Exchange connectivity
Hello, what are the ideal authentication and permission groups to set for an internet incoming receive connector? All external e-mails are received on port 25, internal e-mails are also received on port 25 from Outlook clients ( MAPI ), so which programs use port 587, as one of the receive connectors has this port set?
November 16th, 2010 1:48am

These are the receive connector permissions for Exchange 2007 (2010 is almost similar): http://blogs.technet.com/b/trex/archive/2008/11/06/receive-connector-security-permissions.aspx
November 16th, 2010 1:57am

http://www.addictivetips.com/windows-tips/microsoft-outlook-2010-email-account-settings/

Regarding port 587: http://technet.microsoft.com/en-us/library/bb331973.aspx
November 16th, 2010 2:06am

I have a scanner connected directly to the network and I want to scan documents and send them to recipients on the internet directly. How would I go about doing this, since I would need to create a receive connector for this purpose only, right? Is it safe to make it anonymous, and what authentication would I use? Thanks
November 17th, 2010 12:35am

To add to it, once the receive connector is set up, does this by default mean that the scanner or whatever the accepted client is can send e-mails to everyone in the world by routing the sent mail through the send connector ( assuming all is default and the send connector is for all domains * )?
November 17th, 2010 1:20am

On Wed, 17 Nov 2010 05:31:14 +0000, acmsoft wrote:

>I have a scanner connected directly to the network and I want to scan documents and send them to recipients on the internet directly, how would I go about doing this since I would need to create a receive connector for this purpose only right. Is it safe to make it anonymous and what authentication would I use ?

I usually create two receive connectors. One that allows SMTP e-mail from anonymous connections, but only to internal addresses. Another that allows e-mail from anonymous connections but doesn't restrict the destination domain to only internal addresses.

Both are controlled by the IP range (or individual IP address). By restricting the use of the receive connector it's safe -- assuming you don't start adding external (or untrusted) IP addresses to the list -- to allow anonymous connections.

If you're sure of the security on the machines you allow to use these connectors you can use the "Externally Secured" permission. If the set of permissions is too broad for your taste, you can set the AD permissions on the connector yourself.

http://technet.microsoft.com/en-us/library/bb232021(EXCHG.80).aspx

--- Rich Matheisen MCSE+I, Exchange MVP
November 17th, 2010 11:49am

What option makes it possible or not possible to send e-mails to external recipients? Is it done from the Shell, or is there an option in the connector from the management console? Thanks
November 17th, 2010 2:26pm

On Wed, 17 Nov 2010 19:22:16 +0000, acmsoft wrote:

>What option makes it possible to or to not be able to send e-mails to external recipients, is it done from the Shell or is there any option in the connector from the management console.

Have you decided that "Externally Secured" isn't what you want to use?

There's no "option", it's an extended permission assigned to the receive connector: Ms-Exch-SMTP-Accept-Any-Recipient

--- Rich Matheisen MCSE+I, Exchange MVP
November 17th, 2010 4:55pm

OK, so if I set a receive connector with anonymous permission only, by default it does not have permission to send e-mails to external recipients.
November 20th, 2010 6:32am

On Sat, 20 Nov 2010 11:28:27 +0000, acmsoft wrote:

>ok so if I set a receive connector with anonymous permission only by default does not have permission to send e-mails to external recipients.

That's correct. And if you DO allow that you should be very sure you don't permit any connections from the Internet to use that connector. If you do you'll have an open SMTP relay and you'll quickly find your server bogged down and your IP address listed in numerous DNSBLs and reputation filters.

--- Rich Matheisen MCSE+I, Exchange MVP
November 20th, 2010 4:31pm
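
An audit for the open-relay condition warned about in the reply above, added here as an example for the Exchange Management Shell; it is not part of the original thread. The function name `Get-AnonymousRelayConnector` is hypothetical, and the any-source test only recognises the default full IPv4 range.

```powershell
# Added example: list receive connectors on which anonymous sessions may relay,
# and flag the ones that accept connections from any source address.
$relayRight = 'Ms-Exch-SMTP-Accept-Any-Recipient'
$anyIPv4    = '0.0.0.0-255.255.255.255'   # default "everyone" range

function Get-AnonymousRelayConnector {
    foreach ($rc in Get-ReceiveConnector) {
        # ACEs on the connector that give ANONYMOUS LOGON the relay right
        $grant = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relayRight) }

        # "Externally Secured" connectors also accept any recipient
        $extSecured = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'

        if ($grant -or $extSecured) {
            $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
            $rc | Select-Object Identity, Bindings, RemoteIPRanges,
                @{ Name = 'ExternallySecured'; Expression = { $extSecured } },
                @{ Name = 'OpenToAnySource';   Expression = { $ranges -contains $anyIPv4 } }
        }
    }
}

# Any row with OpenToAnySource = True is a relay usable from every address
# that can reach the listener; review narrower ranges by hand as well.
Get-AnonymousRelayConnector | Format-Table -AutoSize
```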

OK, so generally speaking the internet receive connector which listens on port 25 should not have the anonymous ticked, but amongst all other Permission Groups and Authentication options, how do I know which of them I need to tick, since e-mails will arrive from all sorts of programs, not only Exchange, and their security is unknown?
November 21st, 2010 1:54am

On Sun, 21 Nov 2010 06:50:24 +0000, acmsoft wrote:

>ok so generally speaking the internet receive connector which listens on port 25 should not have the anonymous ticked,

That wasn't what I said. If you want to receive e-mail from the Internet you'll have to allow anonymous access. What I said was that you don't want to allow anonymous access to a receive connector that permits the use of unrestricted SMTP relay.

>but amongst all other Permission Groups and Authentication options, how do I know which of them I need to tick since e-mails will arrive from all sorts of programs not only Exchange and their security is unknown.

Create another receive connector. The 2nd receive connector allows anonymous access and SMTP relay and is restricted to only the IP addresses that you want to allow the use of that SMTP relay.

Leave the default receive connector alone. You can enable anonymous access on the connector so anyone can send SMTP mail to your domain if you like -- or you can create a 3rd receive connector if you want to restrict the use of the default receive connector to just your Exchange server's IP addresses.

--- Rich Matheisen MCSE+I, Exchange MVP
November 21st, 2010 11:33am

So the default receive connector does not permit sending any e-mails to external recipients ( only to internal recipients ). To be able to send e-mails externally another receive connector has to be created, and if it has only the anonymous ticked, ideally the source IP is specified and then given permission to send to external recipients with the command shell. Is this correct please?
November 21st, 2010 5:21pm

On Sun, 21 Nov 2010 22:16:26 +0000, acmsoft wrote:

>So the default receive connector does not permit to send any e-mails to external recipients ( only to internal recipients )

That's correct. And that's the way you want to keep it.

>To be able to send e-mails externally another receive connector has to be created and if it has only the anonymous ticked ideally the source ip is specified and then given permission to send to external recipients with the command shell.

You'd add the IP addresses of the machines you want to use that connector to the connector's properties (you can use the UI to do that, or the set-receiveconnector cmdlet). Allowing anonymous connections on the connector is also a "good thing". But those two things won't allow use of the connector to send e-mail to external addresses. To do that, the easiest way is to select "Externally Secured" on the "Permissions" tab of the receiver's property page (or set it with Powershell).

As I said before, if "Externally Secured" gives too much permission then you can set just the "Ms-Exch-SMTP-Accept-Any-Recipient" permission on the connector.

>Is this correct please ?

Did you read the link I included in my reply on November 17th?

http://technet.microsoft.com/en-us/library/bb232021(EXCHG.80).aspx

--- Rich Matheisen MCSE+I, Exchange MVP
November 21st, 2010 5:33pm
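
The dedicated relay connector described in the reply above, added here as an Exchange Management Shell example; it is not part of the original thread. The server name, connector name and scanner address are constructed placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007/2010).
# Constructed values: server name, connector name and scanner address.
$server    = 'EXCH01'
$name      = 'Scanner Relay'
$scannerIp = '10.0.0.50'     # only hosts listed here can use the connector

# 1. Dedicated connector: anonymous sessions allowed, but only from the
#    scanner's address. The default connector is left untouched.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $scannerIp `
    -PermissionGroups AnonymousUsers

# 2. Grant anonymous sessions on this connector the single extended right
#    that permits recipients outside the accepted domains.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Broader alternative named in the thread ("Externally Secured"); use it
# instead of step 2 only for hosts you fully trust:
# Set-ReceiveConnector "$server\$name" -AuthMechanism ExternalAuthoritative `
#     -PermissionGroups ExchangeServers

# 3. Confirm the scope before pointing the scanner at the server.
Get-ReceiveConnector "$server\$name" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```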

Yes. In fact my last answer was done thanks to that link, although this is still not clear:

"The messages that originate from the specified IP addresses are treated as anonymous messages. Therefore, the messages don't bypass anti-spam checks, don't bypass message size limit checks, and anonymous senders can't be resolved. The process of resolving anonymous senders forces an attempted match between the anonymous sender's e-mail address and the corresponding display name in the global address list."

Why would other messages bypass such important security checks?

anti-spam checks
message size
November 21st, 2010 6:19pm

On Sun, 21 Nov 2010 23:14:22 +0000, acmsoft wrote:

>Yes In fact my last answer done thanks to that link although this is still not clear :
>
>The messages that originate from the specified IP addresses are treated as anonymous messages. Therefore, the messages don't bypass anti-spam checks, don't bypass message size limit checks, and anonymous senders can't be resolved. The process of resolving anonymous senders forces an attempted match between the anonymous sender's e-mail address and the corresponding display name in the global address list.
>
>Why would other messages bypass such important security checks ?

Because you obviously trust those people/machines using authenticated connections. If you don't they wouldn't be able to authenticate because they wouldn't have an account in your AD.

>anti-spam checks

Spam is all about permission and content. If you trust the sender it's unlikely the content is going to be a problem.

>message size

Again, the issue is trust. If they behave badly, revoke that trust.

--- Rich Matheisen MCSE+I, Exchange MVP
November 21st, 2010 7:08pm

This topic is archived. No further replies will be accepted.
