Recently I set up an Exchange 2016 Server. Everything looks fine except the Exchange 2016 default Receive connector allows internal relay.
E.g.: There are two email addresses, eric@abc.com and andrew@abc.com, in my domain abc.com. An anonymous user can send emails to andrew@abc.com on behalf of eric@abc.com (no authentication required). But if an anonymous user tries to send an email to jason@condoso.com using eric@abc.com, Exchange will refuse to send it.
May I know what I could do to restrict user authentication even for emails in the internal domain? I cannot disable the Anonymous users; otherwise the Exchange server will not receive any emails.
Last Comment
David_zu
8/22/2022 - Mon
Neil Russell
Internal connector should never need anon access.
Emails from the Internet do not come via the internal connector.
David_zu
ASKER
After Exchange Setup, there are 5 receive connectors by default. Default Frontend is the one facing the Internet and receives emails via port 25. The security settings are set as default.
Why on earth would you want to allow internal users to send unauthenticated? Using what client to send?
This would be a big security risk and a daft thing to do, to be honest, without a very, very good reason.
David_zu
ASKER
Yes, I agree. I don't want users to send emails without authentication, no matter whether they are sent to an external domain or an internal domain. But after I configured Exchange, it is the behaviour by default. I need to know how to stop it.
Currently port 587 has no issue. All senders need to be authenticated. But on port 25, senders don't need to be authenticated if the From and To addresses are in the same hosted domain (I want to stop it). I cannot simply untick "Anonymous users"; otherwise no email will go into the server.
Port 25 is bound to the Front End Transport role, which I believe shall be the external connector. "The external connectors shall never be accepting emails that are from your internal users". This is exactly what I want, but I cannot find a way to do it. I cannot find it in the web UI. If it shall be done from PowerShell, please help to provide the PowerShell command. It is a single Exchange server deployment.
I set up the Edge server, and so far this shall be the only way to block unauthorised spam mail. I still cannot find a proper way to block the unauthorised emails without an Edge server.
David_zu
ASKER
The Edge Transport server so far is the only way to block unauthorised emails.
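A way to get the behaviour asked for in the thread from PowerShell on a single-server deployment, given here as an added example that is not from any poster above: keep the Anonymous users permission group on the Internet-facing connector, but remove from the anonymous principal the one extended right that lets an unauthenticated session use a sender address in an accepted domain. Assumptions: `EXCH01` is a placeholder server name, and the connector still has its default name `Default Frontend <server>`.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2016 server.
# ASSUMPTION: EXCH01 is a placeholder; replace it with your own server name.
$server = 'EXCH01'
$anon   = 'NT AUTHORITY\ANONYMOUS LOGON'
$right  = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

# The Internet-facing port 25 connector discussed in the thread.
$connector = Get-ReceiveConnector -Identity "$server\Default Frontend $server"

# 1. Audit: show every extended right the anonymous principal currently holds
#    on this connector, so the change can be reviewed and reverted later.
$before = $connector | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -and -not $_.Deny }
$before | Select-Object User, ExtendedRights, IsInherited | Format-Table -AutoSize

# 2. Remove only the right that allows an unauthenticated session to send as
#    an address in one of the organization's authoritative (accepted) domains.
#    Anonymous inbound mail from external sender addresses is left untouched.
$target = $before | Where-Object { $_.ExtendedRights -like $right }
if ($target) {
    $target | Remove-ADPermission -Confirm:$false
    Write-Host "Removed $right from $anon on '$($connector.Identity)'."
} else {
    Write-Host "$right is not granted to $anon on '$($connector.Identity)'."
}

# 3. Verify: the right must no longer appear for the anonymous principal.
$after = $connector | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right -and -not $_.Deny }
if ($after) {
    Write-Warning "$right is still present; check for an inherited permission."
} else {
    Write-Host "Unauthenticated sessions can no longer use accepted-domain sender addresses."
}
```

Before applying this, inventory anything that legitimately submits mail on port 25 without authenticating while using an internal sender address (scanners, application servers, external services that send as your domain); those need a dedicated, IP-restricted relay connector or authenticated submission on port 587.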