Problem solve Get help with specific problems with your technologies, process and projects.

Protect Exchange

A comprehensive background of e-mail protocols, security measures, and advice on dealing with open relaying and blacklisting issues.

This tip was submitted to the tip exchange by member Tim Fenner. Please let others know how useful it is by rating it below.

Fully protecting your Exchange server cannot be explained in a simple tip, but I will provide you with some advanced knowledge on some of the issues you will face and where you can go to get help.


By default, an install of Exchange 2000 on a Windows 2000 server has the following ports open to its interfaces:

Port Protocol Typical Use
25 SMTP Used for sending and receiving of e-mail
80 HTTP Used for Outlook Web Access to host Web-enabled mailboxes
110 POP3 Used by clients to retrieve and store messages locally
119 NNTP Used by clients and servers for managing the notes posted on newsgroups
135 EPMAP Used by Microsoft for RPC locator service
139 NetBIOS-SSN Used by NETBIOS Session Service


Used by clients to retrieve and store messages locally, yet leave a copy on server

These are available to allow clients to use specific types of server access to the Exchange/Windows server. They can and should be disabled/filtered/blocked if they are not in use to avoid exposure to many known exploits.

You can further secure your Exchange environment if you filter or block all nonessential TCP/IP ports on the outside router, firewall and server. Use this site to get an idea what ports are used for what.


To further reduce your exposure to these risks and others, I recommend placing your externally accessible Exchange server, which will be receiving SMTP messages for internal redirection in a demilitarized zone (DMZ), whether it is a front-end server in a multi-server environment or just a single server used for your entire organization.

You should also dual home the server (install two NICs, with one configured for the internal network and the other to the external/public network) and disable the NetBIOS, Server, and Workstation bindings on that external/public network interface card.

Use this Exchange security operations guide to perform the above changes.


Finally, disable services such as Alerter, Computer Browser, FTP publishing service, Messenger, TCP/IP NetBIOS Helper, Scheduler and any other unnecessary services if they are not needed in your environment. Check out this tip on Windows default services and their uses.

Stop e-mail relaying/Avoid being blacklisted

Exchange 2000 has a very flexible set of anti-relaying features built in. You configure them at the SMTP virtual server level, so that you can set different relaying properties on different servers.

One common use for this is in setting up two virtual server: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on for a non-standard port number. Your remote clients can configure their mail clients to use the non-standard port; this approach neatly avoids the problem of spammers who scan for open relays. You can go to this Web site to find out more.

Dig Deeper on Exchange Server setup and troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.