Garry Shape
asked on
Exchange 2010 Receivers - Permission Group question
In Exchange 2010 Hub Transport for Receive Connectors, what does the "Exchange servers" Permission Group mean?
Does that mean that the Receive Connector could be used as a relay from an internal device such as a backup device?
Or does "Anonymous Users" have to be checked?
The backup device is on the subnet that is allowed on the Network list, so does it even need any permission groups as long as it's sending to accepted domain addresses (recipient@OurOrganization.com)?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
Wow you're right it looks like I was able to relay from the outside world. Who the #$%! thought it'd be good to turn that on...?
Amazing...
ASKER
So Anonymous Access just means that while the mail server is accessible without being authenticated, you can still only send to/from a recipient who's on an accepted domain.
So it doesn't mean you could relay and use from address at yahoo.com to send to anyone at another domain like gmail.com.
But you could make from address any e-mail on the internet, sending to an accepted domain.com user in the Exchange organization..?
SOLUTION
ASKER
Yeah because to me that means somebody could send e-mail to/from people within the organization, as a prank or social engineering. Maybe even include a file attachment that's malicious and users will open it trusting the "sender".
ASKER
I have SmartSniff running on TCP port 25 to see what connects. That may help me figure out what servers use the specific relay.
If I create the same receive connector on another hub transport in the same organization, would that offer redundancy in case the other hub transport went down?
Would I just have to configure the same FQDN, IP addresses and permission groups?
SOLUTION
ASKER
Thanks a lot. Hopefully after this I can get separate OWA client access servers and load balance them.
However I'm on 2010 and I'd imagine it'd be best to just spin up 2013 and migrate mailboxes.
I hear the 2013 is better than 2010 in terms of high availability, performance and reliability.
Haven't seen any comparisons on HA specifically though.
SOLUTION
ASKER
On the other Hub Transport server Mail1, I noticed on the "Default Mail2", the range is 0.0.0.0-255.255.255.255
It has "Anonymous users", "Exchange users" and "Exchange Servers" checked.
Authentication has TLS, Basic/Offer, Exchange server and Integrated Windows authentications checked...
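
An added example, not part of the original thread: a read-only Exchange Management Shell audit that lists each Receive Connector's remote IP ranges, permission groups and authentication mechanisms, and flags connectors where anonymous sessions hold the `ms-Exch-SMTP-Accept-Any-Recipient` right (the right that permits relay to non-accepted domains) or where Externally Secured authentication is enabled. The variable names, output column names and finding strings are this example's own.

```powershell
# Read-only audit; run in the Exchange Management Shell. Changes nothing.
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Flag enums and IP ranges are compared as text so this also works
    # against the deserialized objects returned by remote PowerShell.
    $groups = $rc.PermissionGroups.ToString()
    $auth   = $rc.AuthMechanism.ToString()
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })

    # Extended rights granted (not denied) to anonymous sessions here.
    $anonRights = @($rc | Get-ADPermission -User $anon -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        Where-Object { $_ } |
        ForEach-Object { $_.ToString() })

    $anonGroup  = $groups -match 'AnonymousUsers'
    $anonRelay  = $anonRights -contains $relayRight
    $extSecured = $auth -match 'ExternalAuthoritative'   # "Externally Secured"
    $anyIPv4    = $ranges -contains '0.0.0.0-255.255.255.255'

    if (($anonRelay -or $extSecured) -and $anyIPv4) {
        $finding = 'REVIEW NOW: unauthenticated relay possible from any IPv4 address'
    } elseif ($anonRelay -or $extSecured) {
        $finding = 'Relay connector: confirm RemoteIPRanges lists only intended hosts'
    } elseif ($anonGroup) {
        $finding = 'Anonymous submission, no any-recipient right for anonymous'
    } else {
        $finding = 'Authenticated senders only'
    }

    New-Object PSObject -Property @{
        Connector        = $rc.Identity.ToString()
        RemoteIPRanges   = $ranges -join ', '
        PermissionGroups = $groups
        AuthMechanism    = $auth
        AnonAnyRecipient = $anonRelay
        Finding          = $finding
    }
}

$report |
    Select-Object Connector, RemoteIPRanges, PermissionGroups, AuthMechanism, AnonAnyRecipient, Finding |
    Format-List
```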