How to require authentication in internal email on Exchange 2003

We have a standalone Exchange 2003 server, with the default SMTP Virtual Server authentication config. However, we've recently noticed that using a mail client, if we do not check the "Server requires SMTP authentication" option on the client, we can "spoof" senders on our internal email. I mean I can send an email to anyone else in the company and it shows as coming from whomever or whatever mail address I place in the address field. How can I force the server to require authentication from all users even if sending email internally? It works fine externally (it won't allow email without authentication), but it does not require it internally, which has led to some issues. Thanks for your help.
1 Solution
The problem you have here is that the default SMTP virtual server, running on port 25, *needs* Anonymous Authentication switched on. If it was turned off, you would instantly block all mail flow into your organisation, since other mail servers do not have any credentials with which to authenticate. When you have an SMTP account set up in Outlook, you are sending to this SMTP virtual server, which, since it allows anonymous connections (it will also accept users if they connect authenticated, that's not a problem), doesn't require authentication, yet it will happily accept and transmit the message internally since it is on the same domain.

The simplest option I can see would be to assign 2 IP addresses to your NIC. You can edit the default SMTP VS to use one of the IP addresses, and that IP address should also be the one which port 25 is forwarded to in your router's firewall. Then, you would set up another SMTP VS, bound to the other IP on port 25, in which you turn anonymous authentication off. Make sure the IP of this one is what is registered in DNS, so users don't know about the other one. Obviously, since it isn't accessible to the outside world and requires authentication anyway, the internal VS could also have relaying enabled if necessary.

Ideally, this would work best if the server was multihomed (2 NICs), but that's a bad idea with Exchange so don't do it.
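An added check to verify the two-virtual-server setup above (this is not code from the thread or from Exchange): it opens an unauthenticated SMTP session, issues MAIL FROM and RCPT TO with an internal sender and recipient, and reports whether the server accepts them. It stops before DATA, so nothing is queued or delivered. The domain and addresses are constructed placeholders, and `FakeVirtualServer` is a constructed stand-in so the check runs offline; `probe()` is what you would point at the real internal VS IP and at the default VS IP.

```python
import smtplib

INTERNAL_DOMAIN = "corp.example"          # placeholder internal domain
SENDER = "ceo@" + INTERNAL_DOMAIN          # address an unauthenticated client could claim
RECIPIENT = "staff@" + INTERNAL_DOMAIN     # internal mailbox the message would land in


def unauth_internal_submission_allowed(conn, sender=SENDER, recipient=RECIPIENT):
    """Return True if an UNauthenticated session gets through MAIL FROM and
    RCPT TO for an internal sender and internal recipient.

    `conn` is an already-connected smtplib.SMTP-like object. The probe never
    sends DATA, so no message is delivered; the session is reset and closed
    whatever the outcome.
    """
    try:
        code, _ = conn.ehlo()
        if code != 250:
            return False
        code, _ = conn.mail(sender)
        if code != 250:            # e.g. a 530 "authentication required" reply
            return False
        code, _ = conn.rcpt(recipient)
        return code in (250, 251)
    finally:
        for step in (conn.rset, conn.quit):
            try:
                step()
            except (smtplib.SMTPException, OSError):
                pass


def probe(host, port=25, timeout=10):
    """Run the check against a real SMTP virtual server (needs network access)."""
    return unauth_internal_submission_allowed(smtplib.SMTP(host, port, timeout=timeout))


class FakeVirtualServer:
    """Constructed stand-in for an SMTP virtual server so the check runs offline."""

    def __init__(self, anonymous_allowed):
        self.anonymous_allowed = anonymous_allowed

    def ehlo(self):
        return 250, b"OK"

    def mail(self, sender):
        # Default VS (anonymous on): MAIL FROM accepted from anyone.
        # Hardened internal VS (anonymous off): rejected before a recipient is named.
        return (250, b"OK") if self.anonymous_allowed else (530, b"Authentication required")

    def rcpt(self, recipient):
        return 250, b"OK"

    def rset(self):
        return 250, b"OK"

    def quit(self):
        return 221, b"Bye"


if __name__ == "__main__":
    print("default VS accepts unauthenticated internal mail:",
          unauth_internal_submission_allowed(FakeVirtualServer(True)))    # True
    print("internal VS accepts unauthenticated internal mail:",
          unauth_internal_submission_allowed(FakeVirtualServer(False)))   # False
```

After the change, `probe()` against the DNS-registered internal IP should return False, while against the externally forwarded IP it still returns True (that VS must stay anonymous for inbound mail from other servers).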

There is effectively nothing you can do about this.
What you are describing is one of the reasons why spam is such a major problem.
It is basically spoofing of the sender. Anyone can send an email to your server with anything in the from field. As long as the To:, CC: or BCC: is correct then it will be accepted by Exchange and delivered.
You cannot even block it internally that well, because of how Exchange handles the authentication or connection of the message.
