XFOR: Preventing the IMS from Relaying UCE messages
ID: Q193922
The information in this article applies to:
- Microsoft Exchange Server, version 5.5
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key"
Help topic in Regedt32.exe.
SUMMARY
Administrators of Microsoft Exchange Server version 5.5 have the ability to
prevent their server from acting as a relay host for Unsolicited Commercial
E-mail (UCE) messages.
MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT, you should also update your Emergency
Repair Disk (ERD).
When the Internet Mail Service is installed, it is configured by default to
allow rerouting for POP3 and IMAP4 clients. This rerouting is found on the
Routing tab of the Internet Mail Service object. The Internet Mail Service
accepts and relays mail to non-local recipients. Message relaying occurs
when a client or remote SMTP server connects to the Internet Mail Service
and submits messages for non-local recipients. If the Internet Mail Service
does not restrict relay messaging, it can be used to relay UCE messages.
If your configuration prevents the client from relaying mail, SMTP RCPT
(receipt) commands specifying a non-local recipient are refused with a "550
relaying prohibited" response.
Relay restrictions are configured within the registry using values in the
following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters
The following examples outline the value, the data type, and the function
it performs. After the changes have been made, the Internet Mail
Service should be stopped and restarted.
RelayFlags, REG_DWORD
Defines which relay control rules are in effect.
RelayDenyList, REG_MULTI_SZ
Specifies hosts that cannot relay messages through your server.
RelayAllowList, REG_MULTI_SZ
Specifies hosts that can relay messages through your server.
RelayLocalIPList, REG_MULTI_SZ
Specifies the local IP addresses of the server to which an SMTP
client can connect and relay mail. This is useful for multi-homed
servers that have internal and external interfaces. Enabling
IP-forwarding disables this feature.
NOTE: RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net
address and optional mask per line. Order is not important in these lists.
Each line consists of two parts, the net address and the mask, separated
by a semicolon. For example:
Net[;mask]
If the mask is omitted, the default used is 255.255.255.255.
An IP address matches a rule if the bitwise AND of the IP address and the
mask equals the net address. That is:
(IP Address AND mask) = net
Examples:
What follows is the logic used to determine if the client can relay mail.
If none of these apply, the client will not be allowed to relay.
- If bit 1 of RelayFlags is set (decimal value 1) and the client's IP
address is matched by a pattern in RelayDenyList, the client will not be
allowed to relay.
- If bit 2 of RelayFlags is set (decimal value 2) and the client's IP
address is matched by a pattern in RelayAllowList, the client will be
allowed to relay.
- If bit 3 of RelayFlags is set (decimal value 4) and the client is
connected to a local IP address that matches a pattern in
RelayLocalIPList, the client will be allowed to relay.
- If bit 4 of RelayFlags is set (decimal value 8) and the client is
authenticated, the client will be allowed to relay.
- If only bit 1 is set, the client will be allowed to relay.
Examples:
- All clients not explicitly denied can relay.
Set bit 1 of RelayFlags (by setting its decimal value to 1), and add a
rule to RelayDenyList for each host or group of hosts to be denied. To
prevent all hosts on the subnet 192.168.17.0 from relaying mail, add the
following line to RelayDenyList:
192.168.17.0;255.255.255.0
- All clients not explicitly allowed are denied.
Set bit 2 of RelayFlags (by setting its decimal value to 2), and add a
rule to RelayAllowList for each host or group of hosts to be allowed.
To allow all hosts on subnet 192.168.1.0 to relay mail, add the
following line to RelayAllowList:
192.168.1.0;255.255.255.0
- Allow all hosts on a subnet except for a subset.
To allow all hosts on a subnet, set bit 2 of RelayFlags (by setting its
decimal value to 2), and add a rule to RelayAllowList to match the
subnet. For the subnet 192.168.1.0, the following rule works.
192.168.1.0;255.255.255.0
To prevent a subset of the hosts on subnet 192.168.1.0 from relaying
mail, also set bit 1 in RelayFlags in addition to bit 2 (which was set
above); the net result is a decimal value of 3. Add the IP address of
each host to RelayDenyList. If the subset of hosts is grouped together,
you can add a single rule to match all of them. For example, if
192.168.1.1 through 192.168.1.7 are not allowed to relay, the following
rule is adequate. Listing each address explicitly in RelayDenyList also
works.
192.168.1.0;255.255.255.248
- Allow clients connecting to the selected network interfaces to relay.
This method is useful if the host has multiple network interfaces, and
IP-forwarding is not enabled. Set bit 3 of RelayFlags (by setting its
decimal value to 4), and add the IP addresses of the network interfaces
that will relay mail to RelayLocalIPList.
- Allow authenticated clients to relay.
Set bit 4 of RelayFlags (by setting its decimal value to 8) to allow
clients that have authenticated (by using the AUTH command) to relay
mail.
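The following Python script is an added illustration, not part of the original article or of Exchange Server itself: it models the relay decision rules and the Net[;mask] matching described above, so an administrator can check what a given RelayFlags value and set of lists would do before changing the registry. The constant names, function names and sample addresses are assumptions made for this example.

```python
import ipaddress

# RelayFlags bits as described in the article (names are this example's own).
DENY_LIST = 1      # bit 1: consult RelayDenyList
ALLOW_LIST = 2     # bit 2: consult RelayAllowList
LOCAL_IP = 4       # bit 3: consult RelayLocalIPList
AUTHENTICATED = 8  # bit 4: authenticated (AUTH) clients may relay


def parse_rule(line):
    """Parse one 'Net[;mask]' line; an omitted mask defaults to 255.255.255.255."""
    net, _, mask = line.strip().partition(";")
    net = int(ipaddress.IPv4Address(net))
    mask = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    return net, mask


def matches(ip, rules):
    """An address matches a rule when (IP AND mask) == net; list order is irrelevant."""
    addr = int(ipaddress.IPv4Address(ip))
    return any(addr & mask == net for net, mask in map(parse_rule, rules))


def may_relay(flags, client_ip, local_ip="0.0.0.0", authenticated=False,
              deny_list=(), allow_list=(), local_ip_list=()):
    """Apply the article's relay rules; if none applies the client may not relay."""
    if flags & DENY_LIST and matches(client_ip, deny_list):
        return False                      # explicit deny wins over everything else
    if flags & ALLOW_LIST and matches(client_ip, allow_list):
        return True
    if flags & LOCAL_IP and matches(local_ip, local_ip_list):
        return True                       # connected to a permitted local interface
    if flags & AUTHENTICATED and authenticated:
        return True
    if flags == DENY_LIST:
        return True                       # only the deny list is in effect
    return False


if __name__ == "__main__":
    # Constructed scenario from the article's third example: allow the subnet,
    # but deny 192.168.1.1 through 192.168.1.7 (RelayFlags = 3).
    allow = ["192.168.1.0;255.255.255.0"]
    deny = ["192.168.1.0;255.255.255.248"]
    for ip in ("192.168.1.5", "192.168.1.8", "10.1.2.3"):
        print(ip, "may relay" if may_relay(3, ip, deny_list=deny,
                                            allow_list=allow) else "550 relaying prohibited")
```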
The Internet Mail Service must be stopped and restarted in Control Panel,
Services for these registry settings to take effect after they are created
or modified.
When a message is denied for relay through the Internet Mail Service, an
event is logged to the Application Event Log if the SMTP Interface Events
diagnostics logging category is set to minimum or a higher logging level
using the Internet Mail Service Diagnostic Logging property page. The event
will indicate the sender's IP address, sender's host name (if available),
the sender's authentication account (if authentication was used), and the
recipient address for the message.
Exchange Server version 5.5 Service Pack 1 (SP1) gives the administrator
the ability to configure these options through the Routing tab on the
properties of the Internet Mail Service (IMS) object.
Additional query words: XADM anti spam anti-spam
Version: winnt:5.5
Platform: winnt
Issue type: kbinfo
Last Reviewed: April 20, 1999