Solved

SMTP RELAY for Exchange 2010

Posted on 2014-01-07
2
1,107 Views
Last Modified: 2016-12-08
We just installed JIRA on our local network.  I'd like it to be able to send outbound emails via SMTP.  I've never set up a send/receive connector in Exchange 2010 before.  I'm wondering what security issues I may have around following this set of instructions... or if this is what I should be doing.  Please advise.

https://confluence.atlassian.com/display/JIRA/How+to+Set+Up+SMTP+Relay+in+Exchange+2007

Thanks!
0
Comment
Question by:2_under_par
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 31

Accepted Solution

by:
Frosty555 earned 500 total points
ID: 39763684
The Receive Connector in Exchange is a profile that defines how Exchange will accept incoming SMTP connections (either for the purposes of delivering incoming mail to your users, or for the purposes of relaying outbound mail on behalf of a client such as Outlook, or another server such as JIRA).

You can make several receive connectors and can define a few rules for how they behave:

- What network interface(s) is it listening on and on what port(s)? (This is the "Local ip addresses" section)
- What IP addresses will it accept incoming connections from? (This is the "Remote ip addresses" section)
- Does it insist on a TLS/SSL encrypted connection? (This is the Transport Layer Security checkbox in the authentication section)
- Does it require username/password authentication? (This is the "Basic Authentication" checkbox)
- Are incoming connections allowed to just send the mail without first providing authentication? (This is the "Anonymous Users" checkbox in the Permission Groups section), or does it require a valid username/password for one of your mailboxes (The "Exchange Users" checkbox).


Everything in the JIRA guide is fine, except for that last bit. The powershell command:

Get-ReceiveConnector "JiraTest" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This, combined with ticking the "Anonymous Users" checkbox, basically means this particular receive connector is an "open relay" - JIRA server (or anyone who uses the JIRA server's IP address) is given unfettered access to relay mail through your Exchange server, from anybody, to anybody. Without authenticating.  

Normally an open relay like this is a big no-no. The danger is mitigated because you have restricted access to this Receive Connector to only the IP addresses of the JIRA server, which means so long as your JIRA server is not compromised, and so long as nobody steals the JIRA server's IP address, it should be fine.

So theoretically, it should be fine. But IMHO, I would have preferred to require authentication. Create a service account for Jira, give it a big randomized password and then configure JIRA to use that, and tick the "Exchange Users" checkbox instead of the "Anonymous Users" checkbox in the receive connector.

Putting it on a nonstandard port other than port 25 wouldn't be a bad idea either... although maybe it would be unnecessary, especially if this is all happening on your LAN.
0
 

Author Closing Comment

by:2_under_par
ID: 39764054
Very good explanation, Frosty.  Thank you!  Thank you!
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
Read this checklist to learn more about the 15 things you should never include in an email signature.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month7 days, 17 hours left to enroll

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question