Sending email authentication

    Question

  • When I use PowerShell to Send-MailMessage from our domain user's email address to any external email address, I receive "5.7.1 Unable to relay", which is as expected.

    Unfortunately, when I Send-MailMessage from domain user's email address to another domain user's email address or the same domain user's email address, the message is sent without asking for username or password.

    Please help me to prevent sending any email without authentication in Exchange Server 2013.


    • Edited by Tarek Salah Monday, December 19, 2016 5:08 PM
    Monday, December 19, 2016 5:03 PM

All replies

  • Hi

    In the relay connector remove the anonymous relay and provide authenticated relay for this application from where you are sending. This will solve the issue.


    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com. Thanks, Sathish (MVP)

    Tuesday, December 20, 2016 5:03 AM
  • When I remove anonymous from Default Frontend Exch, I do not receive emails from external domains.
    Tuesday, December 20, 2016 7:45 AM
  • You need to create an additional dedicated receive connector for external only, scoped to the IP of the incoming MTA.
    Tuesday, December 20, 2016 8:47 AM
  • Hi

    I recommend creating a relay connector:

    New-ReceiveConnector -Name 'Exchange Relay Connector' -RemoteIPRanges @('10.30.2.0-10.30.2.254') -Bindings @('0.0.0.0:25') -Usage 'Custom' -Server 'Exchange.contoso.com' -TransportRole 'FrontendTransport'

    Set-ReceiveConnector -RemoteIPRanges @('10.30.3.0-10.30.3.254') -Bindings @('0.0.0.0:25') -PermissionGroups 'AnonymousUsers' -Identity 'Exchange\Exchange Relay Connector'

    Get-ReceiveConnector "Exchange Relay Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -TarpitInterval 00:00:00

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -ConnectionTimeout 00:30:00

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -ConnectionInactivityTimeout 00:20:00

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -MaxAcknowledgementDelay 00:00:00

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -MaxInboundConnection 10000

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -MaxInboundConnectionPercentagePerSource 100

    Set-ReceiveConnector -Identity "Exchange Relay Connector" -MaxInboundConnectionPerSource unlimited

    For the IP Range use the Range where the clients are.

    Regards

    Joerg

    Tuesday, December 20, 2016 10:17 AM
  • Hi,

    The Default Frontend Exch receive connector needs permission to receive messages from anonymous connections. So run this command first; then you can use the Send-MailMessage command to send messages to external.

    Get-ReceiveConnector "Default Frontend Exc" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Note: this permission allows Anonymous Relay on a Receive Connector. External SMTP servers can also use this receive connector to send messages. So I suggest referring to this document to create a new receive connector for Anonymous Relay.

    https://technet.microsoft.com/en-us/library/bb232021%28v=exchg.141%29.aspx


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 21, 2016 3:01 AM
    Moderator
  • Would you please confirm that if I create this new receive connector and remove anonymous from the "Default Frontend Exch", I will get a login dialog when I spoof my internal e-mails to send e-mail to another internal e-mail?

    The only workaround I did is to create a rule to delete internal e-mails.

     
    Wednesday, December 21, 2016 2:36 PM
  • Thank you for your reply,

    I do not have any problem to Send-MailMessage to external because ISP and DNS are configured correctly with SPF records.

    That means, when I spoof my internal mailbox by Send-MailMessage to external, I get "5.7.1 Unable to relay", which is the same behavior I want when I Send-MailMessage from an internal to an internal mailbox from an unauthorized login.

    I want an error message to authenticate or a login dialog when I send from internal to internal. Is it possible?

    I did a workaround to delete these e-mails by a rule. I want to prevent this behavior itself.

    Wednesday, December 21, 2016 2:45 PM
  • FYI, This is the source of one e-mail spam I receive from internal mail@domain.com to mail@domain.com using Anonymous login!!!

    Received: from local.domain.com (192.168.0.11) by
     local.domain.com (192.168.0.11) with Microsoft SMTP Server (TLS)
     id 15.0.847.32; Wed, 21 Dec 2016 15:12:14 +0200
    Received: from [41.227.248.100] (41.227.248.100) by
     local.domain.com (41.31.141.251) with Microsoft SMTP Server id
     15.0.847.32 via Frontend Transport; Wed, 21 Dec 2016 15:12:14 +0200
    From: <mail@domain.com>
    To: <mail@domain.com>
    Subject: hello
    Date: Wed, 21 Dec 2016 12:56:21 +0000
    Message-ID: <003301d25b8c$05a456c3$a592b8b0$@domain.com>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="_6f2d0bcd-1960-4efb-b4ef-c7071165b373_"
    X-Mailer: Microsoft Outlook 15.0
    Thread-Index: Acmixtx75063gdy9mixtx75063gdy9==
    Content-Language: en-us
    Return-Path: mail@domain.com
    X-MS-Exchange-Organization-AuthSource: local.domain.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: domain.com
    X-MS-Exchange-Organization-SenderIdResult: None
    Received-SPF: None (local.domain.com: mail@domain.com does not
     designate permitted sender hosts)
    X-MS-Exchange-Organization-Network-Message-Id: 1696092b-ba8e-4db0-3407-08d429a2fb82
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:41.227.248.100
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0

    Wednesday, December 21, 2016 2:52 PM
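
Added example (not part of the thread, and not code from any poster): a PowerShell triage of the headers posted above, flagging a message whose From domain is one of your own while Exchange stamped it `AuthAs: Anonymous`. The function name `Get-SpoofTriage` and its `-AcceptedDomains` parameter are hypothetical; the sample input is trimmed from the headers in the post.

```powershell
# Added example: Get-SpoofTriage and -AcceptedDomains are hypothetical names.
function Get-SpoofTriage {
    param(
        [Parameter(Mandatory)] [string]   $RawHeaders,
        [Parameter(Mandatory)] [string[]] $AcceptedDomains  # assumption: domains you are authoritative for
    )
    # Unfold continuation lines: a line starting with whitespace belongs to the previous header.
    $unfolded = $RawHeaders -replace '\r?\n[ \t]+', ' '
    $h = @{}
    foreach ($line in ($unfolded -split '\r?\n')) {
        if ($line -match '^([^\s:]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            if (-not $h.ContainsKey($name)) { $h[$name] = @() }
            $h[$name] += $Matches[2].Trim()
        }
    }
    # How Exchange classified the submitting session (Anonymous, Internal, ...).
    $authAs = $h['x-ms-exchange-organization-authas'] | Select-Object -First 1
    $fromDomain = $null
    if (($h['from'] | Select-Object -First 1) -match '@([A-Za-z0-9.-]+)') {
        $fromDomain = $Matches[1].ToLowerInvariant()
    }
    # Originating IP as recorded in the antispam report header.
    $originIp = $null
    if (($h['x-ms-exchange-organization-antispam-report'] -join ';') -match 'OrigIP:([0-9A-Fa-f.:]+)') {
        $originIp = $Matches[1]
    }
    $private = $originIp -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    [pscustomobject]@{
        FromDomain              = $fromDomain
        AuthAs                  = $authAs
        OriginIP                = $originIp
        OriginIsPrivate         = [bool]$private
        AnonymousInternalSender = ($authAs -eq 'Anonymous') -and ($AcceptedDomains -contains $fromDomain)
    }
}

# Sample input: a subset of the headers posted above.
$sample = @'
Received: from [41.227.248.100] (41.227.248.100) by
 local.domain.com (41.31.141.251) with Microsoft SMTP Server id
 15.0.847.32 via Frontend Transport; Wed, 21 Dec 2016 15:12:14 +0200
From: <mail@domain.com>
To: <mail@domain.com>
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus None;OrigIP:41.227.248.100
'@
Get-SpoofTriage -RawHeaders $sample -AcceptedDomains 'domain.com'
```

A message that comes back with `AnonymousInternalSender` true and `OriginIsPrivate` false matches the pattern in the post: an unauthenticated session from outside the network claiming an internal sender address.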