Problem solve Get help with specific problems with your technologies, process and projects.

Stop relaying and enable outgoing SMTP authentication

Expert Richard Luckett offers his advice on enabling outgoing SMTP authentication on an Exchange 2003 server.

We have an Exchange 2003 server with SP1. I read your expert response Relay prevention on the Exchange server.

I would like to know:

  1. How can we stop relaying on an Exchange 2003 server? Only Active Directory users should be able to send and receive mail -- i.e., POP3 clients. I need step-by-step settings, if possible.


  2. How can we enable outgoing SMTP authentication on the Exchange 2003 server? Whenever a domain user is sending an e-mail, he should be prompted for a password.


In answer to your first question, there is nothing that you need to do on an Exchange Server 2003 to stop spammers from relaying. Exchange Server 2003 is a closed relay. The response you referenced was pointing out that in order to support POP and IMAP clients, relaying must be allowed. Then anyone that can authenticate against the domain/forest can send mail using SMTP. Relaying has taken on a very negative connotation because of SPAM but people forget that relaying is what SMTP was built to do.

Now, regarding your second question, you bring up a very good point. All users must authenticate when sending e-mail. And retrieving e-mail for that matter. Again, there is good news for you here. Integrated Windows Authentication (NTLM V2 or KERB) is utilized by default in Exchange. So your POP/IMAP users may not be prompted for a username and password, as Exchange can derive the user's credentials from the user's security context. So, just because they are not prompted doesn't mean they are not being authenticated.

If the user's mail client doesn't support NTLM or KERB, then it is most likely going to try to use Basic authentication (clear text). This is also supported by default on the SMTP virtual server for Exchange Server 2003. In this case, the user will be prompted unless the client is manually configured to store the username and password for future use. In which case, again, you will not be prompted for a username and password.



I am using Exchange 2003 on a Small Business Server (SBS). My company's Web site is SunBeam Generator. Some domain e-mail gets returned, like the following one:

Your message did not reach some or all of the intended recipients.

      Subject:     PO Monarc 052
      Sent:          4/18/2006 10:55 AM 

The following recipient(s) could not be reached:

      '[email protected]' on 4/18/2006 3:12 PM
            You do not have permission to send to this recipient. For assistance, contact your
                  system administrator.
            <sunbeampower.com #5.7.1 smtp;530 5.7.1 http://dsbl.org/listing?
                  [email protected]>

What do I have to do and how do I authenticate SMTP?
—Arun S.


The reason your server did not send to the specific address in your example is that the recipient's domain is blocked by DSBL.ORG. Your e-mail server or gateway filter is probably configured to check this list prior to sending e-mail. The NDR states this:
"http://dsbl.org/listing? [email protected]'

There are other reasons why this error could be generated but, in this case, I think it is most likely a blocked domain. For more information on this error, you should read Dave Sengupta's discussion thread related to firewalls causing the error.

In addition to the suggestions in that discussion thread, spam filters not allowing the country code DNS domain ".in" (and other country codes) could cause this error. If you find that all or most of the recipients that are being bounced back have e-mail addresses with two-digit country code domains, then that is a very likely culprit.

I have also seen remote systems generate these non-delivery reports (NDRs) when they don't like certain attachments coming through, so pay close attention to the system generating the NDR.
—Richard Luckett, Spam and Security Expert


Do you have comments on this Ask the Expert Q&A? Let us know.

Related information from SearchExchange.com:


  • Tip: Cross-Forest SMTP Authentication
  • Tip:Many ISPs now blocking port 25
  • Resource Center: SMTP tips and resources

Dig Deeper on Legacy Exchange Server versions