Exchange Server 2013 and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Hello, Team!

I think I've found a serious issue in the last CU releases. This is the case:

1 multirole Exchange 2013 SP1 server (and older), one receive connector from the Internet to this server, no Edge, nothing.

I care about preventing spoofing of my company's email addresses, and remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender transport permission from anonymous senders.

To do this, we usually simply run the PowerShell command

Remove-ADPermission -Identity "<ReceiveConnector Name>" -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

This command works on Exchange SP1; the client (a telnet session, for example) which tries to spoof the company's address will be refused (see screenshot below).

But in the Exchange 2013 CU5, CU6 and even CU7 releases, revoking this permission DOESN'T WORK, silently, without any errors. I've tried PowerShell and ADSI, but unsuccessfully.

When we take off the permission on the connector above, we keep 3 default permissions:

Accept-any-sender

Accept-Routing-Headers

Submit-Message to Server

It works wonderfully only on the SP1 server, but not on servers with older versions, which have the right settings.

The saddest thing is I have information that this behavior is reproduced on Office 365 too. And I also think that in your lab you could take 15 minutes and play with this simple thing....

I found only that the information on the connector side is different on SP1 and CU5, 6, 7.

This is a normal connection on SP1, when somebody tries a spoofed address. We can see a 250 AUTH response on the server side, and the server refuses the fake connection, all right.

And on CU5 and newer versions we don't see this code. Maybe the auth mechanism misses something?

Any suggestions? On the MS Connect site I didn't find an Exchange bugs topic :)




January 8th, 2015 7:18pm

So if someone wants to reproduce the issue, take one SP1 server, and one CU7 or 6 or 5.

Take the receive connector and remove the permission from anonymous users:

Remove-ADPermission -Identity "<ReceiveConnector Name>" -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Result on SP1:

if a message comes from the Internet to the connector we changed, it will be refused.

Result on CU6,7:

if a message comes from the Internet to the connector we changed, it will be received!

January 9th, 2015 5:20pm
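The reproduction steps above, as an added PowerShell example that is not code from the original thread: it lists the extended rights Anonymous Logon currently holds on a receive connector, removes ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, lists them again, and then repeats the thread's telnet check against your own server (an unauthenticated MAIL FROM in your own domain, followed by QUIT, so no message is submitted). The connector name, server host and domain are placeholders; run it from the Exchange Management Shell.

```powershell
# Added example, not code from the original thread. Placeholders to replace:
$Connector = "EXCH01\Default Frontend EXCH01"   # your Internet-facing receive connector
$Server    = "mail.example.com"                 # your Exchange host (placeholder)
$Domain    = "example.com"                      # your authoritative domain (placeholder)
$Right     = "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# Lists the extended rights currently granted (not denied) to Anonymous Logon.
function Get-AnonymousRights([string]$Identity) {
    Get-ADPermission -Identity $Identity |
        Where-Object { $_.User -like "*Anonymous Logon" -and -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() } |
        Sort-Object -Unique
}

# Defender-side SMTP probe: does the server still accept an unauthenticated
# MAIL FROM in our own domain? Returns the server's reply line to MAIL FROM.
function Test-AnonymousSenderReply([string]$ServerName, [string]$MailFrom) {
    $client = New-Object System.Net.Sockets.TcpClient($ServerName, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $null = $reader.ReadLine()                                 # 220 banner
    $writer.WriteLine("EHLO probe.local")
    while (($line = $reader.ReadLine()) -match '^250-') { }    # skip EHLO extension lines
    $writer.WriteLine("MAIL FROM:<$MailFrom>")
    $reply = $reader.ReadLine()
    $writer.WriteLine("QUIT"); $client.Close()
    return $reply
}

"Anonymous rights before:"; Get-AnonymousRights $Connector
Remove-ADPermission -Identity $Connector -User "NT AUTHORITY\Anonymous Logon" `
    -ExtendedRights $Right -Confirm:$false
"Anonymous rights after:";  Get-AnonymousRights $Connector

# The thread reports a refusal here on SP1, and a 250 on CU5-CU8 despite the removal.
$reply = Test-AnonymousSenderReply $Server "postmaster@$Domain"
if ($reply -like "250*") { Write-Warning "Still accepted: $reply" } else { "Rejected: $reply" }
```

The AD permission listing lets you confirm the right really is gone from the object (the thread's posters did, and the servers still differed), so a 250 from the probe after removal points at connector behaviour rather than at a failed permission change.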

Hi Dmitriy,

Thank you for your point. This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.

Regards,

January 12th, 2015 2:04am

Hi Dmitriy,

Did you compare the AD permissions of the Internet connectors between SP1 and CU7?

Meanwhile, if there is no 250-auth in the telnet, what is the authentication setting of the Internet receive connector?

Thanks.

January 14th, 2015 8:28am

Hi, Richard!

Of course, I compared these permissions, and they match.

In a default installation we have four AD permissions for anonymous users; these are:

Accept-any-sender, Accept-Routing-Headers, Submit-Message to Server and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender. The PowerShell command removes the last permission on the connector, and only three remain.

These settings are identical on both servers, but only the SP1 server rejects connections, not both.

You can check this as quickly as I did, and go test the situation in the lab.

January 14th, 2015 8:50am

Hi Dmitriy,

Thanks for your update.

Then how about the receive connector configuration? Are they using the same authentication settings?

Thanks.

January 14th, 2015 10:13am

Hi Dmitriy,

Seems like a bug. I have found a similar issue to the one you are facing.

Please check this link.

https://social.technet.microsoft.com/Forums/office/en-US/0fdf213c-02e3-4ea1-9e6d-242abf9559b8/prevent-own-domain-spoofed-spam?forum=exchangesvrsecuremessaging

January 14th, 2015 10:17am

Yes, of course. I tried removing the Default connector, creating a default Internet receive connector on both servers, THEN removing the permission.
January 14th, 2015 10:25am

Hi Dmitriy,

Thanks for your update.

Then how about the receive connector configuration? Are they using the same authentication settings?

Thanks.

I would like to clarify the situation a little for you.
I carried out a large migration project from an EX2010 environment to 2013.
I have supported this 2013 environment for more than two years.
And the setting worked well in 2010, CU1, CU2, CU3, and finally in SP1 through my upgrades.
Understand that it does not work in the versions above, and I'd really like to know why.

I repeat that I would like to know, in the first place, why it does not work anymore.
Why is it not documented?

As you can see, if you approach the problem with the existing and available information, you will not immediately understand that there are serious problems caused by serious changes.

I want to attract the attention of the Exchange team and other people to the problem and find out why this is happening.

 
January 15th, 2015 6:48am


Hello all,

I am facing this issue. Does anyone have a solution for this?

And how about this issue on CU8?

Thanks and Brgds,

Quang


March 27th, 2015 8:30am

Hi nquang123, unfortunately the same issue on CU8 too. :(
April 2nd, 2015 7:34am

Currently having this issue, does anyone know if it was fixed in CU9?

If not, Dmitriy, have you come up with another way to accomplish similar results? 

August 4th, 2015 1:16pm

Unfortunately, I didn't check the issue in CU9, but I think it's in the same place.

From my perspective, I've decided to use a small Postfix server, which really helps me resolve the problem. ^^

August 4th, 2015 1:26pm
