Enforce SMTP Authentication With Organization

  • Question

  • Hi:

    I have Exchange 2010 for our company, and the accepted domain is xxx.com. It looks like sending emails within our organization does not require authentication. For example, I can send an email from ghost@xxx.com to someone@xxx.com without being asked to enter a user name and password, and the from email, ghost@xxx.com, does not even exist. How can I enforce our Exchange server to require authentication when sending emails within our organization?

    Wednesday, June 11, 2014 5:52 AM

Answers

  • I got it and it is expected. If you have no spam gateway to accept emails before Exchange while coming from the internet, your Exchange needs to listen on all the IP addresses from the internet, or else you will break inbound emails from the internet.

    You will have to go ahead and set up the Antispam agents, and in IP Block listing you will need to block all your internal IP ranges. They will not be allowed to submit emails through SMTP.

    If there are POP3/IMAP users, their emails are authenticated before coming to Exchange anyway, and authenticated submissions have bypassantispam permissions given on them, which lets the emails come in.

    These Antispam agents would only work on anonymous SMTP connections submitting emails (like the script that you have, or any user submitting through Telnet/pelnet etc.).

    • Marked as answer by Colin Z Lin Thursday, June 12, 2014 5:19 PM
    Thursday, June 12, 2014 2:07 PM
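
The steps in the answer above, written out for the Exchange Management Shell as an added example (not part of the original thread). The IP ranges are constructed placeholders; substitute the organization's own internal ranges.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.

# 1. Find the receive connectors that accept anonymous SMTP submissions and
#    show which remote addresses and authentication methods they allow.
$anonConnectors = Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' }
$anonConnectors |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups |
    Out-Host

# 2. List the extended rights the anonymous account holds on each of them.
foreach ($connector in $anonConnectors) {
    Get-ADPermission -Identity $connector.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { $_.ExtendedRights } |
        Format-Table Identity, ExtendedRights, Deny -AutoSize |
        Out-Host
}

# 3. The IP Block list is enforced by the Connection Filtering agent, which is
#    only present once the anti-spam agents are installed on this server.
$agent = Get-TransportAgent |
    Where-Object { $_.Identity -like 'Connection Filtering*' }
if (-not $agent -or -not $agent.Enabled) {
    Write-Warning 'Connection Filtering agent is missing or disabled. Install and enable the anti-spam agents, restart the transport service, then run this again.'
    return
}
Get-IPBlockListConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled |
    Out-Host

# 4. Block anonymous SMTP submission from the internal ranges.
#    Constructed sample ranges, not taken from the thread.
$internalRanges = '10.10.0.0/16', '192.168.10.0/24'
foreach ($range in $internalRanges) {
    Add-IPBlockListEntry -IPRange $range
}

# 5. Review the resulting block list.
Get-IPBlockListEntry | Format-Table Identity, IPRange -AutoSize | Out-Host
```

Any internal device or application that submits mail anonymously from a blocked range is rejected as well, so list those senders before adding broad ranges.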

All replies

  • I am assuming you are talking about either submitting an email through telnet or some SMTP application (putty or something like this).

    It is simulating an email coming from the internet.

    You can harden this by working on your receive connectors, making sure only Exchange servers can submit emails to each other and only your spam gateway, which is accepting emails from the internet on your behalf, is allowed to submit emails to the Exchange server anonymously.

    If you don't have a spam gateway which accepts emails before it hits Exchange server, then it is difficult to get this accomplished.

    Wednesday, June 11, 2014 11:55 AM
  • Hi Akshay:

    Thank you for the reply! Yes, so right now, I can write a C# program myself like below to send an email from a non-existing email account to our users. I need to prevent this happening.

    System.Net.Mail.MailMessage message = new System.Net.Mail.MailMessage();
    message.To.Add("john@mycompany.com");
    message.Subject = "Test";
    message.From = new System.Net.Mail.MailAddress("ghost@mycompany.com");
    message.Body = "This is the message body";
    System.Net.Mail.SmtpClient smtp = new System.Net.Mail.SmtpClient("mail.mycompany.com");
    smtp.Send(message);


    We don't have a spam gateway, just have a Symantec Exchange Security installed on the Exchange server, which has a limited functionality.

    How can I make it so that only the Exchange server can submit emails? Sorry, I am unable to attach images, but my receive connectors have the below checked on the Authentication tab:

    • Transport Layer Security (TLS)
    • Basic Authentication
    • Offer Basic authentication only after starting TLS
    • Exchange Server authentication
    • Integrated Windows authentication

    And below checked for Permission Groups tab:

    • Anonymous users
    • Exchange users
    • Exchange servers
    • Legacy Exchange Servers
    Wednesday, June 11, 2014 11:55 PM