someone is mail relaying through my M$ exchange server


hardigunawan
11-30-2000, 11:15 PM
i'm using a linux firewall, with a M$ exchange server inside it. recently, i saw from the exchange server that someone from outside is relaying his/her email to another. i know this, because the "From:" address is "xyz". i don't have anyone with that username.

what's the next step i should take? should i sniff using snort at the firewall? what kind of snort rule would allow me to do that?

r00t619
12-01-2000, 03:35 AM
First off, why would you use M$ Exchange Server when you already have a Linux box as your firewall? You have Sendmail, Qmail, etc. that are readily available to you. But to answer your question:

1. First thing you need to do is test to see whether or not your mail server really does relay mail. So go here http://www.unicom.com/sw/rlytest/ and grab this script and run it on your mail server from OUTSIDE your firewall. This will tell you if you really relay or not.

2. If you relay mail then here is a great site to help you solve your problem with M$ Exchange Server. http://www.microsoft.com/technet/exchange/relay.asp

Hope this helps, if you have any questions let me know.

r00t619

per©oDåN
12-01-2000, 10:32 AM
Your firewall will not stop relaying (no firewall can stop relaying on an SMTP server)...

It's in Exchange... There are good Knowledge Base articles on how to avoid this, but Exchange really sucks in the relay dept...

Also check out http://www.orbs.org

bytemare
12-01-2000, 11:40 AM
people use exchange to send/receive mail because there is no unix equivalent to do what exchange can do.

you can turn off relaying by going to the internet mail service, selecting your server, and click on the routing tabs, and you can set all of your routing restrictions there.
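
Added example, not part of any post in this thread: one way to confirm from the mail server's own records that third-party relaying is happening, by flagging messages that arrive from outside the internal network and are addressed to a non-local domain. The record layout, `LOCAL_DOMAINS` and `INTERNAL_NETS` are assumptions made for illustration and the sample records are constructed; adapt the parsing to whatever your SMTP log actually contains.

```python
import ipaddress

# Assumed values for this sketch (not from the thread): the domains this
# server accepts mail for, and the internal network behind the firewall.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample records: client IP, envelope sender, envelope recipient.
SAMPLE_LOG = """\
192.168.1.20 alice@example.com bob@example.net
203.0.113.7 carol@example.org alice@example.com
198.51.100.9 xyz@example.com victim@example.net
198.51.100.9 xyz@example.com <other@example.org>
192.168.1.21 bob@example.com alice@example.com
not-an-ip junk@example.org junk@example.net
"""

def domain_of(address):
    """Lower-cased domain part of an address, tolerating <angle brackets>."""
    return address.strip("<>").rsplit("@", 1)[-1].lower()

def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in INTERNAL_NETS)

def classify(client_ip, sender, recipient):
    """Return 'local-delivery', 'outbound' or 'relay' for one record.

    The sender address is deliberately ignored: it is supplied by the
    client and can claim a local domain, as 'xyz' does in the sample.
    """
    if domain_of(recipient) in LOCAL_DOMAINS:
        return "local-delivery"   # inbound mail for our own users
    if is_internal(client_ip):
        return "outbound"         # our own hosts sending out
    return "relay"                # outside client, outside recipient

def find_relayed(log_text):
    """Return (client_ip, sender, recipient) for every relayed message."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            if classify(*parts) == "relay":
                hits.append(tuple(parts))
        except ValueError:
            continue              # skip records with an unparsable client IP
    return hits
```

Calling `find_relayed(SAMPLE_LOG)` returns the two records from 198.51.100.9; once relay restrictions are in place on the server, new records of that kind should stop appearing.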