Receive Connector security configuration

(OP)
I have always been able to use telnet to send unauthenticated email to internal users for testing purposes and thought that's been great. But that ability has just caused a problem where one student has found the ability and maliciously used it to send an email from another user to a third. So I need to look at the security of the Receive Connectors.

Here's the scenario:
  • Ubuntu server running SpamSnake/MailScanner receives email from the Internet and passes it to Exchange
  • 2x Exchange 2010 servers (EXCA1 & EXCA2) with CA & HT roles
  • 2x Exchange 2010 servers (EXMS1 & EXMS2) with MX role
  • Many servers on VLAN10 (10.10.0.0/16) and VLAN11 (10.11.0.0/16) should be able to send unauthenticated internally
  • Clients using Outlook 2010 are on several VLANs (10.20.0.0/16, 10.21.0.0/16 etc)
There is a connector labelled Default EXCA1 with the following settings:
  • Network/Use these local IP addresses to receive mail - all/25
  • Network/Receive mail from remote servers that have these IP addresses - 0.0.0.0-255.255.255.255
  • Authentication - TLS, Basic Auth, Exchange Server, Integrated Windows are enabled
  • Permission Groups - Anonymous, Exchange users, Exchange servers, Legacy Exchange servers are enabled
There's another connector that has the IP addresses of the server VLAN to allow unauthenticated sending.

Is it as simple as removing the Anonymous permission from that connector? I tried that and I could still send but I suspect I may need to restart the Microsoft Exchange Transport service for it to take effect. Is that correct?

Does a connector need to be set up to allow the SpamSnake/MailScanner server to send unauthenticated mail to Exchange? Would this just specify its IP address and allow Anonymous permission?

Thoughts?

RE: Receive Connector security configuration

On the default connector, you want to change this:

"Network/Receive mail from remote servers that have these IP addresses - 0.0.0.0-255.255.255.255"

Assuming your internal subnet is 192.168.5.0, and your mail server is 192.168.5.5, it should instead be broken into three ranges:

0.0.0.0-192.168.5.1
192.168.5.5
192.168.5.254-255.255.255.255

That way only the mail server itself and the rest of the world are allowed to send via SMTP through your server, but the hosts on the network are excluded; they can only send via RPC/MAPI via an Outlook client or via OWA.

The problem with removing Anonymous is that the user is probably authenticated already, merely by dint of being logged on to a domain-joined computer.

Dave Shackelford
ThirdTier.net
TrainSignal.com
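
The range split described in the reply above, generalized as an added example (not code from the thread): given the address spans to shut out of a connector and any hosts inside them that must keep SMTP access, it returns the remaining ranges in the same start-end form. Function names are hypothetical, and 203.0.113.7 is a constructed outside address used only for the check.

```python
import ipaddress

MAX_IPV4 = 2**32 - 1

def _span(spec):
    """Parse 'a.b.c.d-e.f.g.h', a CIDR block, or one address into (low, high) ints."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
        if lo > hi:
            raise ValueError(f"range is reversed: {spec}")
        return lo, hi
    net = ipaddress.IPv4Network(spec)  # strict parsing: rejects CIDR with host bits set
    return int(net.network_address), int(net.broadcast_address)

def _merge(spans):
    """Sort spans and join any that overlap or touch."""
    out = []
    for lo, hi in sorted(spans):
        if out and lo <= out[-1][1] + 1:
            out[-1][1] = max(out[-1][1], hi)
        else:
            out.append([lo, hi])
    return out

def remote_ip_ranges(excluded, keep_hosts=()):
    """All of IPv4 minus `excluded`, with each address in `keep_hosts` added back."""
    allowed, start = [], 0
    for lo, hi in _merge(_span(s) for s in excluded):
        if lo > start:
            allowed.append((start, lo - 1))
        start = hi + 1
    if start <= MAX_IPV4:
        allowed.append((start, MAX_IPV4))
    allowed += [_span(h) for h in keep_hosts]  # a bare address parses as a /32
    return [str(ipaddress.IPv4Address(lo)) if lo == hi
            else f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"
            for lo, hi in _merge(allowed)]

def is_allowed(ip, ranges):
    """True if `ip` falls inside any of the computed ranges."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in map(_span, ranges))

if __name__ == "__main__":
    # The reply's example: hosts .2-.253 shut out, mail server .5 kept.
    print(remote_ip_ranges(["192.168.5.2-192.168.5.253"], ["192.168.5.5"]))
    # The client VLANs from the original post, no exceptions.
    print(remote_ip_ranges(["10.20.0.0/16", "10.21.0.0/16"]))
```

Running `is_allowed` against a few known client and server addresses before pasting the ranges into the connector catches an off-by-one at a range boundary.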
