Solved

Exchange Server 2013 allows outside systems to send mail as internal users

Posted on 2014-04-12
3
654 Views
Last Modified: 2014-04-13
Dear Support,

I have a new customer with Exchange 2013 and they are receiving email to their internal mailboxes that is addressed as if it came from other employees in the organization.  I know that this can be fixed in Exchange 2010 by using the command:

Get-ReceiveConnector "Default Frontend" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

I have run this command in Exchange 2013 and it removed the permission but I can still telnet from an outside system and send emails to internal users as if from internal users.  I have restarted the MS Exchange Transport service and this did not solve the problem.

What I would like to know is if this command is no longer relevant in Exchange 2013?  If this is so how would I go about preventing outside systems from creating emails that look like they came from internal users?  If this command should still work does this mean that the Exchange Server has other problems that are not evident?  Like I said this customer is new and I have little back ground on the system.  I am hesitant to jump down the rabbit hole of windows updates and other measures until I know that the command is valid.  I was asked to focus only on this one issue.

Thanks
0
Comment
Question by:AndrewEckstrom
  • 2
3 Comments
 
LVL 25

Accepted Solution

by:
Zephyr ICT earned 250 total points
ID: 39996511
I've read in other forums that this is some kind of "bug" ... It doesn't work like it should for others either ... That being said, the workaround they found was to create a new receive connector and define it as a Hub Transport and not a Front-End Transport... That did the trick to solve the issue... Maybe it helps you?
0
 

Author Comment

by:AndrewEckstrom
ID: 39996894
Dear spravtek,

That suggestion has solved the immediate problem.  Since this solution appears to not be part of Microsoft's best practices are there any steps that I need to take into consideration to make sure that the connector does not open unexpected security holes?

Thanks
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39996952
Hi AndrewEckstrom,

I don't think there will be any issues with this no, though normally it should indeed not be configured like this ... I haven't come across any official documentation either, when I get the change I'll try to ask one of the Exchange guru's I know if he knows more... But that takes a while.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now