securing email relay for other servers

  • Hi there,

    Server: EXCHANGE 2010

    I know there are a lot of postings on this thing but I can't seem to get my head around it.
    At the moment we have 2 copiers that were set up to be able to send scans to internal users without authentication.
    By default the existing Default SERVER_NAME receive connector allows this.

    Then we created a new receive connector (limited to certain IPs of course) to allow those machines to send email to external email addresses, as advised on numerous posts on the internet, with the following settings:
    Authentication tab: TLS and Externally Secured
    Permission Group tab: Exchange Servers

    Now, I was thinking of securing it further.

    How do I modify the receive connector so we have to provide authentication (using one of the domain accounts) when sending email from those copiers?

     

    thank you for the advice.

     

    Regards,
    Ap


    Andrew P.
    Friday, September 9, 2011 6:18 AM

All replies

  • On Fri, 9 Sep 2011 06:18:16 +0000, p.andrew wrote:
     
    >
    >
    >Hi there,
    >
    >Server: EXCHANGE 2010
    >
    >I know there are a lot of postings on this thing but I can't seem to get my head around it. At the moment we have 2 copiers that were set up to be able to send scans to internal users without authentication. By default the existing Default SERVER_NAME receive connector allows this.
    >
    >Then we created a new receive connector (limited to certain IPs of course) to allow those machines to send email to external email addresses, as advised on numerous posts on the internet, with the following settings: Authentication tab: TLS and Externally Secured Permission Group tab: Exchange Servers Now, I was thinking of securing it further.
    >
    >How do I modify the receive connector so we have to provide authentication (using one of the domain accounts) when sending email from those copiers?
     
    Remove "Anonymous users" from the "Permission groups" tab on the
    receive connector's property page.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Saturday, September 10, 2011 12:39 AM
  • Just thinking out loud with my fingers....

    From a security perspective, doing that could be more of a security risk than not doing it.  Now you've stored a set of valid (and probably non-expiring) network credentials on a device that may not be storing them securely, and may be accessible by anyone with physical access to the machine.

    Can they do more damage from that port with no credentials than they can from any port with that set of credentials?


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    Saturday, September 10, 2011 1:52 AM
  • @Rich
    The new Receive Connector I've created has no Anonymous Users selected.

    @mjolinor
    I'm aware of the security credential on the device itself, but the reason why I'm considering putting an extra security layer on it is that people can just unplug the copier, configure their machine with its static IP, and start spamming from the inside.
    Unless you have a suggestion on how to tackle this possibility?


    Andrew P.
    Monday, September 12, 2011 12:48 AM
  • I don't have any Exchange connectors configured for that (I use Ironport appliances for internal smtp relay).  If I had to do it on the Exchange server, I think I would :

    Create one or more dedicated receive connectors just for internal relay. They get their own static DNS entries, and the MFDs are configured to use DNS whenever the option is available. 

    Set up a transport rule that bounces anything from those connectors addressed to an external recipient. If they want to scan and email outside the company, they have to email it to an Exchange recipient, and they'll have to forward it. 

    Use a standard naming convention for the From: addresses on the MFDs, and use a transport rule to require that email from those connectors has to match that pattern.

    That won't stop somebody from plugging into that port and using it to send spam, but it will limit them to only sending it to internal people, and force them to advertise that they're probably using an MFD port to do it.


    Monday, September 12, 2011 1:52 AM
  • On Mon, 12 Sep 2011 00:48:07 +0000, p.andrew wrote:
     
    >@Rich The new Receive Connector I've created has no Anonymous Users selected.
     
    Then only authenticated sessions will be allowed. So you shouldn't be
    accepting anything from any connection that doesn't authenticate. If
    you've already done that, why ask the question about how to do it?
     
    >@mjolinor I'm aware of the security credential on the device itself, but the reason why I'm considering putting an extra security layer on it is that people can just unplug the copier, configure their machine with its static IP, and start spamming from the inside. Unless you have a suggestion on how to tackle this possibility?
     
    So now all they have to do is NOT change their IP address and just use
    a credential they know will work -- it doesn't have to be theirs.
     
    If you're that worried about a problem like that then you have problem
    that's never really going to be solved unless you have a few very
    public firings. You do have an e-mail policy that HR and management's
    behind, right? Make sure they enforce it.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Monday, September 12, 2011 2:18 AM
  • On Mon, 12 Sep 2011 01:52:09 +0000, mjolinor wrote:
     
    >
    >
    >I don't have any Exchange connectors configured for that (I use Ironport appliances for internal smtp relay). If I had to do it on the Exchange server, I think I would :
    >
    >Create one or more dedicated receive connectors just for internal relay. They get their own static DNS entries, and the MFDs are configured to use DNS whenever the option is available.
    >
    >Set up a transport rule that bounces anything from those connectors addressed to an external recipient.
     
    No need for a transport rule. Just don't allow anonymous senders to
    relay to anything except addresses in your own domain on that receive
    connector.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Monday, September 12, 2011 2:21 AM
    On your reply:
     
    >Then only authenticated sessions will be allowed. So you shouldn't be
    >accepting anything from any connection that doesn't authenticate. If
    >you've already done that, why ask the question about how to do it?
     
    I tried to set up the copier to use authentication (put in the domain username+password, use TLS, etc.) but it never really worked.
    It can only send email when it has no authentication defined.


    Andrew P.
    Monday, September 12, 2011 2:30 AM
  • On Mon, 12 Sep 2011 02:30:10 +0000, p.andrew wrote:
     
    >On your reply: Then only authenticated sessions will be allowed. So you shouldn't be accepting anything from any connection that doesn't authenticate. If you've already done that, why ask the question about how to do it? I tried to set up the copier to use authentication (put in the domain username+password, use TLS, etc.) but it never really worked. It can only send email when it has no authentication defined.
     
    It would have been helpful if you'd said that before.
     
    So right now you're left with setting up another receive connector,
    restricting it to allow connections only from specific IP addresses
    (or ranges of addresses).
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Monday, September 12, 2011 3:26 AM
    >On Mon, 12 Sep 2011 01:52:09 +0000, mjolinor wrote:
    >
    >No need for a transport rule. Just don't allow anonymous senders to
    >relay to anything except addresses in your own domain on that receive
    >connector.
    >
    >---
    >Rich Matheisen
    >MCSE+I, Exchange MVP

    Understood. 

    I also have to do anonymous relay for other systems, so I probably wouldn't use that.  I would keep them on their own connector, and probably have another set of transport rules for them to handle things like disclaimers. 

    As I said earlier, I use an Ironport MTA for internal mail relay (it is a much better mail router than an Exchange Hub Transport server, IMHO).  I'm just describing how I'd approach doing it on Exchange in my environment.  I'm not using any Exchange connectors in that configuration, so there may be unintended consequences I haven't thought of.


    Monday, September 12, 2011 3:35 AM
  • I thought I've mentioned this on my original post ... my bad.

    Anyway, I've set up the new receive connectors with the following settings:
    Authentication tab: TLS and Externally Secured
    Permission Group tab: Exchange Servers
    Limited to the device IP address.

    The Default server_name Receive Connector remains unchanged.

    Using only the default will only allow me to send email to internal recipients.
    Enabling the new receive connector allows me to send email to external recipients.
    This still needs the device to provide NO authentication.


    Andrew P.
    Monday, September 12, 2011 4:00 AM
  • On Mon, 12 Sep 2011 03:35:16 +0000, mjolinor wrote:
     
    >On Mon, 12 Sep 2011 01:52:09 +0000, mjolinor wrote: No need for a transport rule. Just don't allow anonymous senders to relay to anything except addresses in your own domain on that receive connector. --- Rich Matheisen MCSE+I, Exchange MVP
    >--- Rich Matheisen MCSE+I, Exchange MVP
    >
    >Understood.
    >
    >I also have to do anonymous relay for other systems, so I probably wouldn't use that.
     
    I use two additional receive connectors. Both are restricted by IP
    address, but only one allows anonymous connections to send to domains
    other than those in the set of accepted domains.
     
    >I would keep them on their own connector, and probably have another set of transport rules for them to handle things like disclaimers.
     
    >As I said earlier, I use an Ironport MTA for internal mail relay (it is a much better mail router than an Exchange Hub Transport server, IMHO).
     
    No argument. I left behind a pair of IronMail machines when we were
    acquired by another company. I miss them. Boy, do I miss them.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Monday, September 12, 2011 9:47 PM
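The two-connector layout Rich describes (both IP-restricted, only one allowed to relay outside the accepted domains), written out as Exchange Management Shell commands with an audit check at the end. This is an added example, not commands from any post in this thread; the server name HUB01 and the 10.0.5.x addresses are placeholders.

```powershell
# Added example (not from any post in this thread): Exchange Management Shell
# commands for the two-connector layout described above, plus an audit check.
# Assumed placeholders: server HUB01, copier IPs 10.0.5.21 and 10.0.5.22, and
# one host 10.0.5.30 that genuinely needs to relay to external recipients.
# Connectors sharing a binding on the same server must not overlap in
# RemoteIPRanges; Exchange picks the connector with the most specific match.

# 1. Internal-only connector for the copiers. Anonymous senders here may
#    deliver only to recipients in the accepted domains; relaying to any
#    external address is refused by the server, no transport rule needed.
New-ReceiveConnector -Name "MFD Internal Only" -Server HUB01 -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.5.21,10.0.5.22 `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Relay connector for the single host that must reach external recipients.
#    Still anonymous and still IP-restricted, but it gets only the one extended
#    right that permits relaying, rather than the far broader "Externally
#    Secured" + "Exchange Servers" combination from the original question,
#    which makes every session from those IPs look like a trusted Exchange server.
New-ReceiveConnector -Name "Anonymous Relay" -Server HUB01 -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.5.30 `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers
Get-ReceiveConnector "HUB01\Anonymous Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Audit check: list every receive connector on which anonymous sessions may
#    relay anywhere, together with the IP ranges gating it. Any entry with a
#    wide RemoteIPRanges is effectively an open relay inside the network.
function Get-AnonymousRelayConnector {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $relay = $rc | Get-ADPermission | Where-Object {
            $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny -and
            ($_.ExtendedRights -join ",") -match "Accept-Any-Recipient"
        }
        if ($relay) {
            [pscustomobject]@{
                Connector      = $rc.Identity
                RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
                AuthMechanism  = $rc.AuthMechanism
            }
        }
    }
}
Get-AnonymousRelayConnector | Format-Table -AutoSize
```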