Using Telnet to connect to SMTP 25 port on an Exchange2016 server over the Internet to send mail anonymously is a security issue

Question

Environment introduction:

Exxchange Management Center

Mail Flow - Receive Connector - Default Frontend IT-MAIL-01

Permission groups under security: Anonymous users (on by default)

Test process:

Phenomenon 1:

My internal exchange mailbox can normally receive emails from external mailboxes (such as: QQ mailbox, etc.)

Phenomenon 2:

telnet mail.domain.com 25

EHLO mail.domain.com MAIL FROM:user1@domain.com 250 2.1.0 Sender OK RCPT TO:user2@domain.com 250 2.1.5 Recipient OK DATA 354 Start mail input; end with <CRLF>.<CRLF> Subject:test from telnet

This is .

At this time, I can receive this email through my Intranet exchange mailbox user2@domain.com

Test process:

At this point I turn off the permission group: Anonymous users

Phenomenon 1:

My internal exchange mailbox can not receive the mail from the outside mailbox (such as: QQ mailbox, etc.)

After sending an email to user2@domain.com by QQ mailbox, I will receive the failure email as follows:

the mta server of XXXXX.cc -- mail.XXXXX.cc(18.xx.xx.xx) reply:530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM at 2024-01-23 13:56:07

Phenomenon 2:

telnet mail.domain.com 25

EHLO mail.domain.com MAIL FROM:xiaomalu@domain.com After a few moments, it automatically disconnects with the following message

SMTP; Client was not authenticated to send anonymous mail during MAIL FROM

I don't think it is safe to send mail anonymously over the Internet directly through smtp port 25, is there any way to circumvent this problem?

In order to avoid this problem at the same time, other external mailbox mail should also be able to receive normal, such as: QQ mailbox, hotmail mailbox and so on

I don't think it is safe to send mail anonymously over the Internet by connecting to smtp port 25. Is there any way I can prevent this?

If I close the anonymous user directly, I will not be able to receive emails from external email addresses, so I am not sure how to solve the problem I am facing now

Answer 1

Hi @相 王,

Since this is a public forum, I have covered the personal information in your post for security.

Please do not forget to hide your personal information when posting.

---

According to your description, please note that it is the expected behavior that Anonymous users should be enabled on the Default Frontend <server_name> receive connector.

Because this connector (listens on port 25) is used to receive inbound messages sent from external senders (to Exchange these external senders are all Anonymous users).

If you disable Anonymous users on this connector, senders sending to your Exchange server will first need to authenticate (in other words only internal users can authenticate), which is not possible so the external messages will be rejected with the error Client was not authenticated to send anonymous mail.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".  Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

@Kael Yao-MSFT Thanks for your reply. I understand