Qualys is reporting that our Exchange servers are accepting unencrypted SMTP connections

Kenny Stern 141 Reputation points
2023-12-04T20:47:45.2533333+00:00

Our company uses Qualys to detect vulnerabilities on servers. It recently found one for SMTP on our Exchange 2019 servers that says:

"Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 25 over TCP.
Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 587 over TCP.
Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 477 over TCP.
Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 465 over TCP.
Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 475 over TCP.
Remote Management Service Accepting Unencrypted Credentials Detected (SMTP) detected on port 476 over TCP."

These all look like receive connector ports although I can't find any connectors that use ports 476 or 477.

Does anyone know if there is something I can change that would stop these connectors from receiving unencrypted credentials without impacting SMTP? I should also add that we are in hybrid mode and have no mailboxes on-prem.

Also, does anyone know what is using ports 476 and 477?

Thanks


Accepted answer
  1. Andy David - MVP 145K Reputation points MVP
    2023-12-04T21:49:53.3866667+00:00

    Disable Basic Auth on the receive connectors.

    As for those other ports, I am not familiar with those for Exchange.

    You could simply disable all the connectors you don't need as well.

    1 person found this answer helpful.
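
One way to act on the accepted answer, as an added example that is not code from the thread: it lists each receive connector with the ports it is bound to (so the ports in the Qualys finding can be matched to a connector), flags connectors that offer Basic auth without requiring TLS, and previews removing Basic auth from them. It assumes the Exchange Management Shell on the Exchange 2019 server; the variable names and report columns are made up for the example.

```powershell
# Added example: run in the Exchange Management Shell.
# Build one report row per receive connector.
$report = foreach ($c in Get-ReceiveConnector) {
    # AuthMechanism is a flags value; split its string form into names.
    $mechs = "$($c.AuthMechanism)" -split ',\s*' | Where-Object { $_ }
    # Bindings look like 0.0.0.0:25 or [::]:25; keep only the port.
    $ports = $c.Bindings | ForEach-Object { "$_" -replace '^.*:' } |
             Select-Object -Unique
    [pscustomobject]@{
        Identity      = "$($c.Identity)"
        Enabled       = $c.Enabled
        Ports         = $ports -join ','
        AuthMechanism = $mechs -join ', '
        # Basic auth offered and TLS not required before it.
        CleartextAuth = ($mechs -contains 'BasicAuth') -and
                        ($mechs -notcontains 'BasicAuthRequireTLS')
    }
}
$report | Sort-Object Ports | Format-Table -AutoSize -Wrap

# Preview removing Basic auth from the flagged, enabled connectors.
# -WhatIf only reports what would change; drop it to apply.
foreach ($r in $report | Where-Object { $_.Enabled -and $_.CleartextAuth }) {
    $keep = ($r.AuthMechanism -split ',\s*') |
            Where-Object { $_ -ne 'BasicAuth' }
    if (-not $keep) { $keep = 'None' }
    Set-ReceiveConnector -Identity $r.Identity `
        -AuthMechanism ($keep -join ', ') -WhatIf
}
```

Any device or application that logs in to a connector with Basic auth stops authenticating once it is removed, so check the connector's protocol logs for such clients first. Where those clients must keep working, the `BasicAuthRequireTLS` mechanism is an existing alternative that allows Basic auth only after STARTTLS.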
