Solved

How to secure exchange send/receive connectors

Posted on 2011-02-14
7
1,255 Views
Last Modified: 2012-05-11
It's possible that I am wrong but I got this feeling that some external users maybe able to use my exchange server.

Currently I have 3 receive connectors and one send connector.

Send connector doesn't have any specific restrictions in exchange 2010 SP1.

My receive connector is listening to anything ( all IPv4 IP addresses ) and following permissions group are enabled.

Anonymous users
Exchaneg users
Exchange servers
Legacy exchange servers

Is this okay ?

I want to make sure that our email server never ends up to spam black list !

0
Comment
Question by:akhalighi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 6

Expert Comment

by:craig_j_Lawrence
ID: 34894300
Having anonymous users enabled will allow anyone to connect to your recieve connector and send email, especially if you are not blocking connections via IP address.

I would recommend the following:
1. identify which servers in your environment will need to you Exchange as an SMTP relay
2. create a new recieve connector, limiting connections only from the IP addresses of the servers identified in step 1 (you will still need to enable anonymous connections for the connector if the servers can authenticate prior to sending emails)
3. remove anonymous connections from your existing connector.

test sending emails for the allowed servers (manually telnetting to the Exchange server will suffice)
and also from a client workstation (which shoudl fail)
0
 
LVL 10

Author Comment

by:akhalighi
ID: 34896653
Thanks Craig

I already have another Relay connector which listens on port 4500 and has IP address limits.

My default receive connector listens on port 25 and accepts anonymous. If I remve anonymous , does that still accepting emails from Internet withou any issues ?
0
 
LVL 10

Author Comment

by:akhalighi
ID: 34896926
I removed "Anonymous Users" from default receive connector ( port 25) , it looks okay .
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 10

Author Comment

by:akhalighi
ID: 34899792
Hmm ... this is odd ,, after a few hours , exchange has stopped receiving emails from external users (e.g. Hotmail) ; after I re-enabled anonymous ; I was able to receive emails. Not sure if that was the case ... or something else... this is odd.
0
 
LVL 6

Expert Comment

by:craig_j_Lawrence
ID: 34913283
So you have your exchange hub transport server published to the internet - not a preferred solution :)

What you were seeing is expected if mail is coming direct to your hub transport.

Consider implementing an edge transport server in front of the hub transport server. this will scan email for viruses and SPAM before it comes to the hub transport.

Another option is to look forefront online protection for Exchange. This provides the same service in the cloud for a monthly fee

Cheers,
Craig
0
 
LVL 10

Author Comment

by:akhalighi
ID: 34916062
Hi Craig

Our environment is fairly small. almost 70 users.
Exchange server is behind a firewall with advanced security features, it doesn't have a public IP assigned to it. There is a NAT rule in Firewall that sends SMTP traffic to Exchange server . also we run Forefront protection for exchange on exchange server itself.

0
 
LVL 6

Accepted Solution

by:
craig_j_Lawrence earned 500 total points
ID: 34922869
OK apologies for not asking this earlier. unless you have another server as an SMTP gateway in front of your exchange hub transport role, you will need to leave the default recieve connector set to accept anonymous connections.

This is not an ideal situation, I would definitely take a look at a SMTP gateway provider, such as forefront online protection for exchange. more information here
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question