XFOR: Preventing the Internet Mail Service From Relaying Unsolicited Commercial E-Mail Messages (Q193922)

• Microsoft Exchange Server, version 5.5

SUMMARY

Administrators of Microsoft Exchange Server version 5.5 can prevent their server from acting as a relay host for unsolicited commercial e-mail (UCE) messages. Using Exchange Server version 5.5 Service Pack 1 (SP1), the administrator can configure these options on the Routing tab in the properties of the Internet Mail Service object.

Microsoft recommends that you upgrade to either Exchange Server 5.5 SP1 or the latest Exchange Server 5.5 service pack to obtain this functionality. If you are unable to upgrade to Exchange Server 5.5 SP1 or later, this article describes the registry keys that you need to add to your Exchange Server computer to gain this functionality.

NOTE : This functionality is included with Exchange Server 5.5 Service Pack 2 (SP2). This functionality is located in the Microsoft Exchange Server Administrator program, under the Routing Restrictions option, on the Routing tab under the properties of the Internet Mail Service object. Although this article describes in detail the method to configure these options, it is best to configure these options through the Administrator program.

MORE INFORMATION

WARNING : Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

When you install the Internet Mail Service, it is configured by default to enable rerouting for Post Office Protocol version 3 (POP3) and Internet Message Access Protocol, Version 4rev1 (IMAP4) clients. This rerouting is found on the Routing tab of the Internet Mail Service object. The Internet Mail Service accepts and relays mail to non-local recipients. Message relay occurs when a client or remote SMTP server connects to the Internet Mail Service and submits messages for non-local recipients. If the Internet Mail Service does not restrict message relay, it may be used to relay UCE messages.

If your server configuration prevents the client from relaying mail, SMTP RCPT (receipt) commands that specify a non-local recipient are refused, and the following message is displayed:

550 relaying prohibited.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\MSExchangeIMC\Parameters

• RelayFlags, REG_DWORD
  
  

  Defines which relay control rules are in effect.

• RelayDenyList, REG_MULTI_SZ
  
  

  Specifies hosts that cannot relay messages through your server.

• RelayAllowList, REG_MULTI_SZ
  
  

  Specifies hosts that can relay messages through your server.

• RelayLocalIPList, REG_MULTI_SZ
  
  

  Specifies the local IP addresses of the server that an SMTP client can connect to and relay mail. This is useful for multi-homed servers that have internal and external interfaces. Enabling IP forwarding disables this feature.

Net[;mask]

(IP Address AND mask) = net

• To add net 192.168.0.0 to a list, add the following line to the list:
  
  

  192.168.0.0;255.255.0.0

• To add the host 192.168.1.17 to a list, add one of the following lines to the list:
  
  

  192.168.1.17;255.255.255.255
  
  - or -
  
  192.168.1.17

• If bit 1 of RelayFlags is set (decimal value 1) and the IP address of the client matches a pattern in RelayDenyList, the client is not allowed to relay mail.
  
  
• If bit 2 of RelayFlags is set (decimal value 2) and the IP address of the client matches a pattern in RelayAllowList, the client is allowed to relay mail.
  
  
• If bit 3 of RelayFlags is set (decimal value 4) and the client is connected to a local IP address that matches a pattern in RelayLocalIPList, the client is allowed to relay mail.
  
  
• If bit 4 of RelayFlags is set (decimal value 8) and the client is authenticated, the client is allowed to relay mail.
  
  
• If only bit 1 is set, the client is allowed to relay mail.
  
  

• All clients not explicitly denied can relay mail.
  
  Set bit 1 of RelayFlags (set its decimal value to 1), and add a rule to RelayDenyList for each host or group of hosts that you want to deny. To prevent all hosts on the subnet 192.168.17.0 from relaying mail, add the following line to RelayDenyList:

  192.168.17.0;255.255.255.0

• All clients not explicitly allowed are denied.
  
  Set bit 2 of RelayFlags (set its decimal value to 2), and add a rule to RelayAllowLists for each host or group of hosts that you want to allow. To allow all hosts on subnet 192.168.1.0 to relay mail, add the following line to RelayAllowList.

  192.168.1.0;255.255.255.0

• Allow all hosts on a subnet except for a subset.
  
  To allow all hosts on a subnet, set bit 2 of RelayFlags (set its decimal value to 2), and add a rule to RelayAllowList to match the subnet. For the subnet 192.168.1.0, the following rule works:

  192.168.1.0;255.255.255.0

  To prevent a subset of the hosts on subnet 192.168.1.0 from relaying mail, also set bit 1 in RelayFlags in addition to bit 2, (which was set above); the net result is to set its decimal value to 3. Add the IP address of each host to RelayDenyList. If the subset of hosts is grouped together, you can add a single rule to match all of them. For example, if 192.168.1.1 through 192.168.1.7 are not allowed to relay, the following rule is adequate. Listing each address explicitly in RelayDenyList also works.

  192.168.1.0;255.255.255.248

• Allow clients that connect to the selected network interfaces to relay.
  
  This method is useful if the host has multiple network interfaces, and IP forwarding is not enabled. Set bit 3 of RelayFlags (set its decimal value to 4), and add the IP addresses of the network interfaces that relay mail to RelayLocalIPList.
  
  
• Allow authenticated clients to relay.
  
  Set bit 4 of RelayFlags (set its decimal value to 8) to allow clients that have authenticated (by using the Auth command) to relay mail.