Restrict Exchange 2007 SMTP
I have configured SMTP on my Exchange server and I only accept authenticated users. The problem is that once authenticated they can specify any email address of the organization in the From address. Is there a way to restrict that once the user has been authenticated, he is only allowed to send an email with his personal email ID? I want to avoid users sending mail using other email IDs.
My receive connectors allow any authenticated user to send emails, but as far as I understand it does not check that the authenticated user is sending with its associated email address.
The problem with this is that users can send mails in the name of other users using SMTP.
Is it possible to resolve this problem using transport rules? How can I prevent this?
Thanks in advance!
Albert
March 27th, 2012 4:18am
On Tue, 27 Mar 2012 08:11:40 +0000, AlbertoGML wrote:
>
>I have configured SMTP on my Exchange server and I only accept authenticated users. The problem is that once authenticated they can specify any email address of the organization in the From address. Is there a way to restrict that once the user has been authenticated, he is only allowed to send an email with his personal email ID? I want to avoid users sending mail using other email IDs.
Are you sure that those users don't have "Send As" permission on other AD User objects?
>
>My receive connectors allow any authenticated user to send emails, but as far as I understand it does not check that the authenticated user is sending with its associated email address.
>
>The problem with this is that users can send mails in the name of other users using SMTP.
>
>Is it possible to resolve this problem using transport rules? How can I prevent this?
>
>Thanks in advance!
>
>Albert
>
---
Rich Matheisen
MCSE+I, Exchange MVP
March 27th, 2012 5:40pm
Hi Rich,
I am completely sure; nevertheless, I thought this permission did not apply to the SMTP protocol under Exchange...
If you try to send an email using other credentials from Outlook connecting directly to Exchange it is not possible, but you can do it using SMTP...
Do you know how to restrict this under this protocol?
Thanks in advance!
March 28th, 2012 5:05am
Hi,
Sorry, I don't know what you mean about using SMTP. Please tell me more about it.
Hope this can help you.
thanks,
CastinLu
TechNet Community Support
March 28th, 2012 11:07pm
Hi CastinLu,
We have configured the POP3 and SMTP services in Exchange 2007 so external users can use these protocols to send and receive emails.
As far as I know these protocols are configured using a receive connector that allows authenticated users to send emails.
In this way you can avoid relay on our server because you force every user to authenticate to the SMTP server before sending any email.
The problem is that once the user has been authenticated he is allowed to specify any email of the organization in the From field.
So I do not know how to restrict the authenticated user to sending only from his associated email.
At the moment any authenticated user can send emails using other From addresses and I would like to prevent this.
I hope I have explained it correctly; nevertheless, if you have any doubts please do not hesitate to ask me again.
Thank you very much for your help!
Albert
March 29th, 2012 5:30am
Client SMTP receive, if configured properly, does not allow impersonation. In fact, the default client SMTP receive connector is configured out of the box to not allow this. There is a way to test it with telnet SMTP commands.
Telnet <HUB/ReceiveConnector> 25
HELO or EHLO
AUTH LOGIN
<At this point, you will need to BASE64 encode your email address/login, paste that in, then BASE64 encode your password, and paste that in, you should get a 235 Authenticated>
At this point you are connected and authenticated, now you can try
MAIL FROM: <youremailaddress>
It should respond Sender OK.
Now try
MAIL FROM: <Someoneelsesemailaddress>
You should get 5.7.1 Client does not have permission to send as this sender
If this is what you receive, the users cannot send as other users, only as themselves. If they can send as other users, I would check the receive connector and ensure that the following are checked under Authentication:
TLS
Basic Authentication
Offer Basic authentication only after starting TLS
Integrated Windows Authentication
And under the Permission Groups:
Exchange Users
Have you granted any special Mailbox or AD permissions to anyone?
March 29th, 2012 4:36pm
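The telnet test described in the post above, as an added, scripted example that is not part of the original thread. The server name, test account, password and the two addresses are placeholders (assumptions); the test account must have no "Send As" right on the second mailbox, or the second MAIL FROM will legitimately succeed. Because the connector settings listed above only offer Basic authentication after TLS, the script issues STARTTLS before AUTH LOGIN, which a plain telnet session cannot do.

```powershell
# Added example: scripted SMTP AUTH LOGIN sender check against an Exchange 2007
# Hub Transport / Client receive connector. All values below are placeholders.
$Server       = 'hub01.contoso.local'     # assumption: Hub Transport server FQDN
$Port         = 25
$User         = 'alice@contoso.com'       # assumption: UPN or DOMAIN\user, whichever the connector accepts
$Password     = 'P@ssw0rd'                # test account only; never a real user's password
$OwnAddress   = 'alice@contoso.com'       # primary SMTP address of $User
$OtherAddress = 'bob@contoso.com'         # existing mailbox $User has no Send As right on

function Send-SmtpLine {
    # Send one SMTP command (or nothing, to read the banner) and return the
    # last line of the reply; multi-line replies have '-' after the 3-digit code.
    param($Writer, $Reader, [string]$Line)
    if ($Line) { $Writer.WriteLine($Line); $Writer.Flush() }
    do {
        $reply = $Reader.ReadLine()
        Write-Host "S: $reply"
    } while ($reply -match '^\d{3}-')
    return $reply
}

$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $client.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"

Send-SmtpLine $writer $reader $null              | Out-Null   # 220 banner
Send-SmtpLine $writer $reader 'EHLO test-client' | Out-Null   # 250-... STARTTLS, AUTH ...

# Upgrade to TLS first: the Client connector only offers Basic auth after STARTTLS.
# The validation callback accepts any certificate so the test works against a
# lab server with a self-signed certificate; do not do this outside a test.
Send-SmtpLine $writer $reader 'STARTTLS' | Out-Null           # 220 2.0.0 SMTP server ready
$ssl = New-Object System.Net.Security.SslStream(
    $stream, $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($Server)
$reader = New-Object System.IO.StreamReader($ssl)
$writer = New-Object System.IO.StreamWriter($ssl)
$writer.NewLine = "`r`n"
Send-SmtpLine $writer $reader 'EHLO test-client' | Out-Null   # EHLO again on the encrypted channel

# AUTH LOGIN: the server prompts (334 ...) for username, then password, each base64-encoded.
$b64 = { param($s) [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($s)) }
Send-SmtpLine $writer $reader 'AUTH LOGIN'      | Out-Null
Send-SmtpLine $writer $reader (& $b64 $User)    | Out-Null
$auth = Send-SmtpLine $writer $reader (& $b64 $Password)
if ($auth -notmatch '^235') { $client.Close(); throw "Authentication failed: $auth" }

# First transaction: our own address. Then RSET, because Exchange rejects a
# second MAIL FROM inside the same transaction regardless of permissions.
$own = Send-SmtpLine $writer $reader "MAIL FROM:<$OwnAddress>"
Send-SmtpLine $writer $reader 'RSET' | Out-Null
$other = Send-SmtpLine $writer $reader "MAIL FROM:<$OtherAddress>"
Send-SmtpLine $writer $reader 'QUIT' | Out-Null
$client.Close()

# On a correctly configured Client connector:
#   own   -> 250 2.1.0 Sender OK
#   other -> 550 5.7.1 Client does not have permissions to send as this sender
if ($own -match '^250' -and $other -match '^5\d\d') {
    "OK: authenticated sender is pinned to its own address ($other)"
} else {
    "WARNING: $User was allowed to use $OtherAddress as sender ($other)"
}
```

Run it once with a plain user account and once with an account that has been granted "Send As" on the second mailbox: the first should get the 5.7.1 rejection, the second should get Sender OK, which is the behaviour Rich's question about "Send As" permissions is pointing at. If the plain account also gets Sender OK, the session is being accepted by a connector that grants broader sender rights than the Client connector, which is what the rest of the thread goes on to diagnose.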
Thank you Russ, I think that is our problem, as I have anonymous users enabled on the default receive connector.
Nevertheless I am not sure if I can remove it, as our provider uses this connector to deliver email to us.
I will check and let you know.
Thanks for your help
April 3rd, 2012 7:52am
You can create a new receive connector for that specific purpose and only allow your provider's IP addresses access to that connector. By default, there are two connectors:
Client <SERVER>
Default <SERVER>
The Client RC is for clients and by default is set up for authentication.
The Default RC is set up to allow remote systems to send email through with less restriction (anonymous is enabled). This one would be the ideal one to use for your provider, as I cannot think of a case where you would want your provider to impersonate your users. It still sounds like you have some permissions out of whack, since the anonymous user does not allow impersonation: it allows a sender to send as a user that does not exist, but not as another user that exists on the system.
April 3rd, 2012 1:19pm
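The connector split Russ suggests, as an added Exchange Management Shell example that is not part of the original thread: a dedicated anonymous connector locked to the provider's IP addresses, the Anonymous Users group removed from the Default connector, and a check of which connectors actually grant the sender-related extended rights. The server name, connector names and provider IP addresses are placeholders (assumptions). The last two steps are the check to run when the outcome of the telnet test does not match the connector settings: the Anonymous Users permission group grants ms-Exch-SMTP-Accept-Any-Sender and ms-Exch-SMTP-Accept-Authoritative-Domain-Sender on the connector it is enabled on, and an explicit Send As ACE on a mailbox lets an authenticated user use that mailbox's address over any connector.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
$Hub         = 'HUB01'                              # assumption: Hub Transport server name
$ProviderIPs = @('203.0.113.10', '203.0.113.11')    # assumption: provider's outbound MTAs

# 1. Dedicated inbound connector for the provider: anonymous, but only from its IPs.
#    With -Usage Custom both -Bindings and -RemoteIPRanges are required. Exchange
#    routes a session to the connector whose RemoteIPRanges matches the source IP
#    most specifically, so this wins over Default for the provider's addresses.
New-ReceiveConnector -Name 'Provider Inbound' -Server $Hub -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $ProviderIPs `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Default connector: drop AnonymousUsers, keep server-to-server and user traffic.
Set-ReceiveConnector -Identity "$Hub\Default $Hub" `
    -PermissionGroups ExchangeServers, ExchangeLegacyServers, ExchangeUsers

# 3. Client connector: the settings listed earlier in the thread.
#    BasicAuthRequireTLS is "Offer Basic authentication only after starting TLS".
Set-ReceiveConnector -Identity "$Hub\Client $Hub" `
    -AuthMechanism Tls, Integrated, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# 4. Which security principals may present an arbitrary or an internal-domain
#    sender, and on which connector? After steps 1-3 the only hits should be the
#    anonymous logon on 'Provider Inbound' and the Exchange server accounts.
Get-ReceiveConnector -Server $Hub | ForEach-Object {
    Get-ADPermission -Identity "$($_.Identity)" | Where-Object {
        ($_.ExtendedRights | ForEach-Object { "$_" }) -match 'ms-Exch-SMTP-Accept-(Any|Authoritative-Domain)-Sender'
    } | Select-Object Identity, User, ExtendedRights, Deny
}

# 5. Explicit Send As grants on mailboxes (the permission Rich asked about):
#    an authenticated SMTP session may use the address of any mailbox its
#    account holds Send As on, so list non-inherited grants to real users.
Get-Mailbox -ResultSize Unlimited | Get-ADPermission | Where-Object {
    -not $_.IsInherited -and -not $_.Deny -and
    $_.User -notlike 'NT AUTHORITY\SELF' -and
    (($_.ExtendedRights | ForEach-Object { "$_" }) -match '^Send-As$')
} | Select-Object Identity, User
```

Two connectors on the same server cannot have identical Bindings and RemoteIPRanges, so the provider connector must be narrower than Default (specific IPs rather than all addresses); a Default connector whose RemoteIPRanges covers every address, as in the last post of the thread, is then still correct as long as it no longer grants Anonymous Users. After applying the change, repeat the authenticated MAIL FROM test from the provider's IP range and from an ordinary client address to confirm each session lands on the intended connector.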
Hi Russ,
Thanks again for your reply.
Do you know if any configuration setting on the receive connector allows impersonation?
I also have Exchange Servers, Legacy Exchange Servers and Exchange Users.
Maybe the problem is that I allow any Exchange user to send mail on behalf of other users...
In remote IP addresses I have all addresses; could that be the problem?
Thanks again
April 10th, 2012 9:00am