We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.
Disable Exchange 2016 Internal Relay
Recently I setup an Exchange 2016 Server. Everything looks fine except the Exchange 2016 default Receive connector allows internal relay.
Eg: Two emails eric@abc.com and andrew@abc.com in my domain abc.com. An anonymous user can send emails to andrew@abc.com on behalf of eric@abc.com (no authentication required). But if anonymous user try to send email to jason@condoso.com using eric@abc.com, Exchange will refuse to send it.
May I know how could I do to restrict user authentication even for emails in the internal domain? I cannot disable the Anonymous users otherwise Exchange server will not receive any emails.
Eg: Two emails eric@abc.com and andrew@abc.com in my domain abc.com. An anonymous user can send emails to andrew@abc.com on behalf of eric@abc.com (no authentication required). But if anonymous user try to send email to jason@condoso.com using eric@abc.com, Exchange will refuse to send it.
May I know how could I do to restrict user authentication even for emails in the internal domain? I cannot disable the Anonymous users otherwise Exchange server will not receive any emails.
Asked:
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
After Exchange Setup, there are 5 receive connectors by default. Default Frontend is the one faced to Internet and receive emails via port 25. The security settings are set as default.
I tested using SendSMTP tool. The result shows
8/15/2016 4:53:23 PM Connecting to 4.3.2.1.
8/15/2016 4:53:23 PM Connected.
8/15/2016 4:53:23 PM SMTP connection to 4.3.2.1 successful
8/15/2016 4:53:23 PM SSL status: "before/connect initialization"
8/15/2016 4:53:23 PM SSL status: "before/connect initialization"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write client hello A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server hello A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server certificate A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server key exchange A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server done A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write client key exchange A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write change cipher spec A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write finished A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 flush data"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read finished A"
8/15/2016 4:53:23 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:53:23 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:53:23 PM Cipher: name = ECDHE-RSA-AES256-SHA; description = ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
; bits = 256; version = TLSv1/SSLv3;
8/15/2016 4:53:23 PM Encoding text
8/15/2016 4:53:23 PM Disconnecting.
8/15/2016 4:53:23 PM SMTP disconnected from 4.3.2.1
8/15/2016 4:53:23 PM Disconnected.
8/15/2016 4:53:23 PM Message sent successfully.
I expected result shall be like this:
8/15/2016 4:58:17 PM Resolving hostname smtp.office365.com.
8/15/2016 4:58:17 PM Connecting to 132.245.41.98.
8/15/2016 4:58:17 PM Connected.
8/15/2016 4:58:17 PM SMTP connection to smtp.office365.com successful
8/15/2016 4:58:17 PM SSL status: "before/connect initialization"
8/15/2016 4:58:17 PM SSL status: "before/connect initialization"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client hello A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server hello A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server certificate A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server key exchange A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server certificate request A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server done A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client certificate A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client key exchange A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write change cipher spec A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write finished A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 flush data"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read finished A"
8/15/2016 4:58:17 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:58:17 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:58:17 PM Cipher: name = ECDHE-RSA-AES256-SHA; description = ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
; bits = 256; version = TLSv1/SSLv3;
8/15/2016 4:58:22 PM Exception: EIdSMTPReplyError SMTP; Client was not authenticated to send anonymous mail during MAIL FROM.
8/15/2016 4:58:22 PM Exception: The operation completed successfully
I tested using SendSMTP tool. The result shows
8/15/2016 4:53:23 PM Connecting to 4.3.2.1.
8/15/2016 4:53:23 PM Connected.
8/15/2016 4:53:23 PM SMTP connection to 4.3.2.1 successful
8/15/2016 4:53:23 PM SSL status: "before/connect initialization"
8/15/2016 4:53:23 PM SSL status: "before/connect initialization"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write client hello A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server hello A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server certificate A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server key exchange A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read server done A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write client key exchange A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write change cipher spec A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 write finished A"
8/15/2016 4:53:23 PM SSL status: "SSLv3 flush data"
8/15/2016 4:53:23 PM SSL status: "SSLv3 read finished A"
8/15/2016 4:53:23 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:53:23 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:53:23 PM Cipher: name = ECDHE-RSA-AES256-SHA; description = ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
; bits = 256; version = TLSv1/SSLv3;
8/15/2016 4:53:23 PM Encoding text
8/15/2016 4:53:23 PM Disconnecting.
8/15/2016 4:53:23 PM SMTP disconnected from 4.3.2.1
8/15/2016 4:53:23 PM Disconnected.
