I've recently started work with a new organisation and they have a problem with mail from external parties getting through to internal distribution lists. I've checked some of the lists in question and the option "Require that all senders are authenticated" is definitely CHECKED. Mystified, I had a look at the Receive Connectors and found that the connector which handles the mail from our spam/virus filtering company is secured with IPSEC, but all other forms of authentication have been turned OFF on that connector (e.g. TLS, Basic, Exchange Server and Windows authentication are turned OFF). Am I on the right track? Is Exchange saying to itself "Mail for this distribution list requires authentication; let me check: OK, that connector is secured with IPSEC Authentication, so therefore I can let this email go through"? Or is something else going on? Wondering what options I have and what the implications might be if I tried turning on the other authentication methods?

I've checked some of the lists in question and the option "Require that all senders are authenticated" is definitely CHECKED. If this is checked then DLs will not get emails from the email addresses outside your exchange server. If you want to receive emails from outside email addresses then uncheck this flag. Regards,Laeeq Qazi|Team Lead(Exchange + Sharepoint + BES + DynamicsCRM) www.HostingController.com

On Fri, 28 May 2010 03:53:14 +0000, Frosty at CBM wrote: > > >I've recently started work with a new organisation and they have a problem with mail from external parties getting through to internal distribution lists. I've checked some of the lists in question and the option "Require that all senders are authenticated" is definitely CHECKED. > >Mystified, I had a look at the Receive Connectors and found that the connector which handles the mail from our spam/virus filtering company is secured with IPSEC, Is it really using IPSec? Or do you mean that the "Externally secured" box is checked on the "Authentication" tab of connector's property page? "Externally Secured" means that the other machine has authenticated the sender. Checking that box says that all e-mail arriving on that connector bypasses all anti-spam checking. >but all other forms of authentication have been turned OFF on that connector (e.g. TLS, Basic, Exchange Server and Windows authentication are turned OFF). > >Am I on the right track? Is Exchange saying to itself "Mail for this distribution list requires authentication; let me check: OK, that connector is secured with IPSEC Authentication, so therefore I can let this email go through"? > >Or is something else going on? Wondering what options I have and what the implications might be if I tried turning on the other authentication methods? I think that receive connector is misconfigured. If the spam filter isn't authenticating with your server then the authentication for that connector should be set to "anonymous" and the RemoteIPRange should be set to accept connections only from the spam filter machine (or network). Alternatively, you should be able to configure the spam filter to reject e-mail to the SMTP addresses of the those distribution groups that should not receive e-mail from the Internet -- or populate those groups with a property that can be used by an Email Address Policy to assign SMTP addresses in the, say, ".local" top-level domain making them unaddressable from outside your Exchange organization. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

You are using default receive conenctor for accept email from Spam filter server. If yed then please create one new receive connector and give permission group "anonymous". Then check mail flow and later you can change setting for this connector.Anil

Is it really using IPSec? Or do you mean that the "Externally secured" box is checked on the "Authentication" tab of connector's property page? "Externally Secured" means that the other machine has authenticated the sender. Checking that box says that all e-mail arriving on that connector bypasses all anti-spam checking. ... I think that receive connector is misconfigured. If the spam filter isn't authenticating with your server then the authentication for that connector should be set to "anonymous" and the RemoteIPRange should be set to accept connections only from the spam filter machine (or network). Alternatively, you should be able to configure the spam filter to reject e-mail to the SMTP addresses of the those distribution groups that should not receive e-mail from the Internet -- or populate those groups with a property that can be used by an Email Address Policy to assign SMTP addresses in the, say, ".local" top-level domain making them unaddressable from outside your Exchange organization. Rich, thanks for that ... you're right ... I mis-read the screen a little ... the option "Externally secured" is the one that is checked for that connector, and all the other boxes are empty. I will take a closer look at the external spam/virus filtering service, as its likely that I will be able to block sending to those mailing lists manually by using their administration interface.