Disable internal anonymous relay

  • Question

  • Hi all,

    When installing Exchange 2013/2016, there are 5 default receive connectors. The one named Default Frontend <Servername> is the one used to accept external messages. It has anonymous enabled and is open for all IP ranges. This is also required so it can accept emails from the internet.

    Downside is that this connector is also open for internal anonymous relay from all internal clients.

    What is the approach used to stop internal clients from relaying through this connector?

    Thanks!


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Thursday, October 19, 2017 7:18 PM

All replies

  • Hello

    Relay is not enabled by default, only if enabled like:

    Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    If you want, move all internal SMTP connections to a new receive connector (create a new receive connector, set security and add the internal IP range).


    Sorry for my English.

    Thursday, October 19, 2017 8:06 PM
  • Hi,

    Thanks for contacting our forum. Agree with Sneff_Gabor.

    By default, the following permissions are given to the Anonymous Logon group:

    Ms-Exch-SMTP-Submit

    Ms-Exch-SMTP-Accept-Any-Sender

    Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    Ms-Exch-Accept-Headers-Routing

    We can run the following command to check which connector has the relay permission:

    Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"}

    If it has the permission, we can remove as below:

    Remove-ADPermission "connector name" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 20, 2017 7:32 AM
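The check Jason describes above, widened into an audit over every Receive connector in the organization. This is an added example, not a command from the thread: it reports, per connector, whether anonymous (or externally secured) submission is on, whether ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient, and whether the connector accepts from every source IP. The thread's actual concern (anonymous submission to accepted domains from any internal host) corresponds to Anonymous plus AllSources, not to AnyRecipient alone; the column names are my own.

```powershell
# Added audit example (not from the thread). Run in the Exchange Management Shell.
$anon = "NT AUTHORITY\ANONYMOUS LOGON"

$report = foreach ($rc in Get-ReceiveConnector) {
    # Anonymous submission enabled at all (needed on Default Frontend for internet mail)
    $anonEnabled = ($rc.PermissionGroups -match "AnonymousUsers")

    # Externally Secured trusts every source in RemoteIPRanges as an Exchange server
    $extSecured = ($rc.AuthMechanism -match "ExternalAuthoritative")

    # Explicit open-relay right for ANONYMOUS LOGON (relay to non-accepted domains)
    $anyRecipient = Get-ADPermission -Identity $rc.Identity -User $anon -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny }

    # Default Frontend ships with 0.0.0.0-255.255.255.255 (and the IPv6 equivalent)
    $ranges = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ","
    $allSources = ($ranges -match "0\.0\.0\.0-255\.255\.255\.255")

    [pscustomobject]@{
        Server         = $rc.Server
        Connector      = $rc.Name
        Ports          = ($rc.Bindings | ForEach-Object { $_.Port }) -join ","
        Anonymous      = [bool]$anonEnabled
        ExtSecured     = [bool]$extSecured
        AnyRecipient   = [bool]$anyRecipient
        AllSources     = [bool]$allSources
        RemoteIPRanges = $ranges
    }
}

$report | Sort-Object Server, Connector | Format-Table -AutoSize

# Connectors any internal host can submit to without authentication (the OP's case)
"--- Unauthenticated submission from any source IP ---"
$report | Where-Object { ($_.Anonymous -or $_.ExtSecured) -and $_.AllSources }

# Connectors that are a true open relay to external domains
"--- Open relay (Accept-Any-Recipient for ANONYMOUS LOGON) ---"
$report | Where-Object { $_.AnyRecipient -and $_.AllSources }
```

Get-ADPermission needs read access to the connector objects in AD; on a restricted RBAC role the AnyRecipient column will simply come back empty rather than false.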
  • Hi all, and thanks for the reply.

    With ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient, this means that the user will not be able to relay to external addresses, which is fine.

    The main issue is that the default connector is open for relay for all domains in accepted domains. In short, this means that everyone internally can relay to the Exchange server and send to any of the domains in the accepted domains list. This is the part we wish to block. As far as I know, NT AUTHORITY\ANONYMOUS LOGON should NOT be removed from the default connector.

    Either way, we managed to fix this by adding the IP of the customer's smart host to the Default connector (since all incoming and outgoing emails will be going through a smart host).

    Now internal users are not able to relay to the Exchange server as long as they are not added to the relay connector we created for application relay.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Friday, October 20, 2017 10:17 AM
  • Thanks for your reply and for sharing the fix. Please help to mark it as the answer; it could be helpful for others!

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, October 23, 2017 9:58 AM
  • Hi Off2work, this is how I fixed it as well some time ago. However, it did cause some SCOM alerts/unhealthy states in Exchange and a mail flow issue between Exchange servers. Did you not experience this?

    I had to add the link-local address of the Exchange server and the IP address of the other Exchange servers to the connector as well to fix this.

    Wednesday, May 2, 2018 9:24 AM
  • Hi Off2work, 

    Downside is that this connector is also open for internal anonymous relay from all internal clients.
    Ans. NO

    To understand better please go through below articles.
    Receive connectors
    https://technet.microsoft.com/en-us/library/aa996395(v=exchg.160).aspx

    Scenarios for custom Receive connectors in Exchange 2016
    https://technet.microsoft.com/en-us/library/jj657465(v=exchg.160).aspx

    What is the approach used to stop internal clients from relaying through this connector?
    Ans. You can create a dedicated relay receive connector to relay mail through the Exchange server.

    => Create a new relay connector for application relay:

          General --> Verbose

          Network --> IP address ---> Add the IPs of the application servers

          Permission Groups --> Exchange Server & Anonymous users

          Authentication --> Transport Layer Security (TLS) & Externally Secured

     Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    => Also go through the Article : --

    Allow anonymous relay on Exchange servers
    https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx

    This will fix the problem.

    Thanks,


    EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT


    Thursday, May 10, 2018 2:55 AM
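The combined fix from this thread as one script: Off2work's restriction of the Default Frontend connector to the smart host, the May 2018 caveat that the other Exchange servers and the link-local address must stay in the list, and the dedicated application relay connector from the last reply. This is an added example, not the thread's own commands; server name, IP addresses and ranges are placeholders, and the Default Frontend restriction is only valid when all inbound internet mail really arrives through the smart host.

```powershell
# Added example (not from the thread). Placeholder values are assumptions.
$server     = "EX01"                         # Exchange server being configured
$smartHost  = "203.0.113.10"                 # customer's smart host (all inbound/outbound mail)
$otherEx    = @("10.0.0.11", "10.0.0.12")    # the other Exchange servers in the org
$linkLocal  = "fe80::/10"                    # link-local range (see the May 2018 reply)
$appServers = @("10.0.5.20", "10.0.5.21")    # application servers allowed to relay

# 1. Lock the Default Frontend connector down to the smart host plus intra-org sources.
#    Anonymous stays enabled on it (it still receives internet mail via the smart host);
#    what changes is WHO may connect. Leaving out the other Exchange servers or the
#    link-local address breaks server-to-server mail flow and raises SCOM health alerts.
Set-ReceiveConnector -Identity "$server\Default Frontend $server" `
    -RemoteIPRanges (@($smartHost, $linkLocal) + $otherEx)

# 2. Dedicated relay connector for the application servers. A second 0.0.0.0:25
#    binding is allowed because RemoteIPRanges does not overlap the default connector.
New-ReceiveConnector -Name "Anonymous Relay" -Server $server `
    -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 `
    -RemoteIPRanges $appServers

# 3a. Externally Secured (the last reply's choice): every source in RemoteIPRanges is
#     trusted as an Exchange server, so keep that list to the application hosts only.
Set-ReceiveConnector -Identity "$server\Anonymous Relay" `
    -PermissionGroups ExchangeServers -AuthMechanism ExternalAuthoritative `
    -ProtocolLoggingLevel Verbose

# 3b. Alternative used earlier in the thread: anonymous users plus the explicit
#     Accept-Any-Recipient right. Use one of 3a/3b, not both.
# Set-ReceiveConnector -Identity "$server\Anonymous Relay" -PermissionGroups AnonymousUsers
# Get-ReceiveConnector "$server\Anonymous Relay" |
#     Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
#                      -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verify the result: the default connector should list only the sources above,
#    and the relay connector only the application servers.
Get-ReceiveConnector -Server $server |
    Format-Table Name, PermissionGroups, AuthMechanism, RemoteIPRanges -AutoSize
```

Repeat step 1 on every Exchange server, adjusting $server and $otherEx for each, and check the Verbose protocol log on the relay connector for unexpected source addresses after the change.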