akhalighi
asked on
How to secure exchange send/receive connectors
It's possible that I am wrong, but I have this feeling that some external users may be able to use my Exchange server.
Currently I have 3 receive connectors and one send connector.
Send connector doesn't have any specific restrictions in exchange 2010 SP1.
My receive connector is listening on everything (all IPv4 IP addresses) and the following permission groups are enabled:
Anonymous users
Exchange users
Exchange servers
Legacy exchange servers
Is this okay?
I want to make sure that our email server never ends up on a spam blacklist!
ASKER
Thanks Craig.
I already have another relay connector which listens on port 4500 and has IP address limits.
My default receive connector listens on port 25 and accepts anonymous. If I remove anonymous, will it still accept emails from the Internet without any issues?
ASKER
I removed "Anonymous Users" from the default receive connector (port 25); it looks okay.
ASKER
Hmm... this is odd. After a few hours, Exchange stopped receiving emails from external users (e.g. Hotmail); after I re-enabled anonymous, I was able to receive emails. Not sure if that was the cause... or something else... this is odd.
So you have your exchange hub transport server published to the internet - not a preferred solution :)
What you were seeing is expected if mail is coming direct to your hub transport.
Consider implementing an Edge Transport server in front of the Hub Transport server. This will scan email for viruses and spam before it comes to the Hub Transport.
Another option is to look at Forefront Online Protection for Exchange. This provides the same service in the cloud for a monthly fee.
Cheers,
Craig
ASKER
Hi Craig
Our environment is fairly small, almost 70 users.
The Exchange server is behind a firewall with advanced security features; it doesn't have a public IP assigned to it. There is a NAT rule in the firewall that sends SMTP traffic to the Exchange server. We also run Forefront Protection for Exchange on the Exchange server itself.
ASKER CERTIFIED SOLUTION
I would recommend the following:
1. Identify which servers in your environment will need to use Exchange as an SMTP relay.
2. Create a new receive connector, limiting connections only to the IP addresses of the servers identified in step 1 (you will still need to enable anonymous connections for the connector if the servers can authenticate prior to sending emails).
3. Remove anonymous connections from your existing connector.
4. Test sending emails from the allowed servers (manually telnetting to the Exchange server will suffice) and also from a client workstation (which should fail).
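The steps above carried out in the Exchange Management Shell, plus the telnet test written as a function, as an added example that is not Craig's or the asker's; the server name HUB01, the relay hosts 10.0.0.21/22 and the example.com domains are placeholders. One caveat the thread itself records: the Internet-facing port 25 connector has to keep Anonymous Users or external mail stops, so the relay restriction lives in the dedicated connector's IP range and in which connector grants the relay right.

```powershell
# Added example, not from the thread: Exchange 2010 Management Shell steps for the accepted
# answer plus the relay test it asks for. Placeholders: hub transport server HUB01, app servers
# 10.0.0.21/22 that must relay, relay connector on the thread's port 4500.
$Server     = 'HUB01'
$RelayHosts = '10.0.0.21', '10.0.0.22'

# Step 2: dedicated relay connector. RemoteIPRanges is the real control: anonymous is
# accepted, but only from the servers identified in step 1.
New-ReceiveConnector -Name 'Internal Relay' -Server $Server -Usage Custom `
    -Bindings '0.0.0.0:4500' -RemoteIPRanges $RelayHosts -PermissionGroups AnonymousUsers

# Relaying to external recipients also needs this extended right for anonymous logon;
# the permission group alone only allows delivery to local mailboxes.
Get-ReceiveConnector "$Server\Internal Relay" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Step 3: keep AnonymousUsers on the Internet-facing port 25 connector (removing it stopped
# Hotmail mail in the thread). Confirm that connector grants no relay right to anonymous:
Get-ReceiveConnector "$Server\Default $Server" |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' }   # expect no output

# Test step: the manual telnet check as a function. Returns the server's RCPT TO reply:
# 250 means relay accepted, 550 5.7.1 "Unable to relay" means refused.
function Test-SmtpRelay {
    param([string]$SmtpHost, [int]$Port = 25, [string]$From, [string]$To)
    $client = New-Object System.Net.Sockets.TcpClient($SmtpHost, $Port)
    $reader = New-Object System.IO.StreamReader($client.GetStream())
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.AutoFlush = $true
    $null = $reader.ReadLine()                                   # 220 banner
    foreach ($cmd in "EHLO relaycheck.example.com", "MAIL FROM:<$From>", "RCPT TO:<$To>") {
        $writer.WriteLine($cmd)
        do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')  # EHLO multi-line reply
    }
    $writer.WriteLine('QUIT')
    $client.Close()
    return $line
}

# From an allowed app server on port 4500 this should return 250; from a workstation on
# port 25 it should return 550 5.7.1 (and port 4500 should refuse the connection outright).
Test-SmtpRelay -SmtpHost 'mail.example.com' -From 'app@example.com' -To 'someone@external.example'
```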