TLS auth issue: 'CompanyA@exmple.com “via” SendGrid.me' email is dropped by Exchange

    Question

  • Looking for clarification about what Exchange 2007 considers to be "anonymous authentication" for TLS at the Receive Connector. At the company I'm SysAdmin for, about 3 months ago we were getting "spoofed" emails almost daily. These "spoofed" emails would typically have our CEO or the domain admin as the "sender." To mitigate against this, I set our default Exchange "internet" receive connector to DISallow anonymous authentication with an Exchange Management Shell (PowerShell) command, and created a separate RC to allow anonymous authentication for a set of whitelisted IPs (offsite copiers w/ scan-to-email, Constant Contact, etc.). This worked and the spoofing completely stopped.

    But here's the issue: now no one that tries to send anything "on behalf of" or "via" someone else can get an email through to us. I was under the impression that disabling anon-auth was only for our organization, but it seems to be affecting all outside parties as well. Gmail will allow these through, but I obviously cannot keep asking my users to have work email sent to their personal Gmail accounts. Thank you.

    Wednesday, July 6, 2016 7:53 PM
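The two-connector setup the question describes, as an added example (not the poster's own commands): the server name EX01, the default connector name and the IP ranges are placeholders, and the commands assume the Exchange 2007 Management Shell.

```powershell
# Added example (not the poster's commands). Assumes Exchange 2007 EMS,
# a Hub Transport server named EX01 (placeholder) whose default connector is
# "EX01\Default EX01", and placeholder IP ranges for the trusted relays.
$internet = Get-ReceiveConnector "EX01\Default EX01"
$anon     = "NT AUTHORITY\ANONYMOUS LOGON"
$right    = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 1. Audit: list the extended rights the anonymous account holds on the
#    Internet-facing connector before changing anything.
Get-ADPermission -Identity $internet.Identity -User $anon |
    Where-Object { $_.ExtendedRights } |
    Select-Object Identity, ExtendedRights

# 2. Remove only the right that lets an anonymous session use one of our
#    accepted domains as the sender. Mail from any other domain is still
#    accepted, so ordinary inbound mail keeps flowing, but any outside
#    system sending "as" our domain (spoofers and legitimate "on behalf of"
#    services alike) is now refused with a 5.7.1 on this connector.
Get-ADPermission -Identity $internet.Identity -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -Confirm:$false

# 3. Dedicated connector for the few third parties that must send as us.
#    Exchange picks the connector with the most specific RemoteIPRanges match,
#    so sessions from these addresses land here and keep the right.
$trusted = New-ReceiveConnector -Name "Trusted relays (send as our domain)" `
    -Server EX01 -Usage Custom -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "192.0.2.10", "198.51.100.0/24" `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

Add-ADPermission -Identity $trusted.Identity -User $anon -ExtendedRights $right

# 4. Verify which connectors still grant the right to anonymous sessions.
Get-ReceiveConnector -Server EX01 |
    ForEach-Object {
        $c = $_
        Get-ADPermission -Identity $c.Identity -User $anon |
            Where-Object { $_.ExtendedRights -like $right } |
            Select-Object @{n = "Connector"; e = { $c.Name }}, ExtendedRights
    }
```

A service such as the "via SendGrid.me" sender in the title is affected by step 2 exactly like a spoofer, so its sending IP ranges have to be added to the step 3 list (or the spoof check moved to the UTM in front of Exchange) for that mail to be accepted again.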

Answers

  • Hi,

    Based on your description, do you mean that mail flow fails between applications or devices and the Exchange server? If you want other applications or devices to send messages through Exchange, we need a receive connector which accepts messages from the application and enables anonymous authentication. Therefore, you can add the application's IP address to "Remote Network settings". More details about it, for your reference:
    https://blogs.technet.microsoft.com/exchange/2006/12/28/allowing-application-servers-to-relay-off-exchange-server-2007/

    For spoofed messages from internal senders, please open one of the spoofed emails in Outlook and check the headers. There are two types of sender address, RFC 821 and RFC 822. RFC 821 is the actual sender and RFC 822 is the display name of the sender. Spoofed email means the RFC 822 address is spoofed. Open the email headers and look for Return-Path:; this field has the actual sender.

    Then you can add this domain or e-mail address to the blacklist to restrict it in antispam.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Thursday, July 7, 2016 9:50 AM
    Moderator
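The Return-Path versus From comparison described in the answer above, as an added example (not from the thread): the header block in $sample is constructed, and the addresses and the example.com authoritative domain are placeholders.

```powershell
# Added example (not from the thread). Checks the RFC 821 envelope sender
# (Return-Path) against the RFC 822 From header of a message saved as text.
# $sample is a constructed header block; addresses are placeholders.
$sample = @"
Return-Path: <bounces+1234@sendgrid.me>
Received: from o1.sendgrid.me (o1.sendgrid.me [198.51.100.10])
From: "Company CEO" <ceo@example.com>
To: staff@example.com
Subject: Invoice attached
"@

function Get-HeaderValue([string]$Headers, [string]$Name) {
    foreach ($line in $Headers -split "`r?`n") {
        if ($line -match "^$([regex]::Escape($Name)):\s*(.*)$") { return $Matches[1] }
    }
}

function Get-AddressDomain([string]$Value) {
    # Pull the address out of "Display <addr>" and return its domain.
    if ($Value -match '<([^>]+)>') { $Value = $Matches[1] }
    return ($Value.Trim() -split '@')[-1].ToLowerInvariant()
}

function Test-SenderHeaders([string]$Headers, [string[]]$OurDomains) {
    $envelope = Get-AddressDomain (Get-HeaderValue $Headers 'Return-Path')
    $from     = Get-AddressDomain (Get-HeaderValue $Headers 'From')
    [pscustomobject]@{
        EnvelopeDomain   = $envelope      # who really sent it (RFC 821)
        FromDomain       = $from          # what the user sees (RFC 822)
        ClaimsOurDomain  = $OurDomains -contains $from
        EnvelopeMismatch = $envelope -ne $from
    }
}

# Both a spoof and a legitimate "via SendGrid" message show ClaimsOurDomain
# and EnvelopeMismatch set; the envelope domain is what to allow or block.
Test-SenderHeaders -Headers $sample -OurDomains @('example.com') | Format-List
```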

All replies

  • If you don't allow anonymous mail from the Internet, you won't get any mail because all Internet mail is anonymous.  Other servers don't authenticate to your server because you haven't given each and every one of them an account and password to talk to your server.  That would simply be unworkable.

    There really is no good replacement for an antispam server, appliance or cloud service between the Internet and your Exchange server.  If you have a decent one of those, you can configure it to reject mail purporting to be from one of your recipients.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, July 6, 2016 8:18 PM
    Moderator
  • Thank you for your reply, Ed. I am allowing a granular permissions set for TLS via Exchange Mgmt Shell (Powershell), NOT via the checkboxes in the Exchange Mgmt Console (GUI). As such, I have no issues with normal inbound email, only email sent "via" or "on behalf of." Please see this link for explanation: http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

    Also, we do indeed have a UTM/anti-spam device (Untangle), and while it blocks tons of spam it does not have the ability to prevent spoofing. 

    Wednesday, July 6, 2016 8:26 PM