Master-Squirrel
Open relay on Exchange 2007 Hub-Transport

Hi.
The theoretical question :-)

I have an Exchange organization with edges, hub-transport servers, client-access servers and mail storages. Now if some server (for example, antivirus) tries to send a mail via my hub-transport server it gets an error that authentication is required. Ok, I read that I can make a receive connector and configure this connector as secured, and all works well. But this is an open relay for my server!
The antivirus server can authorize (as it did on Exchange 2003) but now it's a problem.

I want to know: the antivirus server tries to send mail to myname@mydomain.com, where mydomain.com is configured as a local mail suffix. But authentication is still required.

So is it true that authentication is required for sending email from the antivirus server but not for receiving mail for @mydomain.com?
Mestha

Receiving email is different to sending email.

If the domain the message is being sent to is one on the list of domains Exchange knows it is responsible for, then the email will be received without authentication being required, because the server is not relaying. That should apply to your AV product as well.

The only time authentication would be required is to relay email through the server to an external recipient, that is because it is a relay attempt.

Therefore your AV product should not require authentication to send email to your server IF it is sending to internal recipients.

Simon.
Master-Squirrel

ASKER

Well, thanks for your answer, but meanwhile authentication is required for sending to mydomain.
I try to send email to the Distribution Group Mygroup@mydomain.com

I guess it's because the AV client tries to send a mail via Exchange. We are talking here about sending from Exchange first, and about receiving via Exchange second.

Here are my options on the default receive connector:

Permission Groups:
Anonymous, Exchange users, Exchange Servers
Legacy Exchange Servers

Authentication:
Transport Layer Security, Basic Authentication with Offer basic authentication only after TLS, Exchange Server authentication, Integrated Windows authentication
You didn't mention that it was a group.

By default on Exchange 2007 groups are set to require that all senders are authenticated. That isn't relaying settings, just authentication in general. You could turn off the requirement to authenticate and your server would be able to send email to the group.

Simon.
Thanks, but it's an open relay for my server!

I'll try to explain what I mean.
If I switch off authentication on my connector (Specify Externally Secured checkbox) I can send a mail both inside my organization and outside. But if I switch on authentication, my mail can't go anywhere. If authentication is on, any attempt to send a mail via this connector finishes with NDR "Authentication required"!
Which connector are you referring to? Send or Receive?
Externally secured will turn the server in to an open relay because Exchange is expecting another server to be responsible for authentication. If the connector is exposed to the internet then you have a problem.

The authentication settings I am referring to are on the group, not the connector.

Simon.
Well, I configure the receive connector. When I entered some name in this connector as the FQDN of my Exchange I got this message when I tried to connect to this connector. So I decided this is the one in use when I try to send a mail from my AV server.

I use this connector only for inside servers so I should not have a problem.

Let's see:
When my AV software tries to send a mail via Exchange, what type of connector is in use? Send or receive?
I see that the receive connector is in use, because if I change the authentication method to externally secured on the RECEIVE connector all works fine. But if I use any of the other methods I get an auth error.
"The authentication settings I am referring to are on the group, not the connector."

Look at http://www.quantumsoftware.com.au/Support/KB/Images/Exchange2007ReceiveConnectorPropertiesNetwork.gif

I see only one authentication settings tab.
That is a screenshot of the connector, not the group.
Groups in Exchange 2007 are set to require that all senders are authenticated by default, as I have already said. If you have an external server that you want to send to a group then you need to turn off that requirement in the properties of the group under Mail Flow Settings, Mail Delivery Restrictions.

Simon.
Well, I have an INTERNAL server that should send a mail to @mydomain.com
I read about groups in Exchange 2007 and found out that there is one right: ms-Exch-SMTP-Accept-Any-Recipient

As I understood it, if I configure some group for my receive connector that has this right, then mail received on this connector will be sent to any recipient, regardless of @mydomain.com or @external.domain

If so, this is an answer :-)
If the server is NOT an Exchange server, then as far as Exchange is concerned, it is an EXTERNAL server, not an internal server. Internal servers are only other Exchange servers.

Simon.
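To show how the two points above fit together (the group's sender-authentication requirement, and a relay permission scoped to one non-Exchange server instead of marking the default connector "Externally Secured"), here is an added Exchange 2007 Management Shell example; it is not from the thread. HUB01, 10.0.0.25 and "MyGroup" are placeholders.

```powershell
# Exchange 2007 Management Shell. Assumed placeholders: HUB01 is the
# hub-transport server, 10.0.0.25 is the antivirus server, "MyGroup" is
# the distribution group that rejected the unauthenticated sender.

# 1. Distribution groups require authenticated senders by default. Lifting
#    that on the group alone lets the AV server mail it; no relay involved.
Set-DistributionGroup -Identity "MyGroup" -RequireSenderAuthenticationEnabled $false

# 2. Do not set "Externally Secured" on the Default connector: it accepts
#    every remote address, so that setting makes it an open relay. Create a
#    connector that only the AV server's address matches instead. Exchange
#    picks the connector with the most specific RemoteIPRanges.
New-ReceiveConnector -Name "Relay - AV server" -Usage Custom -Server HUB01 `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.0.0.25 `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 3. Only this connector gets the right to accept recipients outside the
#    accepted domains (the ms-Exch-SMTP-Accept-Any-Recipient right named
#    in the thread). Anonymous senders on other connectors still cannot relay.
Add-ADPermission -Identity "HUB01\Relay - AV server" `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Audit: list every receive connector on which anonymous senders could
#    relay, with the remote ranges it accepts. A range of
#    0.0.0.0-255.255.255.255 on such a connector means an open relay.
Get-ReceiveConnector | ForEach-Object {
    $c = $_
    $anonRelay = $c | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" -and -not $_.Deny }
    if ($anonRelay -or ($c.AuthMechanism -match "ExternalAuthoritative")) {
        "{0}: anonymous relay allowed from {1}" -f $c.Identity, "$($c.RemoteIPRanges)"
    }
}
```

Step 4 is the check to keep running: the "Relay - AV server" connector should be the only line it prints, and its range should be the single AV server address.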
Ok, last question to close this topic, if you don't mind...
I have a receive connector for one of my internal servers (which is external for Exchange, as you said).

When I use this connector from the command line I type:
HELO ...
MAIL FROM
RCPT TO:<name@externaldomain.com>

and get an error that sending to external recipients is prohibited, but I can send a mail to the internal domain.

Why?

ASKER CERTIFIED SOLUTION
Mestha

Thanks :-)