Prevent open internal relay on Exchange 2016

  • Question

  • Hi,

    Exchange 2016 seems to be an open anonymous relay for internal mail traffic by default. 

    This is probably normal as the server needs to be able to accept e-mail from internet (all IPs) and deliver it internally. 

    However, in case you have a mail gateway: is it not best to only allow the IPs of your mail gateway to send to Exchange? 

    Otherwise, anyone on the internal network can start using the Exchange server as an open relay for internal e-mail. 

    What is the best way to limit this? Change the IP range on the Default Frontend Connector, or is it better to create a new one and disable the Default Frontend Connector?

    Monday, October 30, 2017 9:04 AM

Answers

  • Hi Jozef Woo,

    Thanks for contacting our forum.

    We can restrict the hosts that can submit mail to any connector by use of the RemoteIPRanges parameter. Refer to: https://technet.microsoft.com/en-us/library/bb125140(v=exchg.160).aspx

    If we have more than one server, consider creating a separate connector with Anonymous in the permission groups and set the RemoteIPRanges property there. Remove Anonymous from the Default receive connector.

    Be very careful doing this on the default receive connector if you have multiple Exchange servers because you may break SMTP communication between them. 

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Jozef Woo Tuesday, May 1, 2018 6:42 PM
    Tuesday, October 31, 2017 7:18 AM
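The procedure Jason describes, written out as an added example for the Exchange Management Shell; this is not code from the original thread. It assumes a single Mailbox server named EX01, a mail gateway at 10.0.0.10 and 10.0.0.11, and a new connector called "Gateway Inbound" (all hypothetical names), and it targets the port 25 "Default Frontend <server>" connector the question refers to. It only removes AnonymousUsers from the default connector and keeps ExchangeServers and ExchangeLegacyServers on it, because server-to-server SMTP between Exchange servers is authorized through ExchangeServers; removing that group is what breaks inter-server mail flow. It also snapshots the previous state so the change can be reverted, and ends with two checks a practitioner would want: which connectors still accept anonymous mail and from where, and whether the gateway connector has been given the right that turns it into an actual open relay.

```powershell
# Added example, not from the original thread. Assumed names (hypothetical):
# Mailbox server EX01, gateway addresses 10.0.0.10 and 10.0.0.11,
# new connector "Gateway Inbound". Run in the Exchange Management Shell.
$Server      = 'EX01'
$GatewayIPs  = @('10.0.0.10', '10.0.0.11')   # ranges such as '10.0.0.0/28' also work
$NewName     = 'Gateway Inbound'
$DefaultName = "Default Frontend $Server"     # the port 25 frontend connector

# 1. Snapshot the default frontend connector so the change can be reverted.
$default = Get-ReceiveConnector -Identity "$Server\$DefaultName"
$default | Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups |
    Export-Clixml -Path ".\$Server-DefaultFrontend-before.xml"

# 2. Dedicated frontend connector on port 25 that accepts anonymous mail
#    only from the gateway. It coexists with the default connector on the
#    same port because Exchange hands a session to the connector whose
#    RemoteIPRanges holds the most specific match for the source IP; the
#    default connector's 0.0.0.0-255.255.255.255 loses for the gateway hosts.
if (-not (Get-ReceiveConnector -Identity "$Server\$NewName" -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Name $NewName -Server $Server `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $GatewayIPs | Out-Null
}
# Custom usage starts with no permission groups; grant anonymous submission
# only here. AnonymousUsers does not include ms-Exch-SMTP-Accept-Any-Recipient,
# so the gateway can deliver to accepted domains but cannot relay outbound.
Set-ReceiveConnector -Identity "$Server\$NewName" -PermissionGroups AnonymousUsers

# 3. Drop AnonymousUsers from the default frontend connector but keep every
#    other group it already has (ExchangeServers, ExchangeLegacyServers, ...).
#    Exchange servers authorize their SMTP sessions to each other through
#    ExchangeServers, so that group must survive on a multi-server setup.
$kept = $default.PermissionGroups.ToString().Split(',') |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -ne 'AnonymousUsers' }
if (-not $kept) { throw "Refusing to leave $DefaultName with no permission groups." }
Set-ReceiveConnector -Identity $default.Identity -PermissionGroups ($kept -join ',')

# 4. Check: which connectors on this server still accept anonymous mail,
#    and from which source addresses.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-Table Identity, Bindings, RemoteIPRanges -AutoSize

# 5. Check: the extended right that lets anonymous senders submit to
#    non-accepted domains. Any grant listed here makes the gateway connector
#    a real open relay for the hosts in its RemoteIPRanges.
Get-ADPermission -Identity "$Server\$NewName" |
    Where-Object { $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# 6. Verbose protocol logging records, per session, which connector took it
#    (TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive under the install path).
Set-ReceiveConnector -Identity "$Server\$NewName" -ProtocolLoggingLevel Verbose
```

Receive connectors are per server, so repeat this on every Mailbox server that the gateway or other Exchange servers talk to, and keep the default connector's RemoteIPRanges as it is rather than narrowing it, since the other servers are the ones still relying on it. Before trusting the result, test from a workstation that is not in the gateway ranges that an unauthenticated SMTP submission to the server is now refused, and read the SmtpReceive protocol log to confirm gateway sessions land on the new connector.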

All replies

  • Hi Jason, thanks for pointing out the gotcha there about the inter-Exchange-server communication :-)

    I almost forgot about that. 

    I will try this next week and provide feedback!

    Tuesday, October 31, 2017 9:05 AM
  • Thanks, please keep updating!

    Regards,

    Jason Chao


    Thursday, November 2, 2017 2:37 AM
  • Hi Jason, you say "be careful". What do I have to be careful about? Do Exchange servers use anonymous authentication between them? Will they not communicate with Exchange server authentication?
    Tuesday, May 1, 2018 6:43 PM