Close open relay on Exchange 2013

Hi,

I have one CAS 2013 and Mailbox 2013 server. I figured out that relay is open on server and when some from external site try telnet and easily connect with server and send email from external domain and I want to close this at earliest. I have user connect with POP and IMAP which do not use option server authentication required. I want all these POP and IMAP client to connect with server required authetication. 

What I believe that this is the main problem that the authentication is not enable on POP IMAP and which applied on telnet as well that open relay for anyone is available for external user

Please guide

April 21st, 2015 10:51am

Hi ,

Exchange servers by default ,it will not be on open relay unless the permissions on the receive connectors is changed manually.

Commmand to check open relay on exchange servers: 

Get-ReceiveConnector | Get-ADPermission -User NT Authority\Anonymous Logon | Where-Object {$_.ExtendedRights -like ms-Exch-SMTP-Accept-Any-Recipient} | Format-List Identity,ExtendedRights

option to check open relay from external world :  

MXtoolbox 

If in case you have found that the user "NT Authority\Anonymous Logon" is having the permission "ms-Exch-SMTP-Accept-Any-Recipient" on the receive connector which is used to receive emails from interenet then we need to remove that permission for that account on that particular receive connector.

Moreover i need to know where your MX records are pointed ? Is it pointed directly to exchange servers /edge  or else to some other device before it reaches exchange ?

Free Windows Admin Tool Kit Click here and download it now
April 21st, 2015 11:58am

Hi Nithyanandham,

Thanks for your reply. I ran the CMD on Exchange PowerShell and get extended permission on all the connectors. Yes you are right we have allowed the NT Authority\Anonymous Logon manually for POP IMAP and that might be the issue for telnet external access.  In Mxtoolbox checked the domain name and tested SMTP Test and found that below result. Please guide how to remove the NT authority anonmyour login permission to secure our telnet from external access and POP IMAP for authentication. Your prompt action would be highly appreciated 

SMTP TLS Warning - Does not support TLS.  More Info
SMTP Server Disconncted SMTP Server Disconnected

May be an open relay.

April 21st, 2015 12:22pm

Hi ,

Below is the command to remove the open relay permissions for the specific receive connector.

Get-ReceiveConnector "receive connector name" | remove-ADPermission -User NT Authority\Anonymous Logon -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient

Note : Make sure that you are removing the permission from the connector that you would like to do by mentioning the correct name of the connector in the above mentioned command.

Please reply me if you have any queries.

Free Windows Admin Tool Kit Click here and download it now
April 21st, 2015 12:50pm

Quick question, I have CAS and Mailbox and I am trying to run this command on CAS machine Client frontend server connector because it is on Port 587 which I want to block access from internet. I am getting an error on Mailbox server name\Client frontend server couldn't be found. Please guide
April 21st, 2015 12:56pm

Hi ,

In your case we need to use the name of the cas server along with the connector name and also i assume that mailbox and cas role is installed on a separate box.So Please find the below mentioned command .

Get-ReceiveConnector "server1\Client Frontend server1" | remove-ADPermission -User NT Authority\Anonymous Logon -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient

On the above command i have assumed that the server "server1" is holding the cas server role .

Free Windows Admin Tool Kit Click here and download it now
April 21st, 2015 1:21pm

Hi,

I executed the above command on Client frontend server but it is generating the warning "Can't remove the access control entry on the object and because ACE is not present". I tried the telnet from external site and access the server and sent test email from external domain. Please help to resolve this issue.

April 21st, 2015 1:30pm

I executed the below command and found that the servers which I wanted to remove is not showing in the list.

Get-ReceiveConnector | Get-ADPermission -User NT Authority\Anonymous Logon | Where-Object {$_.ExtendedRights -like ms-Exch-SMTP-Accept-Any-Recipient} | Format-List Identity,ExtendedRights

One changed that on telnet the external domain to external domain which was relaying has been blocked but from external domain to local domain user email address is still connecting and receiving email. How to prevent this from telnet and want the POP and IMAP use also server require authentication enable for secure communication.

Please guide

Free Windows Admin Tool Kit Click here and download it now
April 21st, 2015 2:50pm

Hi 

You can help prevent external senders from *spoofing* your domain with SPF/Sender ID checking as well with anti-spam/anti-malware on the SMTP gateway.

Better implement a tight SMTP security on the gateway 

April 21st, 2015 4:01pm

We don't have any gateway in place to implement but yes we have firewall in place. Kindly suggest the way to block external access on telnet and allow POP and IMAP user to use secure authentication while configuring the outlook.

Thanks

Free Windows Admin Tool Kit Click here and download it now
April 21st, 2015 5:15pm

Can some one suggest what other should do.
April 22nd, 2015 5:08am

Hi Lucky-Hamu ,

As sathish said we can make use of the SPF/Sender ID check to avoid your own domain spoofing.

Alright on your reply you have mentioned like "external domain to local domain user email address is still connecting and receiving email"

Above mentioned behaviour is normal and that is the way that the exchange servers will receive the emails from outside world.In case if you don't want the external users to send emails to invalid email address in your organisation then we can make use of recipient filetring in exchange.

On the recipient filtering please make use of the option "Block messages set to recipients that do not exist in the directory"

To achieve the above scenario  we need to have our MX records pointed to edge or directly to exchange.

In addtion to all the above , on your smarthost just enable the reverse DNS lookup for all the external connections coming from external world and also just try to have a good anti spamming solution installed in your smarthost. (i.e gateway product).

Please reply me if you have any queries.

Free Windows Admin Tool Kit Click here and download it now
April 22nd, 2015 7:26am

Hey Lucy

I think enough suggestions has been provided from everyone in this thread.

Apart from  the above suggestions i really don't think there is a some other options.

For your Case Better i would suggest since there is no gateway in place 

Enable Exchange Antispam feature 

Enable recipient filtering feature on the Antispam feature 

Enable SPF/SenderID so that your domain will not be spoofed 

April 22nd, 2015 8:26am

I have last query that might be more clear on the issue. In Exchange 2010 there was I think not sure by default setting that when some one telnet from external site and after HELO type mail from: abc@Hotmail.com and get message 530.5.7.1 Client was not authenticated. I want that setting in my Exchange 2013 to prevent from external when some one telnet on my server.

Hope this will more clarify what was my requirement at the time opened that thread.

Thanks

Free Windows Admin Tool Kit Click here and download it now
April 22nd, 2015 6:16pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics