How to stop External E-Mail Addresses

  • Question

  • Hi,

    telnet exchange2013 25

    helo

    mail from: myuser@gmail.com

    sender OK

    rcpt to: myuser@myinternaldomain.com

    recipient ok

    rcpt to: otheruser@gmail.com

    recipient OK

    Is it possible to stop this? Any internal user can just telnet to exchange server on port 25 and use any email address internal or external and send email.

    Wednesday, January 22, 2020 8:04 AM

All replies

  • Hi,

    If you have an anonymous receive connector with the IP address range of end user client machines added in the remote IP ranges, then they would be able to send the emails.

    You should restrict the connector with only specific/required IPs.

    Thanks

    Wednesday, January 22, 2020 8:11 AM
  • This is a bad design and it looks like your default receive connector is open to everyone within LAN

    Please thoroughly check the connector property and remove unnecessary permissions


    Vinny | Freelancer (upwork) Azure Solutions Architect Associate| Office 365 Enterprise Administrator| Microsoft 365 Certified: Messaging Administrator Associate| ITILV3 | PMP

    Thursday, January 23, 2020 8:25 AM
  • Hi create_share,

    Agree with the above. You may need to configure your receive connector only to specific IPs. You can configure it through scope>Remote network settings. For details, you can have a read at this link.

    Regards,

    Beverly Gao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, January 23, 2020 9:28 AM
  • You have set an incorrect permission to allow anonymous relay then. It's OK to allow anonymous, just not anonymous relay (and open to everyone in the LAN is not necessarily a bad thing either, just don't allow anonymous relay unless that is your intent). Do you have apps that need to relay to external recipients? If so, then create specific receive connectors and scope to the sending server IPs and allow anonymous relay only on those scoped connectors.

    Otherwise:

    Do the reverse of this and check and remove any permissions that allow anonymous relay on that connector

    https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019





    Saturday, January 25, 2020 6:17 PM
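
The check and cleanup suggested in the reply above, as an added example that is not part of the original thread. It assumes the Exchange Management Shell and that relay was granted the way the linked article does it, as the `ms-Exch-SMTP-Accept-Any-Recipient` extended right for `NT AUTHORITY\ANONYMOUS LOGON`; variable names are illustrative.

```powershell
# Added example. Run in the Exchange Management Shell.
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'
$relay = 'ms-Exch-SMTP-Accept-Any-Recipient'   # right that lets a session send to any recipient

$report = foreach ($rc in Get-ReceiveConnector) {
    # Allow ACEs that give anonymous sessions the relay right on this connector
    $aces = @($rc | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match $relay })

    [pscustomobject]@{
        Connector      = "$($rc.Identity)"
        # Anonymous submission alone only accepts mail for your own domains
        AnonymousLogon = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
        # Anonymous relay is what lets the telnet session reach external recipients
        AnonymousRelay = $aces.Count -gt 0
        RemoteIPRanges = $rc.RemoteIPRanges -join ', '
        Bindings       = $rc.Bindings -join ', '
    }
}

# Overview: which connectors relay anonymously, and for which client IP ranges
$report | Sort-Object AnonymousRelay -Descending | Format-Table -AutoSize -Wrap

# Preview removal of the relay right wherever it is present
$open = @($report | Where-Object { $_.AnonymousRelay })
foreach ($c in $open) {
    Write-Warning "Anonymous relay allowed on '$($c.Connector)' from: $($c.RemoteIPRanges)"
    # -WhatIf only shows what would change; drop it to apply the removal
    Get-ReceiveConnector -Identity $c.Connector |
        Remove-ADPermission -User $anon -ExtendedRights $relay -WhatIf
}
```

For applications that must relay to external recipients, keep the right only on a dedicated connector whose `RemoteIPRanges` lists just those sending servers.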
  • Hi, I'm here to confirm with you if your issue has been resolved. If the problem is successfully solved, you can share your solution and mark them or the helpful reply as answer, this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Beverly Gao



    Monday, January 27, 2020 9:28 AM