Forum Discussion

Gly
Brass Contributor
Feb 04, 2025
Solved

Limit unauthenticated mail

The standard configuration in Exchange is that anyone internally can connect to telnet and send unauthenticated e-mail to anyone inside the organization. We want to limit this so that only those app...
  • Andres-Bohren
    Feb 05, 2025

    Hi Gly 

    >I could create a connector that contains the IP-ranges of our employee networks, but that seems a bit backwards
    What would be the difference?
    You probably have disabled Mailflow from the Internet to Exchange.
    So already today only Internal Applications can send unauthenticated Mails.

    What I would recommend:
    Analyze your SMTP Protocol Log.
    Talk to the Application Owners to use SMTP Authentication

    For those Applications that do not support SMTP Authentication, use a special Relay Receive Connector and add only the IPs (Not IP Ranges)
    for example: relay.domain.com (and use a matching Certificate) so the Clients can use TLS.
    https://practical365.com/exchange-2019-smtp-relay-services/ 

    Last, remove 'anonymous authentication' from the 'Default Frontend' Receive Connector.

    Kind Regards
    Andres
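
The protocol-log analysis recommended in the reply above could be done along these lines. This is an added example, not part of Andres's reply: it assumes the standard SMTP receive protocol log columns, and the function name, the server name EX01 and all sample rows are constructed.

```powershell
function Get-UnauthenticatedSender {
    param(
        [string[]]$Line,                                   # raw protocol log lines
        [string]$ConnectorPattern = '*Default Frontend*'   # connector to audit
    )
    # Column order as listed in the log's own "#Fields:" header line.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |       # skip '#' header lines
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.'connector-id' -like $ConnectorPattern } |
        Group-Object -Property 'session-id' |
        ForEach-Object {
            $data     = @($_.Group | ForEach-Object { $_.data })
            $sentMail = @($data -match '^MAIL FROM:').Count -gt 0
            # 235 is the SMTP reply code for a successful AUTH (RFC 4954).
            $authed   = @($data -match '^235 ').Count -gt 0
            if ($sentMail -and -not $authed) {
                # Emit the client IP without its source port.
                $_.Group[0].'remote-endpoint' -replace ':\d+$', ''
            }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'RemoteIP'; e = { $_.Name } },
                      @{ n = 'Sessions'; e = { $_.Count } }
}

# Constructed sample rows (not real log data): two anonymous sessions from one
# host, one authenticated session, one anonymous session from a second host.
$sampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2025-02-05T08:00:01.000Z,EX01\Default Frontend EX01,08DD0001,3,10.0.0.10:25,10.0.30.7:50211,<,MAIL FROM:<scanner@example.com>,
2025-02-05T08:05:01.000Z,EX01\Default Frontend EX01,08DD0002,3,10.0.0.10:25,10.0.30.7:50290,<,MAIL FROM:<scanner@example.com>,
2025-02-05T08:06:00.000Z,EX01\Default Frontend EX01,08DD0003,5,10.0.0.10:25,10.0.20.15:41000,>,235 2.7.0 Authentication successful,
2025-02-05T08:06:01.000Z,EX01\Default Frontend EX01,08DD0003,6,10.0.0.10:25,10.0.20.15:41000,<,MAIL FROM:<crm@example.com>,
2025-02-05T08:07:00.000Z,EX01\Default Frontend EX01,08DD0004,3,10.0.0.10:25,10.0.40.9:33000,<,mail from:<ups@example.com>,
'@

# On a server, pass the output of Get-Content over the receive protocol log files instead.
Get-UnauthenticatedSender -Line ($sampleLog -split '\r?\n') | Format-Table -AutoSize
```

The addresses it lists are the hosts still submitting without authentication on the audited connector, which is the set to review with the application owners before anonymous is removed.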
