SMTP RELAY for Exchange 2010

We just installed JIRA on our local network.  I'd like it to be able to send outbound emails via SMTP.  I've never set up a send/receive connector in Exchange 2010 before.  I'm wondering what security issues I may have around following this set of instructions... or if this is what I should be doing.  Please advise.

https://confluence.atlassian.com/display/JIRA/How+to+Set+Up+SMTP+Relay+in+Exchange+2007

Thanks!
2_under_par Asked:

Frosty555 Commented:
The Receive Connector in Exchange is a profile that defines how Exchange will accept incoming SMTP connections (either for the purposes of delivering incoming mail to your users, or for the purposes of relaying outbound mail on behalf of a client such as Outlook, or another server such as JIRA).

You can make several receive connectors and can define a few rules for how they behave:

- What network interface(s) is it listening on and on what port(s)? (This is the "Local ip addresses" section)
- What IP addresses will it accept incoming connections from? (This is the "Remote ip addresses" section)
- Does it insist on a TLS/SSL encrypted connection? (This is the Transport Layer Security checkbox in the authentication section)
- Does it require username/password authentication? (This is the "Basic Authentication" checkbox)
- Are incoming connections allowed to just send the mail without first providing authentication? (This is the "Anonymous Users" checkbox in the Permission Groups section), or does it require a valid username/password for one of your mailboxes (The "Exchange Users" checkbox).


Everything in the JIRA guide is fine, except for that last bit. The PowerShell command:

Get-ReceiveConnector "JiraTest" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This, combined with ticking the "Anonymous Users" checkbox, basically means this particular receive connector is an "open relay" - JIRA server (or anyone who uses the JIRA server's IP address) is given unfettered access to relay mail through your Exchange server, from anybody, to anybody. Without authenticating.  

Normally an open relay like this is a big no-no. The danger is mitigated because you have restricted access to this Receive Connector to only the IP addresses of the JIRA server, which means so long as your JIRA server is not compromised, and so long as nobody steals the JIRA server's IP address, it should be fine.

So theoretically, it should be fine. But IMHO, I would have preferred to require authentication. Create a service account for Jira, give it a big randomized password and then configure JIRA to use that, and tick the "Exchange Users" checkbox instead of the "Anonymous Users" checkbox in the receive connector.

Putting it on a nonstandard port other than port 25 wouldn't be a bad idea either... although maybe it would be unnecessary, especially if this is all happening on your LAN.
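
The check and the authenticated alternative described in the answer above, as an added example for the Exchange Management Shell; it is not part of the original answer or of the JIRA guide. The function names are hypothetical, "JiraTest" is the connector name from the guide's command, and requiring TLS before Basic authentication is an assumption that the JIRA host can negotiate STARTTLS and trusts the Exchange certificate.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'

# Read-only audit (hypothetical function name): one row per receive connector,
# showing whether it accepts anonymous sessions, whether anonymous senders may
# relay to any recipient, and which source addresses it accepts.
function Get-AnonymousRelayReport {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        # Allow ACEs that grant the relay right to ANONYMOUS LOGON on this connector
        $grant = @($rc | Get-ADPermission -User $anon -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) })
        New-Object PSObject -Property @{
            Connector      = $rc.Identity
            Bindings       = ($rc.Bindings -join ', ')
            RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
            AnonymousUsers = [bool]($rc.PermissionGroups -match 'AnonymousUsers')
            AnyRecipient   = ($grant.Count -gt 0)
        }
    }
}

# Changes configuration (hypothetical function name): switch a relay connector
# from anonymous relay to authenticated submission by a service account.
function Set-RelayAuthenticated {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Withdraw the anonymous relay right added by the guide's last command.
    # Remove-ADPermission prompts for confirmation before it changes the ACL.
    Get-ReceiveConnector $Name |
        Remove-ADPermission -User $anon -ExtendedRights $relayRight

    # "Exchange Users" instead of "Anonymous Users"; Basic authentication is
    # offered only after TLS so the service account password is not sent in clear.
    Set-ReceiveConnector $Name `
        -PermissionGroups ExchangeUsers `
        -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS
}

# Audit first and review the table before changing anything.
Get-AnonymousRelayReport |
    Sort-Object Connector |
    Format-Table Connector, AnonymousUsers, AnyRecipient, RemoteIPRanges, Bindings -AutoSize

# Then, for the connector created from the guide:
# Set-RelayAuthenticated -Name 'JiraTest'
```

A row with AnonymousUsers and AnyRecipient both True is an anonymous relay, and its RemoteIPRanges value is the only thing limiting who can use it.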

2_under_par Author Commented:
Very good explanation, Frosty.  Thank you!  Thank you!