TomMynar
Posted May 15, 2009

When running the Connect to Network tool in SBS 2003, it creates 2 entries in the RELAY section of the SMTP Virtual Server: 127.0.0.1 and the local machine's IP address. If I leave these in, someone is getting into the server and using it to relay messages, as if they were permitted. If I remove these entries, SBS can no longer send out its statistical reports (all other mail is sent out fine).

What is it that is allowing these hackers to get THROUGH the Fortinet firewall and abUSE my server :angry: ? Or do I still have something (client) internal on the LAN that is doing this?

Yes, I have TrendMicro on all the clients and servers. My servers/clients are up to Microsoft patch levels.

Anyone got an idea?

Tom

turetzsr
Posted May 15, 2009

> <snip> Anyone got an idea ?

Hi, Tom,

...Sorry, I'm not a server admin but I may have found a place for you to start (although it does not seem to be a specific solution for you): SpamCop Forum thread "[Resolved] Windows 2003 + Exchange 2003sp2 + ISA 2004."

Telarin
Posted May 15, 2009

Sounds like you may have an account with a weak password that someone is using to send mail. The 127.0.0.1 and local IP of the server in the allowed relays section are necessary for the server to properly relay mail from Exchange to outside SMTP servers; however, they would not allow an external SMTP server to relay through it unless it was somehow authenticating.

TomMynar
Posted May 15, 2009

> Sounds like you may have an account with a weak password that someone is using to send mail. The 127.0.0.1 and local IP of the server in the allowed relays section are necessary for the server to properly relay mail from Exchange to outside SMTP servers; however, they would not allow an external SMTP server to relay through it unless it was somehow authenticating.

Well, that *may* be true that we have weak passwords. But wouldn't the external SMTP server have to be permitted in the list of "only allow the following IP"? Since I only have 127.0.0.1 and <laniphere>, that external box *should* be coming in with the IP address of the router/firewall G/W number (NAT enabled), correct?

The Exchange server is having NO difficulty accepting and transmitting email, without those IPs in the list.

POP protocol was enabled; I've disabled it (not needed anyways). But since I can't predict when this external source is attacking (I suspect all the time), I do *not* know I've stopped the problem.

Thanks

> ...Sorry, I'm not a server admin but I may have found a place for you to start (although it does not seem to be a specific solution for you): SpamCop Forum thread "[Resolved] Windows 2003 + Exchange 2003sp2 + ISA 2004."

Sorry, that didn't help any. I've already gone through all of the things he has gone through on the firewall and the server. Thanks for searching.

Tom

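One way to tell from the SMTP virtual server's logs whether relayed mail is arriving from outside or from a LAN client, as raised in the posts above (an added example, not part of the original thread). It assumes W3C extended logging with the `c-ip`, `cs-method`, `cs-uri-query` and `sc-status` fields enabled; the LAN range, the hosted domain and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): the LAN range and the domain this server hosts.
LAN = ipaddress.ip_network("192.168.16.0/24")
LOCAL_DOMAINS = {"example.com"}

# Constructed sample in W3C extended format; real logs carry more columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-05-15 02:10:01 192.168.16.2 RCPT +TO:<owner@example.com> 250
2009-05-15 02:11:40 203.0.113.77 RCPT +TO:<a@elsewhere.test> 250
2009-05-15 02:11:41 203.0.113.77 RCPT +TO:<b@elsewhere.test> 250
2009-05-15 02:12:05 198.51.100.9 RCPT +TO:<c@elsewhere.test> 550
2009-05-15 02:13:30 198.51.100.9 RCPT +TO:<staff@example.com> 250
2009-05-15 02:14:00 192.168.16.40 RCPT +TO:<d@elsewhere.test> 250
"""

RCPT_RE = re.compile(r"TO:<[^@>]*@([^>]+)>", re.IGNORECASE)

def relayed_by_client(log_text):
    """Return {client_ip: count} of accepted RCPTs addressed to non-local domains."""
    fields, counts = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT" or row.get("sc-status") != "250":
            continue                       # only recipients the server accepted
        m = RCPT_RE.search(row.get("cs-uri-query", ""))
        if m and m.group(1).lower() not in LOCAL_DOMAINS:
            counts[row["c-ip"]] += 1       # accepted for relay to another domain
    return dict(counts)

def classify(counts):
    """Split relaying clients into LAN hosts and external hosts."""
    internal = {ip: n for ip, n in counts.items() if ipaddress.ip_address(ip) in LAN}
    external = {ip: n for ip, n in counts.items() if ip not in internal}
    return internal, external

if __name__ == "__main__":
    internal, external = classify(relayed_by_client(SAMPLE_LOG))
    print("LAN hosts relaying outbound:", internal)
    print("External hosts relaying:", external)
```

An external address in the second result, with the relay list holding only 127.0.0.1 and the server's own IP, means the session was accepted on the strength of authentication; a LAN address there points at an internal client instead.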
This topic is now archived and is closed to further replies.