Internal Users able to send emails using a script

Imthyas Mahammad 46 Reputation points
2020-11-25T11:25:27.303+00:00

I want to restrict internal users in the LAN from sending emails using scripts. For external we have a relay connector, so unless we add the IP to it, email will not go to the external party.

We presently have Exchange 2013 servers, with 3 CAS servers running in NLD with a virtual IP.

4 MB servers in DAG.

So any user can send email to the virtual IP and is able to send.

My concern is, if I change the permissions and remove Anonymous on the Default Frontend connector, will it have an impact on the external emails that we receive?

Need suggestions/help.

Exchange Server Management

Accepted answer
  1. Andy David - MVP 143.8K Reputation points MVP
    2020-11-25T16:31:21.837+00:00

    If you used a true Load Balancer, you could scope the remote IPs on the Front End connector to the Load Balancer IPs and that would force end users to send through the Load Balancer and not directly to Exchange.

    If you were to set the remote IPs to just the Email gateway, then it would block ALL sending internally except for those allowed on the "relay connector".

    This could potentially work for you, but prevent any email submissions directly to the Exchange Servers other than what you allowed. Give it a try and test.


2 additional answers

  1. Imthyas Mahammad 46 Reputation points
    2020-11-25T13:25:57.877+00:00

    It's NLB (network load balancer), which is a CAS array; the internal email is sent to the VIP of the CAS array. Local servers/applications send email to this VIP on port 25, which is the Default FrontEnd on the CAS servers.

    While the external incoming emails come to the Email gateway and then are accepted by the Exchange Mailbox servers on Port 25 on Default Connector.


  2. Imthyas Mahammad 46 Reputation points
    2020-11-25T16:44:01.26+00:00

    Thanks for the suggestion, just to make sure I understood properly.

    1. I will create a new connector (internalrelay) and add the IPs of servers/applications sending email internally.
    2. Remove the values in scope of FrontEnd connector.

    Another problem for me is to get the list of the IPs/servers which are sending email to internal users.
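
For the last point in the thread (finding which hosts submit mail to the Default Frontend connector before its scope is tightened), one approach is to summarise the SMTP receive protocol log by remote IP. This is an added example, not code from any poster in the thread; the server name EX-CAS1, the addresses, the log lines and the function name Get-SmtpSenderSummary are constructed for illustration, and it assumes protocol logging is set to Verbose on the connector so that the log files exist.

```powershell
# Constructed sample in the Exchange SMTP receive protocol log format
# (CSV with '#' header lines). Server name and addresses are made up.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2020-11-25T10:00:01.100Z,EX-CAS1\Default Frontend EX-CAS1,08D891A1B2C30001,0,10.0.0.11:25,10.0.5.20:51234,+,,
2020-11-25T10:00:01.300Z,EX-CAS1\Default Frontend EX-CAS1,08D891A1B2C30001,5,10.0.0.11:25,10.0.5.20:51234,<,MAIL FROM:<app1@contoso.example>,
2020-11-25T10:02:10.000Z,EX-CAS1\Default Frontend EX-CAS1,08D891A1B2C30002,5,10.0.0.11:25,10.0.5.20:51301,<,MAIL FROM:<app1@contoso.example>,
2020-11-25T10:03:00.000Z,EX-CAS1\Default Frontend EX-CAS1,08D891A1B2C30003,5,10.0.0.11:25,10.0.7.44:49820,<,MAIL FROM:<ceo@contoso.example>,
2020-11-25T10:04:00.000Z,EX-CAS1\Relay EX-CAS1,08D891A1B2C30004,5,10.0.0.11:25,10.0.9.9:40000,<,MAIL FROM:<scanner@contoso.example>,
'@

function Get-SmtpSenderSummary {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        # Only sessions on connectors matching this pattern are counted.
        [string]$ConnectorPattern = '*Default Frontend*'
    )
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |      # skip blank and header lines
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.'connector-id' -like $ConnectorPattern } |
        ForEach-Object {
            [pscustomobject]@{
                RemoteIP = $_.'remote-endpoint' -replace ':\d+$', ''   # drop source port
                Session  = $_.'session-id'
                MailFrom = if ($_.data -match '^MAIL FROM:<([^>]*)>') { $Matches[1] }
            }
        } |
        Group-Object RemoteIP |
        ForEach-Object {
            [pscustomobject]@{
                RemoteIP = $_.Name
                Sessions = @($_.Group.Session | Sort-Object -Unique).Count
                MailFrom = @($_.Group.MailFrom | Where-Object { $_ } | Sort-Object -Unique) -join ';'
            }
        } |
        Sort-Object Sessions -Descending
}

# One row per submitting host: candidates for the relay connector,
# or hosts that will be blocked once the Frontend scope is tightened.
Get-SmtpSenderSummary -Line ($sample -split '\r?\n') | Format-Table -AutoSize
```

On a real server, pass the lines of the receive protocol log files from each CAS server instead of `$sample`, covering a long enough period to catch applications that send only occasionally.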