Block anonymous SMTP telnet from internet

Tomass Pētersons 336 Reputation points
2022-09-11T22:28:22.71+00:00

Hi,

One of the clients uses Exchange hybrid with Exchange Server 2016. All mailboxes are in the cloud. Exchange Server 2016 basically runs in the default configuration. Only an additional anonymous relay has been created to allow a couple of local and a few external IP addresses to send anonymous mail.

But recently we found out that anyone from the internet can connect to port 25 via telnet and send anonymous mail to our only accepted domain. Mail cannot be sent to an unaccepted domain. We have SPF, DKIM, and DMARC configured for our domain, but these anonymous emails still get through. After examining one of the mails we received, we found that the client_hostname shows the name of our Exchange server, but the original_client_ip shows the original IP address from which the connection to port 25 was made.

How can we deny these anonymous connections from the internet to port 25, but continue to allow them from those IP addresses specified in the anonymous relay connector? Our domain's MX records point to Microsoft servers.

Thanks!

Exchange Server Management

Accepted answer
  1. Andy David - MVP 142.2K Reputation points MVP
    2022-09-11T22:38:08.79+00:00

    Use a transport rule and drop all messages from external users unless they come from the external IPs you allow.

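One way to build the rule described in the answer above, as an added PowerShell example that is not part of the original answer (the screenshot's exact settings are not recoverable). The rule name and IP addresses are placeholders, and the rule starts in audit mode so matches can be reviewed before anything is dropped.

```powershell
# Added example; run in the Exchange Management Shell on the on-premises server.
# The addresses below are constructed placeholders (documentation ranges):
# replace them with the IPs permitted on the anonymous relay connector.
$allowedSenders = @(
    '192.0.2.10',        # local application server (placeholder)
    '198.51.100.0/24'    # external partner range (placeholder)
)

$rule = @{
    Name                   = 'Drop external SMTP not from allowed IPs'  # hypothetical name
    FromScope              = 'NotInOrganization'  # sender is outside the organization
    ExceptIfSenderIpRanges = $allowedSenders      # ...unless it comes from these IPs
    DeleteMessage          = $true                # drop silently, no NDR to the sender
    Mode                   = 'Audit'              # record matches only, take no action yet
    Comments               = 'Blocks anonymous submissions to port 25 from the internet'
}
New-TransportRule @rule

# Confirm what was created before relying on it.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, FromScope, ExceptIfSenderIpRanges

# Once the audit results show that only unwanted mail matches
# (check that mail arriving from Exchange Online is not caught), enforce the rule:
# Set-TransportRule -Identity $rule.Name -Mode Enforce
```

In audit mode the rule's matches are written to the message tracking log without acting on the message, which makes it possible to check for false positives before switching to `Enforce`.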


1 additional answer

  1. ATFRMZ 41 Reputation points
    2023-01-25T06:31:13.3533333+00:00

    I have a similar issue: our users are 50% O365 and 50% on-prem in a hybrid setup with Exchange 2016 + Edge server. The pentesting guys found out that they can send emails via telnet to our public IP. Shall I follow the same steps to block it?