date: Fri, 7 Apr 2006 13:00:11 +0200, group: microsoft.public.exchange.tools


Telnet and Exchange   
Hi!

I wish to prevent any access by Telnet on port 25 from the outside of my
organization.

I am running W2K3 Server, with Exchange 2003 Server installed.

The telnet service is disabled in the Windows Server, but I can still telnet
and get the Microsoft exchange banner on port 25 from the Internet.

Any idea?

Help appreciated.

Nicolas
date: Fri, 7 Apr 2006 13:00:11 +0200   author:   Nicolas Macarez

RE: Telnet and Exchange   
When you telnet exchange from internet then it is not running on exchange 
server but on the PC from which you are telnetting your exchange server. Port 
25 is used for SMTP and it needs to be opened for your exchange to work fine. 
If you don't want anybody to connect to your exchange you need to consider a 
firewall or smart host option.
-- 
Asif Ali Ansari
Exchange Administrator
KNPC 
Shuwaikh Ind. Area
P O BOX 42117
a.ansari@knpc.com
Kuwait
date: Fri, 7 Apr 2006 04:22:02 -0700   author:   Luzer

Re: Telnet and Exchange   
Nicolas,

Telnet access to port 25 has nothing to do with the telnet service, it is 
the smtp server that's listening on this port.
The only solution is to stop the smtp service, but then you can't receive 
e-mail of course.
That's what sending mail servers do basically when they want to send e-mail 
to your server: "telnet <servername> 25".

Peter
date: Fri, 7 Apr 2006 14:17:59 +0200   author:   Peter Demeyer

Re: Telnet and Exchange   
"Nicolas Macarez"  wrote in message 
news:eRaVrJjWGHA.1564@TK2MSFTNGP03.phx.gbl...
> Hi!
>
> I wish to prevent any access by Telnet on port 25 from the outside of my
> organization.
>
> I am running W2K3 Server, with Exchange 2003 Server installed.
>
> The telnet service is disabled in the Windows Server, but I can still telnet
> and get the Microsoft exchange banner on port 25 from the Internet.
>
> Any idea?
>
> Help appreciated.
>
> Nicolas
>
>
>

If you do that, nobody will be able to connect to your server to send you 
Internet mail. What's your actual goal here? If you don't want connections 
being made directly to your Exchange server, get another SMTP server 
(postfix, sendmail, etc) and stick it in front of your server - let senders 
connect to that, and have *it* relay mail to your Exchange server.
date: Fri, 7 Apr 2006 12:55:22 -0400   author:   Lanwench [MVP - Exchange]

Re: Telnet and Exchange   
Email coming to your company is accepted by an open port 25. If port 25 is 
not open on some email server, your company cannot get any inbound email.

If you don't want this, use your firewall to stop it.

Ray
date: Fri, 7 Apr 2006 15:42:11 -0400   author:   . noemails@please

RE: Telnet and Exchange   
This is actually easy to do without an external firewall.  Open the Windows 
Firewall (control panel) and enable it.  In the exceptions tab, add port 25 
(name it smtp?).  Click the SCOPE button and set the scope to MY NETWORK 
ONLY.  Ta Da...
date: Fri, 7 Apr 2006 18:20:01 -0700   author:   TejasGSC

Re: Telnet and Exchange   
That would prevent all incoming mail NOT prevent telnet (actually just an 
SMTP command prompt not telnet).

What you're seeing when you 'telnet' to port 25 is the Exchange side of an 
SMTP 'conversation'.  Instead of another SMTP server the connection has been 
initiated by a person at a command prompt.  The Exchange server HAS to be 
able to respond to requests to initiate SMTP 'conversations' in order to 
receive incoming email.  This is quite normal and is not telnet.


"." <noemails@please> wrote in message 
news:OvpUetnWGHA.3800@TK2MSFTNGP03.phx.gbl...
> Email coming to your company is accepted by an open port 25. If port 25 is 
> not open on some email server, your company cannot get any inbound email.
>
> If you don't want this, use your firewall to stop it.
>
> Ray
date: Sun, 9 Apr 2006 19:02:11 +0100   author:   Rob Godfrey

Re: Telnet and Exchange   
Thanks for all your answers....

In fact, what I want to do is to prevent anyone from the Internet using my
Exchange Server to send (open relay?) e-mails without any need to
authenticate himself, by using telnet commands on the port 25.

I checked to be sure that my Exchange server is not an open relay :

Under the Exchange System Manager :
First Organization (Exchange)
Administrative Groups
First administrative group
Servers
<MACHINE_NAME>
Protocols
SMTP
Default SMTP Virtual Server
right-click and then Properties
Access tab
Relay button in Relay Restrictions
Only the list below is checked (and the list is empty)

Is there any real threat or do I need to set something special in the
firewall (we are expecting a CISCO 1841 box soon...)

Help appreciated
Nicolas
date: Sun, 9 Apr 2006 23:29:15 +0200   author:   Nicolas Macarez

Re: Telnet and Exchange   
In news:OK7qfyBXGHA.196@TK2MSFTNGP04.phx.gbl,
Nicolas Macarez  typed:
> Thanks for all your answers....
>
> In fact, what I want to do is to prevent anyone from the Internet
> using my Exchange Server to send (open relay?) e-mails without any
> need to authenticate himself, by using telnet commands on the port 25.

I think you're still missing something here; you're looking at this 
backwards. Relay isn't about a telnet connection....relay is about your 
server allowing someone to send mail *through*, not *to* your server.

E2003 is not an open relay by default, and you can easily stop even 
authenticated relay - in fact, if you performed the steps you mention below, 
you already did.

See http://www.msexchange.org/tutorials/MF005.html for a good overview of 
relaying and spam.


>
> I checked to be sure that my Exchange server is not an open relay :
>
> Under the Exchange System Manager :
> First Organization (Exchange)
> Administrative Groups
> First administrative group
> Servers
> <MACHINE_NAME>
> Protocols
> SMTP
> Default SMTP Virtual Server
> right-click and then Properties
> Access tab
> Relay button in Relay Restrictions
> Only the list below is checked (and the list is empty)
>
> Is there any real threat or do I need to set something special in the
> firewall (we are expecting a CISCO 1841 box soon...)
>
> Help appreciated
> Nicolas
date: Sun, 9 Apr 2006 21:44:23 -0400   author:   Lanwench [MVP - Exchange]

Re: Telnet and Exchange   
"Nicolas Macarez"  wrote:

>
>Thanks for all your answers....
>
>In fact, what I want to do is to prevent anyone from the Internet using my
>Exchange Server to send (open relay?) e-mails without any need to
>authenticate himself, by using telnet commands on the port 25.

Why would anyone use telnet to do this? It's so much easier to use
Outlook Express, Eudora, Pegasus, or any other of the many e-mail
clients.

If someone was serious about using/abusing your server you can rest
assured they wouldn't be using telnet to do it!

					[ snip ]

>Relay button in Relay Restrictions
>Only the list below is checked (and the list is empty)

What about "authenticated connections"? If you allow them and someone
discovers a weak password you'll have no protection. :)

On the other hand, if you don't allow authenticated connections you'll
have problems if you have more than one Exchange server!

>Is there any real threat or do I need to set something special in the
>firewall (we are expecting a CISCO 1841 box soon...)

Open relays aren't that difficult to secure. You should worry more
about compromised machines being used as zombies and HTTP proxies.

-- 
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@getronics.com
Or to these, either: mailto:h.pott@pinkroccade.com mailto:melvin.mcphucknuckle@getronics.com mailto:melvin.mcphucknuckle@pinkroccade.com
date: Sun, 09 Apr 2006 22:11:33 -0400   author:   Rich Matheisen [MVP]

Re: Telnet and Exchange   
In news:u7fqjCEXGHA.4924@TK2MSFTNGP05.phx.gbl,
Lanwench [MVP - Exchange] typed:
> In news:OK7qfyBXGHA.196@TK2MSFTNGP04.phx.gbl,
> Nicolas Macarez  typed:
>> Thanks for all your answers....
>>
>> In fact, what I want to do is to prevent anyone from the Internet
>> using my Exchange Server to send (open relay?) e-mails without any
>> need to authenticate himself, by using telnet commands on the port
>> 25.
>
> I think you're still missing something here; you're looking at this
> backwards. Relay isn't about a telnet connection....relay is about
> your server allowing someone to send mail *through*, not *to* your
> server.
> E2003 is not an open relay by default, and you can easily stop even
> authenticated relay - in fact, if you performed the steps you mention
> below, you already did.

Oops, you didn't mention the checkbox for "allow all users who successfully 
authenticate...", which is what I mean.
>
> See http://www.msexchange.org/tutorials/MF005.html for a good
> overview of relaying and spam.
>
>
>>
>> I checked to be sure that my Exchange server is not an open relay :
>>
>> Under the Exchange System Manager :
>> First Organization (Exchange)
>> Administrative Groups
>> First administrative group
>> Servers
>> <MACHINE_NAME>
>> Protocols
>> SMTP
>> Default SMTP Virtual Server
>> right-click and then Properties
>> Access tab
>> Relay button in Relay Restrictions
>> Only the list below is checked (and the list is empty)
>>
>> Is there any real threat or do I need to set something special in the
>> firewall (we are expecting a CISCO 1841 box soon...)
>>
>> Help appreciated
>> Nicolas
date: Sun, 9 Apr 2006 22:54:33 -0400   author:   Lanwench [MVP - Exchange]
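
The distinction drawn in this thread between mail sent *to* the server and mail relayed *through* it, together with the effect of the "authenticated" checkbox raised by Rich Matheisen and Lanwench, as an added sketch (not from any poster, and not Exchange's own code). The `RelayPolicy` fields, `example.com` and all addresses are assumptions; this is a simplified model of the Relay Restrictions dialog.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    """Simplified model of the settings discussed in the thread (hypothetical names)."""
    local_domains: frozenset           # domains this server accepts mail for
    allowed_networks: tuple = ()       # "Only the list below" (empty = nobody by IP)
    allow_authenticated: bool = False  # "Allow all users who successfully authenticate..."


RCPT = re.compile(r"^RCPT TO:\s*<[^<>@\s]+@([^<>@\s]+)>", re.IGNORECASE)


def decide(policy, client_ip, authenticated, rcpt_line):
    """Classify one RCPT TO command as local delivery or a relay attempt."""
    m = RCPT.match(rcpt_line.strip())
    if not m:
        return "reject-syntax"
    if m.group(1).lower() in policy.local_domains:
        return "accept-local"        # mail *to* the server: must work from anywhere
    ip = ip_address(client_ip)
    if any(ip in ip_network(net) for net in policy.allowed_networks):
        return "relay-allowed-ip"
    if authenticated and policy.allow_authenticated:
        return "relay-allowed-auth"  # only as strong as the weakest password
    return "relay-denied"            # mail *through* the server: refused


# Constructed sessions: (client IP, authenticated?, RCPT command)
SESSIONS = [
    ("203.0.113.7", False, "RCPT TO:<nicolas@example.com>"),
    ("203.0.113.7", False, "RCPT TO:<someone@example.net>"),
    ("203.0.113.7", True, "rcpt to:<someone@example.net>"),
    ("192.168.0.10", False, "RCPT TO:<someone@example.net>"),
]


def evaluate(policy, sessions=SESSIONS):
    """Return the decision for every constructed session under one policy."""
    return [decide(policy, ip, auth, rcpt) for ip, auth, rcpt in sessions]


if __name__ == "__main__":
    locked = RelayPolicy(frozenset({"example.com"}))
    with_auth = RelayPolicy(frozenset({"example.com"}), allow_authenticated=True)
    print("list empty, auth box cleared:", evaluate(locked))
    print("list empty, auth box ticked: ", evaluate(with_auth))
```

With the list empty and the checkbox cleared, port 25 still accepts inbound mail for the local domain while every relay attempt is refused, which is the state Nicolas describes.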

Re: Telnet and Exchange   
We have dual SMTP gateways in front of our exchange server (which is on a 
private network) and they are set to only accept mail destined for our 
domain (no relays).

Also, our internal firewall is set to block ALL SMTP traffic 'except' from 
the one designated server (exchange) which can relay mail to either of our 2 
SMTP gateways.

-- 
Thanks,
TheBurgerMan
at
gmail.com
--
date: Tue, 11 Apr 2006 16:52:34 -0300   author:   TheBurgerMan

Re: Telnet and Exchange   
That's a good precaution that a lot of people miss. It prevents an infected 
PC on your internal network from sending confidential documents out via the 
virus's own SMTP engine. If you have personal firewalls on your company 
PC's, consider setting them so they cannot send via SMTP as well. That will 
protect them when they're not behind the corporate firewall. It won't stop 
the infection, but it will limit them from being able to spread the virus.

Ray

> Also, our internal firewall is set to block ALL SMTP traffic 'except' from 
> the one designated server (exchange) which can relay mail to either of our 
> 2 SMTP gateways.
date: Wed, 12 Apr 2006 08:55:28 -0400   author:   . noemails@please

Re: Telnet and Exchange   
Yep.  We actually had an incident in 2002 where one of our employees 
received an infected email with a brand new virus (that was not in our virus 
scanners yet) and this firewall precaution prevented his PC from sending 
emails.  I counted 200+ attempts at email as well as major port scanning 
(also blocked).  This system was loaded with W2K and we did not have 
personal firewalls on people's machines yet.



It's not so much that people are malicious or stupid, anyone can get caught 
by surprise.  As a network admin, we have to prepare for all of these 
situations!


-- 
Thanks,
TheBurgerMan
at
gmail.com

 --
date: Wed, 12 Apr 2006 10:04:47 -0300   author:   TheBurgerMan
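
An added example, not from any poster: auditing firewall logs for the behaviour TheBurgerMan describes, internal PCs attempting SMTP straight to the Internet when only the designated mail server may. The log layout, the 10.0.0.0/8 range and the server address 10.0.0.25 are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this sketch, not from the thread): the internal
# range, the single host allowed to send SMTP out, and the log line layout.
INTERNAL = ip_network("10.0.0.0/8")
MAIL_SERVERS = {"10.0.0.25"}
LINE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
09:00:01 ALLOW TCP 10.0.0.25:40112 -> 198.51.100.10:25
09:00:03 DENY TCP 10.0.4.17:1045 -> 203.0.113.5:25
09:00:03 DENY TCP 10.0.4.17:1046 -> 203.0.113.77:25
09:00:04 DENY TCP 10.0.4.17:1047 -> 198.51.100.200:25
09:00:04 DENY TCP 10.0.4.17:1048 -> 10.0.0.25:25
09:00:09 ALLOW TCP 10.0.7.3:2211 -> 192.0.2.44:25
09:00:10 ALLOW TCP 10.0.7.3:2212 -> 192.0.2.44:80
""".splitlines()


def audit_outbound_smtp(lines, threshold=3):
    """Return (suspects, gaps) for internal hosts that tried to speak SMTP
    directly to the Internet instead of going through the mail server.

    suspects: {src: attempts} for hosts with at least `threshold` attempts.
    gaps:     hosts whose attempt was ALLOWed, i.e. the egress rule is missing.
    """
    attempts = defaultdict(int)
    allowed = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["dport"] != "25":
            continue
        try:
            src, dst = ip_address(m["src"]), ip_address(m["dst"])
        except ValueError:
            continue                  # malformed address, ignore the line
        if src not in INTERNAL or dst in INTERNAL:
            continue                  # only internal -> Internet traffic
        if str(src) in MAIL_SERVERS:
            continue                  # the designated sender is expected
        attempts[str(src)] += 1
        if m["action"] == "ALLOW":
            allowed.add(str(src))
    suspects = {s: n for s, n in attempts.items() if n >= threshold}
    return suspects, sorted(allowed)


if __name__ == "__main__":
    suspects, gaps = audit_outbound_smtp(SAMPLE_LOG)
    print("repeated direct SMTP attempts:", suspects)
    print("hosts the firewall let through:", gaps)
```

A host in `suspects` with only DENY entries is the blocked-infection case from the incident above; a host in `gaps` means the "block all SMTP except the mail server" rule is not actually in force for it.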

Re: Telnet and Exchange   
The only whiners you'll get are the IT staff because they now have to tell 
you when their little application that incorporates an SMTP feature gets 
turned on or it won't work. We make all of them relay through an Exchange 
server so we can get some logging if nothing else.

Ray
date: Thu, 13 Apr 2006 13:06:23 -0400   author:   . noemails@please
