receive connector should not be an open relay
We are on Exchange 2007 SP1. Exchange server name: EXG01. We have 2 receive connectors:

1. Default EXG01
2. Client EXG01

Currently I have run tests using telnet & I am sure this is an open relay. I am able to send emails from my Gmail account to my Exchange account & I am able to send emails from non-existent domain accounts to my Exchange account. For example, I tried sending an email from abcd@domain.com (this email address does not exist) to my email address philip@domain.com & the email came through.

I need to ensure both these connectors are configured so that they are not open relays and at the same time emails can flow within the organization & also from & to the internet. All our incoming mail passes through a cloud service to ensure no spam & viruses come through. They have only public IPs and host names. Is it possible to create a receive connector that only accepts emails from this cloud service?

My current "Authentication" & "Permission Groups" for "Default EXG01" are:

Authentication
1. Transport Layer Security - Checked
2. Enable Domain Security - Unchecked
3. Basic Authentication - Checked
4. Offer Basic Authentication only after starting TLS - Checked
5. Exchange Server Authentication - Checked
6. Integrated Windows Authentication - Checked
7. Externally Secured - Unchecked

Permission Groups
1. Anonymous Users - Checked
2. Exchange Users - Checked
3. Exchange Servers - Checked
4. Legacy Exchange Servers - Checked
5. Partners - Unchecked

And for "Client EXG01":

Authentication
1. Transport Layer Security - Checked
2. Enable Domain Security - Unchecked
3. Basic Authentication - Checked
4. Offer Basic Authentication only after starting TLS - Checked
5. Exchange Server Authentication - Checked
6. Integrated Windows Authentication - Checked
7. Externally Secured - Unchecked

Permission Groups
1. Anonymous Users - Unchecked
2. Exchange Users - Checked
3. Exchange Servers - Checked
4. Legacy Exchange Servers - Checked
5. Partners - Unchecked

Kindly help me to correct these & ensure that my Exchange is not an open relay.
September 18th, 2012 5:07pm

I would set up a receive connector to receive email from the cloud service. In addition to that, test for open relay using https://www.testexchangeconnectivity.com/. Seems like you're seeing spoofing rather than an open relay. Sukh
September 18th, 2012 7:27pm

Hi Sukh, thanks for your response. Much appreciated. Please tell me how I set up a receive connector to receive email from the cloud service? The cloud service only has public IPs & hostnames. All I have seen are with local IPs. Kindly help. Also, in doing so, should I change anything with the existing 2 connectors? Or just leave them as they are? Please tell me the changes I need to make on the 2 existing connectors as well. Thanks, Philip
September 18th, 2012 10:25pm

Hi. Create a custom receive connector and specify the IPs from the cloud, and any authentication if you wish. Receive connector. You can leave the Default and Client; the Client can be disabled if you don't have any clients that use it for submitting emails using SMTP on port 587, BUT leave the Default. You would eventually want to remove Anonymous (permission groups) from the Default connector once you have the NEW custom connector set up. Sukh
September 19th, 2012 5:06am

Thanks Sukh.
1. Can we enter the public IPs of the cloud on the new connector?
2. Can this be an Internet or Custom connector?
3. Can we uncheck Anonymous Users from the Default & Client connectors? We do have most users from overseas using SMTP.
September 19th, 2012 5:17am

Yes. Custom. Depends on how these overseas users submit email: are they on the LAN? VPN? Or do they submit directly to the Exchange (Hub, I assume) which is exposed externally? Sukh
September 19th, 2012 5:24am

Thanks Sukh. Answering your question, most overseas users connect to our Exchange server via the internet using the POP3/SMTP settings. I believe your assumption is correct: "do they submit directly to the Exchange (Hub, I assume) which is exposed externally". Now my last questions, I believe:
1. What must be my authentication for this new connector?
2. What must be the permission groups for the new connector?
3. Can we uncheck Anonymous on the Client & Default connectors?
4. Would appreciate if you can tell me what must be set under "Authentication" & "Permission Groups" for both the "Default" & "Client" connectors.
One more question: can the local IP be the local IP of the Exchange server?
September 19th, 2012 5:43am

1. Depends if the cloud service offers/does authentication; if not, then just lock down via IP.
2. The permission groups will need to have either Anonymous or Externally Secured, depending on how secure/trusted the connection is. It will be locked down via IP anyway, but go for Anonymous.
3. Only after the new connector has been created.
4. Leave the defaults on there, but remove Anonymous from the Default after the new connector.
Sukh
September 19th, 2012 5:55am

Thanks Sukh. Now, I haven't created or edited any of the connectors as of yet. However, we have POP3/SMTP users complaining of getting return emails saying "550 5.7.1 Unable to relay". Is this something to do with the authentication & permission groups on the connectors? Some of them are even complaining of being unable to authenticate to the server; it keeps popping up with username & password. Only POP3 users are having this problem. When you say lock down by IP, how do we do that? The options under the Authentication tab are:
1. Transport Layer Security
2. Enable Domain Security
3. Basic Authentication
4. Offer Basic Authentication only after starting TLS
5. Exchange Server Authentication
6. Integrated Windows Authentication
7. Externally Secured
September 19th, 2012 6:37am

So NO changes have been made, right? And you have this issue? On the Network tab > remote IP changes. Sukh
September 19th, 2012 6:42am

To be honest, I believe one of my colleagues played with the Authentication & Permission Groups tabs to ensure our Exchange is not an open relay. Soon afterwards we started having this issue, only with POP3/SMTP users. They get "cannot relay", "your email server rejected your login", etc. No changes were made on the Network tab > remote IP changes. Please help.
September 19th, 2012 7:26am

Up the logging on the Client connector to verbose and check the logs; that should give you an idea. Sukh
September 19th, 2012 8:29am

SMTP relay issue. Our incoming & outgoing mail server is mail.domain.com, IP: 1.1.1.1. When the users try to log in using mail.domain.com as the incoming & outgoing mail server, they get an error saying "your email server rejected your login". When they give the IP address they can log in to the Exchange server, but when they send an email to outside domains they get a bounce email saying they cannot relay. These issues are only with users who are using POP3/SMTP.
September 19th, 2012 9:24am

Logging as mentioned above? Sukh
September 19th, 2012 9:27am

How do I elevate the logging to verbose?
September 19th, 2012 9:36am

Logging: Connector Info. Sukh
September 19th, 2012 9:39am
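Added example, not from the thread or its participants: the Exchange Management Shell equivalent of the advice given above (a source-IP-restricted custom connector for the cloud filter, Anonymous removed from the Default connector only after that, verbose protocol logging on the Client connector, and a check of who actually holds the relay permission). The cloud filter's IPs are constructed placeholders; the server and connector names are the ones from the thread.

```powershell
# Exchange 2007 Management Shell. Assumed values: EXG01 from the thread, placeholder cloud IPs.
$Server      = "EXG01"
$CloudRanges = "203.0.113.10", "203.0.113.11"   # placeholder: the cloud filter's real public IPs

# 1. Dedicated connector for the cloud filtering service, locked down by source IP.
#    It shares port 25 with the Default connector; Exchange picks the connector whose
#    RemoteIPRanges matches the sender most specifically, so these IPs land here.
New-ReceiveConnector -Name "Inbound from cloud filter" -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $CloudRanges `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Only after step 1 exists: take Anonymous off the Default connector so arbitrary
#    Internet hosts can no longer submit to it, while server-to-server and authenticated
#    user flow inside the organization keeps working.
Set-ReceiveConnector -Identity "$Server\Default $Server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# 3. Verbose protocol logging on the Client connector (port 587) to see why the POP3/SMTP
#    users get "550 5.7.1 Unable to relay" or failed logins. Logs are written under
#    <Exchange install path>\TransportRoles\Logs\ProtocolLog\SmtpReceive.
Set-ReceiveConnector -Identity "$Server\Client $Server" -ProtocolLoggingLevel Verbose

# 4. Relay to external domains is granted by the ms-Exch-SMTP-Accept-Any-Recipient right.
#    List who holds it on every connector; an anonymous or NT AUTHORITY\ANONYMOUS LOGON
#    entry here (not denied) is what makes a connector an open relay.
Get-ReceiveConnector -Server $Server | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Select-Object Identity, User, Deny, IsInherited
```

Run step 4 before and after the change: the Default connector should show the right only for authenticated users and Exchange servers, and the new cloud connector should show no anonymous grant, since it is meant to deliver to local mailboxes, not relay outward.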
