Receive Connector security configuration

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I have always been able to use telnet to send unauthenticated email to internal users for testing purposes and thought that's been great. But that ability has just caused a problem where one student has found the ability and maliciously used it to send an email from another user to a third. So I need to look at the security of the Receive Connectors.

Here's the scenario:
  • Ubuntu server running SpamSnake/MailScanner receives email from the Internet and passes it to Exchange
  • 2x Exchange 2010 servers (EXCA1 & EXCA2) with CA & HT roles
  • 2x Exchange 2010 servers (EXMS1 & EXMS2) with MX role
  • Many servers on VLAN10 (10.10.0.0/16) and VLAN11 (10.11.0.0/16) should be able to send unauthenticated internally
  • Clients using Outlook 2010 are on several VLANs (10.20.0.0/16, 10.21.0.0/16 etc)

There is a connector labelled Default EXCA1 with the following settings:
  • Network/Use these local IP addresses to receive mail - all/25
  • Network/Receive mail from remote servers that have these IP addresses - 0.0.0.0-255.255.255.255
  • Authentication - TLS, Basic Auth, Exchange Server, Integrated Windows are enabled
  • Permission Groups - Anonymous, Exchange users, Exchange servers, Legacy Exchange servers are enabled

There's another connector that has the IP addresses of the server VLAN to allow unauthenticated sending.

Is it as simple as removing the Anonymous permission from that connector? I tried that and I could still send but I suspect I may need to restart the Microsoft Exchange Transport service for it to take effect. Is that correct?

Does a connector need to be set up to allow the SpamSnake/MailScanner server to send unauthenticated mail to Exchange? Would this just specify its IP address and allow Anonymous permission?

Thoughts?
 
On the default connector, you want to change this:

"Network/Receive mail from remote servers that have these IP addresses - 0.0.0.0-255.255.255.255"

Assuming your internal subnet is 192.168.5.0, and your mail server is 192.168.5.5--It should instead be broken into three ranges:

0.0.0.0-192.168.5.1
192.168.5.5
192.168.5.254-255.255.255.255

That way only the mail server itself and the rest of the world is allowed to send via SMTP through your server, but the hosts on the network are excluded--they can only send via RPC/MAPI via an Outlook client or via OWA.

The problem with removing Anonymous is that the user is probably authenticated already, merely by dint of being logged on to a domain-joined computer.

Dave Shackelford
ThirdTier.net
TrainSignal.com
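
Added example, not part of either post: a small Python helper that derives the "remote IP addresses" list for a connector by cutting blocked client ranges out of 0.0.0.0-255.255.255.255 and adding back individual hosts that must still connect. The function name `remote_ranges` and the blocked span 192.168.5.2-192.168.5.253 (inferred from the three ranges in the reply above) are assumptions; the two /16 networks are the client VLANs named in the question.

```python
import ipaddress

FULL = (0, 2**32 - 1)  # 0.0.0.0-255.255.255.255, the default connector's scope

def _span(spec):
    """Parse 'a.b.c.d', 'a.b.c.d-e.f.g.h' or CIDR into an inclusive (lo, hi) pair."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
    else:
        net = ipaddress.IPv4Network(spec.strip(), strict=True)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"range start is after range end: {spec}")
    return lo, hi

def _subtract(spans, cut):
    """Remove the inclusive span `cut` from every span in `spans`."""
    out = []
    for lo, hi in spans:
        if cut[1] < lo or cut[0] > hi:   # no overlap, keep unchanged
            out.append((lo, hi))
            continue
        if lo < cut[0]:                  # part below the cut survives
            out.append((lo, cut[0] - 1))
        if cut[1] < hi:                  # part above the cut survives
            out.append((cut[1] + 1, hi))
    return out

def remote_ranges(blocked, allowed_exceptions=()):
    """Everything except `blocked`, plus `allowed_exceptions`, as start-end strings."""
    spans = [FULL]
    for spec in blocked:
        spans = _subtract(spans, _span(spec))
    spans += [_span(s) for s in allowed_exceptions]
    merged = []                          # merge overlapping or adjacent spans
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(hi, merged[-1][1]))
        else:
            merged.append((lo, hi))
    ip = lambda n: str(ipaddress.IPv4Address(n))
    return [ip(lo) if lo == hi else f"{ip(lo)}-{ip(hi)}" for lo, hi in merged]

if __name__ == "__main__":
    # Constructed inputs: the reply's example subnet, then the question's client VLANs
    print(remote_ranges(["192.168.5.2-192.168.5.253"], ["192.168.5.5"]))
    print(remote_ranges(["10.20.0.0/16", "10.21.0.0/16"]))
```

Every additional client VLAN goes into `blocked`; a host missing from both lists stays inside the open ranges, so review the output before applying it to a connector.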
 