Can authenticated user send email from any address domain?

    Question

  • Hi,

    I'm not sure about it, but I think it is possible for an authenticated user to send an email from any address.

    I've seen one of the Exchange 2013 servers sending emails from @yahoo.com although yahoo.com is not on the server's list of accepted domains. I've looked into a bunch of Exchange logs and found that it had been sent by the Client Proxy (port 465) transport with one of the legitimate user accounts.

    Is my suspicion correct? Is it by design or wrong configuration?

    Can a user send email with any address/domain (on the envelope) as a sender after he/she is correctly authenticated by Exchange?

    If it's true, how can I limit Exchange users to send emails only from Exchange accepted domains?

    Regards,

    Michal

    Wednesday, October 11, 2017 10:20 AM

All replies

  • Hi,

    You should perform an open relay test:

    http://www.mailradar.com/openrelay/

    Wednesday, October 11, 2017 1:29 PM
  • Hi,

    For your questions:

    1. Can a user send email with any address/domain (on the envelope) as a sender after he/she is correctly authenticated by Exchange?

    We can’t send emails with any address. Based on my knowledge, we can use address rewriting to rewrite an email address or a domain. But it requires an Edge server role.
    For details, refer to the article: Address rewriting on Edge Transport servers.

    2. If it's true how I can limit Exchange users to send emails only from Exchange accepted domains?

    Administrators could assign the Send As and Send on Behalf permissions to users, then they can send as and send on behalf of other users/groups; however, they can only delegate the internal users or groups.

    Actually, additional actions are not required; users can’t send emails from non-authenticated domains.


    Best Regards,

    Manu Meng
    TechNet Community Support



    Thursday, October 12, 2017 7:52 AM
    Moderator
  • If your Exchange is open for relay, authenticated and unauthenticated users are able to send as using any domain. In Exchange 2013 you need to enable RecipientValidation by following these steps:

    1. To check if your server is using the AddressBook for validation run the following command

    Get-AcceptedDomain | Format-List Name,AddressBookEnabled

    It should provide you with a list of all accepted domains and whether the AddressBook is enabled or not. If by any chance Exchange is not Authoritative and the AddressBook is disabled, then enable it with:

    Set-AcceptedDomain <name of accepted domain> -AddressBookEnabled $true

    Or, to enable for all domains (caution, make sure you are not relaying any domains before running this)
    Get-AcceptedDomain | Set-AcceptedDomain -AddressBookEnabled $true

    Now you should have Recipient Filter on your Mailbox Server and AddressBook enabled on your domain. However, if you test this now, it probably still will not work. That is because Validation is still disabled.

    2. To check the status of validation run the following

    Get-RecipientFilterConfig | FL Enabled,RecipientValidationEnabled

    It should return that Recipient Filter is enabled, but validation is not
    Enabled: True
    RecipientValidationEnabled : False

    3. To enable validation run the following

    Set-RecipientFilterConfig -RecipientValidationEnabled $true
     
    4. Restart the Exchange Transport service

    When using relay, it will only be possible to use domains in your accepted domain list.


    Off2work

    Thursday, October 12, 2017 9:19 AM
  • If you try to use Hub Transport to send emails by using telnet, you may be able to send emails using anonymous users as sender.

    But if the sender is a part of the accepted domain, then you will not be able to send, as it is not anonymous but an Exchange user, so this will not work. You can use Outlook/OWA to send emails on behalf if you have appropriate access to the other mailbox.


    Thanks & Regards Ramandeep Singh

    Wednesday, October 25, 2017 5:30 AM
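
An added example, not posted by anyone in this thread: one way to audit what the question describes, by listing messages received through the Client Proxy connector whose sender or return path is outside the accepted domains. The 7-day window, the `*Client Proxy*` name match and the helper name `Test-AcceptedSender` are assumptions; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread). Read-only audit of message tracking logs.
$lookBackDays = 7                      # assumed look-back window
$connectorMatch = '*Client Proxy*'     # assumed: default connector naming, adjust if renamed

# Accepted domains as lower-case strings, e.g. "contoso.com" or "*.contoso.com"
$accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

# Hypothetical helper: $true when the address belongs to an accepted domain.
function Test-AcceptedSender {
    param([string]$Address)
    # Empty or null sender (<>) is used for bounces/DSNs, so it is not flagged
    if ([string]::IsNullOrEmpty($Address) -or $Address -notmatch '@') { return $true }
    $domain = $Address.Split('@')[-1].Trim('>').ToLower()
    foreach ($d in $accepted) {
        if ($d.StartsWith('*.')) {
            # Wildcard entry: treated here as the base domain plus its subdomains
            $base = $d.Substring(2)
            if ($domain -eq $base -or $domain.EndsWith(".$base")) { return $true }
        }
        elseif ($domain -eq $d) { return $true }
    }
    return $false
}

# Get-MessageTrackingLog reads the local server's logs; add -Server to query another one.
Get-MessageTrackingLog -Start (Get-Date).AddDays(-$lookBackDays) -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.ConnectorId -like $connectorMatch } |
    Where-Object {
        -not (Test-AcceptedSender $_.Sender) -or
        -not (Test-AcceptedSender $_.ReturnPath)
    } |
    Sort-Object Timestamp |
    Select-Object Timestamp, ConnectorId, Sender, ReturnPath, OriginalClientIp, ClientIp,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } }
```

The output shows when and from which client address each such message arrived; the SMTP receive protocol log for the same timestamps is where the authenticating account can be confirmed.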