Limit access to Internet Facing Exchange Server when using Cloud Email Gateway RRS feed

  • Question

  • Just checking, that apart from allowing specified IP Pools which is used to route mail to the Internet Facing Exchange Server from the Cloud Service what other ways can you protect the Exchange Server, otherwise someone would still be able to directly connect to the server (telnet etc) without being routed through mx to the Cloud Service.

    Thanks and Regards,

    Monday, June 4, 2018 12:00 PM


  • Hi Yanick,

    Nice to meet you.

    To prevent anonymous user to submit message, please run below command to remove ms-Exch-SMTP-Accept-Any-Recipient permission from “NT AUTHORITY\ANONYMOUS LOGON”.

    First, determine which receive connectors in the organization are open relay connectors:
    Get-ReceiveConnector | Get-ADPermission | Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} | FT Identity, User, ExtendedRights
    Then, run below command to remove permission:
    Get-ReceiveConnector "YourReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

    Best Regards,
    Allen Wang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    Tuesday, June 5, 2018 6:41 AM