none
Server is relaying (without permission) - why?

    Question

  • Hi

    We have a server that is able to relay Email, even it or its subnet is NOT in the 'allow to relay' lists, on any of the receive connectors

    How it is that possible?

    Thanks,

    /Peter

    Wednesday, January 17, 2018 11:05 AM

Answers

All replies

  • "Relay" means accept mail for recipients and/or domains not in your organization and forward it on to the next hop.  "Accept" or "Submit" means accept mail for your own domain.  Do you really mean "relay"?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, January 18, 2018 1:41 AM
    Moderator
  • Hi,

    Thanks for contacting our forum.

    Please check the "relay" messages from where, we can check the message tracking log to see the "source server".

    Just verify the messages from internal or external, which connector has been used via checking the SMTP log.

    Check if it's spoofing emails from internal or external.

    Then we can add/remove the extended permission of the receive connector to control them.

    Refer to: https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx

    Hope it helps.

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Thursday, January 18, 2018 3:07 AM
    Moderator
  • Hi
    The server(unix) that is "the problem" is on another subnet of the Exchange(2013 - CU17) DAG-cluster. When we are using a smtp-client to send an email from an internal domain-emailaddress to an external address, we do not get an "unable to relay message from the Exchange server", and the external receipient is receiving the message successfully.
    We have checked all the receive connectors, and the unix-server ipaddress is not in any of them
    The tracking logs says:

    if we do:   Get-ReceiveConnector |Get-ADPermission -User "<user that sent the message>", we get no hit
    if we check permissions on all receive -connectors, the list is very long, but for the anonymous connector these rights are set:

    ( NT-AUTORITÄT\ANONYMOUS-ANMELDUNG = NT AUTHORITY\ANONYMOUS LOGON)

    The SMTP-logs (Receive and Send) are in Verbose-logging mode, and is too long to paste in here.

    We identified the receive-connector which is the 'ExchServer\default Exchserver'  (real name replaced by 'ExchServer'), which has 229 userspermissions assigned to it .

    Some "Deny=true, Inherited=true", some "Deny=false/Inherited=true" or "deny=false/inherited=false"

    How should we troubleshoot further to be able to figure out which one casuing the problem?


      

    • Edited by Peter_Moe Thursday, January 18, 2018 2:45 PM
    Thursday, January 18, 2018 1:58 PM
  • First, please understand that transport has nothing to do with the DAG or cluster.

    If your default receive connector is configured to allow relay, you can disable that.  If the normal mechanism was used to allow open relay, then this command should close that.

    Get-ReceiveConnector | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Here's the documentation for allowing anonymous relay.

    https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx

    If my command doesn't work, here's some more help.

    http://lukastechblog.blogspot.com/2011/12/remove-receive-connector-permissions.html


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by Peter_Moe Friday, January 19, 2018 9:02 AM
    Thursday, January 18, 2018 8:26 PM
    Moderator
  • Hi Peter

    Run the following command to identify all receive connectors that have external relaying enabled for Anonymous:

    get-receiveconnector | get-adpermission | select identity,user,extendedrights,Deny | where {$_.extendedrights -like "Ms-Exch-SMTP-Accept-Any-Recipient" -AND $_.User -like "NT AUTHORITY\ANONYMOUS LOGON"}

    Hope that helps.

    Regards
    Pano


    Pano Boschung, PageUp AG

    Thursday, January 18, 2018 8:37 PM
  • Hi Pano/Ed

    Thanks for the support:-)

    We were able to solve the issue by removing the "Ms-Exch-SMTP-Accept-Any-Recipient" for "NT AUTHORITY\ANONYMOUS LOGON" on all receive-connectors, beside the anonymous relays


    • Edited by Peter_Moe Friday, January 19, 2018 9:04 AM
    Friday, January 19, 2018 7:26 AM
  • Hi Pano/Ed

    Pano, we get hit on three connectors using your script.

    1)

    I'm curious, does this "Ms-Exch-SMTP-Accept-Any-Recipient" permission, allow a server to send messages through a Exchange-server, even if the server-ip is not listed in the allow-list in the connector?

    Hi Peter

    If one of these three connectors is the default receive connector, then yes.

    Regards
    Pano


    Pano Boschung, PageUp AG

    Friday, January 19, 2018 8:53 AM
  • You're welcome.  Happy to have helped.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, January 19, 2018 5:57 PM
    Moderator