This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 7.000000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBI%3C/text%3E%3C/svg%3E)
Hello, I ran in a strange behavior while setting up a receive connector on Exchange 2013 to work as Anonymous Relay. I'm in the process of migrating from Exchange 2010, so I'm recreating the same Receive connectors that I have in XCH2010.
Permissions on both Exchange servers RCs are the same:
User ExtendedRights
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Recipient}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Submit}
NT AUTHORITY\ANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
As you can see, "ms-Exch-SMTP-Accept-Any-Sender" permission has been removed from the default set of permissions that are applied when ticking "Anonymous Users" in the GUI to setup anonymous relay connector. That is, I set up the connector ticking "anonymous user" and after saving I manually removed in EMS "ms-Exch-SMTP-Accept-Any-Sender" permission.
The goal is to allow anonymous relay to any recipients (@anydomain.any) from a small subset of internal IPs, but only using @mydomain.xx smtp domain as sender address (mail from:).
This works and has always worked for Exchange 2010: when issuing the <crlf>.<crlf> sequence (using a non local smtp domain in mail from:), the hub transport tells me:
550 5.7.1 Anonymous client does not have permissions to send as this sender
Setting up the same connector in Exchange 2013 (latest CU), ignores the absence of the extended right, letting me to use any domain in the sender address. Connector has been set as frontend connector, as it's the recommended method on Microsoft documentation to create receive connectors that act as anonymous relays.
I read around that someone has workarounded the problem by setting up a connector as a TransportHub connector instead of Frontend.
Can someone explain this behavior change and how can I achieve the above said goal in a supported/clean way?
Thank you,
Francesco B. B.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @BK IT Staff ,
I just came across the thread below which discusses the removal of the "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" permission on a frontend receive connector:
ms-Exch-SMTP-Accept-Authoritative-Domain-Sender deny seems not to work on FrontendTransport connector
According to the information shared by Andy(Microsoft MVP), "things and perms have changed a bit since Exch 2013 in that regard". So I am assuming that it's likely this applies to "ms-Exch-SMTP-Accept-Any-Sender" permission as well.
Given this, personally I would suggest giving it a try by creating a Hub receive connector and test to see if it can meet your requirement. Here's a blog I found which could be of some help:
Remove the Ms-Exch-SMTP-Accept-Any-Sender permission doesn’t work
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello, which permissions/authentication mechanisms must be enabled on RCs to allow their use only by providing AD account username and password (e.g.: mydomain\smtpuser)? Authentication mechanism must be widley configurable on the most number of device types (basic smtp clients, printers, monitor apps, networking devices, etc...).
Thank you,
Francesco B. B.
Hi @BK IT Staff ,
By this, do you mean you are concerned about internal spoofing? From what I read, this could be realized by removing the "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" permission of an anonymous relay receive connector. So if you want the receive connector to be used by authenticated users only, basically you can choose the "Exchange users" permission group. See Receive connector permission groups.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello @Yuki Sun-MSFT ,
You got it. That's exactly the point. Exchange 2010 in my evironment is configured just as you say, without the "ms-Exch-SMTP-Accept-Any-Sender" permission on the receive connector dedicated to my internal smtp clients/devices. In Exchange 2013 and later, things (regarding connector permissions) have changed: on FrontEnd Receive Connectors permissions like "ms-Exch-SMTP-Accept-Any-Sender", "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender", etc., seem to simply be ignored (not applied). As stated here, for example, you should create a HubTransport Receive Connector to accomplish the task. The contraddiction is that on Microsoft Learn it is clearly stated that clients shouldn't connect directly to HubTransport Receive connectors: "[..]Clients don't directly connect to these connectors.".
However, I'm trying to configure a custom Receive Connector (HubTransport) as per the instructions in the above linked blog.
Hi @Yuki Sun-MSFT ,
I have two choices that I know here, provided the information you kindly gave me:
1) Configure a HubTransport Receive Connector on the 2525 port, since two receive connectors with same bindings on different transport roles (FrontEnd or HubTransport) cannot listen on the same port. So, it will theorically honorate the "ms-Exch-SMTP-Accept-Any-Sender" permission.
2) Configure a FrontEnd or HubTransport Receive Connector that requires authentication (https://www.codetwo.com/admins-blog/how-to-prevent-internal-email-spoofing-in-exchange/).
The main problem for us by implementing either 1) or the 2) method, is that I will have to change all smtp clients (printers, monitoring applications, etc.) to either use a different smtp port or to provide credentials.
The third (not appreciated) method is to leave things as they currently are accordingly to Exchange 2013 and later behavior change, that is, accept the risk of internal email spoofing.
If you have any other idea, that has less admin activity overhead, it would be really appreciated.
Thank you very much for help.
Francesco B. B.
Hi @BK IT Staff ,
I tried doing further research on this using my internal resource. and what I found is the same as mentioned earlier, that is, it has been confirmed in Exchange 2013 - 2019 (in all Exchange On-Prem Versions that differentiate between the "HubTransport" and the "FrontendTransport" Role), that the removal of the permissions "ms-Exch-SMTP-Accept-Any-Sender" and "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" from relevant Security Groups like "NT AUTHORITY\ANONYMOUS LOGON" or "MS Exchange\Externally Secured Servers" only comes into effect for Receive Connectors that are bound to the "HubTransport" rather than to the "FrontendTransport" Role.
Given this, personally I'd choose the 1) method: configure a HubTransport receive connector on a different port and set the permissions, then change the smtp clients to use the new port.
Thank you @Yuki Sun-MSFT , I'll go with the 1) option as you suggest.
I take advantage of your kindness for another question related to this topic.
Just for the sake of improving my skills and learning... The option 2), where it tells to create a Receive Connector that requires authentication: I don't understand two things. The article says that you prevent internal email spoofing by creating a connector this way:
New-ReceiveConnector –Name ”Internal Client SMTP” –TransportRole FrontendTransport –Usage Custom –Bindings 0.0.0.0:25 –RemoteIPRanges 192.168.23.0/24,192.168.170.0/24 –AuthMechanism TLS,Integrated –PermissionGroups ExchangeUsers
Now:
Thank you very much.
Hi @BK IT Staff ,
Regarding your concern about the authentication mechanism, Sorry that personally I am not familiar with this either. But per my understanding, you should be able to configure the combination of authentication mechanisms based on the requirement of the service or devices.
For the second thing you stated, yes, the receive connector just needs you to authenticate with an authenticated user's credential. As regards to your concern about "who prevents you to use '@anydomain' as the domain portion of smtp address", my understanding is that this receive connector is using the "ExchangeUsers" permission group, which doesn't include the "ms-Exch-SMTP-Accept-Any-Sender" permission.
Thank you very much @Yuki Sun-MSFT .