Solved

How to tell which Receive Connector is set to allow open relay?

Posted on 2016-11-03
5
27 Views
Last Modified: 2016-11-07
We have several receive connectors. And we did issue the following cmdlet in the past to allow open relay on that specific connector. But now we don't remember which one. How to tell?

Get-ReceiveConnector -identity 'server\receive-connector' | Add-ADPermission –User  "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
0
Comment
Question by:Castlewood
5 Comments
 
LVL 14

Assisted Solution

by:Jason Crawford
Jason Crawford earned 125 total points
ID: 41873352
I can think of two ways:

Method 1
Enable verbose logging on all Receive Connectors:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel verbose

Open in new window


Once you do that, relay an email through your Exchange servers and look for the connection in the SMTPReceive Protocol Logs.  The name of the connector will be included in the log.

Method 2
Look for the Ms-Exch-SMTP-Accept-Any-Recipient extended right:

Get-ReceiveConnector | Get-ADPermission | Format-List

Open in new window

0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 125 total points
ID: 41873366
You can go into ADSIEdit, Connect to the configuration partition, then navigate to Services>Microsoft Exchange><Org Name> >Administrative Groups > Exchange Administrative Group > Servers > <Server name> > Protocols > SMTP > SMTP Receive Connectors from there, you can see the permissions on the connectors by right clicking them and going to properties, then the security tab. Any of them that show "Anonymous" will likely be your Open Relay.

For the future, though, an easy way to set an open relay if you need one is to set the connector to  Externally Secured on the Authentication tab. You have to have Exchange servers selected on the Permission groups tab before doing so, though. Setting Externally Secured authentication will set the connector to allow anonymous relaying. It's also a lot easier to spot.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 250 total points
ID: 41873942
This should do it for you

Get-ReceiveConnector | Get-ADPermission | where {$_.ExtendedRights -like "*Ms-Exch-SMTP-Accept-Any-Recipient*" -and $_.User -eq "NT AUTHORITY\ANONYMOUS LOGON"}

Open in new window

0
 

Author Comment

by:Castlewood
ID: 41874311
Adam,
You have to have Exchange servers selected on the Permission groups tab
Would it accept only Exchange Server to relay messages? I need a backup computer to send alerting email via this Exchange. If it only allows Exchange sever to connect and relay, then could be an issue. Please advise.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 41877057
No it will allow for any user not only exchange, it is just that the "Externally secured" option cannot be selected unless "Exchange servers" is selected but since in the permission group you have anonymous it will be allowed for anyone listed in the remote IP range
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
transfer from exchange mails to gmail 10 74
exchange, virtualization 1 29
outlook 3 25
Exchange 2003 Message retrieval 3 14
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
how to add IIS SMTP to handle application/Scanner relays into office 365.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now