Hello, Team!

I think Ive found a serious issue in last CU releases. This is the case:

1 Multirole server Exchange 2013 SP1 (and older) , one creceive connector from internet to this server, no edge, nothing.

I care about preventing spoofing my companys email addresses, and remove remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender transport permission from anonymous senders.

To do this, we usually simple run powershell command

Remove-ADPermission <ReceiveConnector Name> user NT AUTHORITY\Anonymous Logon ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

This command works on Exchange SP1, the client (telnet session, f.e.) which try spoof address of company will be refused. (see screenshot below)

But in Exchange 2013 CU5, CU6 and even CU7 release this revoke permissions DOESNT WORKS without any errors, softly. I've try Powershell and ADSI but unsuccessfully.

Then we take off permission on connector above, we keep 3 default permissions:

Accept-any-sender

Accept-Routing-Headers

Submit-Message to Server

It is wonderful works only on server SP1, but not on servers with older versions, which have right settings.

The saddest thing is I have information about Office 365 this behavior reproduced too. And I also think what in your lab you could take 15 minutes and play this simply thing....

I found only that information on connector side is diffenent on SP1 and CU5,6,7.

This is normal connection on SP1, when somebody try spoofed address. We can see a 250 AUTH Response on server side, and server refuse fake connection, all right.

And on CU5 and newest versions we doesnt see this code. Maybe auth mechanism miss something?

Any suggestions? On MS connect site a didn't found exchange bugs topic :)

• Edited by Dmitriy RazbornovMVP Friday, January 09, 2015 5:09 PM

So if someone wants to reproduce the issue, take one SP1 server, and one CU7 or 6 or 5.

Take receive connector and remove permissions to anonymous users:

Remove-ADPermission <ReceiveConnector Name> user NT AUTHORITY\Anonymous Logon ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Result on SP1:

if message come from Internet to expect connector we change, it will be refused.

Result on CU6,7:

if message come from Internet to expect connector we change, it will be received!

Hi Dmitriy,

Thank you for your point. This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue.

Regards,

Hi Dmitriy,

Do you compare the AD permission of the Internet connectors between SP1 and CU7?

Meanwhile, if there is no 250-auth in the telnet, what is the authentication setting of the Internet receive connector?

Thanks.

Hi, Richard!

Of course, I compared these permissions, and it match.

In default installation we have four AD permission for anon users, these are:

Accept-any-sender, Accept-Routing-Headers, Submit-Message to Server and

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender. The powershell command remove last permission on connector, and only three remain.

These settings are identical on both servers, but only SP1 server rejects connections, not both.

You can check this as quickly as I had, and go to test the situation in the lab.

Hi Dmitriy,

Thanks for your update.

Then how about the receive connector configuration? Are they using the same authentication settings?

Thanks.

Hi Dmitriy,

Seems like as a bug .I have found a similar issue like you are facing .

Please check this link.

https://social.technet.microsoft.com/Forums/office/en-US/0fdf213c-02e3-4ea1-9e6d-242abf9559b8/prevent-own-domain-spoofed-spam?forum=exchangesvrsecuremessaging

Hi Dmitriy,

Thanks for your update.

Then how about the receive connector configuration? Are they using the same authentication settings?

Thanks.

I would like to clarify the situation a little for you.
I carried out a large migration project environment from EX2010 to 2013.
When I support this environment for 2013 more than two years.
And setting worked well in 2010,CU1,CU2,CU3,and finally in SP1 over from my upgrades.
Understand that it does not work in versions of the above, and I'd really like to know why.

I repeat that I would like to know in the first place, why it does not work anymore?
Why it is not documented?

As You can see, if you approach with the existing and available information on the problem, not you will immediately understand that there are serious problems caused serious changes.

I want to attract the attention of the  Exchange team  and other peoples to the problem and find out why this is happening.

Hi Dmitriy,

Seems like as a bug .I have found a similar issue like you are facing .

Please check this link.

https://social.technet.microsoft.com/Forums/office/en-US/0fdf213c-02e3-4ea1-9e6d-242abf9559b8/prevent-own-domain-spoofed-spam?forum=exchangesvrsecuremes

Currently having this issue, does anyone know if it was fixed in CU9?

If not, Dmitriy, have you come up with another way to accomplish similar results? 

Unfortunatly, I didn't check issue in CU9, but I think it's in the same place.

From my perspective, I've decided to use small postfix server, which really helps me resolve problem. ^^