Forum Discussion
Limit unauthenticated mail
- Feb 05, 2025
Hi Gly
> I could create a connector that contains the IP-ranges of our employee networks, but that seems a bit backwards
What would be the difference?
You probably have disabled Mailflow from the Internet to Exchange.
So already today only Internal Applications can send unauthenticated Mails.
What I would recommend:
Analyze your SMTP Protocol Log.
Talk to the Application Owners to use SMTP Authentication.
For those Applications that do not support SMTP Authentication, use a special Relay Receive Connector and add only the IPs (Not IP Ranges)
for example: relay.domain.com (and use a matching Certificate) so the Clients can use TLS.
https://practical365.com/exchange-2019-smtp-relay-services/
Last, remove 'anonymous authentication' from the 'Default Frontend' Receive Connector.
Kind Regards
Andres
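
One way to do the protocol log analysis recommended above, as an added example that is not part of either reply: it lists the source IPs that submitted mail on the Default Frontend connector without a successful AUTH, which are the applications to contact or to place on a dedicated relay connector. The function name, `$LogPath` and the sample lines are assumptions made for illustration, and protocol logging has to be enabled on the connector for these logs to exist.

```powershell
# Column order as written in the "#Fields:" header of an SMTP receive protocol log.
$Fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Hypothetical helper: returns remote IPs whose sessions sent MAIL FROM without AUTH.
function Get-UnauthenticatedSender {
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [string]$Connector = '*\Default Frontend*'
    )
    $sessions = @{}
    $rows = $Line | Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $Fields
    foreach ($r in $rows) {
        if ($r.'connector-id' -notlike $Connector) { continue }
        $id = $r.'session-id'
        if (-not $sessions.ContainsKey($id)) {
            $sessions[$id] = [pscustomobject]@{
                RemoteIP = $r.'remote-endpoint' -replace ':\d+$', ''  # drop source port
                Auth     = $false
                Mail     = $false
            }
        }
        # '>' is a server reply, '<' a client command; 235 is the SMTP AUTH success code.
        if ($r.event -eq '>' -and $r.data -match '^235\b')      { $sessions[$id].Auth = $true }
        if ($r.event -eq '<' -and $r.data -match '^MAIL FROM:') { $sessions[$id].Mail = $true }
    }
    $sessions.Values | Where-Object { $_.Mail -and -not $_.Auth } |
        Group-Object RemoteIP | Sort-Object Count -Descending |
        Select-Object @{n='RemoteIP';e={$_.Name}}, @{n='Sessions';e={$_.Count}}
}

# Constructed sample lines: server name, IPs, session ids and addresses are made up.
$sample = @(
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    '2025-02-05T08:00:00.000Z,EX01\Default Frontend EX01,08DD0001,0,10.0.0.10:25,10.0.5.21:50111,+,,'
    '2025-02-05T08:00:01.000Z,EX01\Default Frontend EX01,08DD0001,1,10.0.0.10:25,10.0.5.21:50111,<,MAIL FROM:<app1@domain.com>,'
    '2025-02-05T08:05:00.000Z,EX01\Default Frontend EX01,08DD0002,0,10.0.0.10:25,10.0.5.30:50222,<,AUTH LOGIN,'
    '2025-02-05T08:05:01.000Z,EX01\Default Frontend EX01,08DD0002,1,10.0.0.10:25,10.0.5.30:50222,>,235 2.7.0 Authentication successful,'
    '2025-02-05T08:05:02.000Z,EX01\Default Frontend EX01,08DD0002,2,10.0.0.10:25,10.0.5.30:50222,<,MAIL FROM:<app2@domain.com>,'
    '2025-02-05T09:00:00.000Z,EX01\Default Frontend EX01,08DD0003,0,10.0.0.10:25,10.0.5.21:50333,<,MAIL FROM:<app1@domain.com>,'
)
Get-UnauthenticatedSender -Line $sample

# Against real logs, with $LogPath set to your receive protocol log folder (assumption):
# Get-UnauthenticatedSender -Line (Get-Content (Join-Path $LogPath '*.log'))
```

An IP that shows up here with a steady session count is an application still relying on anonymous submission, so removing anonymous permission from the Default Frontend connector would cut it off.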
Hello Gly,
Using Exchange 2016 (on-premises)
1-> Remove Anonymous Authentication from the Default Frontend Connector
- Open Exchange Admin Center (EAC)
- Go to Mail Flow > Receive Connectors
- Select Default Frontend Connector and disable Anonymous Authentication
2-> Create a New Receive Connector for Allowed Applications
- In EAC, create a new connector named Allowed Applications Relay
- Add the IP addresses of the applications that need to send mail
- Enable Anonymous Users in security settings
3-> Test and Ensure Mail Flow is Not Disrupted
- Verify that normal user emails are not affected
- Send a test email from authorized applications to confirm functionality