question

0 Votes
Pero-7573 asked · AndyDavid edited

Exchange 2016 accepted domain type:internal relay

Hello all,

In Exchange 2016 we have set up "accepted domains". But later we created an accepted domain with "*"; under domain type this one is "Internal relay".

As far as I know, having an "accepted domain" with "*" makes Exchange an "open relay", which is everything we don't want.

Does an "accepted domain" with "*" and domain type "internal relay" make Exchange an open relay?


Thank you,
Pero

Tags: windows-server-2016, office-exchange-server-mailflow

1 Vote
EricYin-MSFT answered · AndyDavid edited

If you have created a connector that accepts all IPs on port 25 with "ms-Exch-SMTP-Accept-Any-Recipient" permission, then it becomes an open relay.
You should get the following warning when you set internal relay for "*"; why do you still insist on it?
[image: 3.png, the warning dialog shown when saving the "*" internal relay accepted domain]


It is true, it really turns our server into an open relay. Tested and confirmed with a telnet test.
We are already working on removing "*". This "*" is there because we have one application that won't work if anything else is there, but this is about to change.

But as it was "internal relay" we thought it wouldn't make problems.


Thank you for the help. Can I ask you how I can check this: "If you have created a connector accepts all IPs on port 25 with "ms-Exch-SMTP-Accept-Any-Recipient" permission, then it becomes open relay."?

0 Votes

Check to see if the receive connector is set up like this, substituting the name of your receive connector:

https://docs.microsoft.com/en-us/exchange/mail-flow/connectors/allow-anonymous-relay?view=exchserver-2019#how-do-you-know-this-worked

Get-ADPermission "Anonymous Relay" -User "NT AUTHORITY\ANONYMOUS LOGON" | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

As I mentioned before, you need to remove that accepted domain entry. Thinking about this, it makes sense, doesn't it? An accepted domain set for internal relay is telling Exchange to route anything it's not authoritative for and if it can't find any matching recipient.

Why not simply remove that * accepted domain and test to see if it's an open relay? If not, then you know a receive connector is not set up as an open relay either.


0 Votes

1 Vote
AndyDavid answered · AndyDavid edited
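Combining the receive-connector check above with the accepted-domain point, here is an added audit script (not from this thread or from Microsoft's documentation) for the Exchange Management Shell that reports both conditions together. It assumes that an accepted domain's DomainName and a connector's RemoteIPRanges entries render as the strings '*' and '0.0.0.0-255.255.255.255' via ToString(); the telnet test Andy suggests remains the authoritative check.

```powershell
# Added audit script (not from this thread or Microsoft's docs); run in the
# Exchange Management Shell. It reports the two settings the answers above
# describe, which together let anonymous senders relay to any domain:
#   1. an accepted domain whose name is a bare "*" and whose type is not
#      Authoritative (InternalRelay or ExternalRelay), and
#   2. a receive connector that grants ms-Exch-SMTP-Accept-Any-Recipient to
#      NT AUTHORITY\ANONYMOUS LOGON, flagged as fully open when its remote IP
#      range covers the whole IPv4 address space.
# Assumption: DomainName and RemoteIPRanges entries render as the strings
# '*' and '0.0.0.0-255.255.255.255' when converted to strings.

$anonymous    = 'NT AUTHORITY\ANONYMOUS LOGON'
$anyRecipient = 'ms-Exch-SMTP-Accept-Any-Recipient'
$allIPv4      = '0.0.0.0-255.255.255.255'
$findings     = @()

# 1. Wildcard accepted domains of a relay type
foreach ($ad in Get-AcceptedDomain) {
    if ("$($ad.DomainName)" -eq '*' -and $ad.DomainType -ne 'Authoritative') {
        $findings += "AcceptedDomain '$($ad.Name)': DomainName is '*' with type $($ad.DomainType)"
    }
}

# 2. Receive connectors where anonymous senders may submit to any recipient
foreach ($rc in Get-ReceiveConnector) {
    # Only effective (non-Deny) ACEs for the anonymous principal matter here
    $relayAce = Get-ADPermission -Identity "$($rc.Identity)" -User $anonymous |
        Where-Object {
            -not $_.Deny -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $anyRecipient)
        }
    if (-not $relayAce) { continue }

    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    $scope  = if ($ranges -contains $allIPv4) { 'ANY remote IP (open relay)' } else { "restricted to $($ranges -join ', ')" }
    $findings += "ReceiveConnector '$($rc.Identity)' (bindings $($rc.Bindings -join ', ')): anonymous has $anyRecipient, $scope"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No wildcard relay accepted domain and no anonymous any-recipient connector found.' }
```

A connector that grants the any-recipient right to anonymous but is restricted to a few application IPs (the ticket-system host, for example) is the supported alternative to the "*" accepted domain, so the script prints the range rather than flagging every match as open.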

What it tells Exchange is that if the recipient can't be found, then send the message to another shared mail system that matches.

HOWEVER, you should not have an accepted domain with a wildcard unless it's set for a subdomain like *.contoso.com.
You should only have accepted domains that represent the actual SMTP domains you accept for, and if you are authoritative, then they should be set that way.

Why was one created for *?

https://docs.microsoft.com/en-us/exchange/mail-flow/accepted-domains/accepted-domains?view=exchserver-2019


Thank you for reply,

This was set up a long time ago by someone who most likely took the easy way out. Now I want to fix these security holes, but I'm not so great an Exchange expert xD and I don't want the easy way out.

This "*" was put there to make some internal ticket system work. Some Linux machine is doing this job. Now I'm in the process of finding out how it works and what I should put instead of "*".

Is it possible that this value is "*machine_name.domain_name"? And what do you mean by "unless your receive connectors are also configured to allow that."?


0 Votes

As far as the accepted domain, don't you already have ones set up for your domains? You probably do, otherwise no one would be receiving mail.
What domain is the Linux machine sending to? There would also need to be matching SMTP domain suffixes on mailboxes and accounts within Exchange.

If you remove that accepted domain, does it break anything?

0 Votes