Ask the Expert

What are the major security issues involved with SMTP relay?

Regarding SMTP relay: I have received many requests for allowing additional machines to perform SMTP relay using the data center's MS Exchange SMTP server. I am concerned about security, as some of these requested machines are not within our data center. What are some of the major security issues and what can I do about them?

    Requires Free Membership to View

Allowing a machine to relay SMTP messages means that your SMTP Server will accept messages from that machine that are not intended for the SMTP Server's domain(s) and that your SMTP Server will forward the message to the SMTP Server responsible for accepting incoming messages for the recipient's domain.

In a perfect world, you should have authority and control over all systems that are relaying messages through your SMTP Server. Without this direct control, your only means of controlling them is by configuring an SMTP connector or by configuring the default SMTP virtual server with restrictive settings for inbound and outbound messages.

Remember, relaying means that an SMTP client can use an SMTP server to forward e-mail messages to a remote (in other words, non-local) domain. Relaying itself is not inherently bad, because SMTP was designed for this purpose (see, e.g., sections 2.1 and 3.7 of Remote Function Call (RFC) 2821).

However, if relaying is not controlled, a malicious user might use it to send bulk spam or UCE (unsolicited commercial e-mail). This ties up resources on the relay host, which could prevent it from sending e-mail messages. In other words, the security risk is a denial of service against your SMTP server.

I would look into using SMTP authentication, restricting which hosts can relay and tightening your SMTP virtual server/connector restrictions. Alternatively, you might just have the folks who need SMTP services set up their own IIS SMTP server. It's quick, easy and free.

This was first published in January 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: