Exchange connectivity
Hello,
What are the ideal authentication and permission groups to set for an internet incoming receive connector? All external e-mails are received on port 25, internal e-mails are also received on port 25 from Outlook clients (MAPI), so which programs use port 587, as one of the receive connectors has this port set?
November 16th, 2010 1:48am
These are the receive connector permissions for Exchange 2007 ( 2010 almost similar)
http://blogs.technet.com/b/trex/archive/2008/11/06/receive-connector-security-permissions.aspx
November 16th, 2010 1:57am
http://www.addictivetips.com/windows-tips/microsoft-outlook-2010-email-account-settings/ regarding port 587
http://technet.microsoft.com/en-us/library/bb331973.aspx
November 16th, 2010 2:06am
I have a scanner connected directly to the network and I want to scan documents and send them to recipients on the internet directly. How would I go about doing this, since I would need to create a receive connector for this purpose only, right?
Is it safe to make it anonymous, and what authentication would I use?
Thanks
November 17th, 2010 12:35am
To add on it,
once the receive connector is set up, does this by default mean that the scanner, or whatever the accepted client is, can send e-mails to everyone in the world by routing the sent mail through the send connector (assuming all is default and the send connector is for all domains *)?
November 17th, 2010 1:20am
On Wed, 17 Nov 2010 05:31:14 +0000, acmsoft wrote:
>I have a scanner connected directly to the network and I want to scan documents and send them to recipients on the internet directly, how would I go about doing this since I would need to create a receive connector for this purpose only right. Is it safe to make it anonymous and what authentication would I use ?
I usually create two receive connectors. One that allows SMTP e-mail
from anonymous connections, but only to internal addresses. Another
that allows e-mail from anonymous connections but doesn't restrict the
destination domain to only internal addresses. Both are controlled by
the IP range (or individual IP address).
By restricting the use of the receive connector it's safe -- assuming
you don't start adding external (or untrusted) IP addresses to the list
-- to allow anonymous connections.
If you're sure of the security on the machines you allow to use these
connectors you can use the "Externally Secured" permission. If the set
of permissions is too broad for your taste, you can set the AD
permissions on the connector yourself.
http://technet.microsoft.com/en-us/library/bb232021(EXCHG.80).aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
November 17th, 2010 11:49am
What option makes it possible, or not possible, to send e-mails to external recipients? Is it done from the Shell, or is there an option in the connector from the management console?
Thanks
November 17th, 2010 2:26pm
On Wed, 17 Nov 2010 19:22:16 +0000, acmsoft wrote:
>What option makes it possible to or to not be able to send e-mails to external recipients, is it done from the Shell or is there any option in the connector from the management console.
Have you decided that "Externally Secured" isn't what you want to use?
There's no "option", it's an extended permission assigned to the
receive connector:
Ms-Exch-SMTP-Accept-Any-Recipient
---
Rich Matheisen
MCSE+I, Exchange MVP
November 17th, 2010 4:55pm
OK, so if I set a receive connector with anonymous permission only, by default it does not have permission to send e-mails to external recipients.
November 20th, 2010 6:32am
On Sat, 20 Nov 2010 11:28:27 +0000, acmsoft wrote:
>ok so if I set a receive connector with anonymous permission only by default does not have permission to send e-mails to external recipients.
That's correct. And if you DO allow that you should be very sure you
don't permit any connections from the Internet to use that connector.
If you do you'll have an open SMTP relay and you'll quickly find your
server bogged down and your IP address listed in numerous DNSBLs and
reputation filters.
---
Rich Matheisen
MCSE+I, Exchange MVP
November 20th, 2010 4:31pm
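A read-only check for the open-relay condition described in the reply above, added here as an example and not part of the original thread. It lists every receive connector that lets anonymous sessions relay (through the Ms-Exch-SMTP-Accept-Any-Recipient right or through "Externally Secured") and flags those whose remote IP range is unrestricted; the string form of the unrestricted range is an assumption.

```powershell
# Run in the Exchange Management Shell. Read-only: nothing is modified.
$anon    = 'NT AUTHORITY\ANONYMOUS LOGON'
$relay   = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anyIPv4 = '0.0.0.0-255.255.255.255'   # assumed string form of an unrestricted IPv4 range

foreach ($rc in Get-ReceiveConnector) {
    # Explicit (non-deny) grant of the relay right to anonymous sessions.
    $grant = $rc | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $relay) }

    # "Externally Secured" shows up as the ExternalAuthoritative auth mechanism.
    $extSecured = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'

    if ($grant -or $extSecured) {
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject -Property @{
            Connector         = "$($rc.Identity)"
            AnonymousRelay    = [bool]$grant
            ExternallySecured = $extSecured
            RemoteIPRanges    = $ranges -join ', '
            OpenToAnySource   = ($ranges -contains $anyIPv4)
        }
    }
}
```

Any row with OpenToAnySource set to True is a connector that relays for any source address and should be scoped to specific IPs.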
OK, so generally speaking the internet receive connector which listens on port 25 should not have the anonymous ticked, but amongst all the other Permission Groups and Authentication options, how do I know which of them I need to tick, since e-mails will arrive from all sorts of programs, not only Exchange, and their security is unknown?
November 21st, 2010 1:54am
On Sun, 21 Nov 2010 06:50:24 +0000, acmsoft wrote:
>ok so generally speaking the internet receive connector which listens on port 25 should not have the anonymous ticked,
That wasn't what I said. If you want to receive e-mail from the
Internet you'll have to allow anonymous access. What I said was that
you don't want to allow anonymous access to a receive connector that
permits the use of unrestricted SMTP relay.
>but amongst all other Permission Groups and Authentication options, how do I know which of them I need to tick since e-mails will arrive from all sorts of programs not only Exchange and their security is unknown.
Create another receive connector. The 2nd receive connector allows
anonymous access and SMTP relay and is restricted to only the IP
addresses that you want to allow the use of that SMTP relay.
Leave the default receive connector alone. You can enable anonymous
access on the connector so anyone can send SMTP mail to your domain if
you like -- or you can create a 3rd receive connector if you want to
restrict the use of the default receive connector to just your
Exchange server's IP addresses.
---
Rich Matheisen
MCSE+I, Exchange MVP
November 21st, 2010 11:33am
So the default receive connector does not permit to send any e-mails to external recipients ( only to internal recipients )
To be able to send e-mails externally another receive connector has to be created and if it has only the anonymous ticked ideally the source ip is specified and then given permission to send to external recipients with the command shell.
Is this correct please ?
November 21st, 2010 5:21pm
On Sun, 21 Nov 2010 22:16:26 +0000, acmsoft wrote:
>So the default receive connector does not permit to send any e-mails to external recipients ( only to internal recipients )
That's correct. And that's the way you want to keep it.
>To be able to send e-mails externally another receive connector has to be created and if it has only the anonymous ticked ideally the source ip is specified and then given permission to send to external recipients with the command shell.
You'd add the IP addresses of the machines you want to use that
connector to the connector's properties (you can use the UI to do
that, or the set-receiveconnector cmdlet).
Allowing anonymous connections on the connector is also a "good
thing".
But those two things won't allow use of the connector to send e-mail
to external addresses. To do that, the easiest way is to select
"Externally Secured" on the "Permissions" tab of the receiver's
property page (or set it with Powershell). As I said before, if
"Externally Secured" gives too much permission then you can set just
the "Ms-Exch-SMTP-Accept-Any-Recipient" permission on the connector.
>Is this correct please ?
Did you read the link I included in my reply on November 17th?
http://technet.microsoft.com/en-us/library/bb232021(EXCHG.80).aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
November 21st, 2010 5:33pm
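The setup described in the reply above, written out for the Exchange Management Shell as an added example that is not part of the original thread. The server name, connector name and device address are assumptions; substitute your own.

```powershell
# Assumed values, not from the thread.
$server    = 'EXCH01'              # hypothetical Exchange server name
$name      = 'Relay - Scanners'    # hypothetical connector name
$deviceIPs = '192.0.2.25'          # documentation-range address; use the scanner's real IP

# 1. Dedicated connector: anonymous access, but only the listed source IPs
#    can ever match it. The default receive connector is left untouched.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $deviceIPs `
    -PermissionGroups AnonymousUsers

# 2. Narrow option: grant anonymous sessions on this connector only the
#    right to address external recipients. Because the sessions stay
#    anonymous, anti-spam and message size checks still apply.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 2b. Broad alternative ("Externally Secured"): use instead of step 2 only
#     when every host in $deviceIPs is fully trusted.
# Set-ReceiveConnector "$server\$name" `
#     -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# 3. Confirm the scope before pointing the device at the server.
Get-ReceiveConnector "$server\$name" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```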
Yes, in fact my last answer was done thanks to that link, although this is still not clear:
The messages that originate from the specified IP addresses are treated as anonymous messages. Therefore, the messages don't bypass anti-spam checks, don't bypass message size limit checks, and anonymous senders can't be resolved. The process of resolving anonymous senders forces an attempted match between the anonymous sender's e-mail address and the corresponding display name in the global address list.
Why would other messages bypass such important security checks ?
anti-spam checks
message size
November 21st, 2010 6:19pm
On Sun, 21 Nov 2010 23:14:22 +0000, acmsoft wrote:
>Yes In fact my last answer done thanks to that link although this is still not clear :
>
>The messages that originate from the specified IP addresses are treated as anonymous messages. Therefore, the messages don't bypass anti-spam checks, don't bypass message size limit checks, and anonymous senders can't be resolved. The process of resolving anonymous senders forces an attempted match between the anonymous sender's e-mail address and the corresponding display name in the global address list.
>
>Why would other messages bypass such important security checks ?
Because you obviously trust those people/machines using authenticated
connections. If you don't they wouldn't be able to authenticate
because they wouldn't have an account in your AD.
>anti-spam checks
Spam is all about permission and content. If you trust the sender it's
unlikely the content is going to be a problem.
>message size
Again, the issue is trust. If they behave badly, revoke that trust.
---
Rich Matheisen
MCSE+I, Exchange MVP
November 21st, 2010 7:08pm