• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 86

How to tell which Receive Connector is set to allow open relay?

We have several receive connectors. And we did issue the following cmdlet in the past to allow open relay on that specific connector. But now we don't remember which one. How to tell?

Get-ReceiveConnector -Identity 'server\receive-connector' | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Asked by: Castlewood
3 Solutions
 
Jason Crawford (Exchange Engineer) commented:
I can think of two ways:

Method 1
Enable verbose logging on all Receive Connectors:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel verbose



Once you do that, relay an email through your Exchange servers and look for the connection in the SMTPReceive protocol logs. The name of the connector will be included in the log.

Method 2
Look for the Ms-Exch-SMTP-Accept-Any-Recipient extended right:

Get-ReceiveConnector | Get-ADPermission | Format-List


0
 
Adam Brown (Sr Solutions Architect) commented:
You can go into ADSIEdit, connect to the Configuration partition, then navigate to Services > Microsoft Exchange > <Org Name> > Administrative Groups > Exchange Administrative Group > Servers > <Server name> > Protocols > SMTP > SMTP Receive Connectors. From there, you can see the permissions on the connectors by right-clicking them and going to Properties, then the Security tab. Any of them that show "Anonymous" will likely be your open relay.

For the future, though, an easy way to set an open relay if you need one is to set the connector to Externally Secured on the Authentication tab. You have to have Exchange servers selected on the Permission groups tab before doing so, though. Setting Externally Secured authentication will set the connector to allow anonymous relaying. It's also a lot easier to spot.
0
 
Akhater commented:
This should do it for you

Get-ReceiveConnector | Get-ADPermission | where {$_.ExtendedRights -like "*Ms-Exch-SMTP-Accept-Any-Recipient*" -and $_.User -eq "NT AUTHORITY\ANONYMOUS LOGON"}


0
 
Castlewood (Author) commented:
Adam,
"You have to have Exchange servers selected on the Permission groups tab"
Would it accept only Exchange Server to relay messages? I need a backup computer to send alerting email via this Exchange. If it only allows Exchange Server to connect and relay, then it could be an issue. Please advise.
0
 
Akhater commented:
No, it will allow any user, not only Exchange. It is just that the "Externally secured" option cannot be selected unless "Exchange servers" is selected, but since in the permission group you have Anonymous, it will be allowed for anyone listed in the remote IP range.
0
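An added audit script, not posted by anyone in this thread, that combines the two signals the answers above describe: the Ms-Exch-SMTP-Accept-Any-Recipient extended right granted to ANONYMOUS LOGON (Akhater's filter), and the Externally Secured authentication mechanism together with the Anonymous permission group (Adam's and Akhater's follow-up). It assumes it runs in the Exchange Management Shell; the cmdlets and connector properties are Exchange's own, while the report column names are chosen here.

```powershell
# Added example: list every Receive Connector that can act as an anonymous
# relay, so an admin can review them instead of guessing which one was changed.
# Assumes the Exchange Management Shell; output column names are made up here.
$anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'

$report = foreach ($rc in Get-ReceiveConnector) {
    # Signal 1: an allow ACE giving ANONYMOUS LOGON the Accept-Any-Recipient
    # right, which is exactly what the Add-ADPermission cmdlet in the question creates.
    $aces = $rc | Get-ADPermission | Where-Object {
        $_.User -like $anonymous -and
        -not $_.Deny -and
        (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Ms-Exch-SMTP-Accept-Any-Recipient')
    }
    $anyRecipientRight = [bool]$aces

    # Signal 2: "Externally Secured" (ExternalAuthoritative) authentication plus the
    # Anonymous permission group; both are flag enums, so compare their string form.
    $externallySecured = "$($rc.AuthMechanism)"   -match 'ExternalAuthoritative'
    $anonymousGroup    = "$($rc.PermissionGroups)" -match 'AnonymousUsers'

    # RemoteIPRanges decides who may actually reach a relay-capable connector;
    # an all-address range on a relay candidate is what deserves the closest look.
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $allAddresses = $ranges -contains '0.0.0.0-255.255.255.255'

    [pscustomobject]@{
        Connector          = $rc.Identity.ToString()
        AnyRecipientRight  = $anyRecipientRight
        ExternallySecured  = [bool]$externallySecured
        AnonymousGroup     = [bool]$anonymousGroup
        OpenRelayCandidate = $anyRecipientRight -or ($externallySecured -and $anonymousGroup)
        AcceptsAnyIP       = $allAddresses
        RemoteIPRanges     = ($ranges -join ', ')
    }
}

# Relay candidates first; a True in OpenRelayCandidate answers the original question.
$report | Sort-Object OpenRelayCandidate, AcceptsAnyIP -Descending | Format-Table -AutoSize
```

Connectors flagged as candidates that also show AcceptsAnyIP should be narrowed to the specific hosts (such as the backup computer in the question) that need to relay.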
