Gly
Brass Contributor
Feb 04, 2025
Solved

Limit unauthenticated mail

The standard configuration in Exchange is that anyone internally can connect via telnet and send unauthenticated e-mail to anyone inside the organization.

We want to limit this so that only those applications that need to send unauthenticated mail are allowed to do this. We have Exchange 2016 hybrid and the mail flow is routed via Exchange online. The local Exchange server is only used for administration and relay.

With that setup, can we just remove 'anonymous authentication' from the 'Default Frontend' connector and add a connector with the ip addresses of the applications that will be allowed to send? Or will it break the mail flow? 

Anyone have any tips on how to achieve this? I could create a connector that contains the IP ranges of our employee networks, but that seems a bit backwards. 

  • Gly
    Brass Contributor

    Many thanks for the replies, both of you. It confirms what I thought. I'm going to make a list of the applications that need to be allowed to send anonymously and do some testing.
    Thanks again!

  • Hello Gly,

    Using Exchange 2016 (on-premises) 

    1-> Remove Anonymous Authentication from the Default Frontend Connector

    • Open Exchange Admin Center (EAC)
    • Go to Mail Flow > Receive Connectors
    • Select Default Frontend Connector and disable Anonymous Authentication

    2-> Create a New Receive Connector for Allowed Applications

    • In EAC, create a new connector named Allowed Applications Relay
    • Add the IP addresses of the applications that need to send mail
    • Enable Anonymous Users in security settings

    3-> Test and Ensure Mail Flow is Not Disrupted

    • Verify that normal user emails are not affected
    • Send a test email from authorized applications to confirm functionality
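The three steps above, written as Exchange Management Shell commands. This is an added example, not code from the thread or from Microsoft. The server name EX01, the application addresses 10.10.20.15 and 10.10.20.16, and the FQDN relay.domain.com are placeholders. The relay connector is created before anonymous access is removed from Default Frontend, so the applications never lose service in between, and the ANONYMOUS LOGON extended right is granted only when those applications must also reach external recipients.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2016 server. EX01, the IPs and relay.domain.com are placeholders.
$Server     = 'EX01'
$RelayName  = 'Allowed Applications Relay'
$RelayHosts = @('10.10.20.15', '10.10.20.16')   # individual hosts, not whole ranges

# 1. Dedicated relay connector on port 25. Exchange picks the connector whose RemoteIPRanges
#    matches the client most specifically, so only these hosts land here; everyone else
#    still hits Default Frontend. -Fqdn is the name clients see in the banner and must
#    match a certificate enabled for SMTP if they are to validate TLS.
New-ReceiveConnector -Name $RelayName -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $RelayHosts `
    -PermissionGroups AnonymousUsers -Fqdn 'relay.domain.com'

# Anonymous submission to internal recipients works with AnonymousUsers alone. Only if
# these applications must send to external recipients, grant relay for this connector
# (and therefore only for the IPs listed above):
Get-ReceiveConnector "$Server\$RelayName" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 2. Drop AnonymousUsers from Default Frontend, keeping the groups that authenticated
#    clients and other Exchange servers rely on.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# 3. Verify: which connectors still accept anonymous submission, and from where?
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups
```

Before step 2, check the SMTP receive protocol log for anything else that still submits anonymously on Default Frontend (in a hybrid, any mail Exchange Online delivers to this server also arrives on that connector), and test the applications' relay after the change, as the post's step 3 says.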
  • Andres-Bohren
    Steel Contributor

    Hi Gly 

    >I could create a connector that contains the IP-ranges of our empoyee networks, but that seems a bit backwards
    What would be the difference?
    You probably have disabled mail flow from the Internet to Exchange.
    So already today only internal applications can send unauthenticated mail.

    What I would recommend:
    Analyze your SMTP protocol log. 
    Talk to the application owners to use SMTP authentication.

    For those applications that do not support SMTP authentication, use a special relay Receive Connector and add only the IPs (not IP ranges),
    for example: relay.domain.com (and use a matching Certificate) so the Clients can use TLS.
    https://practical365.com/exchange-2019-smtp-relay-services/ 

    Last remove 'anonymous authentication' from the 'Default Frontend' Receive Connector.

    Kind Regards
    Andres
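Andres' first recommendation, analyzing the SMTP receive protocol log to see who actually submits unauthenticated mail, as an added PowerShell example that is not part of the thread. The log lines are constructed to follow the SmtpReceive protocol-log column layout; the connector name, session IDs and IPs are made up. A session counts as authenticated only if the server answered with a 235 reply (a failed AUTH never gets one), and as a submission only if the client issued MAIL FROM, so scanners and health probes that just EHLO and QUIT are ignored. The result is the candidate list for the relay connector's RemoteIPRanges.

```powershell
# Added example (not from the thread). Lists hosts that submitted mail without
# authenticating, per connector, from Exchange SMTP Receive protocol logs.
# Assumes ProtocolLoggingLevel is Verbose on the connector; the default log folder is
# $env:ExchangeInstallPath\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\

function Get-AnonymousSmtpSubmitters {
    param(
        # Raw lines of one or more protocol logs, '#' comment lines included.
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    # Column names live in the '#Fields:' comment; other '#' lines are metadata.
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found; not an SMTP protocol log?' }
    $header  = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $records = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
               ConvertFrom-Csv -Header $header

    # One SMTP session = one connector-id + session-id pair.
    $sessions = $records | Group-Object 'connector-id', 'session-id' | ForEach-Object {
        $ev = $_.Group
        # '>' = sent by the server, '<' = received from the client.
        # 235 is the server's "Authentication successful" reply.
        $authOk  = [bool]($ev | Where-Object { $_.event -eq '>' -and $_.data -match '^235 ' })
        $didMail = [bool]($ev | Where-Object { $_.event -eq '<' -and $_.data -match '^MAIL FROM:' })
        $ep      = $ev[0].'remote-endpoint'
        [pscustomobject]@{
            Connector     = $ev[0].'connector-id'
            RemoteIP      = $ep.Substring(0, $ep.LastIndexOf(':'))   # drop the port, IPv6-safe
            Authenticated = $authOk
            SubmittedMail = $didMail
        }
    }

    # Keep sessions that submitted without authenticating, tally them per host.
    $sessions | Where-Object { $_.SubmittedMail -and -not $_.Authenticated } |
        Group-Object Connector, RemoteIP | ForEach-Object {
            [pscustomobject]@{
                Connector = $_.Group[0].Connector
                RemoteIP  = $_.Group[0].RemoteIP
                Sessions  = $_.Count
            }
        } | Sort-Object Sessions -Descending
}

# Constructed sample log: two anonymous submissions from 10.10.20.15, one authenticated
# submission from 10.10.30.7, and a probe from 10.10.40.9 that never sends MAIL FROM.
$sampleText = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-02-04T08:00:01.000Z,EX01\Default Frontend EX01,08DD44E0000000A1,0,10.10.1.5:25,10.10.20.15:51023,+,,
2025-02-04T08:00:01.010Z,EX01\Default Frontend EX01,08DD44E0000000A1,1,10.10.1.5:25,10.10.20.15:51023,<,EHLO app01.corp.example,
2025-02-04T08:00:01.020Z,EX01\Default Frontend EX01,08DD44E0000000A1,2,10.10.1.5:25,10.10.20.15:51023,<,MAIL FROM:<alerts@corp.example>,
2025-02-04T08:00:01.030Z,EX01\Default Frontend EX01,08DD44E0000000A1,3,10.10.1.5:25,10.10.20.15:51023,>,250 2.1.0 Sender OK,
2025-02-04T08:00:02.000Z,EX01\Default Frontend EX01,08DD44E0000000B2,0,10.10.1.5:25,10.10.30.7:49201,+,,
2025-02-04T08:00:02.010Z,EX01\Default Frontend EX01,08DD44E0000000B2,1,10.10.1.5:25,10.10.30.7:49201,<,EHLO svc02.corp.example,
2025-02-04T08:00:02.020Z,EX01\Default Frontend EX01,08DD44E0000000B2,2,10.10.1.5:25,10.10.30.7:49201,<,AUTH LOGIN,
2025-02-04T08:00:02.030Z,EX01\Default Frontend EX01,08DD44E0000000B2,3,10.10.1.5:25,10.10.30.7:49201,>,235 2.7.0 Authentication successful,
2025-02-04T08:00:02.040Z,EX01\Default Frontend EX01,08DD44E0000000B2,4,10.10.1.5:25,10.10.30.7:49201,<,MAIL FROM:<svc@corp.example>,
2025-02-04T08:00:03.000Z,EX01\Default Frontend EX01,08DD44E0000000C3,0,10.10.1.5:25,10.10.40.9:60110,+,,
2025-02-04T08:00:03.010Z,EX01\Default Frontend EX01,08DD44E0000000C3,1,10.10.1.5:25,10.10.40.9:60110,<,EHLO monitor.corp.example,
2025-02-04T08:00:03.020Z,EX01\Default Frontend EX01,08DD44E0000000C3,2,10.10.1.5:25,10.10.40.9:60110,<,QUIT,
2025-02-04T08:05:00.000Z,EX01\Default Frontend EX01,08DD44E0000000D4,0,10.10.1.5:25,10.10.20.15:51077,+,,
2025-02-04T08:05:00.010Z,EX01\Default Frontend EX01,08DD44E0000000D4,1,10.10.1.5:25,10.10.20.15:51077,<,EHLO app01.corp.example,
2025-02-04T08:05:00.020Z,EX01\Default Frontend EX01,08DD44E0000000D4,2,10.10.1.5:25,10.10.20.15:51077,<,MAIL FROM:<alerts@corp.example>,
'@
$sample = $sampleText -split "`r?`n"

Get-AnonymousSmtpSubmitters -LogLines $sample | Format-Table -AutoSize
# Against real logs:
# Get-AnonymousSmtpSubmitters -LogLines (Get-Content "$env:ExchangeInstallPath\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log")
```

On the sample this reports a single row, 10.10.20.15 on Default Frontend with 2 sessions; 10.10.30.7 is excluded because it authenticated and 10.10.40.9 because it never submitted. Run it over a few weeks of logs before cutting over, since batch jobs that send monthly will not show up in a day's worth.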

    • Gly
      Brass Contributor

      I see that sentence was a bit lacking. I meant to create a connector for the employee network that did not allow anonymous posting. Then it becomes a kind of block list instead of an allow list. What I meant was that it is always better to only allow the specific applications that should be allowed to send, and block everything else. 
      Thank you for the recommendation, Andres. 
