Application sending email thru our exchange org.
Hi all, I have an application called gradekeeper that has a built-in SMTP server that will let any user send email using our Exchange 2010 org by putting in their AD user/password in the SMTP part of the application. For obvious reasons we want to control this. My org is set like this: Exchange 2010 SP1 RU5 on Win2k8. 3 CAS servers in an NLB that have the hub transport role on them, with client and default receive connectors; 2 hub transport servers with client and default receive connectors, plus an additional receive connector to our external SMTP servers. I believe the app is connecting to our front ends via the OWA URL and authenticating just like a normal user. For the life of me I can't see a way to stop this from happening without stopping other users from sending out email... Any suggestions please... tiny
December 5th, 2011 12:16pm

Shaba, thanks for the quick response!... Could you tell me how you think that it's the hub transport servers that are sending it out, not the hub transport role on the CAS servers? Or do you mean that it could be any one of the hub transport server roles doing the sending? Do you mean the network tab of the "default" receive connector under "Receive mail from remote servers that have these IP addresses"? tiny..
December 5th, 2011 1:28pm

Shaba, thanks for the quick response!... Could you tell me how you think that it's the hub transport servers that are sending it out, not the hub transport role on the CAS servers? Or do you mean that it could be any one of the hub transport server roles doing the sending? Do you mean the network tab of the "default" receive connector under "Receive mail from remote servers that have these IP addresses"? tiny..
As I mentioned, I just want you to clarify that the app triggers email; irrespective of the from address, it will get processed by HUB. You should remove the IP address of the app server from the list of IP addresses that can relay email to that receive connector. Cheers, Shaba
December 6th, 2011 12:30pm

Shaba, thank you.... no offense intended, but this is all new..... My concern is that if I remove all our internal IP addresses (because anyone could get hold of this app) except our Exchange servers from the receive connector, nobody will be able to send email (i.e. POP3 or IMAP, Outlook). Also I've read not to touch the default receive connector.... If I created another receive connector and only allowed the Exchange servers' IP addresses to relay, would that connector be used first? tiny
December 6th, 2011 1:13pm

This app that everyone can use, are there any SMTP settings in the app? Check this 1st and see where this points to. If this doesn't exist, then check with the app vendor to see if this has been coded somewhere. As a test, send an email yourself from the app to a valid internal recipient and check the message headers to see which hops the message took. From here you should be able to see what HUB servers it used (load balanced ones or the other 2). Then decide if this app is allowed to relay or not and who is allowed to relay using that app. Create a receive connector for relaying - http://blogs.technet.com/b/jribeiro/archive/2010/01/12/how-to-anonymously-relay-in-exchange-server-2007-2010.aspx - leave the default connectors alone. Where are the users relaying to, internal users or external? Sukh
December 6th, 2011 4:45pm
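
The header check suggested in the post above, as an added example that is not part of the original thread: it reads the `Received` headers of a saved test message, orders the hops oldest first, and reports which of your own servers accepted the client's connection. The sample message, host names, addresses, build id and the function names `trace_hops` and `entry_point` are constructed for illustration.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample headers (all hosts, IPs and ids are placeholders) for a
# test message sent from the app to an external recipient.
SAMPLE = """\
Received: from smtp-out.example.edu (198.51.100.25) by mx.example.net
 with ESMTP id abc123; Tue, 6 Dec 2011 16:40:09 -0500
Received: from HUB01.example.local (10.0.0.21) by smtp-out.example.edu
 (198.51.100.25) with ESMTP; Tue, 6 Dec 2011 16:40:06 -0500
Received: from CAS01.example.local (10.0.0.11) by HUB01.example.local
 (10.0.0.21) with Microsoft SMTP Server (TLS) id 14.1.0.0; Tue, 6 Dec 2011
 16:40:04 -0500
Received: from [203.0.113.77] (203.0.113.77) by CAS01.example.local
 (10.0.0.11) with Microsoft SMTP Server (TLS) id 14.1.0.0; Tue, 6 Dec 2011
 16:40:02 -0500
From: teacher@example.edu
To: parent@example.net
Subject: relay test

test body
"""

# "from <host> (<ip>) by <host>" at the start of a Received header.
HOP = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<ip>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)

def trace_hops(raw):
    """Return the relay hops of a raw message, oldest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        route, _, stamp = flat.rpartition(";")  # the date follows the last ';'
        m = HOP.search(route)
        if m:
            hops.append({"from": m["src"].strip("[]"), "from_ip": m["ip"],
                         "by": m["by"], "when": parsedate_to_datetime(stamp.strip())})
    hops.reverse()  # each server prepends its header, so the newest is first
    return hops

def entry_point(raw, internal_suffix):
    """First hop accepted by one of our own servers: where the client connected."""
    for hop in trace_hops(raw):
        if hop["by"].lower().endswith(internal_suffix.lower()):
            return hop
    return None

if __name__ == "__main__":
    for h in trace_hops(SAMPLE):
        print(h["when"].isoformat(), h["from"], "->", h["by"])
    print("entry:", entry_point(SAMPLE, ".example.local"))
```

The entry hop names the server whose receive connector accepted the submission and the client address it came from, which is the connector whose authentication and relay settings need reviewing.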

Sukh, thanks for the info.
1. Yes, there are SMTP settings: server name (which when I tested was our OWA/POP3 external URL for our CAS server NLB array), login name/password which I filled out with "domain/username", password, which let me send out the email.
2. Installed this on an external PC and tested. Email going to an internal recipient goes from CAS server to mailbox. Email to an external recipient (hotmail.com) goes from CAS, to hub, to hub connector for 2003, to our external SMTP servers.
3. Right now mgmt wants us to turn off the ability for anybody internal/external to use this program as a relay.
4. This is a program for student grades so it's to internal/external mail recipients. So I'm thinking that for this connector I would just add our Exchange servers to the allow relay, and for authentication have it set up like our default connector except no anonymous.
December 6th, 2011 6:38pm

The issue is that how Exch is currently configured allows that app to relay. How many receive connectors do you have, and do any of them allow relaying? The settings you put in for username/password, I assume, are for a mailbox which you have? If yes to point 2, for now remove this; this will stop SMTP for the app straight away. Then if this is how the app works, you can enter these details again, but then YOU have to control who can access this application. Sukh
December 6th, 2011 6:44pm

2. 3 CAS servers (each CAS server has the hub transport role installed on it) have 2: client, default. And 2 hub transport servers have 3: client, default and one for receiving email from our external SMTP servers. All allow relaying from any IP address provided the user supplies a login.
4. If I remove the setting for all IP addresses, will that stop my users from sending email?
December 6th, 2011 8:20pm

2. 3 CAS servers (each CAS server has the hub transport role installed on it) have 2: client, default. And 2 hub transport servers have 3: client, default and one for receiving email from our external SMTP servers. All allow relaying from any IP address provided the user supplies a login.
4. If I remove the setting for all IP addresses, will that stop my users from sending email?
Sorry, it was meant to be "If yes to point 3, for now remove this, this will stop SMTP for the app straight away". Sukh
December 7th, 2011 6:16am

Hi, You have to do something on the server so that end users can't guess it and they fail to send email thru Exchange? Like change the SMTP port so nobody will know about it except you? This way end users will not be able to configure the SMTP settings in their built-in SMTP server. Thanks, Amit
Amit Rawat | MCITP - Exchange 2007/2010 | CCNA | MCSE - 2003 | Lync 2010 |
December 21st, 2011 9:48am
