Exchange 2016 accepted domain type:internal relay

Pero 66

Hello all,

In exchange 2016 we have setup "accepted domains". But later we created Accepted domain with "*" under domain type this one is "Internal relay".

As far as I know having "accepted domain" with "*" makes exchange an "open relay" what is everything we don't want.

Does "accepted domain" with "*" Domain type "internal relay" makes exchange an open relay ?

Thank you,
Pero

Accepted answer

Eric Yin-MSFT 4,386 Reputation points

2021-01-15T07:47:54.61+00:00

If you have created a connector accepts all IPs on port 25 with "ms-Exch-SMTP-Accept-Any-Recipient" permission, then it becomes open relay.
You should get the following warning when you set internal relay for "*" , why you still insist on it?

If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.
Pero 66 Reputation points

2021-01-15T14:08:47.983+00:00

It is true, it really turns our server to open relay. Tested and confirmed with telnet test.
We are already working on it to remove "". this "" is there because we have one application that won't work if anything else is there but this is about to change.

But as it was "internal relay" we though it won't make problems.

Thank you for help, can I ask you how can I check this .... "If you have created a connector accepts all IPs on port 25 with "ms-Exch-SMTP-Accept-Any-Recipient" permission, then it becomes open relay." ??

Andy David - MVP 147.7K Reputation points MVP

2021-01-15T14:28:57.4+00:00

Check to see if the receive connector is setup like this, substituting the name of your receive connector

https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019#how-do-you-know-this-worked

Get-ADPermission "Anonymous Relay" -User "NT AUTHORITY\ANONYMOUS LOGON" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

As I mentioned before, you need to remove that * accepted domain entry. Thinking about this, it makes sense doesnt it? a * accepted domain set for internal relay is telling Exchange to route anything its not authoritative for and if cant find any matching recipient.

Why not simply remove that * accepted domain and test to see if its an open relay? If not then you know a receive connector is not set up as an open relay either.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Andy David - MVP 147.7K Reputation points MVP

2021-01-14T14:31:26.597+00:00

What it tells Exchange is that if the recipient can't be found, then send the message to another shared mail system that matches.

HOWEVER, you should not have an accepted domain with a wildcard unless its set for a subdomain like *.contoso.com
You should only have accepted domains that represent the actual SMTP domains you accept for and if you are authoritative, then they should be set that way

Why was one created for * ?

https://learn.microsoft.com/en-us/exchange/mail-flow/accepted-domains/accepted-domains?view=exchserver-2019
Please sign in to rate this answer.

1 person found this answer helpful.
Pero 66 Reputation points

2021-01-15T10:50:18.9+00:00

Thank you for reply,

This was setup long time ago by someone who most likely took easy way out. Now I want to fix this security holes but I'm not so great exchange expert xD and I don't want easy way out.

This "" was put there to make some internal ticket system working. Some Linux machine is doing this job. Now I'm in process of finding out how it works and what should I put instead "".

Is it possible that this value is "*machine_name.domain_name" ? And what do you mean by "unless your receive connectors are also configured to allow that." ?

Andy David - MVP 147.7K Reputation points MVP

2021-01-15T12:51:52.897+00:00

As far as the accepted domain, don't you already have ones setup for your domains? You probably do otherwise no one would be receiving mail.
What domain is the Linux Machine sending to? There would also need to be matching SMTP domain suffixes on mailboxes and accounts within Exchange.

If you remove that accepted domain, does it break anything?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Exchange 2016 accepted domain type:internal relay

1 additional answer

Your answer