1,461 questions
Disable Basic Auth on the receive connectors.
As for those other ports, I am not familiar with those for Exchange.
You could simply disable all the connectors you dont need as well.
Qualys is reporting that our Exchange servers are accepting unencrypted SMTP connections
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 79%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Kenny Stern
141
Reputation points
Our company uses Qualys to detect vulnerabilities on servers. It recently found one for SMTP on our Exchange 2019 servers that says:
"Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 25 over TCP.Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 587 over TCP.Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 477 over TCP.Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 465 over TCP.Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 475 over TCP.Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 476 over TCP."
These all look like receive connector ports although I can't find any connectors that use ports 476 or 477.
Does anyone know if there is something I can change that would stop these connectors from receiving unencrypted credentials without impacting SMTP? I should also add that we are in hybrid mode and have no mailboxes on-prem.
Also, does anyone know what is using ports 476 and 477?
Thanks
Exchange | Exchange Server | Other
Exchange | Exchange Server | Management
7,925 questions
Exchange | Other
701 questions
Accepted answer
-
Andy David - MVP 157.9K Reputation points MVP Volunteer Moderator2023-12-04T21:49:53.3866667+00:00 -
Kenny Stern 141 Reputation points
2023-12-04T21:54:36.7533333+00:00 Is there risk associated with disabling basic auth? Main concern is the relay connectors we use for internal applications that need to send email and those connectors are configured to allow anonymous and are externally secured. Thanks
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-12-05T08:12:20.29+00:00 Hi, according to the research findings, you can disable basic authentication as Andy suggested. To avoid misunderstanding, I would like to ask, your main concern is that the security of the relay connector will be affected after doing this? It is understood that disabling basic authentication normally should have no impact on the original relay connector. You could refer to the steps in the post to set it up. (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)
In addition, as for ports 477 and 476, these ports are not recorded in the official Exchange documentation and there is a related discussion in this thread. These may be used by some third-party applications or services. You could use the netstat command to check which process is listen to these ports. For connectors that are not needed, it is recommended that you choose to disable them.
-
Kenny Stern 141 Reputation points
2023-12-07T14:48:51.8633333+00:00 So I checked and Basic authentication is not enabled on the relay connector but Qualys still reports a vulnerability for unencrypted connections. Is there something else that needs to be done? My main concern is to address the vulnerabilities without impacting mail flow.
-
Anonymous
2023-12-11T08:11:31.4833333+00:00 Hello,
So I checked and Basic authentication is not enabled on the relay connector but Qualys still reports a vulnerability for unencrypted connections. Is there something else that needs to be done?
If Basic Auth has been turned off, from the perspective of the Exchange server, there is generally no need to do any other processing. You only need to follow official recommendations to ensure that security patches are applied in a timely manner. Released: November 2023 Exchange Server Security Updates - Microsoft Community Hub.
In addition, considering that these error prompts come from this third-party product, if you still have concerns, it is recommended to contact the technical support of the third-party product for further confirmation.
-
Kenny Stern 141 Reputation points
2023-12-11T21:12:56.31+00:00 OK, great. Thank you very much.
Sign in to comment -