Showing posts with label port 25.

Sunday, September 11, 2011

421 4.3.2 Service not available, closing transmission channel on SBS 2008 - not receiving external email

Yesterday, I had an extremely frustrating issue where my SBS box was not receiving external email. Port 25 was open. I could telnet to the server from *inside* the LAN and get the proper banner, but when I was outside the LAN, I got:


421 4.3.2 Service not available, closing transmission channel


In the end, my conclusion is that while troubleshooting another issue, I ran the Fix My Network wizard, which deleted my receive connector for external email. There should be 3 receive connectors by default: one for SharePoint, one for internal users to use for sending mail and internal mail, and one for receiving external email from the outside.

This is a proper-looking set of receive connectors:

This is what the internal connector should look like for internal usage:

This is what a proper external/internet receive connector should look like:
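The same check done from the Exchange Management Shell, as an added example that is not code from the original post. It lists the receive connectors on the SBS box, tests whether any of them is usable by outside mail servers (enabled, bound to port 25, covering the whole IPv4 range and granting AnonymousUsers), and recreates an internet-facing connector if none is found. The connector name is a placeholder modelled on the SBS naming convention, and the string form of the binding and range objects is an assumption noted in the comments.

```powershell
# Added example, not code from the original post. Assumes the Exchange Management Shell on
# SBS 2008 (Exchange 2007). The connector name used when recreating is a placeholder modelled
# on the SBS naming convention; the real name on a given box may differ.

$serverName = $env:COMPUTERNAME

# Show every receive connector with the properties that decide whether outside senders are accepted.
Get-ReceiveConnector -Server $serverName |
    Select-Object Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# An internet-facing connector has to be enabled, listen on TCP 25, accept the whole IPv4 range and
# grant the AnonymousUsers permission group. Without one, a remote sender finds no usable connector
# and the session is refused, which matches the 421 seen only from outside the LAN.
# (Assumption: Bindings render as "address:port" strings and RemoteIPRanges as "low-high" strings.)
$internetConnectors = Get-ReceiveConnector -Server $serverName | Where-Object {
    $bindings = $_.Bindings | ForEach-Object { $_.ToString() }
    $ranges   = $_.RemoteIPRanges | ForEach-Object { $_.ToString() }
    $_.Enabled -and
    ($bindings -match ':25$') -and
    ($ranges -contains '0.0.0.0-255.255.255.255') -and
    ("$($_.PermissionGroups)" -match 'AnonymousUsers')
}

if ($internetConnectors) {
    "Internet receive connector(s) present: " + (($internetConnectors | ForEach-Object { $_.Name }) -join ', ')
} else {
    Write-Warning "No internet-facing receive connector on $serverName; recreating one."
    # -Usage Internet assigns the AnonymousUsers permission group and the default authentication
    # settings for an internet connector, so PermissionGroups is not passed separately.
    New-ReceiveConnector -Name "Windows SBS Internet Receive $serverName" `
        -Server $serverName `
        -Usage Internet `
        -Bindings 0.0.0.0:25 `
        -RemoteIPRanges 0.0.0.0-255.255.255.255
}
```

After recreating the connector, repeat the telnet test from outside the LAN: the banner should now appear instead of the 421. A connector restricted to LAN addresses (the internal one in the screenshots above) will not match the full-range check, which is the intended distinction between the two.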

Monday, February 8, 2010

altering the default lockout policy on Server 2003 (SBS or Standard)

For servers that are publicly facing, it's likely that hackers will attempt to break in. Recently, I had a hacker try to guess logins and passwords over and over again (thousands of times) over port 25. I was able to thwart that by disabling port 25 for a bit (15 minutes), and the hacker lost interest. But had I not noticed the attempts, he could have kept guessing indefinitely.

There's no lockout policy for invalid usernames. If the hacker is guessing at jsmith and you don't have a jsmith user, he can keep guessing forever; the lockout policy will not apply. But if the hacker is trying legitimate user names, the account should be locked out after a limited number of attempts. I have seen the default as no limit and as 50 attempts on SBS machines.

The number of attempts should be 6 or fewer and the lockout times should be 15 minutes or longer.

You can get to the appropriate place via:

Group Policy Management -> expand to Default Domain Policy, right-click on Default Domain Policy and click Edit. Then edit these fields:
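A way to check the two things this post is about from the command line, as an added example that is not code from the original post: it reads the effective domain lockout policy with `net accounts /domain` and compares it with the thresholds recommended above, then counts failed logons per account in the Security log so repeated guessing like the port 25 incident shows up as a number next to a user name. It assumes PowerShell is installed on the domain controller, that the guessing attempts are audited as failed logons there, and that the event fields sit at the positions noted in the comments.

```powershell
# Added example, not code from the original post. Run in PowerShell on the SBS/domain controller.
# The thresholds are the values the post recommends; the parsing of 'net accounts' output and the
# event-ID field positions are assumptions stated in the comments.

$maxAttempts       = 6    # lockout threshold the post recommends ("6 or fewer")
$minLockoutMinutes = 15   # lockout duration the post recommends ("15 minutes or longer")

# 'net accounts /domain' prints the effective domain policy; the lines of interest look like
#   Lockout threshold:                                    Never
#   Lockout duration (minutes):                           30
#   Lockout observation window (minutes):                 30
$policy = @{}
net accounts /domain | ForEach-Object {
    if ($_ -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s+(\S+)') {
        $policy[$matches[1]] = $matches[2]
    }
}

$threshold = $policy['Lockout threshold']
# "Never" (or a missing line) means no lockout at all; 0 means the same thing in policy terms.
if (-not ($threshold -match '^\d+$') -or [int]$threshold -eq 0 -or [int]$threshold -gt $maxAttempts) {
    Write-Warning "Lockout threshold is '$threshold'; the post recommends $maxAttempts attempts or fewer."
} else {
    "Lockout threshold OK: $threshold attempts"
}

$duration = $policy['Lockout duration (minutes)']
if (-not $duration) {
    Write-Warning "Could not read the lockout duration from 'net accounts /domain'."
} elseif (($duration -match '^\d+$') -and [int]$duration -lt $minLockoutMinutes) {
    Write-Warning "Lockout duration is $duration minutes; the post recommends $minLockoutMinutes or longer."
} else {
    # A non-numeric duration means accounts stay locked until an administrator unlocks them.
    "Lockout duration OK: $duration"
}

# Failed-logon volume per account over the last 24 hours. Event ID 529 is the Server 2003
# failed-logon audit; 4625 is its Server 2008 equivalent. Assumption: the target user name is
# ReplacementStrings[0] on a 529 and ReplacementStrings[5] on a 4625.
$since = (Get-Date).AddHours(-24)
$failures = Get-EventLog -LogName Security -After $since -InstanceId 529, 4625 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.InstanceId -eq 4625) { $_.ReplacementStrings[5] } else { $_.ReplacementStrings[0] }
    } |
    Group-Object |
    Sort-Object Count -Descending

foreach ($group in $failures) {
    $flag = if ($group.Count -gt $maxAttempts) { '  <-- exceeds threshold' } else { '' }
    "{0,-24} {1,6} failed logons{2}" -f $group.Name, $group.Count, $flag
}
```

Names that never match a real account still show up in the second list, which is the case the post points out the lockout policy cannot help with; a long tail of nonexistent user names with high counts is the guessing pattern to look for even when every real account is protected.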