Receive Connector Security Permissions

kubilay — Thu, 06 Nov 2008 10:40:00 GMT

In Exchange 2007 SMTP Virtual Servers are replaced with Send and Receive Connectors that makes it easier to manage the mail flow. Setting a receive connector to your Hub server is pretty easy and after making a few decisions (name of the connector, bindings, remote IP range, allowed authentication mechanism etc) your Exchange environment becomes ready to allow SMTP traffic in. There are also permission groups that are pre-defined so that you can configure who can use this connector. Most of times Exchange Management Console will make you forget about Security tab that you had at SMTP Virtual Servers of Exchange 2003; unless you are in need of doing something more granular. In such a moment calmly right click on your Receive Connector and search for a Security tab; but don’t push too hard because there isn’t any.

Don’t Panic!!

Instead just open your Exchange Management Shell and write down the following command:

[PS] C:\>Get-ReceiveConnector Default* | Get-ADPermission

Too much output for just one command? OK, let’s look for something more granular. By default Anonymous Users are not enabled for Default Receive Connector as may be seen from the picture above. Let’s look at what are the “Anonymous Logon” group’s Security permissions on this Receive Connector object:

So one must be authenticated before starting to submit messages to this connector; as Anonymous Logon group does not have any permission related with SMTP usage. Below you can find a list of SMTP permissions that you can set on your receive connectors:

1. ms-Exch-SMTP-Submit

If SMTP Receive Session does not have this permission, remote side will fail to submit messages to this connector.

So let’s make Anonymous Logon group to have this permission

And then try to telnet this receive connector again

2. ms-Exch-SMTP-Accept-Any-Sender

Above I was again unsuccessful, because Anonymous Logon doesnt have ms-Exch-SMTP-Accept-Any-Sender permission that SMTP session needs to allow sender to use any domain name.

So again let’s make Anonymous Logon group to have this permission

And then try to telnet this receive connector again

So now I was successful as a Sender using a domain name “a.com”; but then I changed my mind and wanted to send from “bb.dmn” domain which again turn into a failure message;

But WHY??

Exchange Receive Connectors have two different permission to accept domains at MAIL FROM verb. They are the domains

i. that are configured as authoritative and internal relay (this Exchange organization has been configured and is responsible to deliver messages)

ii. and they are other domains that are configured as External Relay or does not configured at all

So let’s find out which domains has been configured for this Exchange organization as authoritative

As it may be seen from the output “bb.dmn” is authoritative domain; and this is WHY we cannot send mail from a sender that is using this domain. To make receive connector accepts this kind of senders SMTP session must have ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission

3. ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

So let’s make Anonymous Logon group to have this permission

And then try to telnet this receive connector again

So almost everything is OK. SMTP session accepts any MAIL FROM verb; as a sender using any domain and as a sender using authoritative domain. SMTP session accepts a recipient that is internal to Exchange Organization (authoritative domain) but refused to deliver message to outside of the organization which means we are secure and not making open relaying. So what permission is missing from SMTP session so that we couldn’t relay message to outside. Check out the next one please!!

4. ms-Exch-SMTP-Accept-Any-Recipient

This is an IMPORTANT permission and must be clearly identified which groups have this permission; as an SMTP session with this permission can deliver messages to outside of the Exchange organization. If you have an internet-faced receive connector configured with Anonymous Logon group with this permission; this means you have an OPEN-RELAY server!!

So just for educational purposes let’s give this permission to Anonymous Logon group:

And then telnet 25 and try to relay message to a domain that is external to Exchange Organization such as “b.com”

Voola!! We have an OPEN RELAY SMTP server

5. ms-Exch-SMTP-Accept-Authentication-Flag

This permission allows Exchange servers that are running earlier versions of Exchange Server to submit messages from internal senders. Exchange 2007 servers recognize the message as internal. The sender can declare the message as "trusted".

6. ms-Exch-Accept-Headers-Routing

If you ever had a look at the headers of an incoming mail you would noticed that you can see all bypassing SMTP server information from sender to recipient. By using Outlook you can see those headers from Message Options (below you can see an example). As a message flows from SMTP server to server, each receiving server signs its signature inside the message (Received: header). So if a message flows over (let’s say) 3 SMTP servers before leaving the organization recipient of your messages can identify the names and IPs of your internal mail servers.

If you want to avoid this simply Deny this permission from your Send Connector for Anonymous Logon user

7. ms-Exch-Accept-Headers-Organization

This permission allows the session to submit a message that has all organization
headers intact. Organization headers all start with “X-MS-Exchange-Organization-“.
If this permission isn't granted, the receiving server strips all organization
headers.

8. ms-Exch-Accept-Headers-Forest

This permission allows the session to submit a message that has all forest headers intact. Forest headers all start with “X-MS-Exchange-Forest-“. If this permission isn't granted, the receiving server strips all forest headers.

9. ms-Exch-SMTP-Accept-Exch50

This permission allows the session to submit a message that contains the XEXCH50 command. This command is required for interoperability with Exchange 2000 Server and Exchange 2003. The XEXCH50 command provides data, such as the spam confidence level (SCL) for the message.

Can Dedeoğlu

Microsoft Türkiye Exchange Server Destek Mühendisleri... : transport permissions exchange 2007

Receive Connector Security Permissions