Exchange 2016 Transport Authentication

Ajit Terdalkar 96 Reputation points
2023-05-12T15:18:29.1966667+00:00

Hello,

Environment consists of Exchange 2016 CU23 and KB5024296 Security Update

We are noticing below events in the application logs which is causing alerts to trigger

Log Name:      Application
Source:        MSExchangeFrontEndTransport
Date:          12/05/2023 16:02:02
Event ID:      1035
Task Category: SmtpReceive
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     ExchangeServer.domain.com
Description:
Inbound authentication failed with error LogonDenied for Receive connector Client Frontend ExchangeServer.domain.com. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [ip address].
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeFrontEndTransport" />
    <EventID Qualifiers="32772">1035</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-05-12T15:02:02.000000000Z" />
    <EventRecordID>28859197</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ExchangeServer.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>LogonDenied</Data>
    <Data>Client Frontend ExchangeServer.domain.com</Data>
    <Data>Login</Data>
    <Data>ip address</Data>
  </EventData>

No emails are observed in queue and when we check the health of ip address it is blacklisted.

Any recommendations on how to avoid this events

We checked and all permission on the connector are appropriate.

Regards,

Ajit

Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,134 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Dezhi Li-MSFT 780 Reputation points
    2023-05-15T06:50:02.41+00:00

    Hi Ajit Terdalkar,

    It may be someone who is trying to authenticate to attack or use your server as a relay.
    The authentication failure event was most likely triggered by an attempt by this blacklisted IP address to connect to the Exchange server. To avoid these incidents, you may want to consider blocking the IP addresses in the blacklist with the firewall. This will block any further connection attempts from that IP address.

    Best Regards,

    Dezhi


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 
    Note: Please follow the steps in our documentation](https://aka.ms/msftqanotifications)"https://aka.ms/msftqanotifications)") to enable e-mail notifications if you want to receive the related email notification for this thread.  


  2. Amit Singh 4,861 Reputation points
    2023-05-15T07:28:01.6133333+00:00

    Go to the Security section, and make sure that the only boxes checked off are:

    1. Transport Layer Security (TLS)
    2. Externally secured (for example, with IPsec)
    3. Exchange servers
    0 comments No comments