Solved

SMTP RELAY for Exchange 2010

Posted on 2014-01-07
Last Modified: 2014-01-07
We just installed JIRA on our local network.  I'd like it to be able to send outbound emails via SMTP.  I've never set up a send/receive connector in Exchange 2010 before.  I'm wondering what security issues I may have around following this set of instructions... or if this is what I should be doing.  Please advise.

https://confluence.atlassian.com/display/JIRA/How+to+Set+Up+SMTP+Relay+in+Exchange+2007

Thanks!
Question by:2_under_par
Accepted Solution

by:
Frosty555 earned 500 total points
ID: 39763684
The Receive Connector in Exchange is a profile that defines how Exchange will accept incoming SMTP connections (either for the purposes of delivering incoming mail to your users, or for the purposes of relaying outbound mail on behalf of a client such as Outlook, or another server such as JIRA).

You can make several receive connectors and can define a few rules for how they behave:

- What network interface(s) is it listening on and on what port(s)? (This is the "Local IP addresses" section)
- What IP addresses will it accept incoming connections from? (This is the "Remote IP addresses" section)
- Does it insist on a TLS/SSL encrypted connection? (This is the Transport Layer Security checkbox in the authentication section)
- Does it require username/password authentication? (This is the "Basic Authentication" checkbox)
- Are incoming connections allowed to just send the mail without first providing authentication? (This is the "Anonymous Users" checkbox in the Permission Groups section), or does it require a valid username/password for one of your mailboxes (The "Exchange Users" checkbox).


Everything in the JIRA guide is fine, except for that last bit. The PowerShell command:

Get-ReceiveConnector "JiraTest" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This, combined with ticking the "Anonymous Users" checkbox, basically means this particular receive connector is an "open relay" - JIRA server (or anyone who uses the JIRA server's IP address) is given unfettered access to relay mail through your Exchange server, from anybody, to anybody. Without authenticating.  

Normally an open relay like this is a big no-no. The danger is mitigated because you have restricted access to this Receive Connector to only the IP addresses of the JIRA server, which means so long as your JIRA server is not compromised, and so long as nobody steals the JIRA server's IP address, it should be fine.

So theoretically, it should be fine. But IMHO, I would have preferred to require authentication. Create a service account for JIRA, give it a big randomized password and then configure JIRA to use that, and tick the "Exchange Users" checkbox instead of the "Anonymous Users" checkbox in the receive connector.

Putting it on a nonstandard port other than port 25 wouldn't be a bad idea either... although maybe it would be unnecessary, especially if this is all happening on your LAN.
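
The authenticated setup recommended in the answer above, as an added Exchange Management Shell example that is not part of the original answer or of the JIRA guide. The server name, connector name, IP address and port are placeholders, and requiring TLS for basic authentication is an assumption beyond what the answer states.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# All values below are placeholders, not taken from the thread.
$Server = 'EXCH01'        # hypothetical Exchange server name
$JiraIp = '192.0.2.10'    # placeholder for the JIRA server's IP address
$Port   = 2525            # assumed nonstandard port, as the answer suggests

# 1. Audit: report every receive connector where ANONYMOUS LOGON holds the
#    "accept any recipient" right, i.e. the open-relay condition the answer
#    describes, together with the source IP ranges that can reach it.
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $anonRelay = Get-ADPermission -Identity $connector.Identity | Where-Object {
        $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
        -not $_.Deny
    }
    if ($anonRelay) {
        New-Object PSObject -Property @{
            Connector        = $connector.Identity
            AnonymousGroupOn = [bool]($connector.PermissionGroups -match 'AnonymousUsers')
            RemoteIPRanges   = ($connector.RemoteIPRanges -join ', ')
            Bindings         = ($connector.Bindings -join ', ')
        }
    }
} | Format-List

# 2. Create a connector for JIRA that only accepts authenticated mailbox users.
#    -PermissionGroups ExchangeUsers is the "Exchange Users" checkbox;
#    BasicAuthRequireTLS keeps the service account password off the wire in clear text.
New-ReceiveConnector -Name 'JIRA Authenticated Relay' -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:$Port" `
    -RemoteIPRanges $JiraIp `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 3. If the anonymous connector from the guide already exists, revoke the relay
#    right and switch it off anonymous access (connector name as used in the answer).
Get-ReceiveConnector 'JiraTest' |
    Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' -Confirm:$false
Set-ReceiveConnector 'JiraTest' -PermissionGroups ExchangeUsers
```

JIRA's outgoing mail server then needs the service account's username and password, TLS enabled, and the port set to match the connector binding.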

Author Closing Comment

by:2_under_par
ID: 39764054
Very good explanation, Frosty.  Thank you!  Thank you!