Forum Discussion
Limit unauthenticated mail
- Feb 05, 2025
Hi Gly
>I could create a connector that contains the IP-ranges of our employee networks, but that seems a bit backwards
What would be the difference?
You probably have disabled mail flow from the Internet to Exchange.
So already today only internal Applications can send unauthenticated Mails.
What I would recommend:
Analyze your SMTP Protocol Log.
Talk to the Application Owners to use SMTP Authentication.
For those Applications that do not support SMTP Authentication, use a special Relay Receive Connector and add only the IPs (not IP ranges),
for example: relay.domain.com (and use a matching Certificate) so the Clients can use TLS.
https://practical365.com/exchange-2019-smtp-relay-services/
Last, remove 'anonymous authentication' from the 'Default Frontend' Receive Connector.
Kind Regards
Andres
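The steps Andres lists (inspect the SMTP receive protocol log, build a dedicated relay connector for the few hosts that cannot authenticate, then drop anonymous access from the Default Frontend connector) as one Exchange Management Shell script. This is an added example, not code from the thread or from the practical365 article; the server name EX01, the host addresses 10.0.5.20 and 10.0.5.21, the connector name "Application Relay" and the log path under $env:ExchangeInstallPath are assumptions, and the "235 reply means the session authenticated" rule is a heuristic, not an Exchange guarantee.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Mailbox server. Assumed values: EX01, relay.domain.com (from the post), 10.0.5.20/21.
$Server     = 'EX01'
$RelayFqdn  = 'relay.domain.com'
$RelayHosts = @('10.0.5.20', '10.0.5.21')   # one host each, deliberately no ranges
$LogPath    = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'

# Step 1: make the front-end connector log every session so the analysis below has data.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -ProtocolLoggingLevel Verbose

# Step 2: list clients that submitted mail without authenticating.
# The log is CSV with '#'-prefixed header lines; the field list is the documented one.
function Get-AnonymousSubmitters {
    param([string]$Path)
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = Get-ChildItem -Path $Path -Filter '*.LOG' |
        Get-Content |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $fields

    $anon = foreach ($session in ($rows | Group-Object 'session-id')) {
        $lines = $session.Group
        # Heuristic (assumption): a '>' line carrying a 235 reply means AUTH succeeded;
        # a session with MAIL FROM but no 235 is an anonymous submission.
        $authed   = $lines | Where-Object { $_.event -eq '>' -and $_.data -like '235*' }
        $sentMail = $lines | Where-Object { $_.event -eq '<' -and $_.data -like 'MAIL FROM*' }
        if (-not $authed -and $sentMail) {
            [pscustomobject]@{
                RemoteIP  = ($lines[0].'remote-endpoint' -split ':')[0]
                Connector = $lines[0].'connector-id'
            }
        }
    }
    # One row per source IP: this is the list to take to the application owners.
    $anon | Group-Object RemoteIP | Sort-Object Count -Descending |
        Select-Object @{n='RemoteIP';e={$_.Name}}, Count,
                      @{n='Connector';e={ ($_.Group.Connector | Select-Object -Unique) -join ',' }}
}
Get-AnonymousSubmitters -Path $LogPath | Format-Table -AutoSize

# Step 3: dedicated relay connector, restricted to the listed hosts, with the
# relay FQDN and its certificate so clients can use STARTTLS.
New-ReceiveConnector -Name 'Application Relay' -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $RelayHosts `
    -Fqdn $RelayFqdn -AuthMechanism Tls -PermissionGroups AnonymousUsers

$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $RelayFqdn } |
    Select-Object -First 1
if ($cert) {
    # TlsCertificateName expects the "<I>issuer<S>subject" form
    Set-ReceiveConnector -Identity "$Server\Application Relay" `
        -TlsCertificateName "<I>$($cert.Issuer)<S>$($cert.Subject)"
}

# Relay (accept any recipient) is granted only on this connector, only to these IPs.
Get-ReceiveConnector -Identity "$Server\Application Relay" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Step 4: remove AnonymousUsers from the Default Frontend connector, keeping the rest.
$fe     = Get-ReceiveConnector -Identity "$Server\Default Frontend $Server"
$groups = $fe.PermissionGroups.ToString() -split ',\s*' | Where-Object { $_ -ne 'AnonymousUsers' }
Set-ReceiveConnector -Identity $fe.Identity -PermissionGroups ($groups -join ',')
```

Run step 2 on its own first and let the log accumulate for a few days before touching connectors; anything that shows up there and is not on the relay host list will stop working after step 4. Step 4 also assumes, as Andres does above, that Internet mail does not arrive directly on the Default Frontend connector; if it does, that connector still needs anonymous access and the relay restriction should be expressed through the dedicated connector alone.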
I see that sentence was a bit lacking. I meant to create a connector for the employee network that did not allow anonymous posting. Then it becomes a kind of block list instead of an allow list. What I meant was that it is always better to only allow the specific applications that should be allowed to send, and block everything else.
Thank you for the recommendation, Andres.