How to stop anonymous relay sending email to outside domains in Exchange 2013

    Question

  • Hi Experts,

    We are running exchange 2013 in Hybrid with office 365

    We have internal applications which are required to send email without authentication, like printers, some apps, etc.

    So we created a receive connector and allowed only the HLB virtual IP (created for relay) in the connector, selecting the Anonymous permission group.

    Now there is an app which is sending email to outside domains, which may cause issues.

    How do I block these anonymous emails sending outside but allow internally


    Manju Gowda

    Tuesday, September 20, 2016 4:30 AM

Answers

All replies

  • Create a receive connector and restrict the IP addresses that can send to it to the systems that need to relay (RemoteIPRanges), and configure it to allow relay.  Don't mess with the default receive connector for this.  You probably can't go through a hardware load balancer because it's unlikely that it'll preserve the source IP address, so point the application server directly to the computer by a CNAME or A DNS record so you can change it quickly if the server goes down.

    https://technet.microsoft.com/en-us/library/bb125139(v=exchg.150).aspx

    http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector/

    http://www.shudnow.net/2013/06/04/how-anonymous-relay-works-in-exchange-2013/

    Disable anonymous relay on all other connectors by removing the ms-Exch-SMTP-Accept-Any-Recipient right.

    Consider working with the application to authenticate and use TCP port 587 instead if you don't want to have to configure relay.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Wednesday, September 21, 2016 12:39 AM
    Moderator
  • Thanks Ed.

    We use authenticated email triggering for all apps that support it. But some apps and devices do not support this, hence we use anonymous relay.

    As you mentioned, I already have a connector "Internal App Relay".

    But using this connector the emails are triggered to outside domain

    I want to stop this.

    I have to allow only relay inside domain

    How to achieve this?


    Regards, Manju Gowda

    Wednesday, September 21, 2016 3:54 AM
  • Remove the relay permission.  See the links I gave you.

    You probably don't need an "Internal App Relay" connector at all if you don't want anything to relay.  Your default receive connector should allow submission to internal addresses.  Therefore, you can probably delete the "Internal App Relay" connector or just remove the application server's SMTP address from RemoteIPRanges property, if that's how you have it configured.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, September 21, 2016 10:28 PM
    Moderator
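The procedure Ed describes in his two replies (audit which connectors grant anonymous relay, strip the ms-Exch-SMTP-Accept-Any-Recipient right from the "Internal App Relay" connector so it can only deliver to accepted domains, tighten RemoteIPRanges to the real application hosts, and give any host that genuinely must relay outbound its own tightly scoped connector), as an added Exchange Management Shell example. This is not code from the thread or from Microsoft; the server name EX01, the application host addresses 10.10.5.20, 10.10.5.21 and 10.10.5.30, and the connector name "Outbound Relay - appX" are assumptions chosen for illustration. Only "Internal App Relay" comes from the thread.

```powershell
# Added example, not from the original thread.
# Run in the Exchange Management Shell on Exchange 2013 with Organization Management rights.
$Server    = "EX01"                 # assumption: the Mailbox/CAS server hosting the connectors
$AppRelay  = "Internal App Relay"   # connector name used by the original poster
$Anon      = "NT AUTHORITY\ANONYMOUS LOGON"
$RelayRight = "ms-Exch-SMTP-Accept-Any-Recipient"

# 1. Audit: list every receive connector on the server that lets anonymous
#    senders relay to ANY recipient (i.e. to external domains).
Write-Host "Connectors granting anonymous open relay:"
Get-ReceiveConnector -Server $Server |
    Get-ADPermission -User $Anon |
    Where-Object { $_.ExtendedRights -like $RelayRight } |
    Select-Object Identity, User, ExtendedRights |
    Format-Table -AutoSize

# 2. Remove the relay right from the app connector. Without
#    ms-Exch-SMTP-Accept-Any-Recipient, anonymous mail on this connector is
#    accepted only for recipients in the organization's accepted domains,
#    which is exactly "relay inside, block outside" the poster asked for.
Get-ReceiveConnector "$Server\$AppRelay" |
    Remove-ADPermission -User $Anon -ExtendedRights $RelayRight -Confirm:$false

# 3. Tighten RemoteIPRanges to the actual application hosts (assumed addresses).
#    Per Ed's caveat, these must be the source IPs Exchange sees; if a load
#    balancer SNATs the traffic, only the VIP would appear and every host
#    behind it would inherit the permission.
Set-ReceiveConnector "$Server\$AppRelay" -RemoteIPRanges 10.10.5.20, 10.10.5.21

# 4. Only if one host truly must send to outside domains: a dedicated connector
#    scoped to that single IP, with the relay right granted on it alone.
#    (Connector name and 10.10.5.30 are assumptions.)
New-ReceiveConnector -Name "Outbound Relay - appX" -Server $Server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.10.5.30 `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector "$Server\Outbound Relay - appX" |
    Add-ADPermission -User $Anon -ExtendedRights $RelayRight

# 5. Re-run the audit; only the dedicated connector should now appear.
Get-ReceiveConnector -Server $Server |
    Get-ADPermission -User $Anon |
    Where-Object { $_.ExtendedRights -like $RelayRight } |
    Select-Object Identity, User
```

To confirm the result, send a test from one of the application hosts to an external address with `Send-MailMessage -SmtpServer EX01 -Port 25 -From app@yourdomain -To someone@external.example -Subject test`; on the tightened connector Exchange should reject the RCPT TO with a 550 5.7.1 "Unable to relay" response, while a message to an internal mailbox on the same connector is still accepted. The audit in step 1 is worth scheduling, since a later administrator clicking "Anonymous users" on a connector in the EAC does not by itself grant relay, but an Add-ADPermission run for troubleshooting does and is easy to forget.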