The “Require That All Senders are Authenticated” Does Not Work As Expected in Exchange 2007

exchange 2007, hub transport


I recently ran across an issue where one company was setting the “Require that all senders are authenticated” checkbox on a particular mail distribution group in Exchange 2007.

[Screenshot: the “Require that all senders are authenticated” checkbox on the distribution group]

Most organizations set this to ensure that only authenticated users of the internal Exchange organization can email the group, which effectively stops external senders from reaching it (from the shell the same setting is Set-DistributionGroup -RequireSenderAuthenticationEnabled $true).  This is particularly useful when the group is an extremely broad one such as “ALLUSERS” or something similar.

The problem was that even with this checked, the group was still receiving emails from outside senders.  What gives?  Well, I started doing a little digging, and this is what I found.

The company had followed this article by Scott Landry of the Exchange Team.  The article discusses two ways to allow application servers, such as SharePoint, to relay through Exchange 2007.

If you read Scott’s article, his tone indicates that these applications are really internal applications.  He lists two methods for doing so: the first is to set the receive connector to Externally Secured, and the second is to manually grant the relay permission using PowerShell.  The company having this issue had used the first method, Externally Secured, but was using it to allow a 3rd party SMTP server on its DMZ, used for spam filtering, to relay into Exchange.  So what’s the problem?  Essentially, the method they used gave TOO much permission to the 3rd party server.  Let’s take a look.

Scott’s article says to create a new receive connector scoped to the IP address of the 3rd party server.  So, assuming our third party server has an IP address of 192.168.1.5, the connector would look like the following:

[Screenshot: the receive connector’s Network tab with 192.168.1.5 as the only remote IP address]

Next, the article says to edit the Authentication and Permission Groups tabs, so that “Exchange Servers” is set on the Permission Groups tab:

[Screenshot: Permission Groups tab with “Exchange Servers” checked]

and then “Externally Secured” is selected on the Authentication tab:

[Screenshot: Authentication tab with “Externally Secured” checked]

After this, the 3rd party server would be allowed to relay.  So you ask, what’s the problem?  Well, by setting the above, most importantly “Exchange Servers” on the Permission Groups tab (which Exchange requires whenever the authentication mechanism is Externally Secured), you are essentially telling Exchange 2007 that any email arriving on this connector should be treated exactly as if it originated from another Exchange 2007 server.  This means the emails bypass anti-spam processing and message size limits, and are stamped as internal, authenticated mail.  Scott lays out exactly which extended rights are granted to the Externally Secured Servers group:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

Now, any email from this connector will bypass the “Require That All Senders are Authenticated” check box, because ms-Exch-SMTP-Accept-Authentication-Flag lets the connection assert that its messages are authenticated, and according to Exchange 2007 they therefore are!

So, how do you fix it?  It couldn’t be easier; Scott’s article already tells us how.  His Option 2 grants only the relay permission (ms-Exch-SMTP-Accept-Any-Recipient) to Anonymous Users on the connector, and nothing else.

We change the permission groups so that only “Anonymous users” is checked, and remove “Externally Secured” from the Authentication tab:

[Screenshot: Permission Groups tab with only “Anonymous users” checked]

[Screenshot: Authentication tab with “Externally Secured” unchecked]

And then run one little PowerShell command from the Exchange Management Shell:

Get-ReceiveConnector "3rd Party Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

[Screenshot: Exchange Management Shell output of the Add-ADPermission command]

That’s it.  Now the third party server can send email into the organization, but its messages are treated as outside email.  This means they are subject to size limits and anti-spam processing, and are rejected if sent to a group that has “Require That All Senders Are Authenticated” checked.  Two things to keep in mind: the connector must stay scoped to the filter’s IP address only, because granting ms-Exch-SMTP-Accept-Any-Recipient to Anonymous Logon on a connector that accepts any remote IP turns the server into an open relay; and if you genuinely do not want the filter’s mail run through Exchange’s own anti-spam agents a second time, grant just ms-Exch-Bypass-Anti-Spam to Anonymous Logon on the same connector rather than falling back to Externally Secured.  You can confirm the resulting rights with Get-ReceiveConnector "3rd Party Relay" | Get-ADPermission.
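As an added example, not taken from the original post or from Scott’s article, here is the whole fix as one Exchange Management Shell session: it creates the relay connector the Option 2 way (or repairs one that was built the Option 1 way), grants only the relay right to Anonymous Logon, and then audits every receive connector on the server for the two rights that caused the problem above. The Hub Transport server name HUB01, the connector name “3rd Party Relay”, and the group name ALLUSERS are assumptions; 192.168.1.5 is the filter address used above.

```powershell
# Added example, not part of the original post. Assumes a Hub Transport server named HUB01,
# the DMZ spam filter at 192.168.1.5, and a distribution group named ALLUSERS.

$filterIP = "192.168.1.5"

# 1. Create or repair the relay connector. It is scoped to the filter's IP only, uses no
#    authentication mechanism, and carries only the Anonymous Users permission group.
#    A second connector on 0.0.0.0:25 is allowed because its RemoteIPRanges is more specific
#    than the default connector's. Never widen RemoteIPRanges to all addresses: with the relay
#    right granted below, that would make HUB01 an open relay.
$connector = Get-ReceiveConnector "HUB01\3rd Party Relay" -ErrorAction SilentlyContinue
if ($connector -eq $null) {
    $connector = New-ReceiveConnector -Name "3rd Party Relay" -Server HUB01 -Usage Custom `
        -Bindings "0.0.0.0:25" -RemoteIPRanges $filterIP `
        -AuthMechanism None -PermissionGroups AnonymousUsers
} else {
    # Connector built per Option 1: drop ExternalAuthoritative and the Exchange Servers group.
    Set-ReceiveConnector -Identity $connector -AuthMechanism None `
        -PermissionGroups AnonymousUsers -RemoteIPRanges $filterIP
}

# 2. Grant only the right needed to relay to recipients outside the accepted domains.
#    The Anonymous Users group already supplies ms-Exch-SMTP-Submit and Accept-Any-Sender;
#    it must not get ms-Exch-SMTP-Accept-Authentication-Flag or ms-Exch-Bypass-Anti-Spam.
$connector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Audit: for each receive connector on HUB01, print its settings and any non-Deny ACE that
#    grants the authentication flag or the anti-spam bypass. Expect to see these only for the
#    Exchange server groups, never for Anonymous Logon or a 3rd party relay principal.
Get-ReceiveConnector -Server HUB01 | ForEach-Object {
    $rc = $_
    Write-Host ("{0}: AuthMechanism={1} PermissionGroups={2} RemoteIPRanges={3}" -f `
        $rc.Name, $rc.AuthMechanism, $rc.PermissionGroups, $rc.RemoteIPRanges)
    $rc | Get-ADPermission | ForEach-Object {
        $ace = $_
        $rights = [string]::Join(",", ($ace.ExtendedRights | ForEach-Object { $_.ToString() }))
        if (-not $ace.Deny -and ($rights -match "Accept-Authentication-Flag|Bypass-Anti-Spam")) {
            Write-Host ("    {0} -> {1}" -f $ace.User, $rights)
        }
    }
}

# 4. Confirm the group really does require authenticated senders.
Get-DistributionGroup ALLUSERS | Format-List Name, RequireSenderAuthenticationEnabled
```

Run this from the Exchange Management Shell on the Hub Transport server. Step 3 is the part worth keeping around: a line such as `NT AUTHORITY\ANONYMOUS LOGON -> ms-Exch-SMTP-Accept-Authentication-Flag` under any connector is exactly the misconfiguration that lets outside mail into an authenticated-senders-only group.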
