Exchange 2013 open relay

    Question

  • Hello 

    I have an issue with my Exchange 2013: anyone can use my Exchange 2013 as an SMTP relay and send emails without authentication!

    How can I solve this issue?


    MCP MCSA MCSE MCT MCTS CCNA

    Sunday, May 21, 2017 9:00 PM

All replies

  • Hi,

    Have you got auth enabled? When you say anyone, do you mean from external also?

    Monday, May 22, 2017 12:37 AM
  • Be sure you understand "relay".  If an SMTP sender can send mail to recipients in your Exchange organization, that's called "submission".  That's normally enabled because it's how the Internet can send mail to your users.  If an SMTP sender can use your Exchange server to send mail without authenticating to recipients outside your Exchange organization, it's called "relay".

    http://tinyurl.com/lf5wkx2


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, May 22, 2017 4:06 AM
    Moderator
  • Hi

    The issue: from any machine in my network I can open CMD and send emails through my Exchange without authentication. How can I prevent this behavior?


    MCP MCSA MCSE MCT MCTS CCNA

    Monday, May 22, 2017 4:53 AM
  • Hello,

    To prevent it, try the steps below:
    1. Determine which receive connectors in the organization are open relay connectors:

        # List connectors where an anonymous account holds the accept-any-recipient right
        Get-ReceiveConnector | Get-ADPermission |
            Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} |
            FT Identity, User, ExtendedRights

    2. Prevent others from pretending to send messages:

        # Remove the anonymous right to send as an authoritative-domain sender on one connector
        Get-ReceiveConnector "<Connector Identity>" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" |
            where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

    Best Regards,

    Allen Wang



    Monday, May 22, 2017 3:09 PM
    Moderator
  • Did you read my post?  If you block what you are reporting, you will not be able to receive e-mail.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, May 23, 2017 4:00 PM
    Moderator
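
A read-only audit that combines the submission/relay distinction and the permission checks from the replies above, as an added example that is not from any poster in this thread. It assumes the Exchange Management Shell; the variable names and Verdict strings are this example's own, and it goes one step beyond the thread by also flagging externally secured connectors (AuthMechanism ExternalAuthoritative).

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# Variable names and the Verdict strings are this example's own.
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$spoofRight = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

$report = Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Extended rights granted (not denied) to anonymous on this connector
    $rights = @(
        $connector | Get-ADPermission -User $anon |
            Where-Object { -not $_.Deny } |
            ForEach-Object { $_.ExtendedRights } |
            ForEach-Object { "$_" }
    )

    $anonGroup  = "$($connector.PermissionGroups)" -match 'AnonymousUsers'
    $extSecured = "$($connector.AuthMechanism)" -match 'ExternalAuthoritative'
    $canRelay   = $rights -contains $relayRight

    # Relay = unauthenticated mail to outside recipients; submission = to your own domains
    $verdict = if ($canRelay) {
        'RELAY: unauthenticated senders can reach external recipients'
    } elseif ($extSecured) {
        'CHECK: externally secured, hosts in RemoteIPRanges are trusted'
    } elseif ($anonGroup) {
        'Submission: unauthenticated mail to your own domains only'
    } else {
        'Authenticated senders only'
    }

    [pscustomobject]@{
        Connector      = "$($connector.Identity)"
        Bindings       = $connector.Bindings -join ', '
        RemoteIPRanges = $connector.RemoteIPRanges -join ', '
        AnonymousRelay = $canRelay
        AnonymousSpoof = $rights -contains $spoofRight
        Verdict        = $verdict
    }
}

$report | Sort-Object Connector | Format-List
```

Read each RELAY verdict together with RemoteIPRanges: a connector scoped to a few application servers is a deliberate internal relay, while the same right on a connector that accepts every address is an open relay.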