Sunday, April 6, 2008

Anonymous submission and relay of SMTP messages in Exchange 2007

When organizations install Exchange 2007 they often get problems because they have applications and sometimes users sending SMTP mail to there’s mail server. In previous version of Exchange this was not a problem since it allowed receiving of mail without authentication, with Exchange 2007 this is no longer the case. Default setting on the “Default servername” receive connector is not to allow anonymous users.












The easiest thing to do is to check the “Anonymous users”, but are you really sure you want to do this? There is a good reason not to allow anonymous submission of SMTP mail and that’s getting rid of the anonymity on your network. If you really need to accept anonymous submission then I suggest that you create a new receive connector that allow anonymous users and only accept mail from certain IP (look on the network tab and ) that cannot send mail authenticated, this also makes the “Default servername” receive connector have its default settings.A common misunderstanding is that by allowing anonymous users also makes it possible to relay mail, this is not the case. To allow relaying users or the application must authenticate the SMTP session. If mail is destined to internal users then there is no need to allow relaying, it’s only needed when mail is destined to external recipients.Default settings on receive connectors is set to allow “Exchange users” to relay. Exchange users is all users that have a mailbox, so by creating a mailbox for the application and make the application authenticate it will also be allowed to relay. Type of authentication is specified on the “Authentication” tab.













The most common authentication method is “Basic Auth.”. Exchange 2007 settings is to only allow basic auth after that TLS has been started, and that is not so common that applications can do TLS. TLS is similar to SSL and it encrypts the transmission so it’s a good thing if it can be enabled in the application. Integrated Windows Authentication is good to use if your applications can use it.
Another good thing if you can make your application authenticate when sending SMTP mail is they bypass spam checks done by Exchange. You can see this if you run
Get-ADPermission "receive connector name" where {$_.User -like 'NT AUTHORITY\Authenticated Users' -and $_.isinherited -eq $False} ft User, ExtendedRights –autosize





Spam checks are only done if you have installed the antispamagents on your HubTransport server.

If you really want to allow relay without authentication (=anonymous relay) you should read http://msexchangeteam.com/archive/2006/12/28/432013.aspx