1

Masters,

Unfortunately we got some spam mail which seems to be coming from our own domain.

I found some articles which all say to remove Anonymous login from the internet receive connector

(http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html)

I think I misunderstood something about those articles, because if I remove the Anonymous connection, e-mails are not received from external addresses (like gmail - Diagnostic-Code: SMTP; 530 5.7.1 Client was not authenticated)

Some pictures about our configuration:

[four images, not preserved]

holian
  • 227
  • 1
  • 8
  • 14

2 Answers

1

Everyone on this question seems to have completely ignored the also good practice of enforcing SPF (you could also use DKIM).

Your zone file should have an SPF record, and it should specify that only the public IP address of your Exchange server is allowed to send email from your domain.

Enable SPF enforcement and you're done. You won't be receiving emails spoofing your domain.

If you don't know if you have an SPF record or don't know what's in it, now is a good time to become familiar with mxtoolbox.com.

Yes, make sure your Exchange server is not an open relay, but only doing that will not solve your problem. For that, set up SPF.

user5870571
  • 2,900
  • 2
  • 11
  • 33
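A way to audit a record against the "only the Exchange server's public IP" rule described in this answer, as an added PowerShell example that is not part of the original post. The sample records, the documentation address 203.0.113.10 and the function name `Test-SpfRecord` are constructed for illustration.

```powershell
# Added example: check an SPF TXT record against the single IP that should send for the domain.
function Test-SpfRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Record,
        [Parameter(Mandatory = $true)] [string] $ExpectedIp
    )
    $findings = @()
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') {
        $findings += 'not an SPF record: first term is not v=spf1'
    }
    else {
        $rest = @($terms | Select-Object -Skip 1)
        if ($rest -notcontains "ip4:$ExpectedIp") {
            $findings += "expected sender ip4:$ExpectedIp is not listed"
        }
        # Any other mechanism or modifier authorises, or delegates to, further senders.
        foreach ($term in $rest) {
            if ($term -ne "ip4:$ExpectedIp" -and $term -notmatch '^[-~?+]?all$') {
                $findings += "additional term: $term"
            }
        }
        $all = @($rest | Where-Object { $_ -match '^[-~?+]?all$' })
        if ($all.Count -eq 0) {
            $findings += 'no "all" term: unlisted senders get a neutral result'
        }
        elseif ($all[0] -ne '-all') {
            $findings += "'$($all[0])' does not hard-fail unlisted senders"
        }
    }
    New-Object PSObject -Property @{
        Record   = $Record
        Strict   = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample records (not taken from any real zone).
$samples = @(
    'v=spf1 ip4:203.0.113.10 -all',
    'v=spf1 ip4:203.0.113.10 include:_spf.example.net ~all',
    'v=spf1 a mx ?all'
)
foreach ($s in $samples) {
    Test-SpfRecord -Record $s -ExpectedIp '203.0.113.10' | Format-List Record, Strict, Findings
}
```

Only the first sample passes as strict; the other two either authorise more senders than the one IP or leave unlisted senders without a hard fail.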
-1

How did you remove that permission? Did you use the PowerShell command (Exchange Management Shell) or the Exchange Management Console GUI?

As mentioned in the article you posted you have to use PowerShell to alter just one specific permission, but not all anonymous connections, or else you'll end up accepting no external mails at all.

So you can't do that with the Exchange Management Console (with unchecking "Anonymous users" in the "Permission Groups" tab) but instead use the PowerShell command to remove just Anonymous Logon from the ms-exch-smtp-accept-authoritative-domain-sender permission. That setting defines which senders are allowed to send from an authoritative domain of your Exchange server. So, if you remove Anonymous Logon from that permission, an unauthenticated user is not allowed to send a mail from your Exchange server's authoritative domain.

I don't have an Exchange Server here to test that right now, so I'll assume that the article on exchangepedia is accurate.

As always, check, test and double check your server settings after tampering with mail sending permissions, so you can be sure you haven't created an open relay. I.e. try connecting to the SMTP server with telnet from inside and outside your network to check if it accepts an unauthenticated mail.

Thomas
  • 129
  • 4
  • First I made a new test receive connector. Then I removed it via PowerShell from that test connector. Then I checked the permission group task. I saw that the box is unticked. I thought I could simply untick it on the default connector too. I tested via PowerShell as you suggested, but could you help with how to add back the permission if something goes wrong? – holian May 27 '14 at 09:00
  • well, if you create a new connector you'll have to configure it to be the same as the "original" one. probably, exchange will prohibit that, saying that such a connector already exists. the easiest test would be to take screenshots of every tab in your original connector, change the permission via powershell and if something goes wrong, delete the connector and create a new one with the same settings. but if this is a production system, you could end up rejecting legitimate mail. if possible try it on a test machine or at night time. – Thomas May 27 '14 at 09:22
  • btw. to readd the permission, just change `Remove-ADPermission` to `Add-ADPermission`, i.e. `Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Add-ADPermission` – Thomas May 27 '14 at 09:29
  • On the test connector (permission group tab ticked) I ran the command without Remove-ADPermission and I got this for output: SBS\Devices NT AUTHORITY\ANON... False False. After that I ran the command again with "Remove Permission" and then I checked the Permission Group tab. The Anonymous User is unticked. But I will test on the default connector at night. Maybe that checkbox does not have the same effect as the command. – holian May 27 '14 at 09:51
  • 1
    No, that PowerShell command just changes one specific permission for one specific user for one specific connector. The checkbox in the GUI affects all Anonymous users. So no, it's not the same. You must keep the checkbox checked or you reject all external mails. – Thomas May 27 '14 at 09:57
  • ok. but after I run the command the checkbox will be unticked! – holian May 27 '14 at 11:27
  • hmmm. I can't test that right now, because I haven't got an Exchange server. I'm not quite sure how the GUI determines the setting of the checkbox. It could also be that the ExtendedRights settings got changed in Exchange 2010. The article you were referring to is assuming Exchange 2007, you have 2010; and from what I see in an SBS environment. Though unlikely, the SBS version of Exchange could be slightly different, especially with active directory permissions. – Thomas May 27 '14 at 11:53
  • Could you suggest anything? – holian May 27 '14 at 12:16
  • hm, serverfault is starting to get angry because of our lengthy discussion ;) but to your problem: I haven't done that for a while now. I prefer to do such things on the network border/dmz or externally with a dedicated mailrelay (I use Postfix on Debian). There it'll do the spam, virus, spoof checking. In my opinion it's cleaner and easier to configure and doesn't take that much resources. Sorry for not being able to help you more. But without an Exchange server to test that, it's very hard to give helpful advice. Perhaps some other IT gurus here can help you? – Thomas May 27 '14 at 12:29
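The check, removal and rollback discussed in this answer and its comments, as an added example for the Exchange Management Shell (not part of the original posts). The connector name is a placeholder and `Get-AnonSenderRight` is a hypothetical helper; the rollback passes `-User` and `-ExtendedRights` to `Add-ADPermission` directly, because once the right has been removed the `Get-ADPermission` filter has no entry left to pipe.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
$Connector = 'My Internet ReceiveConnector'   # placeholder name (assumption)
$Anon      = 'NT AUTHORITY\ANONYMOUS LOGON'
$Right     = 'ms-exch-smtp-accept-authoritative-domain-sender'

function Get-AnonSenderRight {
    # Hypothetical helper: returns the ACL entries that grant $Right to
    # Anonymous Logon on the connector, or nothing if the right is absent.
    Get-ReceiveConnector $Connector |
        Get-ADPermission -User $Anon |
        Where-Object { $_.ExtendedRights -like $Right }
}

# 1. Record the current state before changing anything.
Get-AnonSenderRight | Format-Table Identity, User, Deny, IsInherited -AutoSize

# 2. Remove only this one extended right (the cmdlet asks for confirmation).
Get-AnonSenderRight | Remove-ADPermission

# 3. Confirm the right is gone and list what Anonymous Logon still holds.
#    ms-Exch-SMTP-Submit must remain, otherwise external senders are rejected
#    with "530 5.7.1 Client was not authenticated".
if (Get-AnonSenderRight) {
    Write-Warning "$Right is still granted to $Anon on '$Connector'"
}
else {
    Write-Output "$Right removed from $Anon on '$Connector'"
}
Get-ReceiveConnector $Connector |
    Get-ADPermission -User $Anon |
    Select-Object -ExpandProperty ExtendedRights

# 4. Rollback, only if legitimate mail starts to be rejected:
# Get-ReceiveConnector $Connector |
#     Add-ADPermission -User $Anon -ExtendedRights $Right
```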