Disable internal anonymous relay

Question
Hi all,
When you install Exchange 2013/2016 there are 5 default receive connectors. The one named Default Frontend <Servername> is the one used to accept external messages. It has anonymous access enabled and is open for all IP ranges. This is also required so it can accept emails from the internet.
Downside is that this connector is also open for internal anonymous relay from all internal clients.
What is the approach used to stop internal clients from relaying through this connector?
Thanks!
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work
Thursday, October 19, 2017 7:18 PM
All replies
Hello
Relay is not enabled by default; it is only enabled if you do something like:
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
If you want, move all internal SMTP connections to a new receive connector (create a new receive connector, set its security and add the internal IP range).
Sorry for my English.
Thursday, October 19, 2017 8:06 PM
Hi,
Thanks for contacting our forum. Agree with Sneff_Gabor.
By default, the following permissions are given to the Anonymous Logon group:
Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Ms-Exch-Accept-Headers-Routing
We can run the following command to check which connector has the relay permission:
Get-ReceiveConnector | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient"}
If it has the permission, we can remove as below:
Remove-ADPermission "connector name" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient
Hope it helps.
Regards,
Jason Chao
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Friday, October 20, 2017 7:32 AM
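The check-and-remove steps in the reply above can be run as one audit across every Receive connector. The script below is an added example, not code from the thread: it reports, per connector, whether the AnonymousUsers permission group is enabled, whether RemoteIPRanges is unrestricted, and whether NT AUTHORITY\ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient (anonymous relay is only possible when all three line up), then previews the removal with -WhatIf. The whole-range strings are assumed to be as Get-ReceiveConnector displays them.

```powershell
# Added example: audit Receive connectors for anonymous relay exposure.
# Run from the Exchange Management Shell. Removal is previewed with -WhatIf;
# drop the switch only after reviewing the report.
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

# Assumed display form of an unrestricted range (IPv4 and IPv6) as shown by Get-ReceiveConnector.
$wholeRanges = @('0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff')

$report = foreach ($rc in Get-ReceiveConnector) {
    # Does the anonymous principal hold an Allow ACE for accept-any-recipient?
    $hasRelayRight = [bool](Get-ADPermission -Identity $rc.Identity -User $anon |
        Where-Object {
            -not $_.Deny -and
            @($_.ExtendedRights | Where-Object { "$_" -eq $relayRight }).Count -gt 0
        })

    # Is the connector reachable from any address?
    $openToAll = [bool]($rc.RemoteIPRanges | Where-Object { $wholeRanges -contains "$_" })

    # PermissionGroups is a flags value; its string form lists the enabled groups.
    $anonGroup = [bool]("$($rc.PermissionGroups)" -match 'AnonymousUsers')

    [pscustomobject]@{
        Connector      = $rc.Identity
        Role           = $rc.TransportRole
        AnonymousGroup = $anonGroup
        OpenToAllIPs   = $openToAll
        AnonRelayRight = $hasRelayRight
        # Only the combination of all three allows anyone to relay to any recipient.
        OpenRelay      = $anonGroup -and $openToAll -and $hasRelayRight
    }
}

$report | Format-Table -AutoSize

# Strip the relay right wherever the anonymous principal holds it (preview only).
foreach ($row in $report | Where-Object { $_.AnonRelayRight }) {
    Remove-ADPermission -Identity $row.Connector -User $anon `
        -ExtendedRights $relayRight -Confirm:$false -WhatIf
}
```

The OpenRelay column is the one to act on: a connector with the right but a tight RemoteIPRanges (a deliberate application relay connector) will show AnonRelayRight true and OpenRelay false, so review the report before removing -WhatIf rather than stripping the right from every connector that has it.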
Hi all, and thanks for the reply.
With ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient, this means that the user will not be able to relay to external addresses, which is fine.
The main issue is that the default connector is open for relay for all domains in accepted domains. In short, this means that everyone internally can relay to the Exchange server and send to any of the domains in the accepted domains list. This is the part we wish to block. As far as I know, NT AUTHORITY\ANONYMOUS LOGON should NOT be removed from the default connector.
Either way, we managed to fix this by adding the IP of the customer's smart host to the Default connector (since all incoming and outgoing emails will be going through a smart host).
Now internal users are not able to relay through the Exchange server as long as they are not added to the relay connector we created for application relay.
Friday, October 20, 2017 10:17 AM
Thanks for your reply and for sharing the fix; please mark it as the answer so it can be helpful for others!
Regards,
Jason Chao
Monday, October 23, 2017 9:58 AM
Hi Off2work, this is how I fixed it as well some time ago. However, it did cause some SCOM alerts/unhealthy states in Exchange and mail flow issues between Exchange servers. Did you not experience this?
I had to add the link-local address of the Exchange server and the IP addresses of the other Exchange servers to the connector as well to fix this.
Wednesday, May 2, 2018 9:24 AM
Hi Off2work,
Downside is that this connector is also open for internal anonymous relay from all internal clients.
Ans. NO
To understand better please go through below articles.
Receive connectors
https://technet.microsoft.com/en-us/library/aa996395(v=exchg.160).aspx
Scenarios for custom Receive connectors in Exchange 2016
https://technet.microsoft.com/en-us/library/jj657465(v=exchg.160).aspx
What is the approach used to stop internal clients from relaying through this connector?
Ans. You can create a dedicated relay receive connector to relay mail through the Exchange server => Create a new relay connector for application relay:
General --> Verbose
Network --> IP address ---> Add the IPs of the application servers
Permission Groups --> Exchange Server & Anonymous users
Authentication --> Transport Layer security (TLS) & Externally Secured
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
=> Also go through the article:
Allow anonymous relay on Exchange servers
https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx
This will fix the problem.
Thanks,
EXCHANGE2010, MCSE, MCTS, MCSA MESSAGING, CCNA & GNIIT
Thursday, May 10, 2018 2:55 AM
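The two halves of the fix described in this thread (Off2work's narrowing of the Default Frontend connector to the smart host, plus the peer Exchange servers and the server's own addresses that Jonas found were needed, and Pranab's dedicated relay connector for application servers) can be scripted together. The block below is an added example, not code from the thread or from Microsoft; the server name EX01, the smart host 192.0.2.10, the peer server 192.0.2.21 and the application subnet 10.0.5.0/24 are constructed placeholders. Everything runs in preview mode until $preview is set to $false.

```powershell
# Added example: narrow the Default Frontend connector and create a restricted
# relay connector. Run from the Exchange Management Shell on the server itself.
$preview    = $true                    # set to $false to apply
$server     = 'EX01'                   # placeholder
$smartHost  = '192.0.2.10'             # placeholder: inbound/outbound smart host
$peers      = @('192.0.2.21')          # placeholder: other Exchange servers in the org
$appServers = @('10.0.5.0/24')         # placeholder: hosts that legitimately relay

# The server's own addresses (IPv4 and fe80:: link-local), minus loopback. Jonas's
# reply above notes mail flow and SCOM health broke until these were allowed.
# Get-NetIPAddress returns link-local addresses with a %zone suffix, which is stripped.
$localAddresses = Get-NetIPAddress |
    Where-Object { $_.AddressState -eq 'Preferred' -and $_.IPAddress -notmatch '^(127\.|::1$)' } |
    ForEach-Object { $_.IPAddress -replace '%.*$' }

# 1. Default Frontend connector: keep anonymous access (needed for internet mail), but
#    only the smart host, peer Exchange servers and this server may reach it.
$allowed = @($smartHost) + $peers + $localAddresses
Set-ReceiveConnector -Identity "$server\Default Frontend $server" `
    -RemoteIPRanges $allowed -WhatIf:$preview

# 2. Dedicated relay connector, Pranab's settings in cmdlet form: verbose protocol log,
#    restricted remote IP list, TLS + externally secured, ExchangeServers + AnonymousUsers.
#    Same 0.0.0.0:25 binding as the default connector; Exchange picks the connector whose
#    RemoteIPRanges matches the client most specifically.
New-ReceiveConnector -Name 'Application Relay' -Server $server `
    -TransportRole FrontendTransport -Usage Custom -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $appServers `
    -AuthMechanism Tls, ExternalAuthoritative `
    -PermissionGroups ExchangeServers, AnonymousUsers `
    -ProtocolLoggingLevel Verbose -WhatIf:$preview

# 3. Grant accept-any-recipient on the relay connector only (the line quoted in the thread).
if (-not $preview) {
    Get-ReceiveConnector -Identity "$server\Application Relay" |
        Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
            -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'
}

# Verify: the default connector should no longer list a whole-address range.
Get-ReceiveConnector -Server $server |
    Format-Table Identity, PermissionGroups, AuthMechanism, RemoteIPRanges -AutoSize
```

With ExternalAuthoritative set, Exchange treats every connection on that connector as fully trusted, so RemoteIPRanges is the only control left; keep the list to the specific application hosts rather than a whole client subnet, and run step 1 in a maintenance window, since a missed peer address shows up as queued inter-server mail and health-set alerts rather than as an obvious error.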