How can I disable SMTP HELO in Exchange 2016?


  • Greetings,

    In my environment, I have an Exchange Server 2016 that has the default receive connectors, which are:

    Client Frontend (Server-name): it uses port 587

    Client Proxy (Server-name): it uses port 465

    Default (Server-name): it uses port 2525

    Default Frontend (Server-name): it uses port 25

    Outbound Proxy Frontend (Server-name): it uses port 717

    The SMTP HELO is open and everyone can send mail to all Active Directory users without authentication, or even use an email address which is not in the Exchange mailboxes to send mail, so it can be an internal spoofing vulnerability.

    So I googled it and found a solution saying to create a new rule, which will be frontend, then add the IPs that you want to receive from internally.

    Uncheck the anonymous user from the Default Frontend (Server-name), which uses port 25,

    and check it in the newly created rule.

    When I do that, yes, it worked, but I can't receive any outside mail with this scenario, and if I keep the anonymous user in the default rule along with the newly created rule, it allows the SMTP HELO as if I didn't have any created rule.

    So my question is simple: how can I prevent the SMTP HELO from internal and still receive mail from outside as normal?



    Monday, May 14, 2018 5:31 AM

All replies

  • First, understand that if you're receiving mail from the Internet, anyone on the Internet can send mail to any recipient in your organization without authenticating, so why is it so important that your internal users authenticate?

    If this is still important to you, and if you have your inbound mail passing through a message hygiene appliance, server or service, or if you have an SMTP relay for inbound mail, then follow these steps.

    Create a new receive connector bound to TCP port 25 with -PermissionGroups set to AnonymousUsers, and the -RemoteIPRanges set to the IP addresses of the SMTP relay servers handling inbound Internet mail.

    Remove AnonymousUsers from the -PermissionGroups property of the default frontend connector (TCP port 25).

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, May 14, 2018 6:15 AM
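    The two steps in the reply above, written out as Exchange Management Shell commands plus a check of the result. This is an added example, not code from the thread; the server name EX01, the connector name, and the relay addresses 192.0.2.10 and 192.0.2.11 are placeholders you must replace with your own.

```powershell
# Added example (not from the thread). EX01 and the relay IPs are placeholders;
# replace them with your server name and the addresses of the inbound relay /
# antispam appliance that actually hands Internet mail to Exchange.
$server   = "EX01"
$relayIPs = @("192.0.2.10", "192.0.2.11")   # assumed inbound relay addresses

# Step 1: a dedicated Frontend connector on TCP 25 that accepts anonymous
# (unauthenticated) mail only from the inbound relay addresses.
# Exchange selects the connector whose RemoteIPRanges match the sending host
# most specifically, so for the relay IPs this connector wins over the default.
New-ReceiveConnector -Name "Inbound Relay $server" `
    -Server $server `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $relayIPs `
    -PermissionGroups AnonymousUsers

# Step 2: drop AnonymousUsers from the default frontend connector, keeping only
# the groups it ships with for server-to-server traffic. Every other host that
# connects to port 25 now has to authenticate before it can submit mail.
Set-ReceiveConnector -Identity "$server\Default Frontend $server" `
    -PermissionGroups ExchangeServers, ExchangeLegacyServers

# Check: list each connector bound to port 25 with the IP ranges and permission
# groups it grants, to confirm that only the relay addresses are anonymous.
Get-ReceiveConnector -Server $server |
    Where-Object { $_.Bindings -match ":25$" } |
    Format-Table Name, RemoteIPRanges, PermissionGroups -AutoSize
```

    If external mail stops after step 2 (the symptom reported in the question), the hosts actually delivering that mail are not covered by $relayIPs, or mail is arriving straight from the Internet rather than through a relay, which these steps do not allow for.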
  • Hi,

    This is by design, and those connectors should not be edited. You can do this block on the firewall side. I guess your Exchange server is not exposed directly to the internet and gets email delivered from an antispam provider? Then you can change "Default Frontend (Server-name)" to only accept email from your spam provider.

    Then create a new connector for internal relay and only allow specific ips.

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Monday, May 14, 2018 6:49 AM
  • Greetings,

    Ed Crowley, this is exactly what I did, but when I do that my Exchange server stops receiving mail from outside (external).



    Tuesday, May 15, 2018 7:52 AM
  • Greetings,

    Off2work, yes, I have an IronPort antispam console, so I can try to do that and see.

    Regarding the point about the firewall, can you be more specific about how to control this through the firewall? I mean, which rule should I make: block SMTP, or what?



    Tuesday, May 15, 2018 9:27 AM