Jer
asked on
Copier SMTP Authentication thru Exchange 2010
Greetings,
Unfortunately, I've been instructed to set up a receive connector that will allow copiers to send to external domains. While I can do anonymous relaying by IP address, I'd much prefer to use SMTP Authentication. I have the RC created, as well as the "copier" account. The issue for me is identifying what permissions the authenticating account needs. If I add the "copier" user to Domain Admins, the copier sends without issue. Obviously, I have no plans to have such an account have any more rights than necessary. However, if I have the "copier" account be a member of the Domain Users group, the copier no longer sends. I'd rather not have the "copier" account even be a member of Domain Users. I just want it to have the minimum rights required, reducing the risk to my environment if the "copier" account is compromised. I've seen a few posts mentioning edits to the actual RC, using commands similar to:
Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
However, I'm not sure if they apply and when I tested these in my test environment (which doesn't have a copier), I couldn't confirm what had changed with anything. As such, I'm not keen on performing anything in production without more information.
So, I'm hoping you can help me out. What do I need to do to the "copier" user or to the "Copier Relay RC" to make SMTP authentication work with the absolute least rights for the "copier" user?
I appreciate any assistance that you can provide.
Thanks,
Jeremy
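One way to confirm what an Add-ADPermission change actually did to the connector is to snapshot the account's rights before and after and compare them. This is an added example, not part of any post in this thread; it assumes the Exchange Management Shell, the connector and account names used in the question, and a hypothetical helper function Get-ConnectorRights.

```powershell
# Names taken from the question; adjust for the environment under test.
$connector = "Copier Relay RC"
$account   = "Copier User"

# Hypothetical helper: one string per extended right the account holds
# directly on the receive connector object.
function Get-ConnectorRights {
    param([string]$Connector, [string]$User)
    Get-ReceiveConnector $Connector | Get-ADPermission -User $User |
        ForEach-Object {
            $ace = $_
            foreach ($right in @($ace.ExtendedRights)) {
                "{0} | Deny={1} | Inherited={2}" -f $right, $ace.Deny, $ace.IsInherited
            }
        } | Sort-Object -Unique
}

# Connector-level settings that decide who may connect and how they authenticate.
Get-ReceiveConnector $connector |
    Format-List Identity, AuthMechanism, PermissionGroups, RemoteIPRanges, Bindings

$before = @(Get-ConnectorRights -Connector $connector -User $account)

# ... apply the Add-ADPermission change being evaluated here (test lab) ...

$after = @(Get-ConnectorRights -Connector $connector -User $account)

# Compare-Object rejects an empty collection, so handle that case explicitly.
if ($before.Count -eq 0 -or $after.Count -eq 0) {
    $before | ForEach-Object { "REMOVED: $_" }
    $after  | ForEach-Object { "ADDED:   $_" }
} else {
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        ForEach-Object {
            if ($_.SideIndicator -eq "=>") { "ADDED:   $($_.InputObject)" }
            else                           { "REMOVED: $($_.InputObject)" }
        }
}
```

The -User filter only matches entries whose trustee is that account; rights that reach the account through group membership or through the connector's permission groups are listed under those trustees instead.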
ASKER
Depending on the models of the copiers, authentication proved to be inconsistent. Ultimately, we abandoned the use of authentication and simply went with anonymous, with IP restrictions (as we had done previously).
Hi Jer,
Glad it's working.
As I noted above, that's what I usually do too.
Alan.
ASKER
Thanks for the reply. Anonymous relaying for select IPs is actually what I have been doing up to this point. While it is easy and not the biggest risk in the world, I was hoping to get a bit more secure, if reasonable (using IP AND authentication). It may just be me being overcautious, but I do have users that will click and trust everything. Anything I can do to reduce the risk of being an unintended spammer, the better.
Jeremy