Exchange 2010: Block server accepting mail that originates from outside domain that uses internal send/receive address

I need to find a way in Exchange 2010 to block mail that uses an internal "FROM" address being accepted if it is received from outside of the internal network.  

For example, the public domain name is  Right now, anyone can telnet to the mail server and use as the FROM address and can send mail to a known mailbox.  I need to block this from being allowed if the origin is from outside of the internal domain.

However, I have some legacy devices inside the network that need to be able to send mail anonymously to the internal address of the SMTP server.  For this reason, I can't just turn off or block all anonymous mail.  

I'd appreciate any thoughts on the best way to accomplish this.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan HardistyCo-OwnerCommented:
First of all - are you using any 3rd party Anti-Spam software or the built-in Exchange Anti-Spam software?
DynamiteMonkeyAuthor Commented:
GFI MailEssentials 2012 (Latest version)

The Exchange 2010 server is also the Hub Transport server and the GFI software is on that server too.
Alan HardistyCo-OwnerCommented:
Okay - not sure about the capabilities of GFI, but the following command should sort the problem for you:

Get-ReceiveConnector “Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

Change the "Internet ReceiveConnector" to match your public facing Receive Connector Name and run the command.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

DynamiteMonkeyAuthor Commented:
I ran it and it is working perfectly for the inbound mail being blocked.  Thanks for the quick response.  

However, anonymous internal mail is also now being blocked.  I basically need it so if a machine of any type is on the internal network (not domain authenticated) it is able to send mail through the mail server.  The from address could be
Alan HardistyCo-OwnerCommented:
Setup a new Receive Connector for your internal LAN only and then you should be fine.

If you external and internal traffic uses the same Receive Connector that's why you are having this problem.

DynamiteMonkeyAuthor Commented:
Ok, all done.  I restricted the new connector by internal IP and allowed anonymous connections.  Everything is working.  

Thanks for the fast responses.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.