Relaying problem

  • Question

  • Had a problem the other day with relaying on my new Exchange 2010 build.  We have some "secondary" domains for which we need to receive email.  We thus have accounts and distribution groups configured with addresses like support@primarydomain.com & support@secondarydomain.com.  The issue I had was that email for the secondary domain was being rejected by the server as an attempt to relay, which is kind of understandable.  As an interim measure (I needed it working quickly), I used the info in this article to allow open relaying on the server:

    http://technet.microsoft.com/en-us/library/bb232021.aspx

    This is hardly ideal although I can get away with it at present as the server isn't directly internet-facing.  I do now have a couple of questions which I hope someone can answer:

    Q1: How can I do this "properly" - i.e. tell the server to accept email for the secondary domain(s)?

    Q2: How do I "undo" the shell command in the above article to once again disable open relaying?

    Thanks for any help :)

    Toby
    Sunday, May 30, 2010 11:46 AM

All replies

  • This is very dangerous and should be stopped directly.

    The only correct solution is to configure an accepted domain and create secondarydomain.com as an authoritative domain.

    http://technet.microsoft.com/en-us/library/bb124423.aspx

    2) Which PowerShell command did you run?



    Regards, Mahmoud Magdy. Watch Arabic Level 300 videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I and other MVPs post here: http://www.enowconsulting.com/ese/blog.asp Or follow my blog: http://busbar.blogspot.com or our corp blog: http://ingazat.wordpress.com and if you liked my post, please mark it as helpful and accept it as an answer.
    Sunday, May 30, 2010 12:31 PM
  • Thanks for the reply.

    I appreciate the dangers of open relays and that's why I want to configure it properly and remove this but, as I said, it's not actually a security issue at present as the SMTP server isn't internet-facing so nothing would ever get that far in the first place :)

    Thanks for the link, I'll have a read.

    As for the shell command, I used this one from the linked article to enable open relaying:

    Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    (Although I obviously substituted the name of my receive connector)

    Just wondering what the command was to "undo" this.


    Toby
    Sunday, May 30, 2010 12:43 PM
  • Well, yes, you are right, but an infected machine can cause damage.

    However, here is the cmdlet you can use to revert things:

    Get-ReceiveConnector "Anonymous Relay" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"


    Regards, Mahmoud Magdy. Watch Arabic Level 300 videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I and other MVPs post here: http://www.enowconsulting.com/ese/blog.asp Or follow my blog: http://busbar.blogspot.com or our corp blog: http://ingazat.wordpress.com and if you liked my post, please mark it as helpful and accept it as an answer.
    • Marked as answer by Allen Song Wednesday, June 2, 2010 2:01 AM
    Sunday, May 30, 2010 12:50 PM
  • Toby-

    Just remove the ACE using the command string posted in the thread and you'll be good as far as the receive connector goes. Just to be clear on these "secondary" domains - do other email systems also receive mail for them or will they be dedicated to Exchange?


    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Sunday, May 30, 2010 5:36 PM
  • The domains are solely there as "aliases" for our primary domain for marketing reasons.  All email for them is directed solely at this Exchange server.
    Toby
    Monday, May 31, 2010 4:10 PM
  • Hi,

    Please create the secondary domain as an authoritative domain to work around this issue.

    Thanks

    Allen

    Tuesday, June 1, 2010 7:28 AM
  • Thanks all, I've now "undone" the previous setting and thus closed the open relay and added the secondary domains (we have a few) as authoritative additional domains and all is working well :)
    Toby
    Tuesday, June 1, 2010 8:09 AM
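The full resolution the thread arrives at (find and remove the anonymous accept-any-recipient ACE, then add the secondary domain as an authoritative accepted domain), as an added Exchange Management Shell example that is not code from the thread or from Microsoft. It assumes Exchange 2010 cmdlets; the connector name and domain name are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Placeholders: substitute your own receive connector name and alias domain.
$ConnectorName   = "Anonymous Relay"
$SecondaryDomain = "secondarydomain.com"

# 1. Detect: list every receive connector that grants ANONYMOUS LOGON the
#    Ms-Exch-SMTP-Accept-Any-Recipient extended right, i.e. an open relay.
$openRelayAces = Get-ReceiveConnector |
    Get-ADPermission |
    Where-Object {
        -not $_.Deny -and
        $_.User -like "*ANONYMOUS LOGON*" -and
        $_.ExtendedRights -like "*Ms-Exch-SMTP-Accept-Any-Recipient*"
    }

if ($openRelayAces) {
    Write-Warning "Anonymous accept-any-recipient ACEs found:"
    $openRelayAces | Format-Table Identity, User, ExtendedRights -AutoSize
}

# 2. Revert: remove the ACE from the named connector (the same cmdlet the
#    thread gives; confirmation prompt left at its default).
Get-ReceiveConnector $ConnectorName |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
                        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Fix properly: register the secondary domain as an authoritative accepted
#    domain so transport accepts mail for it with no relay permission at all.
$alreadyAccepted = Get-AcceptedDomain |
    Where-Object { $_.DomainName -eq $SecondaryDomain }

if (-not $alreadyAccepted) {
    New-AcceptedDomain -Name $SecondaryDomain `
                       -DomainName $SecondaryDomain `
                       -DomainType Authoritative
}

# 4. Verify: the domain is listed as Authoritative and no anonymous
#    accept-any-recipient ACE remains on the connector.
Get-AcceptedDomain $SecondaryDomain | Format-Table Name, DomainName, DomainType
Get-ReceiveConnector $ConnectorName |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Select-Object Identity, ExtendedRights, Deny
```

Step 1 is worth keeping as a periodic check on its own: the relay right can be granted on any connector, not only the one you remember changing.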