Solved

Exchange Server 2013 allows outside systems to send mail as internal users

Posted on 2014-04-12
3
649 Views
Last Modified: 2014-04-13
Dear Support,

I have a new customer with Exchange 2013 and they are receiving email to their internal mailboxes that is addressed as if it came from other employees in the organization.  I know that this can be fixed in Exchange 2010 by using the command:

Get-ReceiveConnector "Default Frontend" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

I have run this command in Exchange 2013 and it removed the permission but I can still telnet from an outside system and send emails to internal users as if from internal users.  I have restarted the MS Exchange Transport service and this did not solve the problem.

What I would like to know is if this command is no longer relevant in Exchange 2013?  If this is so how would I go about preventing outside systems from creating emails that look like they came from internal users?  If this command should still work does this mean that the Exchange Server has other problems that are not evident?  Like I said this customer is new and I have little back ground on the system.  I am hesitant to jump down the rabbit hole of windows updates and other measures until I know that the command is valid.  I was asked to focus only on this one issue.

Thanks
0
Comment
Question by:AndrewEckstrom
  • 2
3 Comments
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 250 total points
ID: 39996511
I've read in other forums that this is some kind of "bug" ... It doesn't work like it should for others either ... That being said, the workaround they found was to create a new receive connector and define it as a Hub Transport and not a Front-End Transport... That did the trick to solve the issue... Maybe it helps you?
0
 

Author Comment

by:AndrewEckstrom
ID: 39996894
Dear spravtek,

That suggestion has solved the immediate problem.  Since this solution appears to not be part of Microsoft's best practices are there any steps that I need to take into consideration to make sure that the connector does not open unexpected security holes?

Thanks
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39996952
Hi AndrewEckstrom,

I don't think there will be any issues with this no, though normally it should indeed not be configured like this ... I haven't come across any official documentation either, when I get the change I'll try to ask one of the Exchange guru's I know if he knows more... But that takes a while.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Resolve DNS query failed errors for Exchange
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now