Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SMTP RELAY for Exchange 2010

Posted on 2014-01-07
2
Medium Priority
?
1,117 Views
Last Modified: 2016-12-08
We just installed JIRA on our local network.  I'd like it to be able to send outbound emails via SMTP.  I've never set up a send/receive connector in Exchange 2010 before.  I'm wondering what security issues I may have around following this set of instructions... or if this is what I should be doing.  Please advise.

https://confluence.atlassian.com/display/JIRA/How+to+Set+Up+SMTP+Relay+in+Exchange+2007

Thanks!
0
Comment
Question by:2_under_par
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 31

Accepted Solution

by:
Frosty555 earned 2000 total points
ID: 39763684
The Receive Connector in Exchange is a profile that defines how Exchange will accept incoming SMTP connections (either for the purposes of delivering incoming mail to your users, or for the purposes of relaying outbound mail on behalf of a client such as Outlook, or another server such as JIRA).

You can make several receive connectors and can define a few rules for how they behave:

- What network interface(s) is it listening on and on what port(s)? (This is the "Local ip addresses" section)
- What IP addresses will it accept incoming connections from? (This is the "Remote ip addresses" section)
- Does it insist on a TLS/SSL encrypted connection? (This is the Transport Layer Security checkbox in the authentication section)
- Does it require username/password authentication? (This is the "Basic Authentication" checkbox)
- Are incoming connections allowed to just send the mail without first providing authentication? (This is the "Anonymous Users" checkbox in the Permission Groups section), or does it require a valid username/password for one of your mailboxes (The "Exchange Users" checkbox).


Everything in the JIRA guide is fine, except for that last bit. The powershell command:

Get-ReceiveConnector "JiraTest" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This, combined with ticking the "Anonymous Users" checkbox, basically means this particular receive connector is an "open relay" - JIRA server (or anyone who uses the JIRA server's IP address) is given unfettered access to relay mail through your Exchange server, from anybody, to anybody. Without authenticating.  

Normally an open relay like this is a big no-no. The danger is mitigated because you have restricted access to this Receive Connector to only the IP addresses of the JIRA server, which means so long as your JIRA server is not compromised, and so long as nobody steals the JIRA server's IP address, it should be fine.

So theoretically, it should be fine. But IMHO, I would have preferred to require authentication. Create a service account for Jira, give it a big randomized password and then configure JIRA to use that, and tick the "Exchange Users" checkbox instead of the "Anonymous Users" checkbox in the receive connector.

Putting it on a nonstandard port other than port 25 wouldn't be a bad idea either... although maybe it would be unnecessary, especially if this is all happening on your LAN.
0
 

Author Closing Comment

by:2_under_par
ID: 39764054
Very good explanation, Frosty.  Thank you!  Thank you!
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question