I have been all over the net today. Everything I find says that Exchange server 2010 is not an open relay by default. I agree that it is not an "open relay", but only with a strict defamation of the term. This is my situation.... I have a single 2010 Exchange server. I configure outlook at multiple locations for testing. (all outside of my network) I can send mail to any email address (not just internal) just by supplying a valid domain account. No password required! I want to require a password for this action. I understand that this is the default behavior. If someone can give me a reason why I should leave it the way it is, I'm listening.

HiWhen you send e-mail with outside of your network, you use Outlook Anywhere or what ? You can in setting Outlook profile (E-Mail Accounts-Change-More Setting-Security-User Identification) check this box and re-open Outlook. When you open Outlook you must enter your user domain credentials. I think what require a password when you send E-Mail for any email address not reality without use 3rd Software (not MS) .

I setup outlook with pop3 account. I can't receive mail, but I can send it out. All without ever putting in my password. I want to configure my exchange server to require authentication before sending to external domains

I deleted the receive connectors that were created when I installed Exchange 2010 and then recreated the receive connectors. Now I am required to provide a password and it requires SSL to send, no longer an open relay

Hi,Did you mean the user can send the email to the Internet user without doing the authentication? Could you ensure the email is sent to the final user?Please understand that any one can send the email withouth doing the authentication via the Exchange server if the Anonymous user is checked on the Receive Connector. However, the NDR will be received if the email is sent to the external user without doing the authentication. To relay from the Exchange server, the authentication is required.To keep the Anonymous user available, the internal user can receive the Internet email.ThanksAllen

Hi all, I am also having similar doubts and was wondering if you could help me figure out if all is by design. My exchange 2010 has the default receive connector for port 25. Permissions are: Anonymous, Exchange users, Exchange Servers. Authencation is set: TLS & Basic The problem is that if anyone sets up a basic POP/SMTP account on a mail client such as Outlook and puts in the SMTP IP address and any bogus account details with bogus credentials....and tries to send email to any internal mailbox or even administrator@mydomain.com .... the result is : the email IS delivered. I see this as being a serious problem. When doing this same test to an external email address then I get the Server error: '550 5.1.1 <administrator@mydomain.com>: Recipient address rejected: mydomain.com' Please let me know if I am missing something or can protect the mailserver from this happening. Ideally I would like the mailserver to insist on SMTP authenication credentials when sending mail. Best regards and thanks in advance

Hi Allen, please could you take a look at my post and let me know what you think. Thanks a lot.