Exchange 2013 Spoof issue

    Question

  • Hello team,

    I have a request.

    I have a single Exchange 2013 with a front end Edge 2013.

    We have a company that we use for sending mass newsletters to our customers and internally.

    After migration I cannot send internally from their application/premises and the email is rejected as spoofed.

    Is there a way to permit spoofing only from their IPs?

    Thank you!

    Wednesday, December 7, 2016 2:02 PM

All replies

  • Hi

    Have you set up a mail relay? The application has no right to send mails if you don't have it. Change the RemoteIP range to the one that fits your environment.

    # Create the relay connector on the frontend transport, scoped to the sending IP range
    New-ReceiveConnector -Name 'Relay Connector' -RemoteIPRanges @('10.30.2.0-10.30.2.254') -Bindings @('0.0.0.0:25') -Usage 'Custom' -Server 'ExchangeServer.contoso.com' -TransportRole 'FrontendTransport'

    # Adjust the IP range and allow anonymous sessions on the connector
    Set-ReceiveConnector -RemoteIPRanges @('10.30.3.0-10.30.3.254') -Bindings @('0.0.0.0:25') -PermissionGroups 'AnonymousUsers' -Identity 'ExchangeServer\Relay Connector'

    # Allow anonymous senders on this connector to relay to any recipient
    Get-ReceiveConnector 'Relay Connector' | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

    # Tune throttling and timeouts for a bulk sender (identity is Server\ConnectorName)
    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -TarpitInterval 00:00:00

    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -ConnectionTimeout 00:30:00

    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -ConnectionInactivityTimeout 00:20:00

    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -MaxAcknowledgementDelay 00:00:00
    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -MaxInboundConnection 10000

    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -MaxInboundConnectionPercentagePerSource 100

    Set-ReceiveConnector -Identity 'ExchangeServer\Relay Connector' -MaxInboundConnectionPerSource unlimited

    Wednesday, December 7, 2016 2:09 PM
  • Yes, I have a relay connector.

    The emails are stuck in the edge due to spoofing protection... I believe any configuration must be done on the edge side.

    Wednesday, December 7, 2016 2:17 PM
  • Just to clarify. The application is internal. If you send the newsletter, the Exchange Server is accepting it and forwarding it to the edge server. On the Edge Server the outgoing mails get stuck? If so, create a connector that sends the mails directly out (not over the smart host); use DNS. What is the result?
    Wednesday, December 7, 2016 2:24 PM
  • No, the application is external. From external IPs we try to receive!
    Wednesday, December 7, 2016 2:26 PM
  • You should be able to whitelist the sending IP addresses; it's under the connection filtering. Here is a step by step:

    https://knowbe4.zendesk.com/hc/en-us/articles/218134997-Whitelisting-by-IP-Address-in-Exchange-2013-2016-or-Office-365

    Wednesday, December 7, 2016 2:32 PM
  • Although I have whitelisted it and restarted the transport service, nothing happens!
    Wednesday, December 7, 2016 2:33 PM
  • As an added note, I have a similar situation. You may have already added their server IP address to your SPF record; if you haven't, people who receive these emails may block them because the IP isn't included in the SPF record as being a legitimate sender of your emails.
    Wednesday, December 7, 2016 2:34 PM
  • So the company is sending with your domain address? You should set up SPF records in the public DNS. Can you post the exact error message from the NDR?
    Wednesday, December 7, 2016 2:36 PM
  • Hello Darren,

    Yes, I have set up the SPF and included the external IPs.

    Wednesday, December 7, 2016 2:37 PM
  • I will ask for the NDR because I cannot reproduce it now. The only thing I can find in my edge is DSN records.
    Wednesday, December 7, 2016 2:41 PM
  • On the edge server, did you run this cmdlet:

    Add-IPAllowListEntry -IPAddress 194.123.12.12 (IP address of the sending host). This must also be the address that you see in your NDR.

    Wednesday, December 7, 2016 2:44 PM
  • Yes, I did exactly that on the edge.

    The problem, I believe, is the rejected domains in edge. I have my SMTP added in there because I had many spams "originating" from my internal users!

    Wednesday, December 7, 2016 2:56 PM
  • What do you mean by spam from internal users? These mails are not routed over the edge server. If an external party is sending an email to your organisation with your domain, the mails will be rejected by the gateway anyway. There is no need to configure that manually. Only the company that is sending your newsletter should do that, because you whitelisted them.

    http://mhalqadi.com/wp/2013/11/04/prevent-annoying-spam-from-your-own-domain/

    Wednesday, December 7, 2016 3:33 PM
  • We received some spam spoofed emails. After corrections on the edge transport, the problem was solved. That is what I mean by internal accounts. It seemed it was internal accounts, but they were actually spam.

    Wednesday, December 7, 2016 3:54 PM
  • Hi,

    Glad to hear that the issue has been resolved.


    Best Regards,
    David Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Thursday, December 8, 2016 8:41 AM
    Moderator
  • No, actually the problem was not solved. The spoofed emails were solved, not the actual problem with the newsletters!
    Thursday, December 8, 2016 10:20 AM
  • Hi,

    I am a little confused about your description.

    Now you can receive the emails from their application and the email is not rejected as spoofed.

    What is your current issue?


    Best Regards,
    David Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 13, 2016 8:21 AM
    Moderator
  • Hello again, let me explain it again.

    We use an external application in order to send mass newsletters to many users. Let's say we are using in our Exchange an accepted domain, domain.gr.

    We would like to be able to use the same domain domain.gr from our external application.

    I cannot do it because I receive a sender blocked error from the external system.

    No emails are received from the external system. I have blocked the spoof through edge with the supported configuration. I would like to allow a certain sender and certain IPs to be able to spoof.

    Is there any suggestion about that?

    Thank you

    Tuesday, December 13, 2016 1:23 PM
  • Hi Panos

    I think your question was answered in this thread. Set the SPF record in your DNS. Here you use the name of the sending server. For example, the name is smtp.newsletter.com. You need to have in your PUBLIC DNS an entry like text = "v=spf1 a:smtp.newsletter.com ~all"

    If the sender has more than one sending server you need to add both:

    text = "v=spf1 a:smtp1.newsletter.com a:smtp2.newsletter.com ~all"

    Then you also add the IP addresses of the sending servers to the edge whitelist:

    Add-IPAllowListEntry -IPAddress 194.123.12.12 (IP address of the sending host -> smtp1.newsletter.com). This must also be the address that you see in your NDR.

    Tuesday, December 13, 2016 2:13 PM
  • Hello again,

    I have done both the SPF records and the edge allow IP!

    Tuesday, December 13, 2016 3:07 PM
  • Can you post the NDR?
    Tuesday, December 13, 2016 3:09 PM
  • Good evening,

    We've created a receive connector set to accept the IP addresses we want to permit relay from, and set the permissions as advised.

    To help with troubleshooting, we also removed our mail domain from BlockedDomainsAndSubdomains with Set-SenderFilterConfig -BlockedDomainsAndSubdomains @{Remove="emaildomainname"} and then disabled sender filtering altogether with Set-SenderFilterConfig -Enabled $false.

    The above actions changed the NDR output from "Sender Blocked" to "550 5.7.1 Anonymous client does not have permissions to send as this sender".

    We also have to add that this NDR appears only when we try to relay where the sender addresses are valid internal authoritative ones.

    When we try to relay from any other email address than the accepted domain has, even fake ones, the relay mail flow works perfectly.

    Please advise.
    Thursday, December 15, 2016 6:00 PM
  • The error message "550 5.7.1 Anonymous client does not have permissions to send as this sender" seems to indicate you need to check the receive connector.
    Follow the link to configure your connector:
    http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector/
    Tuesday, December 20, 2016 7:39 AM
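    As an added example (not from this thread or from any of its posters), assuming EX01 as the Mailbox server name, 'Newsletter Relay' as the connector name and 203.0.113.10/203.0.113.11 as the provider's sending addresses, this is the sequence I would use so that only those hosts can send as the accepted domain, followed by a check that the right the NDR names is actually present on the connector:

```powershell
# Added example; EX01, 'Newsletter Relay' and the 203.0.113.x addresses are placeholders.
$Server   = 'EX01'
$Name     = 'Newsletter Relay'
$Identity = "$Server\$Name"
# Only the provider's sending hosts, never a whole subnet: every address in
# this list may send as the authoritative domain without authenticating.
$Senders  = @('203.0.113.10', '203.0.113.11')

# 1. Dedicated frontend receive connector scoped to the provider's IPs.
#    Exchange picks the connector with the most specific RemoteIPRanges match,
#    so keep these addresses out of every other connector's range.
New-ReceiveConnector -Name $Name -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $Senders `
    -PermissionGroups AnonymousUsers

# 2. The right that "550 5.7.1 Anonymous client does not have permissions to
#    send as this sender" is asking for: grant it explicitly and verify it,
#    rather than assuming the AnonymousUsers group covered it.
Get-ReceiveConnector $Identity | Add-ADPermission `
    -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

# Accept-Any-Recipient is only needed if the provider must also relay to
# external recipients; for internal-only newsletters leave it out.
# Get-ReceiveConnector $Identity | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
#     -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 3. On the Edge Transport server, exempt the same hosts from connection filtering.
foreach ($ip in $Senders) { Add-IPAllowListEntry -IPAddress $ip }

# 4. Verify: the right is present (and not a Deny) and the range is exactly
#    the two provider hosts, nothing wider.
Get-ReceiveConnector $Identity | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*Accept-Authoritative-Domain-Sender*' } |
    Format-Table User, ExtendedRights, Deny -AutoSize
Get-ReceiveConnector $Identity | Format-List RemoteIPRanges, PermissionGroups
```

    Step 3 runs in the Edge server's Exchange Management Shell, the rest on the Mailbox server.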
  • Hello again,

    We have already completed the steps but nothing yet.

    Still the same error.

    Thursday, December 22, 2016 10:44 AM