISA Server and can only use two internal addresses).
Step 3: configure the Exchange services so that the internal and external NICs are distinguished. Because I use ISA Server to publish Exchange (POP3, SMTP, IMAP4, and NNTP), I bind every service except SMTP to the IP address of the external NIC.
Step 4: create two SMTP virtual servers, one bound to the external NIC's IP address (SMTP1 for short) and one bound to the internal NIC's IP address (SMTP2 for short). On SMTP1 (bound to the external NIC), enable all three authentication methods (Anonymous, Basic, and Integrated Windows) but do not enable relay: under Relay, select "Only the list below" and leave the list empty, and leave the "Allow all computers which successfully authenticate to relay..." checkbox below it unchecked; do not configure an external DNS server either. On SMTP2 (bound to the internal NIC), enable only Basic and Integrated Windows authentication, enable relay, and enable the external DNS server (Delivery --> Advanced --> Configure, add the external DNS server).
Step 5: create an SMTP Connector, attach it to SMTP2 (the virtual server bound to the internal NIC), and complete the usual settings (typically adding an Address Space, that is, an SMTP address space of *). I recommend also setting Delivery Restrictions as described earlier: select "By default, messages from everyone are rejected" and add all valid users to the accept list. This adds a further layer of security.
Now you can publish your Exchange server in ISA Server. Note that in the publishing rule, the internal IP address must be the IP address of the external NIC on the Exchange server, not that of the internal NIC; otherwise all the work above is wasted.
Let's take a rough look at the mail flow:
Mail from the Internet is received by SMTP1 (because it is bound to the external NIC's IP address). If it is addressed to an intranet user, SMTP1 looks the user up in AD and delivers the message; if it is not, the sender would have to use the Exchange SMTP service to forward it, but relay is not enabled on SMTP1, so it cannot be forwarded. Moreover, SMTP1 has no external DNS server and so cannot resolve Internet domain names.
Mail from intranet users is received by SMTP2 (because it is bound to the internal NIC's IP address). If it is addressed to an intranet user, AD is again queried directly and the message is delivered; if it is addressed to the Internet, SMTP2 has the external DNS server enabled, so it can resolve the Internet domain name and relay the message to the Internet through the SMTP Connector attached to SMTP2.
So how do valid users send and receive mail?
On the internal network, a user can use a POP3 mail client such as Outlook Express or Foxmail to send and receive mail (note that the POP3 server must be set to the external NIC's IP address and the SMTP server to the internal NIC's IP address, matching the Exchange server settings).
On the external network, a user can use a POP3 mail client such as Outlook Express or Foxmail only to receive mail, not to send it. The reason is simple: SMTP1, the virtual server listening for SMTP requests from the Internet, does not relay. Here the well-known OWA comes to the rescue: the user can send mail through OWA in a browser.
Finally, if you publish the Exchange server directly on the Internet rather than through ISA Server, the principle is the same but the specific settings differ slightly; please test and adjust them yourself.
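To make the mail-flow rules above concrete, here is an added example (not from the original post) that models the MAIL FROM / RCPT TO decision of SMTP1 and SMTP2 as a tiny SMTP command handler; the domain corp.example, the reply texts and the relay_attempt helper are constructed for illustration and are not Exchange's own code.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"corp.example"}  # constructed: the domains Exchange resolves against AD


@dataclass
class VirtualSmtpServer:
    anonymous_allowed: bool    # SMTP1: True (Internet mail is unauthenticated); SMTP2: False
    relay_authenticated: bool  # SMTP1: False ("Only the list below", empty); SMTP2: True


@dataclass
class Session:
    server: VirtualSmtpServer
    authenticated: bool = False
    sender: str = ""

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":  # Basic/Integrated offered on both servers; credentials assumed valid
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        if verb == "MAIL":
            if not self.authenticated and not self.server.anonymous_allowed:
                return "530 5.7.1 Client was not authenticated"
            self.sender = arg
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if not self.sender:
                return "503 5.5.2 Need mail command"
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rsplit("@", 1)[-1].lower()
            # Local recipients are looked up in AD and accepted regardless of relay settings.
            if domain in LOCAL_DOMAINS or (self.authenticated and self.server.relay_authenticated):
                return "250 2.1.5 Recipient OK"
            # The relay decision is made here, at RCPT TO, before any SMTP Connector is consulted.
            return "550 5.7.1 Unable to relay"
        return "500 5.5.1 Command unrecognized"


SMTP1 = VirtualSmtpServer(anonymous_allowed=True, relay_authenticated=False)   # external NIC
SMTP2 = VirtualSmtpServer(anonymous_allowed=False, relay_authenticated=True)   # internal NIC


def relay_attempt(server: VirtualSmtpServer, authenticate: bool, rcpt: str) -> str:
    """Run AUTH (optional), MAIL FROM and RCPT TO against a server; return the last reply code."""
    s = Session(server)
    if authenticate:
        s.command("AUTH LOGIN")
    reply = s.command("MAIL FROM:<sender@outside.example>")
    return reply[:3] if not reply.startswith("250") else s.command(f"RCPT TO:<{rcpt}>")[:3]
```

Calling relay_attempt(SMTP1, True, "victim@other.example") returns "550" even though the client authenticated, which is exactly why external users have to fall back to OWA to send mail.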