Restrict Exchange 2007 SMTP

  • Question

  • I have configured SMTP on my Exchange server and I only accept authenticated users. The problem is that once authenticated they can specify any email address of the organization in the From address. Is there a way to restrict that once the user has been authenticated, he is only allowed to send an email with his personal email ID? I want to avoid users sending mail using other email IDs.

    My receive connectors allow any authenticated user to send emails, but as far as I understand they do not check that the authenticated user is sending from its associated email address.

    The problem with this is that users can send mails in the name of other users using SMTP.

    Is it possible to resolve this problem using transport rules? How can I prevent this?

    Thanks in advance!


    Albert

    Tuesday, March 27, 2012 8:11 AM

All replies

  • On Tue, 27 Mar 2012 08:11:40 +0000, AlbertoGML wrote:
     
    >
    >
    >I have configured SMTP on my Exchange server and I only accept authenticated users. The problem is that once authenticated they can specify any email address of the organization in the From address. Is there a way to restrict that once the user has been authenticated, he is only allowed to send an email with his personal email ID? I want to avoid users sending mail using other email IDs.
     
    Are you sure that those users don't have "Send As" permission on
    other AD User objects?
     
     
    >
    >My receive connectors allow any authenticated user to send emails, but as far as I understand they do not check that the authenticated user is sending from its associated email address.
    >
    >The problem with this is that users can send mails in the name of other users using SMTP.
    >
    >Is it possible to resolve this problem using transport rules? How can I prevent this?
    >
    >Thanks in advance!
    >
    >Albert
    >
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, March 27, 2012 9:30 PM
  • Hi rich,

    I am completely sure; nevertheless, I thought this permission does not apply to the SMTP protocol under Exchange...

    If you try to send an email using other credentials from Outlook connecting directly to Exchange it is not possible, but you can do it using SMTP...

    Do you know how to restrict this under this protocol?

    Thanks in advance!

    Wednesday, March 28, 2012 8:55 AM
  • hi,

    Sorry, I don't know what you mean by "using SMTP". Please tell me more about it.

    Hope this can help you.

    thanks,


    CastinLu

    TechNet Community Support


    • Edited by Castinlu Thursday, March 29, 2012 3:14 AM
    Thursday, March 29, 2012 2:58 AM
  • Hi Castinlu,

    We have configured the POP3 and SMTP services in Exchange 2007 so external users can use those protocols to send and receive emails.

    As far as I know these protocols are configured using a receive connector that allows authenticated users to send emails.

    In this way you avoid relaying through our server, because you force every user to authenticate to the SMTP server before sending any email.

    The problem is that once the user has been authenticated he is allowed to specify any email address of the organization in the From field.

    So I do not know how to restrict the authenticated user to sending only with his associated email address.

    At the moment any authenticated user can send emails using other From addresses, and I would like to prevent this.

    I hope I have been able to explain correctly, nevertheless if you have any doubts please do not hesitate to ask me again.

    Thank you very much for your help!

    Albert

    Thursday, March 29, 2012 9:21 AM
  • Client SMTP receive, if configured properly, does not allow impersonation.  In fact, the default client SMTP receive connector is configured out of the box to not allow this.  There is a way to test it with telnet SMTP commands.

    Telnet <HUB/ReceiveConnector> 25

    HELO or EHLO

    AUTH LOGIN

    <At this point, you will need to BASE64 encode your email address/login, paste that in, then BASE64 encode your password, and paste that in, you should get a 235 Authenticated>

    At this point you are connected and authenticated, now you can try

    MAIL FROM: <youremailaddress>

    It should respond Sender OK.

    Now try

    MAIL FROM: <Someoneelsesemailaddress>

    You should get 5.7.1 Client does not have permission to send as this sender

    If this is what you receive, the users cannot send as other users, just themselves.  If they can send as other users, I would check the receive connector and ensure that the following are checked under Authentication:

    TLS

    Basic Authentication

    Offer Basic authentication only after starting TLS

    Integrated Windows Authentication

    And under the Permission Groups:

    Exchange Users

    Have you granted any special Mailbox or AD permissions to anyone?

    • Marked as answer by Zi Feng Tuesday, April 3, 2012 6:21 AM
    Thursday, March 29, 2012 8:28 PM
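The telnet check in the answer above, automated, as an added example that is not part of the original thread (Python written for this page, not Exchange's or the poster's code). send_as_check performs the same steps (EHLO, optional STARTTLS, AUTH LOGIN with base64-encoded username and password, then one MAIL FROM per candidate address) and returns the reply code for each address; against a real Hub Transport server you would call it with the server name, port 25, and a real account, with starttls=True because the Client connector offers Basic authentication only after TLS. So that it also runs offline, the block includes a constructed fake receive connector (FakeConnectorHandler, with made-up accounts albert and bob at example.com) that applies the rule described in this thread: an authenticated session may send only as its own address, and an anonymous session may send as an address that does not exist locally but not as an existing user. The host names, accounts and the wording of the replies are assumptions modelled on the thread.

```python
import base64, smtplib, socketserver, ssl, threading

# Constructed accounts for the offline fake connector: login -> (address, password).
FAKE_USERS = {"albert": ("albert@example.com", "albert-pw"), "bob": ("bob@example.com", "bob-pw")}
FAKE_LOCAL = {addr for addr, _ in FAKE_USERS.values()}


class FakeConnectorHandler(socketserver.StreamRequestHandler):
    # Fake receive connector with the rule described in the thread: an authenticated
    # session may MAIL FROM only its own address; an anonymous session may use an
    # address that is not an existing local user, but may not impersonate one.

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def b64_line(self):                  # AUTH LOGIN answers arrive base64-encoded, one per line
        return base64.b64decode(self.rfile.readline().strip()).decode("ascii", "replace")

    def handle(self):
        auth_user = None
        self.reply("220 hub.example.com ESMTP (constructed test server)")
        while True:
            line = self.rfile.readline().decode("ascii", "replace").strip()
            if not line:
                return
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250-hub.example.com\r\n250 AUTH LOGIN")
            elif verb == "AUTH" and arg.upper() == "LOGIN":
                self.reply("334 " + base64.b64encode(b"Username:").decode())
                user = self.b64_line()
                self.reply("334 " + base64.b64encode(b"Password:").decode())
                ok = FAKE_USERS.get(user, (None, None))[1] == self.b64_line()
                auth_user = user if ok else None
                self.reply("235 2.7.0 Authentication successful" if ok
                           else "535 5.7.3 Authentication unsuccessful")
            elif verb == "MAIL":
                sender = arg.split(":", 1)[-1].strip().strip("<>").lower()
                allowed = sender == FAKE_USERS[auth_user][0] if auth_user else sender not in FAKE_LOCAL
                self.reply("250 2.1.0 Sender OK" if allowed else
                           "550 5.7.1 Client does not have permission to send as this sender")
            elif verb == "RSET":
                self.reply("250 2.0.0 Resetting")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.2 Unrecognized command")


def send_as_check(host, port, senders, user=None, password=None, starttls=False):
    """Return {address: MAIL FROM reply code}. Same steps as the telnet test: EHLO,
    optional STARTTLS, AUTH LOGIN with base64 username and password, then one
    MAIL FROM per candidate address (RSET in between). 250 = sender accepted."""
    s = smtplib.SMTP(host, port, local_hostname="probe.example.com", timeout=10)  # reads 220
    try:
        s.ehlo()
        if starttls:  # real Client connectors offer Basic auth only after TLS; cert is verified
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
        if user is not None:
            code, _ = s.docmd("AUTH", "LOGIN")
            for secret in (user, password):          # answer each 334 challenge in base64
                if code == 334:
                    code, _ = s.docmd(base64.b64encode(secret.encode()).decode())
            if code != 235:
                raise RuntimeError("authentication failed for %s" % user)
        results = {}
        for addr in senders:
            results[addr] = s.docmd("MAIL", "FROM:<%s>" % addr)[0]
            s.docmd("RSET")                           # fresh envelope for the next candidate
        return results
    finally:
        s.quit()


def run_demo():
    """Offline run against the fake connector: one session authenticated as albert,
    one anonymous. For the real test, call send_as_check with your HUB server."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeConnectorHandler)
    server.daemon_threads = True
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"authenticated": send_as_check(host, port, ("albert@example.com", "bob@example.com"),
                                               user="albert", password="albert-pw"),
                "anonymous": send_as_check(host, port, ("bob@example.com", "nobody@elsewhere.example"))}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for session, codes in run_demo().items():
        for addr, code in codes.items():
            print("%-13s MAIL FROM:<%s> -> %d" % (session, addr, code))
```

The secure result is a 550 5.7.1 for every address except the authenticated user's own; a 250 for someone else's address means that session can impersonate that user, and, as the answer suggests, the connector's authentication settings and permission groups, and any Send As rights granted to the account, are where to look next.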
  • Thank you Russ, I think that is our problem, as I have anonymous users enabled on the default receive connector.

    Nevertheless, I am not sure if I can remove it, as our provider uses this connector to deliver email to us.

    I will check and let you know.

    Thanks for your help

    Tuesday, April 3, 2012 11:45 AM
  • >Thank you Russ, I think that is our problem, as I have anonymous users enabled on the default receive connector.
    >
    >Nevertheless, I am not sure if I can remove it, as our provider uses this connector to deliver email to us.
    >
    >I will check and let you know.
    >
    >Thanks for your help

    You can create a new receive connector for that specific purpose and only allow your provider's IP addresses access to that connector.  By default, there are two connectors:

    Client <SERVER>

    Default <SERVER>

    The Client RC is for clients and by default is set up for authentication.

    The Default RC is set up to allow remote systems to send email through with less restriction (anonymous is enabled).  This one would be the ideal one to use for your provider, as I cannot think of a case where you would want your provider to impersonate your users. It still sounds like you have some permissions out of whack, since the anonymous user does not allow impersonation: it allows a sender to send as a user that does not exist, but not as another user that exists on the system.

    Tuesday, April 3, 2012 5:11 PM
  • Hi Russ,

    Thanks again for your reply.

    Do you know if any configuration setting on the receive connector allows impersonation?

    I also have Exchange Servers, Legacy Exchange Servers and Exchange Users.

    Maybe the problem is that I allow any Exchange user to send mail on behalf of other users...

    For remote IP addresses I have all addresses; could that be the problem?

    Thanks again

    Tuesday, April 10, 2012 12:52 PM