Solved

How to tell which Receive Connector is set to allow open relay?

Posted on 2016-11-03
5
61 Views
Last Modified: 2016-11-07
We have several receive connectors. And we did issue the following cmdlet in the past to allow open relay on that specific connector. But now we don't remember which one. How to tell?

Get-ReceiveConnector -identity 'server\receive-connector' | Add-ADPermission –User  "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
0
Comment
Question by:Castlewood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 15

Assisted Solution

by:Jason Crawford
Jason Crawford earned 125 total points
ID: 41873352
I can think of two ways:

Method 1
Enable verbose logging on all Receive Connectors:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel verbose

Open in new window


Once you do that, relay an email through your Exchange servers and look for the connection in the SMTPReceive Protocol Logs.  The name of the connector will be included in the log.

Method 2
Look for the Ms-Exch-SMTP-Accept-Any-Recipient extended right:

Get-ReceiveConnector | Get-ADPermission | Format-List

Open in new window

0
 
LVL 40

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41873366
You can go into ADSIEdit, Connect to the configuration partition, then navigate to Services>Microsoft Exchange><Org Name> >Administrative Groups > Exchange Administrative Group > Servers > <Server name> > Protocols > SMTP > SMTP Receive Connectors from there, you can see the permissions on the connectors by right clicking them and going to properties, then the security tab. Any of them that show "Anonymous" will likely be your Open Relay.

For the future, though, an easy way to set an open relay if you need one is to set the connector to  Externally Secured on the Authentication tab. You have to have Exchange servers selected on the Permission groups tab before doing so, though. Setting Externally Secured authentication will set the connector to allow anonymous relaying. It's also a lot easier to spot.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 250 total points
ID: 41873942
This should do it for you

Get-ReceiveConnector | Get-ADPermission | where {$_.ExtendedRights -like "*Ms-Exch-SMTP-Accept-Any-Recipient*" -and $_.User -eq "NT AUTHORITY\ANONYMOUS LOGON"}

Open in new window

0
 

Author Comment

by:Castlewood
ID: 41874311
Adam,
You have to have Exchange servers selected on the Permission groups tab
Would it accept only Exchange Server to relay messages? I need a backup computer to send alerting email via this Exchange. If it only allows Exchange sever to connect and relay, then could be an issue. Please advise.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41877057
No it will allow for any user not only exchange, it is just that the "Externally secured" option cannot be selected unless "Exchange servers" is selected but since in the permission group you have anonymous it will be allowed for anyone listed in the remote IP range
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question