Disable Exchange 2013 Internal Relay without authentication.

    Question

  • I'm running Exchange Server 2013 CU12

    Network Setup is like this!

    1. Primary DC 1

    2. Secondary DC 2

    3. Mailbox Server (internal network)

    4. EDGE Server (on DMZ)

    The problem is that any user can relay emails to the Exchange server users.

    E.g.: there are two email addresses, eric@abc.com and andrew@abc.com, in my domain abc.com. An anonymous user can send emails to andrew@abc.com on behalf of eric@abc.com (no authentication required). But if an anonymous user tries to send email to jason@condoso.com using eric@abc.com, Exchange will refuse to send it.

    May I know what I could do to restrict user authentication even for emails in the internal domain? I cannot disable the Anonymous users, otherwise the Exchange server will not receive any emails.

    I have checked the Default (Server Name) sender connector and I have removed the anonymous user. But they can still send email internally.

    Regards

    thanks

    Tuesday, May 2, 2017 7:58 PM

All replies

  • Hello,

    To achieve your goal, we need to remove the ms-exch-smtp-accept-authoritative-domain-sender permission for anonymous. Try:

    1. Determine which receive connectors in the organization are open relay connectors:

        Get-ReceiveConnector | Get-ADPermission |
            Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} | FT Identity,User,ExtendedRights

    2. Prevent others from pretending to send messages:

        Get-ReceiveConnector "Anonymous relay connector" |
            Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" |
            where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 3, 2017 10:30 AM
    Moderator
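
An added example, not part of the reply above and not Microsoft's own code: an audit that lists, for every receive connector, which of the two extended rights named in the reply the anonymous principal holds, then previews the removal with -WhatIf. The function name Get-AnonymousConnectorRight and the variable $findings are hypothetical; the cmdlets are the Exchange Management Shell ones used in the reply.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Get-AnonymousConnectorRight and $findings are hypothetical names.
$anon   = 'NT AUTHORITY\ANONYMOUS LOGON'
$rights = @(
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',  # anonymous may use an accepted-domain sender
    'ms-Exch-SMTP-Accept-Any-Recipient'                 # anonymous may relay to any recipient
)

function Get-AnonymousConnectorRight {
    # Emit one row per (connector, right) that the anonymous principal is allowed.
    foreach ($connector in Get-ReceiveConnector) {
        $aces = $connector | Get-ADPermission -User $anon | Where-Object { -not $_.Deny }
        foreach ($ace in $aces) {
            foreach ($right in $rights) {
                if ($ace.ExtendedRights -like $right) {
                    [pscustomobject]@{
                        Connector = $connector.Identity
                        Right     = $right
                        Inherited = $ace.IsInherited   # inherited entries are set on a parent object
                        Ace       = $ace
                    }
                }
            }
        }
    }
}

$findings = @(Get-AnonymousConnectorRight)
$findings | Format-Table Connector, Right, Inherited -AutoSize

# Preview (no change is made) the removal of the sender right only.
$findings | Where-Object { $_.Right -eq $rights[0] } |
    ForEach-Object { $_.Ace | Remove-ADPermission -WhatIf }
```

After reviewing the preview, rerun the last pipeline without -WhatIf, then run the function again to confirm the sender right no longer appears. Devices or applications that submit unauthenticated mail with an abc.com sender through the same connector will be rejected once the right is removed.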
  • Hi,

    Any update on your issue?
    If you have any other concerns, please feel free to let me know.

    Best Regards,

    Allen Wang



    Tuesday, June 13, 2017 2:13 PM
    Moderator