SMTP Authentication Exchange 2010

  • Question

  • Hello guys! This is my first post here and I've been searching for two days now and can't seem to get a definitive answer.

    The problem:

    I installed Microsoft Exchange Server 2010 on a Windows Server 2008 R2 Enterprise. I chose HUB Transport instead of Edge.

    Everything works perfectly, except that I definitely need SMTP authentication, to avoid becoming a semi-open relay.
    But the problem is this:
    If I enable Anonymous Users in the Default receive connector I can receive mail from all over the world, but SMTP authentication is disabled.
    If I disable Anonymous Users in the Default receive connector, e-mails from all over the world, naturally, get rejected but well, SMTP authentication is valid.

    So my question is: Is there some way I can enable SMTP authentication and still be able to receive e-mail from internet servers? Or better said, can this task be achieved without an Edge transport server?
    Thanks!
    Tuesday, December 14, 2010 3:13 PM

Answers

  • Hi

    If you have a HUB that receives the mails from external then I would create a receive connector and give it a good name, match it with IP address and have it anonymous, because if you require authentication you can't receive any mails at all.

    Then you should have a spam solution installed on this machine, like Forefront for Exchange.
    For double and better spam solutions, buy a 3rd-party mailwashing service and let them wash the mails first and then send them to your server.
    In that way you can set up the receive connector to just accept connections from the 3rd-party mailwashing service.

     


    Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
    • Proposed as answer by Allen Song Monday, December 20, 2010 9:20 AM
    • Marked as answer by Allen Song Wednesday, December 29, 2010 2:10 AM
    Tuesday, December 14, 2010 4:11 PM
  • Hi,

    To receive Internet email, Anonymous Users is necessary. And the Exchange Server itself is not an open relay even though Anonymous Users is checked, since the ms-Exch-SMTP-Accept-Any-Recipient permission is not there on Anonymous Users.

    Of course, the Exchange server will receive a great amount of spam emails which are sent to nonexistent users, and then lots of NDRs will be generated. To reduce the spam email, you can use the Edge server or third-party security software.

    Thanks

    Allen


    Allen Song
    • Marked as answer by Allen Song Wednesday, December 29, 2010 2:10 AM
    Monday, December 20, 2010 9:21 AM

All replies

  • Why do you think you NEED authentication? Exchange 2010 is not, by default, an open relay. If you disable anonymous submission you, as you have seen, lose the ability to receive. What you need is a good anti spam package that drops all the nonsense that comes in. Unless you have POP3/IMAP clients you don’t need to have people submit/relay in the first place and unless you do something that feature isn’t even enabled.
     
    "Andreas Ruxanda" wrote in message news:e6e96abe-57cd-4c23-8fed-1deb94806988...
    Hello guys! This is my first post here and I've been searching for two days now and can't seem to get a definitive answer.

    The problem:

    I installed Microsoft Exchange Server 2010 on a Windows Server 2008 R2 Enterprise. I chose HUB Transport instead of Edge.

    Everything works perfectly, except that I definitely need SMTP authentication, to avoid becoming a semi-open relay.
    But the problem is this:
    If I enable Anonymous Users in the Default receive connector I can receive mail from all over the world, but SMTP authentication is disabled.
    If I disable Anonymous Users in the Default receive connector, e-mails from all over the world, naturally, get rejected but well, SMTP authentication is valid.

    So my question is: Is there some way I can enable SMTP authentication and still be able to receive e-mail from internet servers? Or better said, can this task be achieved without an Edge transport server?
    Thanks!

    Mark Arnold, Exchange MVP.
    • Proposed as answer by Allen Song Monday, December 20, 2010 9:21 AM
    Tuesday, December 14, 2010 3:46 PM
  • Hi

    I have a problem, please help me.

    I can't set up my external and internal email to my Exchange 2010.

    How can I do this?

     

    Saturday, February 26, 2011 8:47 AM
  • Hi,

    Good day. In Exchange Server 2010, by default there are 2 receive connectors. One is named Client Mail and the other is Default Mail.

    1. Client Mail

    2. Default Mail

    What do you have to do?

    Go to the Client Mail Properties and then

    Go to the Permission Groups tab

    Uncheck - Anonymous users

    Keep the remaining unchanged. After that go to the Authentication tab

    Check/Tick Mark - Transport Layer Security (TLS)

    Don't Check/Tick Mark - Enable Domain Security (Mutual Auth TLS)

    Check/Tick Mark - Basic Authentication

    Don't Check/Tick Mark - Offer Basic Authentication only after starting TLS

    Check/Tick Mark - Exchange Server Authentication

    Check/Tick Mark - Integrated Windows Authentication

    After that go to the Network tab and

    add your network here (IP address ranges)

    Click OK and close the properties window. Now do the same steps for the Default Mail receive connector. You will notice that after configuring these two receive connectors, you are not receiving any email from all over the world but your email users are authenticated.

    But you want to receive email from all over the world, right? To receive email from all over the world you have to create a new receive connector. To create a new receive connector and configure its properties, do the following:

    In your Exchange Server 2010:

    Server Configuration > Hub Transport Server >

    Click - New Receive Connector

    Give a good name for the connector and then

    Select the intended use for this receive connector

    Click the down arrow and select "Internet", then click the Next button and keep the local network settings unchanged for now.

    Specify the FQDN for the connector

    contoso.com (your domain)

    and then Click - Next

    Click - New

    Now you have a new, third receive connector. Now we have to configure its properties.

    Click - Properties of the new receive connector

    Click - the Permission Groups tab

    Select/Check - Anonymous users

    Now go to the - Authentication tab

    Select/Check - Transport Layer Security (TLS)

    Don't Select/Check - Enable Domain Security (Mutual Auth TLS)

    Select/Check - Basic Authentication

    Don't Select/Check - Offer Basic Authentication Only After Starting TLS

    and then keep the remaining unchanged.

    Now go to the Network tab

    Receive mail from remote servers that have these IP addresses:

    Add all of the public IP address ranges here:

    0.0.0.0-127.255.255.255

    128.0.0.0-191.255.255.255

    192.0.0.0-223.255.255.255

    Click - OK

    N.B.: You can customize the IP address ranges according to your requirements.

    Now your new/third receive connector is created and configured, and you will be able to receive email from all over the world while your email users are still authenticated users.

    Thanks

    Mohammed Shah Newaj


    Wednesday, April 30, 2014 6:25 AM
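
The settings discussed in this thread (Anonymous Users on a receive connector, the ms-Exch-SMTP-Accept-Any-Recipient permission, the authentication options and the remote IP ranges) can be read back from the Exchange Management Shell. The following read-only audit is an added example, not code from any poster in this thread; it assumes the account running it can read connector permissions, and the report column names (AnonRelayRight, BasicWithoutTls) are made up for this report.

```powershell
# Added example: read-only audit of every receive connector on the organization's
# transport servers. Written to run under PowerShell 2.0 (Exchange 2010).
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = Get-ReceiveConnector | ForEach-Object {
    $rc   = $_
    # Flag values print as comma-separated names, e.g. "Tls, BasicAuth".
    $auth = "$($rc.AuthMechanism)"    -split ',\s*'
    $perm = "$($rc.PermissionGroups)" -split ',\s*'

    # Allow ACEs that give anonymous sessions the right to submit mail
    # for any recipient (this is what turns a connector into a relay).
    $relayAce = $rc | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) }

    New-Object PSObject -Property @{
        Connector       = $rc.Identity
        Bindings        = $rc.Bindings -join ', '
        RemoteIPRanges  = $rc.RemoteIPRanges -join ', '
        Anonymous       = $perm -contains 'AnonymousUsers'
        AnonRelayRight  = [bool]$relayAce
        # Basic authentication offered before STARTTLS exposes credentials
        # to anyone who can observe the SMTP session.
        BasicWithoutTls = ($auth -contains 'BasicAuth') -and
                          ($auth -notcontains 'BasicAuthRequireTLS')
    }
}

$report |
    Select-Object Connector, Bindings, RemoteIPRanges, Anonymous, AnonRelayRight, BasicWithoutTls |
    Format-List

# Connectors that accept anonymous sessions AND grant them the relay right.
$open = @($report | Where-Object { $_.Anonymous -and $_.AnonRelayRight })
if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.Connector }) -join '; '
    Write-Warning "Anonymous relay is permitted on: $names"
}
```

A connector that shows Anonymous = True with AnonRelayRight = False accepts Internet mail for the organization's own recipients without relaying for others, which is the state described in the marked answer.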