Next, let's look at the informational alerts that showed up in the ExBPA scan.
Tar pitting is the process of artificially slowing unauthenticated SMTP connections when the sending SMTP server addresses an invalid recipient, in an attempt to reduce the effectiveness of dictionary email address harvesting attacks, as described in this Microsoft KB article. It's not really relevant in this deployment as I won't be opening inbound SMTP to the Internet whilst only Exchange 2003 is deployed; however, it's an easy fix to reduce the number of informational alerts. This is enabled by adding a DWORD value with the number of seconds to delay at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters.
this TechNet article don't even exist on the server. I could probably fix the alert by enabling the updates for the service, but I'd be concerned that doing so would be more likely to introduce other issues, so I'll have to live with this alert.
Basic Auth is enabled on the SMTP VS on the front-end server by design. It's not going to be open to the Internet so there is no security concern. I should be able to disable Basic Auth on the back-end SMTP VS though.
Finally, I re-ran the ExBPA scan to ensure everything I'd intended to fix was now fixed, and the only remaining items were expected.