Prevent Exchange 2010 spoofing of authoritative domains

  • Question

  • Hello,

    I have been trying, on a new Exchange 2010 installation, to prevent the receive connector from accepting senders from authoritative domains:

    Get-ReceiveConnector "Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    While this works perfectly fine in Exchange 2007, it has no effect in Exchange 2010.

    Any ideas?

    Thanks



    Friday, April 20, 2012 2:28 PM

Answers

  • And to add more: I think the 2007 behavior is right.

    Reading

    http://technet.microsoft.com/en-us/library/aa996395.aspx

    ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    This permission allows senders that have e-mail addresses in authoritative domains to establish a session to this Receive connector.

    I understand: ALLOWS senders ... TO ESTABLISH a session.

    2007 does that, but 2010 allows the session to be established; it does not reject it. It does not accept the message, but it allows the session to be established.

    Do I understand this wrong?

    • Marked as answer by emma.yoyo Friday, May 4, 2012 6:35 AM
    Friday, April 20, 2012 6:23 PM
  • Technically a "session" is established as soon as you got a reply.  All relative I guess.  I don't have a 2007 box to mess with, but it'd appear you are correct.  Not really worth worrying about though.  The message is never queued.


    Mike Crowley | MVP
    My Blog -- Planet Technologies


    • Edited by Mike Crowley Friday, April 20, 2012 6:48 PM
    • Marked as answer by rpro1900 Friday, April 20, 2012 7:24 PM
    Friday, April 20, 2012 6:46 PM

All replies

  • I would implement an SPF record, and then enable the anti-spam agents on your servers.


    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Friday, April 20, 2012 2:34 PM
  • Thanks for the answer, Mike. I know we can implement SPF and anti-spam agents; we are protected by an external anti-spam service and traffic is accepted only from this gateway.

    But for my knowledge, the question was why this works in 2007 and not in 2010. What is different, or what got changed?

    I have a coexistence environment with 4 HT Exchange 2007 and 3 HT Exchange 2010 servers. On all 2007 servers it works, but not on 2010.
    I also tested this in our test lab.

    That attribute, ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, has no effect on the connector (for 2010).

    Removed or not from the connector, it does not matter.

    Friday, April 20, 2012 3:25 PM
  • Let me look and get back to you.  This should still apply in 2010 AFAIK.


    Mike Crowley | MVP
    My Blog -- Planet Technologies

    Friday, April 20, 2012 3:43 PM
  • Seems to work for me... (sorry!)

    Before:

    220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:44:56 -0400
    ehlo
    250-EXCH-A.demolab.local Hello [127.0.0.1]
    250-SIZE 10485760
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    mail from:mike@demolab.local
    250 2.1.0 Sender OK
    rcpt to:mike@demolab.local
    250 2.1.5 Recipient OK
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    hi
    .
    250 2.6.0 <96de8dc3-c264-41bc-9475-e9f3daf9ffcb@EXCH-A.demolab.local> [InternalId=3] Queued mail for delivery

    Run:

    Get-ReceiveConnector foo | Remove-ADPermission -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    After:

    220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:49:18 -0400
    ehlo
    250-EXCH-A.demolab.local Hello [127.0.0.1]
    250-SIZE 10485760
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-AUTH
    250-8BITMIME
    250-BINARYMIME
    250 CHUNKING
    mail from:mike@demolab.local
    250 2.1.0 Sender OK
    rcpt to:mike@demolab.local
    250 2.1.5 Recipient OK
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    hi2
    .
    550 5.7.1 Client does not have permissions to send as this sender



    • Edited by Mike Crowley Friday, April 20, 2012 3:56 PM
    • Proposed as answer by Mike Crowley Friday, April 20, 2012 4:25 PM
    Friday, April 20, 2012 3:52 PM
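    The two session shapes discussed in this thread (a refusal right at MAIL FROM, as rpro1900 reports for 2007, versus a refusal only after the end of DATA, as in the 2010 transcript above) can be told apart with a small probe. What follows is an added example, not code from the thread, from Microsoft or from Exchange: it walks an unauthenticated SMTP session step by step and reports the first stage at which the server answers 4xx/5xx. The fake SMTP server inside it is a constructed stand-in that reproduces both behaviours so the probe runs offline; the domain demolab.local, the address mike@demolab.local and the 550 5.7.1 text are taken from the transcript above, while the function names and the EHLO name probe.invalid are assumptions of this example.

```python
"""Report at which SMTP stage a server refuses a sender that claims one of
its own authoritative domains.  Added example; the FakeExchange class is a
constructed stand-in, not Exchange code."""
import socket
import socketserver
import threading

AUTHORITATIVE_DOMAIN = "demolab.local"   # from the lab transcript in the thread
REJECT_LINE = b"550 5.7.1 Client does not have permissions to send as this sender\r\n"


def read_reply(f):
    """Return the final line of a (possibly multi-line, '250-...') SMTP reply."""
    while True:
        line = f.readline()
        if not line or line[3:4] != b"-":
            return line


def smtp_probe(host, port, mail_from, rcpt_to, timeout=5.0):
    """Walk a plain, unauthenticated session.  Returns (stage, reply) for the
    first 4xx/5xx answer, or ("ACCEPTED", reply) if the message was queued."""
    steps = [
        ("EHLO", b"EHLO probe.invalid\r\n"),                       # assumed client name
        ("MAIL FROM", f"MAIL FROM:<{mail_from}>\r\n".encode()),
        ("RCPT TO", f"RCPT TO:<{rcpt_to}>\r\n".encode()),
        ("DATA", b"DATA\r\n"),
        ("END OF DATA", b"Subject: probe\r\n\r\nhi\r\n.\r\n"),
    ]
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        reply = read_reply(f)
        if not reply.startswith(b"220"):
            return ("BANNER", reply.decode(errors="replace").strip())
        for stage, cmd in steps:
            s.sendall(cmd)
            reply = read_reply(f)
            if not reply:
                return (stage, "connection closed")
            if reply[:1] in (b"4", b"5"):
                s.sendall(b"QUIT\r\n")
                return (stage, reply.decode(errors="replace").strip())
        s.sendall(b"QUIT\r\n")
        return ("ACCEPTED", reply.decode(errors="replace").strip())


class FakeExchange(socketserver.StreamRequestHandler):
    """Constructed responder.  server.reject_at picks where a sender in
    AUTHORITATIVE_DOMAIN is refused: "MAIL FROM" (the 2007 behaviour the
    thread describes) or "END OF DATA" (the 2010 transcript)."""

    def handle(self):
        self.wfile.write(b"220 fake.demolab.local ESMTP ready\r\n")
        spoofed = in_data = False
        while True:
            line = self.rfile.readline()
            if not line:
                return
            if in_data:                                   # message body until lone "."
                if line.rstrip(b"\r\n") == b".":
                    in_data = False
                    if spoofed and self.server.reject_at == "END OF DATA":
                        self.wfile.write(REJECT_LINE)
                    else:
                        self.wfile.write(b"250 2.6.0 Queued mail for delivery\r\n")
                continue
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO") or cmd.startswith(b"HELO"):
                self.wfile.write(b"250-fake.demolab.local Hello\r\n250 8BITMIME\r\n")
            elif cmd.startswith(b"MAIL FROM:"):
                addr = line.split(b":", 1)[1].strip().strip(b"<>").decode(errors="replace")
                spoofed = addr.rsplit("@", 1)[-1].lower() == AUTHORITATIVE_DOMAIN
                if spoofed and self.server.reject_at == "MAIL FROM":
                    self.wfile.write(REJECT_LINE)
                else:
                    self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif cmd.startswith(b"RCPT TO:"):
                self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
            elif cmd == b"DATA":
                in_data = True
                self.wfile.write(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
            elif cmd == b"QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"500 5.3.3 Unrecognized command\r\n")


class _Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def probe_fake_server(reject_at, mail_from, rcpt_to="mike@demolab.local"):
    """Start the fake on an ephemeral loopback port, probe it, tear it down."""
    srv = _Server(("127.0.0.1", 0), FakeExchange)
    srv.reject_at = reject_at
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return smtp_probe("127.0.0.1", srv.server_address[1], mail_from, rcpt_to)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for behaviour in ("MAIL FROM", "END OF DATA"):
        print(behaviour, "->", probe_fake_server(behaviour, "mike@demolab.local"))
    print("non-authoritative ->", probe_fake_server("END OF DATA", "someone@other.example"))
```

    Against a real server, call smtp_probe(host, 25, sender, recipient) from a host the connector treats as anonymous and compare the stage it reports with the transcript above. The probe speaks plain SMTP and never issues STARTTLS, so it does not exercise a TLS session; a connector that behaves differently for TLS clients needs a separate check.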
  • Thanks.

    Hmm, it seems I have to look somewhere else :-(

    Do you have one server with all roles on it? Did you enable anonymous permissions on the foo connector?

    What I have is an NLB in both cases; test lab and production, both of them do not work.


    Friday, April 20, 2012 5:41 PM
  • Yes, you are right, it works, but the difference is that in 2007

    the error comes right after the MAIL FROM: statement (so it does not accept DATA).

    In 2010 the 550 5.7.1 error message comes when you try to submit the message.

    2010 [screenshot]

    2007 [screenshot]

    • Edited by rpro1900 Friday, April 20, 2012 6:19 PM
    Friday, April 20, 2012 6:04 PM
  • Thank you very much for assisting.

    Friday, April 20, 2012 7:27 PM
  • As of this date, with SP3 and no rollups installed, it still does not work. This command seems only to remove the Anonymous permission group from the receive connector.

    Tested from an external source:

    TELNET <SERVER> 25

    SEND FROM:SOMEONE@<AUTHORITATIVE DOMAIN ON EXCHANGE>

    The response is OK...

    EDIT: Examination of the spoofed email header shows that this only happens with systems that connect via TLS!

    Thursday, November 14, 2013 1:17 PM
  • An SPF record has been set up. Split DNS is configured and internal and external SPF records have been created.

    Still receiving spoofed mails, via TLS only.


    Thursday, November 14, 2013 1:19 PM