SMTP RELAY for Exchange 2010

Posted on 2014-01-07
Last Modified: 2016-12-08
We just installed JIRA on our local network.  I'd like it to be able to send outbound emails via SMTP.  I've never set up a send/receive connector in Exchange 2010 before.  I'm wondering what security issues I may have around following this set of instructions... or if this is what I should be doing.  Please advise.

https://confluence.atlassian.com/display/JIRA/How+to+Set+Up+SMTP+Relay+in+Exchange+2007

Thanks!
Question by:2_under_par
Accepted Solution

by:
Frosty555 earned 500 total points
ID: 39763684
The Receive Connector in Exchange is a profile that defines how Exchange will accept incoming SMTP connections (either for the purposes of delivering incoming mail to your users, or for the purposes of relaying outbound mail on behalf of a client such as Outlook, or another server such as JIRA).

You can make several receive connectors and can define a few rules for how they behave:

- What network interface(s) is it listening on and on what port(s)? (This is the "Local ip addresses" section)
- What IP addresses will it accept incoming connections from? (This is the "Remote ip addresses" section)
- Does it insist on a TLS/SSL encrypted connection? (This is the Transport Layer Security checkbox in the authentication section)
- Does it require username/password authentication? (This is the "Basic Authentication" checkbox)
- Are incoming connections allowed to just send the mail without first providing authentication? (This is the "Anonymous Users" checkbox in the Permission Groups section), or does it require a valid username/password for one of your mailboxes (The "Exchange Users" checkbox).


Everything in the JIRA guide is fine, except for that last bit. The PowerShell command:

Get-ReceiveConnector "JiraTest" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This, combined with ticking the "Anonymous Users" checkbox, basically means this particular receive connector is an "open relay" - JIRA server (or anyone who uses the JIRA server's IP address) is given unfettered access to relay mail through your Exchange server, from anybody, to anybody. Without authenticating.  

Normally an open relay like this is a big no-no. The danger is mitigated because you have restricted access to this Receive Connector to only the IP addresses of the JIRA server, which means so long as your JIRA server is not compromised, and so long as nobody steals the JIRA server's IP address, it should be fine.

So theoretically, it should be fine. But IMHO, I would have preferred to require authentication. Create a service account for Jira, give it a big randomized password and then configure JIRA to use that, and tick the "Exchange Users" checkbox instead of the "Anonymous Users" checkbox in the receive connector.

Putting it on a nonstandard port other than port 25 wouldn't be a bad idea either... although maybe it would be unnecessary, especially if this is all happening on your LAN.
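
The authenticated setup recommended in the answer above, sketched for the Exchange Management Shell as an added example (not part of the original answer or the Atlassian guide). The connector name, port 2525 and the address 192.0.2.10 are placeholder assumptions; it also assumes the JIRA service account already has a mailbox and that the server has a certificate usable for STARTTLS.

```powershell
# Added example. Values marked "placeholder" are assumptions, not from the page.
$jiraIp   = '192.0.2.10'                 # placeholder: the JIRA server's IP address
$connName = 'JIRA Authenticated Relay'   # placeholder: hypothetical connector name
$anon     = 'NT AUTHORITY\ANONYMOUS LOGON'
$right    = 'ms-Exch-SMTP-Accept-Any-Recipient'

# 1. Audit: report every receive connector that lets unauthenticated clients
#    relay to any recipient, and from which source addresses.
foreach ($rc in Get-ReceiveConnector) {
    $grant = $rc | Get-ADPermission | Where-Object {
        $_.User -like $anon -and $_.ExtendedRights -like $right -and -not $_.Deny
    }
    if ($grant) {
        New-Object PSObject -Property @{
            Connector      = $rc.Identity
            Bindings       = ($rc.Bindings -join ', ')
            RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
            AnonymousGroup = ($rc.PermissionGroups -match 'AnonymousUsers')
        }
    }
}

# 2. Create a connector that only the JIRA host can reach and that requires a
#    login. BasicAuthRequireTLS means credentials are accepted only after
#    STARTTLS, so the service account password is not sent in clear text.
New-ReceiveConnector -Name $connName -Usage Custom `
    -Bindings '0.0.0.0:2525' `
    -RemoteIPRanges $jiraIp `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 3. After JIRA has been switched to the new port and service account, take the
#    anonymous relay right off the connector built from the guide ("JiraTest"
#    is the name used in the command quoted in the answer).
Get-ReceiveConnector 'JiraTest' |
    Remove-ADPermission -User $anon -ExtendedRights $right

# 4. Confirm the resulting settings.
Get-ReceiveConnector $connName |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups
```

If step 1 prints a connector whose RemoteIPRanges covers more than the intended application hosts, that connector is relaying for a wider set of machines than planned.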

Author Closing Comment

by:2_under_par
ID: 39764054
Very good explanation, Frosty.  Thank you!  Thank you!