Prevent exchange 2010 spoofing authoritative domains
Hello, I have been trying, on a new Exchange 2010 installation, to prevent the receive connector from accepting senders from authoritative domains:

Get-ReceiveConnector "Internet" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

While this works perfectly fine in Exchange 2007, it has no effect in Exchange 2010. Any ideas? Thanks
April 20th, 2012 10:28am

I would implement an SPF record, and then enable the anti-spam agents on your servers. Mike Crowley | MVP My Blog -- Planet Technologies
April 20th, 2012 10:34am

Thanks for the answer, Mike. I know we can implement SPF and anti-spam agents; we are protected by an external anti-spam service and traffic is accepted only from this gateway. But for my knowledge, the question was why this works in 2007 and not in 2010. What is different, or what got changed? I have a coexistence environment with 4 HT Exchange 2007 and 3 HT Exchange 2010; on all 2007 servers it works, but not on 2010. I also tested this in our test lab: the attribute ms-Exch-SMTP-Accept-Authoritative-Domain-Sender has no effect on the connector (for 2010). Removed from the connector or not, it does not matter.
April 20th, 2012 11:25am

Let me look and get back to you. This should still apply in 2010 AFAIK. Mike Crowley | MVP My Blog -- Planet Technologies
April 20th, 2012 11:43am

Seems to work for me... (sorry!)

Before:

220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:44:56 -0400
ehlo
250-EXCH-A.demolab.local Hello [127.0.0.1]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:mike@demolab.local
250 2.1.0 Sender OK
rcpt to:mike@demolab.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
hi
.
250 2.6.0 <96de8dc3-c264-41bc-9475-e9f3daf9ffcb@EXCH-A.demolab.local> [InternalId=3] Queued mail for delivery

Run:

Get-ReceiveConnector foo | Remove-ADPermission -user "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

After:

220 EXCH-A.demolab.local Microsoft ESMTP MAIL Service ready at Fri, 20 Apr 2012 11:49:18 -0400
ehlo
250-EXCH-A.demolab.local Hello [127.0.0.1]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from:mike@demolab.local
250 2.1.0 Sender OK
rcpt to:mike@demolab.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
hi2
.
550 5.7.1 Client does not have permissions to send as this sender
April 20th, 2012 11:52am
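An audit script to go with the Remove-ADPermission command used in this thread. It is an added example, not code from the thread or from Mike; it assumes the Exchange Management Shell cmdlets Get-ReceiveConnector, Get-ADPermission and Remove-ADPermission are loaded, and it reports, per Receive connector, whether ANONYMOUS LOGON still holds the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right.

```powershell
# Added example (not from the thread): audit every Receive connector for the
# ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right granted to anonymous
# senders, and optionally remove it. Assumes the Exchange Management Shell.
param(
    [switch]$Remediate   # remove the right where it is still granted
)

$right    = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$anonUser = 'NT AUTHORITY\ANONYMOUS LOGON'

function Get-AnonymousAuthoritativeSenderGrants {
    # One row per Receive connector. GrantsRight is $true when ANONYMOUS LOGON
    # holds an Allow ACE for the right (Deny entries already block it, so they
    # are ignored). AnonymousEnabled shows whether the connector even accepts
    # anonymous sessions; only those connectors are reachable by a spoofed sender.
    Get-ReceiveConnector | ForEach-Object {
        $connector = $_
        $grants = Get-ADPermission -Identity $connector.Identity -User $anonUser |
            Where-Object {
                -not $_.Deny -and
                (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $right)
            }
        [PSCustomObject]@{
            Connector        = $connector.Identity
            Server           = $connector.Server
            AnonymousEnabled = [bool]($connector.PermissionGroups -match 'AnonymousUsers')
            GrantsRight      = [bool]$grants
        }
    }
}

$report = Get-AnonymousAuthoritativeSenderGrants
$report | Format-Table -AutoSize

if ($Remediate) {
    # Same command as in the thread, applied only where the right is still present.
    foreach ($row in $report | Where-Object { $_.GrantsRight }) {
        Get-ReceiveConnector $row.Connector |
            Remove-ADPermission -User $anonUser -ExtendedRights $right -Confirm:$false
    }
}
```

After remediating, repeat the telnet-style test shown above: on Exchange 2010 expect the 550 5.7.1 at the end of DATA rather than at MAIL FROM, as the rest of the thread discusses.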

Thanks... hmm, it seems I have to look somewhere else :-( Do you have one server, with all roles on it? Did you enable anonymous permissions on the foo connector? What I have is an NLB in both cases, test lab and production; both of them do not work.
April 20th, 2012 1:41pm

Yes, you are right, it works... but the difference is that in 2007 the error comes right after the statement mail from: (so it does not accept data), while in 2010 the error message 550 5.7.1 comes when you try to submit the message.
April 20th, 2012 2:04pm

And to add more... I think the 2007 behavior is right. Reading http://technet.microsoft.com/en-us/library/aa996395.aspx: ms-Exch-SMTP-Accept-Authoritative-Domain-Sender: "This permission allows senders that have e-mail addresses in authoritative domains to establish a session to this Receive connector." I understand ALLOWS senders... TO ESTABLISH a session. 2007 does that, but 2010 allows the session to be established and does not reject it; it does not accept the message, but it allows the session to be established. Do I understand this wrong?
April 20th, 2012 2:23pm

Technically a "session" is established as soon as you got a reply. All relative I guess. I don't have a 2007 box to mess with, but it'd appear you are correct. Not really worth worrying about though. The message is never queued. Mike Crowley | MVP My Blog -- Planet Technologies
April 20th, 2012 2:46pm

Thank you very much for assisting.
April 20th, 2012 3:27pm
