Exchange 2016 - Default Receive Connectors Open Relay - Security ??

  • Question

  • Hello experts - 

    Let me explain: an Exchange 2016 server creates 5 default receive connectors after installation. One, named "Default Frontend <servername>", is ticked for Anonymous relay and accepts traffic on port 25. This is said to be used for receiving external emails, and that's why anonymous is required.


    This looks like a security risk, because anyone inside the company, or on the company network only, can use the server as an open SMTP relay. Imagine a situation where a hacker comes inside the office, finds a network cable and connects his personal hacking machine to the company network. He simply opens a telnet client and starts sending HELO mails, or even has an open tool to exploit and spam using the open relay server.

    What's the fix for such anonymous connections?

    I tested this from a network-connected, NOT authenticated machine, from which I was able to telnet to the server on port 25, and this was the result of HELO:

    1. Internal to Internal mails using the SMTP server open relay - worked (security risk)

    2. External to Internal mails using the SMTP server open relay - worked (security risk)

    3. External to External mails using the SMTP server open relay - says "Unable to relay recipient in non-accepted domain"

    4. Internal to External mails using the SMTP server open relay - says "Unable to relay recipient in non-accepted domain"

    Can someone help me with this please, because if this is the case then any application inside the company can send mails using the Exchange SMTP server without any authentication.

    PS: I have already tested by checking all the authentication options like Windows, Basic etc.

    Looking forward to your responses.

    Thanks


    GD

    Thursday, April 30, 2020 6:17 AM
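The four-way test GD describes, scripted so it can be repeated after any connector change. This is an added example, not code from the original post or from Microsoft; the server name, the two domain names and the probe mailbox names are placeholders to be replaced with your own. It speaks raw SMTP over TCP/25 with no authentication, exactly as the telnet test did, and reads the reply to RCPT TO, which is where Exchange distinguishes an accepted-domain recipient (2xx) from a relay attempt (550 5.7.54 "Unable to relay recipient in non-accepted domain").

```powershell
# Added example (not from the original post): probe an SMTP listener for the four
# relay cases from the question. All values below are assumptions/placeholders.
param(
    [string]$Server         = 'mail.example.internal',   # assumption: your Exchange server
    [int]   $Port           = 25,
    [string]$InternalDomain = 'example.com',             # assumption: an accepted domain
    [string]$ExternalDomain = 'outside.example.net'      # assumption: a domain you do NOT accept
)

function Invoke-SmtpProbe {
    param([string]$MailFrom, [string]$RcptTo)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    try {
        [void]$reader.ReadLine()                                   # 220 banner
        $writer.WriteLine('EHLO relaytest.local')
        # EHLO answers with "250-..." continuation lines and a final "250 ..." line
        while (($line = $reader.ReadLine()) -and $line[3] -eq '-') { }
        $writer.WriteLine("MAIL FROM:<$MailFrom>")
        $mailResp = $reader.ReadLine()
        $writer.WriteLine("RCPT TO:<$RcptTo>")
        $rcptResp = $reader.ReadLine()                             # the decisive reply
        $writer.WriteLine('RSET'); [void]$reader.ReadLine()
        $writer.WriteLine('QUIT')                                  # nothing is ever sent
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        From     = $MailFrom
        To       = $RcptTo
        MailFrom = $mailResp
        RcptTo   = $rcptResp
        Accepted = ($rcptResp -match '^2\d\d')
    }
}

# The four cases from the question; only the two "-> External" cases are relay attempts.
$cases = @(
    @{ Name = 'Internal -> Internal'; From = "probe@$InternalDomain"; To = "user@$InternalDomain" }
    @{ Name = 'External -> Internal'; From = "probe@$ExternalDomain"; To = "user@$InternalDomain" }
    @{ Name = 'External -> External'; From = "probe@$ExternalDomain"; To = "victim@$ExternalDomain" }
    @{ Name = 'Internal -> External'; From = "probe@$InternalDomain"; To = "victim@$ExternalDomain" }
)
foreach ($c in $cases) {
    $r = Invoke-SmtpProbe -MailFrom $c.From -RcptTo $c.To
    '{0,-22} RCPT TO => {1}' -f $c.Name, $r.RcptTo
    if ($c.Name -like '*-> External' -and $r.Accepted) {
        Write-Warning "$($c.Name): recipient outside accepted domains was accepted - this IS an open relay."
    }
}
```

Run it from a machine that is not an Exchange server and not on any connector's RemoteIPRanges allow-list; the connector that answers is chosen by source IP, so probing from the mail gateway or from another Exchange server tests a different connector than the one an intruder on a desk port would hit. Cases 1 and 2 returning 250 is expected: that is anonymous access to your own accepted domains, which is what receiving Internet mail requires.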

Answers

  • Anonymous access is not the same thing as anonymous relay.

    Your tests proved it is not an anonymous relay by default, so your server can't be used for that in the scenario you described.

    You have to allow anonymous access, otherwise you won't be able to receive messages from the internet.

    If you want to lock that down even further, then use an SMTP gateway and create a new receive connector that allows anonymous access permissions, and set the allowed remote IPs to that SMTP gateway.

    Then remove the allowed anonymous access permission on the default receive connector.

    Thursday, April 30, 2020 1:37 PM
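The lock-down Andy describes, as Exchange Management Shell commands. This is an added example and not the answer's own code; the server name EX01, the gateway address 10.0.0.25 and the connector name "Gateway Inbound" are placeholders. Step 3 is the check the thread's distinction turns on: a connector is an anonymous *relay* only when the anonymous logon holds the ms-Exch-SMTP-Accept-Any-Recipient extended right, which none of the default connectors grant.

```powershell
# Added example (not from the original answer). Placeholders: EX01, 10.0.0.25, 'Gateway Inbound'.
$Server      = 'EX01'
$GatewayIP   = '10.0.0.25'
$DefaultConn = "$Server\Default Frontend $Server"

# 1. A dedicated frontend connector on port 25 that accepts anonymous SMTP only from the gateway.
#    Exchange routes a session to the connector whose RemoteIPRanges matches the source most
#    specifically, so a single-host range here wins over the default 0.0.0.0-255.255.255.255.
New-ReceiveConnector -Name 'Gateway Inbound' -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $GatewayIP `
    -PermissionGroups AnonymousUsers

# 2. Remove AnonymousUsers from the default frontend connector, keeping the other groups it has.
$default = Get-ReceiveConnector -Identity $DefaultConn
$groups  = ($default.PermissionGroups.ToString() -split ',\s*') | Where-Object { $_ -ne 'AnonymousUsers' }
Set-ReceiveConnector -Identity $DefaultConn -PermissionGroups ($groups -join ',')

# 3. Audit for true anonymous relay: which connectors let ANONYMOUS LOGON accept any recipient?
#    An empty result means no connector on this server is an open relay.
Get-ReceiveConnector -Server $Server |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' } |
    Select-Object Identity, ExtendedRights

# 4. Confirm the end state.
Get-ReceiveConnector -Server $Server |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

Two caveats before running step 2 in production: anything on the LAN that drops mail anonymously on port 25 today (printers, monitoring, line-of-business apps) will start getting 5.7.1 "Client was not authenticated" afterwards and needs either an authenticated submission on 587 or its own IP-scoped connector like the gateway one; and if the gateway is not yet sending through a connector that still allows anonymous access, inbound Internet mail stops, which is the mail-flow breakage Joyce warns about below.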

All replies

  • Hi,

    Agree with Andy. Here is also a related thread that discussed this issue: Exchange allows anonymous internal relay by default, is that best practice?

    As long as you have a custom connector for the mail gateway (or your gateway authenticates), you should be fine. If you don't have a connector for the gateway, or if it is relaying through the default connector anonymously, you will break your mail flow.

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards, 

    Joyce Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Friday, May 1, 2020 7:26 AM
  • Hi,

    Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make searching for answers in the forum easier and be beneficial to other community members as well.

    Regards,

    Joyce Shen


    Thursday, May 7, 2020 1:21 AM