Allow Authenticated Relay

[Today’s post comes to us courtesy of Justin Crosby]

Today we are going to discuss the "Allow all computer which successfully authenticate to relay, regardless of the list above" option in Exchange.  Enabling this setting will allow authenticated relay off of your server.  This is necessary if you have POP3/IMAP/SMTP clients on the Internet that need to relay mail off your server.  If you do not have this need then this box should be unchecked.  We have seen a rise in cases where this setting leads to the server being abused by spammers.

This can occur when one of your users has a weak password, or if the Guest account is enabled.  If Guest is enabled anyone can authenticate as Guest and then relay off your server.  Spammers can also use a dictionary attack on a weak password and then once successful send their spam from your server. 

My suggestion is to uncheck this box.  Unchecking this box will have no ill effect on the following client types:

  • Outlook using MAPI
  • Outlook Web Access
  • Outlook using RPC over HTTP
  • ActiveSync

The only clients that may be affected are those using POP3/IMAP clients like Outlook Express or Eudora.  IPhones may also be affected but Apple recently announced that they will be releasing an update to the IPhone OS to support ActiveSync.

To access this setting from Exchange System Management, you will need to expand Servers > ServerName > Protocols > SMTP and then open the properties of your SMTP Virtual Server.  From there you will select the Access tab and click the Relay button, this will give you the screen below.


From here we recommend that you uncheck "Allow all computer which successfully authenticate to relay, regardless of the list above" unless you have a very compelling business need to allow authenticated relay.