
Need to lock down smtp to stop users from sending spam.

Status
Not open for further replies.

cajuntank

I want to implement this but for Exchange 2007 SP1. I have a virus that has infected a few of my machines and since they are authenticated to my domain, they are relaying mail through my Exchange server to other internal users trying to infect them. I know I need to address this at my receive connectors, but I have to allow for specific addresses allowed for relay (copiers) and mail received from my Barracuda. Any thoughts?
 
Grr...I just went to Exchange Management Console to check the exact names of everything and the flaming thing has hung on me.

In the receive connector, I think it is the middle tab and it is something like "Network", there's 2 sections and in one you can modify the IP addresses it will accept connections from. In there, put in your copiers range and the Barracuda IP as accept. Or if it is easier, put in the clients and have it as a deny.

You can do it in PowerShell too but that would be command line stuff and I prefer visual.
 
Zelandakh's method is spot on. The only difference I use is that I create a separate receive connector for internal stuff, and configure accordingly. That way, the default connector doesn't get anonymous access enabled.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I have my Default receive connector and another connector I created called Internet. If I'm understanding this right, under the network tab in the first section, it's the IP address or addresses of the local server. The second section is the remote IP(s) that the server can receive mail from. The Default and Internet connectors are set up the same way in the Network tab, but in the Authentication the Internet connector is just TLS and in the Permission tab the only property checked is anonymous. The Default connector has everything in those tabs checked except for anonymous and partners in the Permission tab.

Since I have just the one server and I'm not doing pop3, imap, or smtp from my clients (OWA and MAPI if I understand correctly), then do I need the Default receive connector at all? Seems like I would make my network clarifications on my Internet connector for my Barracuda and copiers specifically like y'all mention and then that's it. Am I missing something?
 
Two things have to happen for it to work:

1. You need a receive connector with anonymous access enabled on the "Permission Groups" tab.
2. You need the IP address of the copiers configured in the bottom section of the "Network" tab on that connector.

You could do that to the Default receive connector. That's up to you. I generally create a new connector for stuff like that. For instance, I have one for all infrastructure equipment (switches, servers, UPS, etc) for all email notifications. I have another for an application here that sends out mass mail via the client piece (it's a piece of crap - who designs the client piece to send the SMTP email?).

Each of those connectors ONLY has anonymous enabled. They also have their own FQDN configured (general tab) to make troubleshooting easier.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
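The setup described in the posts above, written for the Exchange Management Shell as an added example that is not part of the original thread: a dedicated anonymous-only connector scoped to the copier addresses, the Internet connector narrowed to the Barracuda, and a listing of every connector that still accepts anonymous SMTP. The server name, connector name, FQDN and IP addresses are placeholders; "Internet" is the connector name mentioned in the thread.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# Placeholder values (assumptions): replace with your own before use.
$server    = 'EXCH01'                     # placeholder server name
$copierIPs = '192.0.2.21', '192.0.2.22'   # placeholder copier addresses
$gatewayIP = '192.0.2.10'                 # placeholder Barracuda address

# 1. Dedicated connector for the copiers: anonymous is the only permission
#    group, and only the listed remote IPs are matched by this connector.
#    It gets its own FQDN so its sessions are easy to spot in the logs.
New-ReceiveConnector -Name 'Copiers' -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $copierIPs `
    -Fqdn 'copiers.example.invalid' `
    -PermissionGroups AnonymousUsers

# 2. Narrow the existing anonymous "Internet" connector so it only
#    accepts connections from the Barracuda.
Set-ReceiveConnector -Identity "$server\Internet" -RemoteIPRanges $gatewayIP

# 3. Check: list every connector that still allows anonymous senders and
#    flag any whose remote range is the whole IPv4 space.
#    (Compares the string form of each range; adjust if yours prints differently.)
Get-ReceiveConnector -Server $server |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    ForEach-Object {
        $ranges = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
        New-Object PSObject |
            Add-Member NoteProperty Name           $_.Name           -PassThru |
            Add-Member NoteProperty Bindings       "$($_.Bindings)"  -PassThru |
            Add-Member NoteProperty RemoteIPRanges ($ranges -join ', ') -PassThru |
            Add-Member NoteProperty OpenToAll      ($ranges -contains '0.0.0.0-255.255.255.255') -PassThru
    } |
    Format-Table -AutoSize
```

When several connectors share a binding, Exchange hands the session to the one whose remote IP range matches the sender most specifically, so the copiers land on the dedicated connector and everything else falls through to the others.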
 
Ok.. one last question then, what situation would I ever use the client receive connector, the one that references port 587 since neither OWA nor MAPI uses that port?
 
Exchange server uses OWA for your user to check their email (not receive) over Internet Exploder. Similarly it uses MAPI to connect Outlook.

You still need to receive email INTO the Exchange server from outside.
 
But that receive into Exchange server would be over port 25, what situation would I use the client connector that the install creates with port 587?
 