7,924 questions
See my previous answer:
https://learn.microsoft.com/en-us/answers/questions/203616/ms-exch-smtp-accept-authoritative-domain-sender-de.html
The ms-Exch-SMTP-Accept-Authoritative-Domain-Sender removal does not work
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 60%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Андрей Михалевский
3,451
Reputation points
Hi. I found that by default from my server (
Edge - 15.02.0721.002, Exchange Server 2019 CU7 ) I can send anonymous messages from any domain.
I found information that you can remove the permissions from the receive connector: ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Get-ReceiveConnector "Default internal receive connector RL-EDGE" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
But I can still put any domain in the from field and send myself an email.
Exchange | Exchange Server | Management
{count} votes
-
Андрей Михалевский 3,451 Reputation points
2021-12-23T11:11:04.907+00:00 The default connector is the Hub. Or is it not ?
Sign in to comment
4 answers
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2021-12-20T14:24:21.133+00:00 -
Андрей Михалевский 3,451 Reputation points
2021-12-21T08:38:27.757+00:00 The default connector is the Hub. Or is it not ?
Sign in to comment -
-
Manu Philip 20,206 Reputation points MVP Volunteer Moderator2021-12-20T13:00:03.1+00:00 In latest Exchange versions, Receive Connector should be created as a 'Transport Service Role' to stop anonymous senders. As the port 25 is already bound to Frontend Transport role, a new Transport Service to be created with a different port binding as well. In general, the following approach will help:
- Create a new Receive Connector:
New-ReceiveConnector -Name <name> -TransportRole HubTransport -Custom -Bindings <LocalIPV4>: 2525 -RemoteIpRanges <RemoteIPV4>
2- Grant anonymous permission to the new connector:Get-ReceiveConnector <name> | Add-ADPermission -User "NT AUTHORITY \ ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
3- Deny access to non-accepted domains:Get-ReceiveConnector <name> | Remove-ADPermission -User "NT AUTHORITY \ ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Sender"
-
Андрей Михалевский 3,451 Reputation points
2021-12-20T13:32:01.64+00:00 Why can't I do this on the default connector?
Sign in to comment - Create a new Receive Connector:
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2021-12-23T13:02:04.407+00:00 The default <server name> receive connector has bindings on 2525, not port 25, nor would it have the TLSDomainCapabilities populated. That doesnt look right. Did you create that custom or change something?
A custom receive connector would be transport type "FrontEndTransport'
The default FrontEnd <Server> connector is type FrontEndTransport and listens on port 25.
-
Андрей Михалевский 3,451 Reputation points
2021-12-23T19:02:32.137+00:00 Are we talking about Microsoft Exchange Edge ? It has one default connector and its role is HubTransport. TLSDomainCapabilities and changed it when I set up the hybrid configuration.
Sign in to comment -
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2021-12-23T19:13:39.937+00:00 Ok, I didnt see the original question was about Edge.
Wouldnt a rule make more sense here?-
Андрей Михалевский 3,451 Reputation points
2021-12-23T19:16:41.99+00:00 This rule works when emails are forwarded to other domains. This rule is not correct.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2021-12-23T19:31:52.443+00:00 Not sure what you mean, but if you have DMARC and SPF setup, you can create a transport rule that blocks any message sent from external to your domain as your domain.
Example:Note that the same rule can created on the Edge with Powershell
-
Андрей Михалевский 3,451 Reputation points
2021-12-24T08:07:28.66+00:00 This rule works when I forward the email to another domain. As a result, the message is blocked.
Sign in to comment -