NT AUTHORITY\Anonymous Logon --> ms-Exch-SMTP-Accept-Any-Sender false, but still accepts my domain

  • Question

  • Hello,
    In order to make sure that our Exchange 2016 receive connector does not accept spoofed emails from our own domains, I have removed the AD permission for "NT AUTHORITY\Anonymous Logon" extended right ms-Exch-SMTP-Accept-Any-Sender. I did this with the following command:
    Get-ReceiveConnector "Default Frontend EX2016" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    While this worked fine for our Exchange 2010 server, which does not accept senders with one of our domains (550 5.7.1 Client does not have permissions to send as this sender), it does not apply to Exchange 2016; this one still accepts emails from senders with one of our domains. Having a look at the extended rights settings, they look the same for both servers:

    Exchange 2016:

    AccessRights    ExtendedRights                                    Deny  InheritedObjectType InheritanceType User
    ------------    --------------                                    ----  ------------------- --------------- ----
    {ExtendedRight} {ms-Exch-SMTP-Accept-Any-Sender}                  False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender} False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Accept-Headers-Routing}                  False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-SMTP-Submit}                             False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Store-Create-Named-Properties}           False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Create-Public-Folder}                    False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {GenericRead}                                                     False ms-Exch-Public-MDB      Descendents NT AUTHORITY\ANONYMOUS LOGON
    {GenericRead}                                                     False ms-Exch-Private-MDB     Descendents NT AUTHORITY\ANONYMOUS LOGON

    ------------------------------------------------------------------------------------------------------------------------------------------
    Exchange 2010:

    AccessRights    ExtendedRights                          Deny  InheritedObjectType InheritanceType User
    ------------    --------------                          ----  ------------------- --------------- ----
    {ExtendedRight} {ms-Exch-SMTP-Submit}                   False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-SMTP-Accept-Any-Sender}        False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-SMTP-Accept-Any-Recipient}     False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Accept-Headers-Routing}        False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Store-Create-Named-Properties} False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {ExtendedRight} {ms-Exch-Create-Public-Folder}          False                                 All NT AUTHORITY\ANONYMOUS LOGON
    {GenericRead}                                           False ms-Exch-Public-MDB      Descendents NT AUTHORITY\ANONYMOUS LOGON
    {GenericRead}                                           False ms-Exch-Private-MDB     Descendents NT AUTHORITY\ANONYMOUS LOGON

    Any idea what is wrong with Exchange 2016? I tested this with SMTP telnet commands; any better suggestions for how I can reliably double-check this?

    kind regards,
    Dieter Tontsch
    mobileX AG
    Wednesday, June 15, 2016 1:16 PM
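    One way to make the telnet check above repeatable, as an added example that is not part of the original post: a script that opens a session to the connector, issues EHLO and a MAIL FROM for an address in one of your own domains, and reports whether the reply is the 550 rejection or a 250 acceptance. Host, port, sender address and EHLO name are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. Verifies how a receive connector answers
# MAIL FROM for an authoritative-domain sender. All addresses below are assumed.
function Test-SenderRejection {
    param(
        [string]$SmtpHost = 'ex2016.example.com',   # assumed connector FQDN
        [int]$Port = 25,
        [string]$Sender = 'someone@example.com'      # assumed address in an authoritative domain
    )
    $client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Read one complete SMTP reply; continuation lines carry '-' in position 4.
    function Read-Reply {
        do { $line = $reader.ReadLine() } while ($line -and $line[3] -eq '-')
        return $line
    }

    $null = Read-Reply                                  # 220 banner
    $writer.WriteLine('EHLO probe.example.org')         # assumed client name
    $null = Read-Reply                                  # 250 EHLO response
    $writer.WriteLine("MAIL FROM:<$Sender>")
    $mailReply = Read-Reply                             # this is the reply that matters
    $writer.WriteLine('QUIT')
    $client.Close()

    # 550 5.7.1 is the expected rejection; a 250 here means the connector
    # still accepts anonymous senders claiming one of your own domains.
    [pscustomobject]@{
        Connector = "$SmtpHost`:$Port"
        Sender    = $Sender
        Reply     = $mailReply
        Rejected  = $mailReply.StartsWith('550')
    }
}

Test-SenderRejection
```

    Run it once against the Exchange 2010 connector as a known-good reference and once against the 2016 connector; the two Reply values make the difference visible without reading a telnet session by hand.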

Answers

  • Hi Dieter,

    Please create a new receive connector and define it as a Hub Transport and not a Front-End Transport, then follow your steps to remove the NT AUTHORITY\Anonymous permission, then check if the issue persists.

    Best Regards,

    Jim Xu

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Friday, June 17, 2016 8:21 AM
    Moderator

All replies

  • Hi,

    You can double-check whether your receive connector "Default Frontend EX2016" is the correct one you are using for mail relay and the SMTP/telnet commands.


    Radek

    Wednesday, June 15, 2016 1:28 PM
  • It's the correct one; it's the only one with this EHLO/HELO FQDN.

    I have also removed ms-Exch-SMTP-Accept-Authoritative-Domain-Sender for anonymous logon; it still accepts senders from its authoritative domains.

    Dieter

    Wednesday, June 15, 2016 6:14 PM
  • Hi Dieter,

    Welcome to our forum.

    For this issue, we suggest removing the ms-Exch-SMTP-Accept-Any-Sender permission on “Default <ServerName>” to check if the issue persists.

    Best Regards,

    Jim Xu


    Thursday, June 16, 2016 8:13 AM
    Moderator
  • Hi,

    I did the suggested permission removal on both Default <Servername> and Default Frontend <Servername>, but no success. I have added it back since; from what I understand this permission is required for an internet email connector, otherwise how should external senders deliver emails to us?

    BTW: the ms-Exch-SMTP-Accept-Any-Sender permission wasn't assigned on the Default <Servername> receive connector, and this one is listening on port 2525 anyway.

    My permissions on the Default Frontend <Servername> receive connector are:

    ExtendedRights                          Deny
    --------------                          ----
    {ms-Exch-SMTP-Accept-Any-Sender}        False
    {ms-Exch-SMTP-Submit}                   False
    {ms-Exch-Accept-Headers-Routing}        False
    {ms-Exch-Store-Create-Named-Properties} False
    {ms-Exch-Create-Public-Folder}          False

    This works quite OK: external relay is not allowed, emails from outside are accepted, it just also still accepts emails sent from authoritative domain senders.

    kind regards,

    Dieter Tontsch

    mobileX AG

    Thursday, June 16, 2016 8:59 AM
  • Hi Dieter,

    Please create a new receive connector and define it as a Hub Transport and not a Front-End Transport, then follow your steps to remove the NT AUTHORITY\Anonymous permission, then check if the issue persists.

    Best Regards,

    Jim Xu


    Friday, June 17, 2016 8:21 AM
    Moderator
  • Hello, yes, this did the trick. Looks like all this ms-Exch-SMTP-Accept-Authoritative-Domain-Sender stuff only works if the connector in charge is a Hub Transport connector.

    What is a Frontend Transport receive connector actually good for?

    Dieter

    Friday, June 17, 2016 9:23 AM
  • Hi Dieter,

    The primary function of Receive connectors in the Transport service is to accept authenticated and encrypted SMTP connections from other transport services on the local Mailbox server or remote Mailbox servers in your organization.

    Best Regards,

    Jim Xu


    Friday, June 17, 2016 9:35 AM
    Moderator
  • Hello Dieter,

    I have the same issue, but I did not quite get what I have to do here.

    - I have removed 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender' from Default Frontend.

    - Our MB server is separate and has 2 default connectors: Default Server & Client Proxy Server.

    - Do I have to create an additional HubTransport receive connector, and if so, what would the permission group be?

    I'll appreciate your reply... THANK YOU ALL...

    Saturday, January 28, 2017 7:08 AM
  • Hi, yes, you might need to set up a new connector; at least this is what I did. And the point is, it has to be a Hub Transport type of connector, as Jim Xu pointed out. Honestly I cannot remember my steps exactly and why I did not use the Default connector, but for me it works now the following way:

    - I have kept the Default connector, but I have modified its TCP port to 2525 (this was more to make sure I didn't damage something, so keeping this DEFAULT but not using it).

    - I have set up a new connector, in my case I called it "SMTP World", as a Hub Transport, and because you cannot have two connectors with exactly the same port and scoping, I have modified the TCP port of the default connector to 2525 prior to setting this one up.

    - And then I have removed the anonymous permission on this connector with

    Get-ReceiveConnector "SMTP Wolrd6" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Sender"} | Remove-ADPermission

    - This way it works for me; under security only TLS is checked.

    Hope this helps.

    Dieter

    Tuesday, January 31, 2017 9:08 AM
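    Since the outcome of this thread is that the transport role of the connector decides whether the removal takes effect, here is an added audit script (not from the thread or from Microsoft) for the Exchange Management Shell. It lists every receive connector with its role, bindings and the sender-related extended rights still granted to Anonymous Logon, and flags Frontend Transport connectors that still let anonymous clients submit mail. Connector names are whatever your organization has; nothing here is assumed beyond the cmdlets and properties already used in the thread.

```powershell
# Added example, not from the thread. Audits anonymous sender rights per
# receive connector so the HubTransport vs FrontendTransport difference
# discussed above is visible in one table.
$senderRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
)

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Allow ACEs for Anonymous Logon on this connector (Deny entries are skipped).
    $anonAces = $connector |
        Get-ADPermission -User 'NT AUTHORITY\Anonymous Logon' |
        Where-Object { -not $_.Deny }

    # Flatten the ExtendedRights collections of all ACEs into plain right names.
    $granted = @($anonAces | ForEach-Object { $_.ExtendedRights } |
                ForEach-Object { [string]$_ })

    $anonSenderRights = $granted | Where-Object { $senderRights -contains $_ }
    $anonCanSubmit    = $granted -contains 'ms-Exch-SMTP-Submit'

    # The thread reports that removing the sender rights had no effect on a
    # FrontendTransport connector, so such connectors are flagged for review.
    $note = ''
    if ($connector.TransportRole -eq 'FrontendTransport' -and $anonCanSubmit) {
        $note = 'Frontend role: sender right removal reported ineffective'
    }

    [pscustomobject]@{
        Connector       = $connector.Identity
        TransportRole   = $connector.TransportRole
        Bindings        = ($connector.Bindings -join ', ')
        AnonSenderRight = ($anonSenderRights -join ', ')
        AnonCanSubmit   = $anonCanSubmit
        Note            = $note
    }
} | Format-Table -AutoSize
```

    A connector that serves internet mail should show up as HubTransport with an empty AnonSenderRight column while AnonCanSubmit stays True, which matches the working "SMTP World" setup described in the last reply.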