Have you changed any configuration of the Default receive connector? If not, then it also accepts Anonymous email addressed to anyone whose email address is in one of your "accepted domains".
To verify that, give me a "Get-ReceiveConnector Default | fl *" and post the output.

Exchange 2003 and Exchange 2010 are connecting via a Routing Group Connector that was created for you magically when you installed the Exchange 2010 server.

VERY LIKELY - based on default configurations - you don't need to change anything. What you want is the default configuration.

If you want to do auth, then use the CLIENT connector to port 587. That will allow you to do outgoing relay. Again, it's already configured in the default configuration.

Exchange 2010 and Exchange 2013 come configured ALMOST completely right out-of-the-box for most people. You've got to create a Send connector and install a certificate or two, and you are off to the races.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, March 6, 2014 5:27 PM
To: [email protected]
Subject: [Exchange] Securing Exchange 2010 for local delivery only, with no auth

Looking for some validation - much appreciated if any of you point out errors, or a better way of doing things.

As part of our transition away from Exchange 2003, I have a two-server Exchange 2010 setup. A CAS server and a Hub/DB server. It's fronted by a Barracuda spam filter, which is currently sending all emails to the Exchange 2003 server, and mail is then delivered to Exchange 2010. That all works well.

In addition, I have a large number of batch files on various machines that send email via blat, etc.

I now need to swing over the Barracuda and the batch files to the CAS machine.

I see two Receive Connectors, Default and Client, on the CAS machine. Both require auth, which the Barracuda doesn't seem to support - I've checked the config, but haven't confirmed with Barracuda, and don't really care to at this point, as I also don't want to change all of my scripts, and worse, require the engineers to change all of their scripts, to use auth of any sort for email.

I believe that the Default RC handles the email from our Exchange 2003 server.

My thought is to narrow the range of accepted IP addresses for the Default RC (only if necessary!) to just the US Exchange 2003 server, and create another RC (perhaps called InternalSMTP) and set it to receive from my validated set of internal addresses without auth - the Barracuda, my machines running scripts, the engineers running scripts, etc.

Is my assumption regarding the Default RC correct, and is this a reasonable approach, or is there a better way of doing this?

I should also note that there is an Exchange 2003 server in each of the two overseas offices, and we're yet undecided as to whether to put Exchange 2010 servers there, or to centralize everything here - because of bandwidth issues. Also, we're at DFL/FFL 2003 Native, though the DCs here in the US are 2008R2. Don't know if any of that makes a difference, but wanted to make sure I don't leave anything out.

Thanks,

Kurt
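
The check this thread turns on, as an added example that is not part of either message: a read-only audit, run in the Exchange Management Shell, that reports for every Receive connector whether it admits anonymous senders, whether its remote IP scope is unrestricted, and whether anonymous senders hold the relay right. The report column names are made up for this example, and the `0.0.0.0-255.255.255.255` string assumes the way Exchange 2010 displays the all-IPv4 range.

```powershell
# Added example: read-only audit of Receive connectors (Exchange Management Shell).
# Written for PowerShell 2.0, which is what Exchange 2010 ships with.

# Assumption: this is how Exchange 2010 renders "any IPv4 address" in RemoteIPRanges.
$anyIPv4 = '0.0.0.0-255.255.255.255'

Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # AnonymousUsers in PermissionGroups means no authentication is required
    # to submit mail to this connector.
    $anonymous = $rc.PermissionGroups.ToString() -match 'AnonymousUsers'

    # A connector scoped to every address is reachable by any host that can
    # open a TCP connection to the binding.
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $unscoped = $ranges -contains $anyIPv4

    # ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON is what
    # lets unauthenticated senders relay to domains outside "accepted domains".
    $relayAce = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
            -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.Deny -and
            ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
        }

    # Column names below are chosen for this example only.
    New-Object PSObject -Property @{
        Connector        = $rc.Identity.ToString()
        Bindings         = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
        AuthMechanism    = $rc.AuthMechanism.ToString()
        PermissionGroups = $rc.PermissionGroups.ToString()
        RemoteIPRanges   = $ranges -join ', '
        AnonymousAllowed = [bool]$anonymous
        UnscopedIPv4     = [bool]$unscoped
        AnonymousRelay   = [bool]$relayAce
        # Worth a review: anonymous submission with no IP restriction, or
        # anonymous relay granted on a connector that is not IP-restricted.
        Review           = [bool](($anonymous -or $relayAce) -and $unscoped)
    }
} | Select-Object Connector, Bindings, AuthMechanism, PermissionGroups,
        RemoteIPRanges, AnonymousAllowed, UnscopedIPv4, AnonymousRelay, Review |
    Format-List
```

A dedicated no-auth connector of the kind Kurt describes should show `AnonymousAllowed : True` with `UnscopedIPv4 : False` and only the intended internal addresses in `RemoteIPRanges`.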
