This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 62%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
Hello,
Our mail infrastructure is composed of two Exchange servers version 2016 in a DAG, that were in CU15.
Where receive connectors did not accept anonymous connections without configuring per ip address permissions!
Today, we discovered that after upgrading to CU19 and installing security patch KB5000871 , using any simple tool or any script, would permit sending emails using any identity from our network... which would cause a huge security breach if discovered..!
I would like to know, if anyone had this problem? and if resolved, what was the solution for it?
Thanks in advance
Can you give a specific example of what its doing and how you tested this?
You have to have at least one receive connector that handles anonymous connections of you wont be able to receive mail from the internet.
Hello anonymous userDavid
We tested using a PS script from a desktop device, and as sender, we set a colleague's email and receipient my address.
This test is made by a simple powershell script which uses sendmail function.
This receive connector's name is Internal SMTP relay ## (# because we have a dag).
and it has anonymous users checked.
And in Scope, we do have 3 or 4 ip addresses. (because, by default we do not accept port 25 traffic from any machine, we've set another smtp relay server to handle printers, scanner...)
I'd like to know, too, if possible, for a received email, can we know which connector was used to deliver it?
Thank you in advance
Yes, you can tell that by enabling SMTP protocol logging on the Receive Connectors.
The one used will be listed for that connection in the protocol logs
https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/configure-protocol-logging?view=exchserver-2019
Thank you,
The settings seem to be fine correct but it's not working... i don't know, if it's could be caused by the last upgrade and patch management?
I'm Still not cleat what is not working however :)
everything is working.. but we discovered a security issue, which is:
if a bad user in LAN, uses any tool or script (for ex. sendmail of powershell) he can put any sender email, and he can connect to the internal smtp connector without any form of authentication
this is our problem...
Ok, which connector is allowing this?
If the recipient is internal, then that is expected.
You can fix this by setting an allowed IP range on the "Default FrontEnd <Server>" Receive Connector . Note if the server accepts messages directly from the internet, you can not scope to an allowed range of IPs, otherwise you wont get any email!
If the sender is anyone and its allowed to send to anyone externally, then someone messed with the connectors and allowed one of them to be an open relay.
You fix that by reversing that and removing the permissions on that connector that is allowing that:
Hi @LotfiBOUCHERIT-4930 ,
Have you tried to uncheck the Anonymous users of the Internal SMTP Relay connector?
I would think it's expected if you allow the anonymous relay on that receive connector and the Senders & Recipients are internal guys.
Also please check the permission of the other receive connectors.
As Andy said, you could try to change the scoping of IP addresses to allow specific users to access.
I'd like to know, too, if possible, for a received email, can we know which connector was used to deliver it?
Well if you have created a send connector, you can judge by the scoping Domain and Cost. But it could also use the default Send Connector to do that if you didn't create one.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
thank you for your help,
for the receive connectors, i believe that those ip addresses are set...
for the available connectors we have:
for the configuration of the internal smtp relay ## :
security:
scope:
for the default #SERVER security:
and the scope:
as you said, @Xzsssss for the send connectors:
and the last one, has only the antispam device to send emails to internet.
And i believe, that nothing was changed lately...
Could anyone please, tell what should be done?
Regards
Hi @LotfiBOUCHERIT-4930 ,
Thanks for sharing these info.
If only the internal users could use the connectors anonymously, I think you can try to uncheck this
to test if that's the point.
Regards,
Lou
Hi @LotfiBOUCHERIT-4930 ,
Do the suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Regards,
Lou
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.