I have been reviewing the SMTP relay in my organisation. What we refer to as the SMTP relay is a receive connector on the front end transport service in exchange 2016 that has ExternalAuthoratative authentication mechanism enabled on it and a large list of RemoteIPRanges associated with it. From a review it seems that any system with an IP address in that range can:
Send mail with any from address including address from exchange mailboxes but also from internet domains
This seems bonkers to me as I easily created a dummy mail that appeared to come from an internal staff member but simply came from some python code running on one of those 'whitelisted' systems. I'm wondering how to harden this?
For starters, many modern devices like printers, back end applications etc. support basic auth for mail sending so I'm thinking:
Create a new connector for systems that simply cannot do authentication with and add those IP address. This will have the authentication mechanism of ExternalAuthoratative
For all systems that do support authentication create a new connector and remove the ExternalAuthoratative authentication mechanism and add in basic authentication and enforce TLS as a transport
For 2, can I also restrict the IP ranges that can use this? Also, how to prevent these devices sending with any sender address?