How to require authentication in internal email on Exchange 2003

Posted on 2007-10-16
Last Modified: 2013-11-30
We have a standalone Exchange 2003 server, with the default SMTP Virtual Server authentication config. However, we've recently noticed that using a mail client, if we do not check the "Server requires SMTP authentication" option on the client, we can "spoof" senders on our internal email. I mean I can send an email to anyone else in the company and it shows as coming from whomever or whatever mail address I place in the address field. How can I force the server to require authentication from all users even if sending email internally? It works fine externally - won't allow email without authentication, but does not require it internally, which has led to some issues. Thanks for your help.
Question by: welshiv

    Expert Comment

    The problem you have here is that the default SMTP virtual server, running on port 25, *needs* Anonymous Authentication switched on. If it was turned off, you would instantly block all mail flow into your organisation, since other mail servers do not know any credentials with which to authorise. When you have an SMTP account set up in Outlook, you are sending to this SMTP virtual server, which, since it allows anonymous connections (but will accept users if they connect authenticated, that's not a problem), doesn't require authentication, yet it will happily accept and transmit the message internally since it is on the same domain.

    The simplest option I can see would be to assign 2 IP addresses to your NIC card. You can edit the default SMTP VS to use one of the IP addresses, and that IP address should also be the one which port 25 is forwarded to in your router's firewall. Then, you would set up another SMTP VS, bound to the other IP on port 25, which you turn off anonymous authentication in. Make sure the IP of this one is what is registered in DNS, so users don't know about the other one. Obviously, since it isn't accessible to the outside world and requires authentication anyway, the internal VS could also have relaying enabled if necessary.

    Ideally, this would work best if the server was multihomed (2 NICs), but that's a bad idea with Exchange so don't do it.


    Accepted Solution

    There is effectively nothing you can do about this.
    What you are describing is one of the reasons why spam is such a major problem.
    It is basically spoofing of the sender. Anyone can send an email to your server with anything in the from field. As long as the To:, CC: or BCC: is correct then it will be accepted by Exchange and delivered.
    You cannot even block it internally that well, because of how Exchange handles the authentication or connection of the message.
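The two comments above describe the same trade-off from opposite ends: a second SMTP virtual server with anonymous access disabled can force internal clients to authenticate, but any virtual server that must accept mail from the Internet has to take anonymous connections for local recipients, so it will also accept a connection that claims an internal sender. The following model, an added example that is not code from the thread or from Exchange, makes that policy decision explicit. The domain, IP addresses and user names are constructed, and the decision function is a simplified stand-in for the real Access/Authentication and Relay settings on an Exchange 2003 SMTP virtual server.

```python
"""Policy model of the split SMTP virtual server design (added example).

Assumptions (not from the original thread): one accepted local domain,
two virtual servers on separate IPs, and a decide() function that stands
in for the virtual server's authentication and relay checks.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the organisation's only accepted domain.
LOCAL_DOMAINS = {"example.local"}


@dataclass(frozen=True)
class VirtualServer:
    name: str
    listen_ip: str
    allow_anonymous: bool       # "Anonymous access" on the Authentication dialog
    relay_for_authenticated: bool  # "Allow all computers which successfully authenticate to relay"


# Constructed configuration mirroring the first comment's proposal.
EXTERNAL_VS = VirtualServer("Default SMTP VS (Internet-facing)", "10.0.0.10",
                            allow_anonymous=True, relay_for_authenticated=False)
INTERNAL_VS = VirtualServer("Internal SMTP VS (auth required)", "10.0.0.11",
                            allow_anonymous=False, relay_for_authenticated=True)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5321 address."""
    return address.rsplit("@", 1)[-1].lower()


def decide(vs: VirtualServer, authenticated_as: Optional[str],
           mail_from: str, rcpt_to: str) -> Tuple[bool, str]:
    """Return (accepted, reply) for one MAIL FROM / RCPT TO pair.

    Order matters: authentication is evaluated first, so the internal VS
    rejects anonymous sessions before it ever looks at the recipient.
    """
    if authenticated_as is None and not vs.allow_anonymous:
        return False, "530 5.7.1 Client was not authenticated"
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        # A local recipient is accepted from any session the VS admits.
        # The envelope sender is not checked here, which is the gap the
        # accepted answer describes: an anonymous session can claim any
        # mail_from and still be delivered internally.
        return True, "250 2.1.5 Recipient OK"
    if authenticated_as is not None and vs.relay_for_authenticated:
        return True, "250 2.1.5 Recipient OK (authenticated relay)"
    return False, "550 5.7.1 Unable to relay"


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """Evaluate the cases discussed in the thread; returns (label, accepted, reply)."""
    spoofed_from = "ceo@example.local"       # constructed: the address being impersonated
    internal_rcpt = "staff@example.local"
    external_rcpt = "partner@example.net"
    cases = [
        ("anonymous client -> internal VS, internal recipient",
         INTERNAL_VS, None, spoofed_from, internal_rcpt),
        ("anonymous client -> external VS, internal recipient",
         EXTERNAL_VS, None, spoofed_from, internal_rcpt),
        ("authenticated user -> internal VS, internal recipient",
         INTERNAL_VS, "jsmith", "jsmith@example.local", internal_rcpt),
        ("authenticated user -> internal VS, external recipient (relay)",
         INTERNAL_VS, "jsmith", "jsmith@example.local", external_rcpt),
        ("anonymous client -> external VS, external recipient (relay)",
         EXTERNAL_VS, None, spoofed_from, external_rcpt),
    ]
    results = []
    for label, vs, user, mail_from, rcpt_to in cases:
        accepted, reply = decide(vs, user, mail_from, rcpt_to)
        results.append((label, accepted, reply))
    return results


if __name__ == "__main__":
    for label, accepted, reply in run_scenarios():
        print(f"{'ACCEPT' if accepted else 'REJECT':6}  {label}: {reply}")
```

Running it shows the residual risk in one line: the internal virtual server turns away the anonymous submission, but the same submission aimed at the Internet-facing virtual server is still accepted because that server has to take anonymous mail for local recipients. Keeping the external IP out of internal DNS, as the first comment suggests, hides that path from ordinary clients but does not close it, which is what the accepted answer means by saying it cannot be blocked that well.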

