Article ID: 304897
This article was previously published under Q304897
Microsoft Simple Mail Transfer Protocol (SMTP) relay is a feature that lets an SMTP client use an SMTP server to forward e-mail messages to a remote domain. As described in Request for Comments (RFC) 282, sections 2.1 and 3.7, SMTP was designed with the ability to relay e-mail messages.
However, if relay is not controlled, a malicious user might use relay to send bulk unsolicited e-mail messages. An uncontrolled host is known as an "open relay" host. By sending these unsolicited e-mail messages to the intermediate host, the malicious user can disguise his or her identity. This may also cause excessive resource use on the relay host and prevent the relay host from sending valid e-mail messages. In particular, a malicious user who sends unsolicited e-mail messages may send a single message to many recipients without using their own bandwidth.
By default, the Microsoft products that are listed in the "Applies to" section are not configured for open relay.
When you use some third-party tools to test SMTP servers for relay, the SMTP server may seem to fail the test and your Microsoft SMTP product may seem to be open for relay, although it is not. This is because the SMTP server may not immediately reject the e-mail message. Instead, the SMTP server processes the e-mail message and then sends a non-delivery report (NDR). For more information about SMTP server response to relay, see the SMTP server response to relay section. For more information about how to test your SMTP server for relay, see the Testing for relay section.
Every TO or FROM address in an SMTP protocol conversation contains two parts: the local part and the domain part. If the domain part, that is, the part immediately following the at sign (@), is not specified, the e-mail message is assumed to be local. Some Microsoft SMTP products append the local domain because some users configure their SMTP clients to use only a user name as the e-mail address. By appending the default local domain, the Microsoft server supplies what is most likely the intended domain and reduces the support cost.
SMTP server response to relay
This behavior occurs because some Microsoft SMTP products do not perform a directory lookup before they accept SMTP e-mail messages for delivery. Microsoft SMTP products only check the recipient's domain to see if it is a local domain or an explicitly permitted domain. If the recipient's domain is not a local domain or a permitted domain, the SMTP server responds with the recommended RFC-compliant error message, which is similar to the following:
550 5.7.1 Relaying prohibited
In the products that are listed in the "Applies to" section, Microsoft chose not to perform directory lookups during the SMTP protocol conversation for the following reasons:
The only requirement to prevent relay is a verification that the domain part of the TO address is local. A check of the mail server's directory to see whether the recipient is valid is an option, but it is not required. If a mail server accepts a message and later decides that it cannot deliver the message, the server must generate an NDR. The Microsoft SMTP products comply with this requirement.
A directory lookup during the SMTP protocol conversation can be used by anyone who connects to verify which addresses exist. Therefore, we recommend that you turn on the TarpitTime functionality that is described in the following Knowledge Base article:
842851 SMTP tar pit feature for Microsoft Windows Server 2003 (http://support.microsoft.com/kb/842851/)
Note Microsoft Exchange Server 2003 can perform directory lookups during the SMTP protocol conversation. This feature can be enabled in System Manager. For more information about recipient filtering in Exchange Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
823866 How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003 (http://support.microsoft.com/kb/823866/)
Important If you must perform directory lookups during the SMTP protocol conversation, you can write a Microsoft Windows 2000 SMTP protocol event sink. For additional information, see the MSDN Platform SDK SMTP Server Events Web site.
How to test for relay
You can test your SMTP server to determine whether it is configured to relay e-mail messages. In the following examples, relay tests 1 through 5 are not accepted by the SMTP server and are immediately rejected. Tests 6 and 7 are accepted by the SMTP server, but the e-mail message is not relayed and the server eventually generates an NDR.
To run the following relay tests, first start a Telnet session and connect to port 25 on your SMTP server:
Relay test 1
This is the standard test for SMTP relay. An SMTP client must not be permitted to relay in this manner unless the administrator has specifically permitted it, or unless the client first authenticates. To do this test, follow these steps:
Relay test 2
This test is almost the same as relay test 1, but the sender is a local user instead of a user in a remote domain. Because FROM addresses are generally used to gain unauthorized access to a system, the server must not relay the e-mail message. To do this test, follow these steps:
Relay test 3
This test is for a NULL or blank FROM envelope address. NDRs and other notifications have a NULL FROM envelope address. However, notifications must not be relayed unless the domain in the TO address is a local domain. To do this test, follow these steps:
Relay test 4
This test is the same as relay test 2, but the local domain is explicitly added to the e-mail address. An SMTP server that is closed for relay must not relay this e-mail message. To do this test, follow these steps:
Relay test 5
This test is also the same as relay test 2, but the IP address of the server is used instead of the domain name. Although this address format is generally accepted, the server must not accept relay to a remote domain. Other variants of this test use "localhost" or the Domain Name System (DNS) name of the server in the FROM address; the server must not relay those e-mail messages either. To do this test, follow these steps:
Relay test 6
This test is specifically for older UNIX-based servers that route e-mail messages by appending the local domain and changing the at sign (@) to a percent symbol (%). The server then relays the mail. Because a percent symbol (%) is a valid character in the local part of the e-mail address, the SMTP server may accept the message and then send an NDR if the directory lookup fails. Microsoft SMTP products are not vulnerable to this kind of relay because the message is not forwarded and an NDR is generated. To do this test, follow these steps:
Relay test 7
This test is a variation of relay test 6. Because the quotation mark character (") is a valid character in the local part of the e-mail address, the SMTP server accepts the message and then sends an NDR if the directory lookup fails. Microsoft SMTP products are not vulnerable to this kind of relay because the message is not forwarded and an NDR is generated. To do this test, follow these steps:
How to tell whether your SMTP server is closed to relay tests 6 and 7
When you run relay tests 6 and 7 against an Exchange 2000 computer, the tests generate a message to a recipient that does not resolve, and NDRs are received by the mailbox that is specified in Exchange System Manager. You can configure the mailbox for unresolved recipients in the properties of the default SMTP virtual server in the Forward all mail with unresolved recipients to host box on the Messages tab in Exchange System Manager.
The NDRs are evidence that the e-mail messages are not relayed.
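As an added illustration (not code from the article or from any Microsoft product), the following Python models the relay decision the article describes: only the domain part of the RCPT TO address is compared against the local and explicitly permitted domains, a missing domain gets the default local domain, and an accepted message for an unknown mailbox ends in an NDR rather than a relay. The domain names, mailboxes, test addresses and all function names are constructed for the example; the seven cases follow the test descriptions above.

```python
# Constructed configuration for this example (not from the article).
LOCAL_DOMAINS = {"example.com"}
PERMITTED_DOMAINS = {"partner.example"}  # explicitly permitted relay targets
DEFAULT_LOCAL_DOMAIN = "example.com"     # appended when no domain part is given
MAILBOXES = {"alice", "bob"}             # directory, consulted only after acceptance

def split_address(addr: str) -> tuple[str, str]:
    """(local_part, domain_part): the domain follows the '@' outside a quoted
    local part, so '%' and a quoted '@' stay in the local part; no domain means
    the local domain. Backslash escapes inside quotes are not handled here."""
    addr = addr.strip().removeprefix("<").removesuffix(">")
    if not addr:                          # NULL reverse-path, as used by NDRs (test 3)
        return "", ""
    at, quoted = -1, False
    for i, c in enumerate(addr):
        if c == '"':
            quoted = not quoted
        elif c == "@" and not quoted:
            at = i
    return (addr, DEFAULT_LOCAL_DOMAIN) if at < 0 else (addr[:at], addr[at + 1:])

def rcpt_reply(rcpt_to: str) -> str:
    """Reply to RCPT TO from an unauthenticated client. Only the recipient's
    domain is checked; MAIL FROM plays no role, so tests 2 to 5 change nothing."""
    _, domain = split_address(rcpt_to)
    if domain.lower() in LOCAL_DOMAINS | PERMITTED_DOMAINS:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Relaying prohibited"

def outcome(rcpt_to: str) -> str:
    """RCPT reply plus, for accepted mail, what follows: delivery if the mailbox
    exists, otherwise an NDR to the sender rather than a relay (tests 6 and 7)."""
    reply = rcpt_reply(rcpt_to)
    if reply.startswith("550"):
        return reply
    local, _ = split_address(rcpt_to)
    return reply + ("; delivered" if local in MAILBOXES else "; NDR 5.1.1 User unknown")

RELAY_TESTS = {  # the article's seven tests as (MAIL FROM, RCPT TO); addresses constructed
    1: ("<sender@remote.example>", "<victim@other.example>"),
    2: ("<alice>", "<victim@other.example>"),
    3: ("<>", "<victim@other.example>"),
    4: ("<alice@example.com>", "<victim@other.example>"),
    5: ("<alice@[192.0.2.25]>", "<victim@other.example>"),
    6: ("<sender@remote.example>", "<victim%other.example@example.com>"),
    7: ("<sender@remote.example>", '<"victim@other.example"@example.com>'),
}

def run_relay_tests() -> dict[int, str]:
    return {n: outcome(rcpt_to) for n, (_mail_from, rcpt_to) in RELAY_TESTS.items()}
```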
For more information about what to do if you are running Exchange Server 5.5 and you want to configure your server so that it is not an open relay, click the following article number to view the article in the Microsoft Knowledge Base:
196626 Restricting routing in the Internet Mail Service (http://support.microsoft.com/kb/196626/)
For more information about how to prevent relay in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
310356 How to prevent mail relay in the IIS 5.0 SMTP server in Windows 2000 (http://support.microsoft.com/kb/310356/)
Common tests exist that you can use to test SMTP servers for relay. For example, you can use the following third-party Web sites and tools:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Article ID: 304897 - Last Review: December 13, 2006 - Revision: 10.3