Prevent exchange 2010 spoofing authoritative domains
Hello,
I have been trying, on a new Exchange 2010 installation, to prevent the receive connector from accepting senders from authoritative domains:
Get-ReceiveConnector "Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
While this works perfectly fine in Exchange 2007, it has no effect in Exchange 2010.
Any ideas?
Thanks
April 20th, 2012 10:28am
I would implement an SPF record, and then enable the anti-spam agents on your servers.
Mike Crowley | MVP
Planet Technologies
April 20th, 2012 10:34am
Thanks for the answer, Mike. I know we can implement SPF and the anti-spam agents. We are protected by an external anti-spam service, and traffic is accepted only from this gateway.
But for my knowledge, the question was why this works in 2007 and not in 2010. What is different, or what got changed?
I have a coexistence environment with 4 HT Exchange 2007 servers and 3 HT Exchange 2010 servers. On all 2007 servers it works, but not on 2010.
I also tested this in our test lab: the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission has no effect on the connector (for 2010). Removed from the connector or not, it does not matter.
April 20th, 2012 11:25am
Let me look and get back to you. This should still apply in 2010 AFAIK.
Mike Crowley | MVP
Planet Technologies
April 20th, 2012 11:43am
Seems to work for me... (sorry!)
Before:
220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:44:56 -0400
ehlo
250-EXCH-A.demolab.local Hello [127.0.0.1]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:mike@demolab.local
250 2.1.0 Sender OK
rcpt to:mike@demolab.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
hi
.
250 2.6.0 <96de8dc3-c264-41bc-9475-e9f3daf9ffcb@EXCH-A.demolab.local> [InternalId=3] Queued mail for delivery
Run:
Get-ReceiveConnector foo | Remove-ADPermission -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
After:
220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:49:18 -0400
ehlo
250-EXCH-A.demolab.local Hello [127.0.0.1]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:mike@demolab.local
250 2.1.0 Sender OK
rcpt to:mike@demolab.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
hi2
.
550 5.7.1 Client does not have permissions to send as this sender
April 20th, 2012 11:52am
Thanks.
Hmm, it seems I have to look somewhere else :-(
Do you have one server, with all roles on it? Did you enable anonymous permissions on the foo connector?
What I have is an NLB in both cases; test lab and production, both of them do not work.
April 20th, 2012 1:41pm
Yes, you are right, it works. But the difference is that in 2007 the error comes right after the MAIL FROM: statement (so it does not accept DATA), whereas in 2010 the 550 5.7.1 error message comes when you try to submit the message.
(screenshot: Exchange 2010)
(screenshot: Exchange 2007)
April 20th, 2012 2:04pm
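Added here as an illustration, not code from the thread: a Python script that repeats the same spoofing check Mike ran, against your own Hub Transport server, and reports at which SMTP stage the 550 5.7.1 arrives (MAIL FROM on 2007, end of DATA on 2010, never if the connector still accepts the message). The hostname, sender and recipient are placeholders, and the three reply tables are constructed to match the replies quoted above.

```python
import smtplib
import sys

# Constructed reply tables: (code, text) returned at each SMTP step.
# They mirror what the thread observed on the two Exchange versions.
CONSTRUCTED_2007 = {
    "mail": (550, "5.7.1 Client does not have permissions to send as this sender"),
}
CONSTRUCTED_2010 = {
    "mail": (250, "2.1.0 Sender OK"),
    "rcpt": (250, "2.1.5 Recipient OK"),
    "data": (550, "5.7.1 Client does not have permissions to send as this sender"),
}
CONSTRUCTED_OPEN = {  # permission still granted: message is queued
    "mail": (250, "2.1.0 Sender OK"),
    "rcpt": (250, "2.1.5 Recipient OK"),
    "data": (250, "2.6.0 Queued mail for delivery"),
}

def rejection_stage(replies):
    """Walk MAIL FROM -> RCPT TO -> DATA and return the first stage that got a
    5xx reply, or None if every stage was accepted (the spoof went through)."""
    for stage in ("mail", "rcpt", "data"):
        reply = replies.get(stage)
        if reply is None:       # session was closed before this stage
            break
        if reply[0] >= 500:
            return stage
    return None

def probe_connector(host, sender, recipient, port=25):
    """Live check against your own HT server (placeholder host): send an
    anonymous MAIL FROM in an authoritative domain and record each reply."""
    replies = {}
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        replies["mail"] = smtp.mail(sender)
        if replies["mail"][0] < 500:
            replies["rcpt"] = smtp.rcpt(recipient)
        if "rcpt" in replies and replies["rcpt"][0] < 500:
            try:
                replies["data"] = smtp.data("Subject: connector check\r\n\r\ntest")
            except smtplib.SMTPDataError as err:   # 5xx on the DATA command itself
                replies["data"] = (err.smtp_code, err.smtp_error)
    return rejection_stage(replies)

if __name__ == "__main__":
    # usage: python probe.py ht-server.example.local user@authoritative.example user@authoritative.example
    stage = probe_connector(sys.argv[1], sys.argv[2], sys.argv[3])
    print("rejected at:", stage or "never (connector still accepts spoofed senders)")
```

A result of None means the anonymous permission is still effective on that connector and the spoofed message was queued, exactly the "Before" transcript above.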
And to add more: I think the 2007 behaviour is right.
Reading
http://technet.microsoft.com/en-us/library/aa996395.aspx
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
This permission allows senders that have e-mail addresses in authoritative domains to establish a session to this Receive connector.
I understand: ALLOWS senders TO ESTABLISH a session.
2007 does that, but 2010 allows the session to be established and does not reject it; it does not accept the message, but it allows the session to be established.
Do I understand wrong???
April 20th, 2012 2:23pm
Technically a "session" is established as soon as you got a reply. All relative I guess. I don't have a 2007 box to mess with, but it'd appear you are correct. Not really worth worrying about though. The message is never queued.
Mike Crowley | MVP
Planet Technologies
April 20th, 2012 2:46pm
Thank you very much for assisting.
April 20th, 2012 3:27pm