8/15/2016 4:53:23 PM Message sent successfully.
I expected result shall be like this:
8/15/2016 4:58:17 PM Resolving hostname smtp.office365.com.
8/15/2016 4:58:17 PM Connecting to 132.245.41.98.
8/15/2016 4:58:17 PM Connected.
8/15/2016 4:58:17 PM SMTP connection to smtp.office365.com successful
8/15/2016 4:58:17 PM SSL status: "before/connect initialization"
8/15/2016 4:58:17 PM SSL status: "before/connect initialization"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client hello A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server hello A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server certificate A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server key exchange A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server certificate request A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read server done A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client certificate A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write client key exchange A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write change cipher spec A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 write finished A"
8/15/2016 4:58:17 PM SSL status: "SSLv3 flush data"
8/15/2016 4:58:17 PM SSL status: "SSLv3 read finished A"
8/15/2016 4:58:17 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:58:17 PM SSL status: "SSL negotiation finished successfully"
8/15/2016 4:58:17 PM Cipher: name = ECDHE-RSA-AES256-SHA; description = ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
; bits = 256; version = TLSv1/SSLv3;
8/15/2016 4:58:22 PM Exception: EIdSMTPReplyError SMTP; Client was not authenticated to send anonymous mail during MAIL FROM.
8/15/2016 4:58:22 PM Exception: The operation completed successfully
In two test, I pretend one domain user, send email to another user in the same domain without authentication.
The first log is the current config, The email sent successfully.
The second log is tested in office365 domain, the email is rejected.
I need to configure the system so it will work as second test.
The first log is the current config, The email sent successfully.
The second log is tested in office365 domain, the email is rejected.
I need to configure the system so it will work as second test.
Why on earth would you want to allow internal users to Sen I authenticated? Using what client to send?
This would be a big security risk and a daft thing to do to be honest without a Very very good reason.
This would be a big security risk and a daft thing to do to be honest without a Very very good reason.
Yes I agree. I don't want user to send emails without authentication, no matter it is send to external domain or internal domain. But after I configured the Exchange, it is the behaviour by default. I need to know how to stop it.
Currently Port 587 has no issue. All sender need to be authenticated. But port 25, senders doesn't need to authenticated, if From and To address are in same hosted domain (I want to stop it). I cannot simply untick "Anonymous users" otherwise no email will go into the server.
Currently Port 587 has no issue. All sender need to be authenticated. But port 25, senders doesn't need to authenticated, if From and To address are in same hosted domain (I want to stop it). I cannot simply untick "Anonymous users" otherwise no email will go into the server.
Your standard internal receive connector should, assuming you use outlook clients Only accept authenticated MAPI connections. Why would you have port 25 on an internal connector?
The external connector should never be accepting emails that are from your internal users. IF it does then you become a spam trap and will have millions of emails on your server as soon as it is found out and trust me, that will not take long nowadays.
External connectors are for just that, EXTERNAL emails NOT emails from inside your organisation. the test you did is a good one and proved that your configuration is CORRECT.
Of course the best way to protect it to have an "Edge Transport Server" set up and then you can have a simple reject rule on it if an email comes into your domain with a From: address that is xxxxx@Yourdomain.com
You should never expect to see inbound smtp traffic from one of your own internal accounts.
The external connector should never be accepting emails that are from your internal users. IF it does then you become a spam trap and will have millions of emails on your server as soon as it is found out and trust me, that will not take long nowadays.
External connectors are for just that, EXTERNAL emails NOT emails from inside your organisation. the test you did is a good one and proved that your configuration is CORRECT.
Of course the best way to protect it to have an "Edge Transport Server" set up and then you can have a simple reject rule on it if an email comes into your domain with a From: address that is xxxxx@Yourdomain.com
You should never expect to see inbound smtp traffic from one of your own internal accounts.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Port 25 is bind to Front End Transport role, which I believe it shall be the external connector. "The external connectors shall never be accepting emails that are from your internal users". This is exactly what I want but I cannot find the way to do. I cannot find from web UI. If it shall be done from PowerShell please help to provide the command of PowerShell. It is a single Exchange server deployment.
I setup the Edge server and so far this shall be the only way to block unauthorised spam mail. I still cannot find a proper way to block the unauthorised emails without Edge server.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2016 Part … 174 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Word 2007 Inter… 197 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Emails from the Internet do not come via the internal connector.