Create a new receive connector, lock it down to the internal IPs that it will accept anonymous connections from, and allow anonymous connections; this will work.
We do this all the time to allow scanners and such like to email.

Gavin Wilby
IT Support Engineer
SMP Partners Ltd
Clinch’s House, Lord Street, Douglas, Isle of Man IM99 1RZ
Tel +44 1624 682214
Mob +44 7624 480575
[email protected]
www.smppartners.com
A member of the SMP Partners Group of Companies

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: 07 March 2014 01:40
To: [email protected]
Subject: Re: [Exchange] Securing Exchange 2010 for local delivery only, with no auth

On the CAS, and in the EMC, I looked at Server Configuration\Hub Transport, and see two RCs: "Client usmaildb01p" and "Default usmaildb01p"

The new manager, who is doing much of the work for this migration, has changed a few of the names of things, so fulfilling your request stumped me for a few minutes. It looks as if he also changed some of the defaults, which is why I'm having some difficulties with pointing the batch files to the new server.

I looked at the GUI and saw much the same thing as on the AuthMechanism line.
But, here you go:

[PS] C:\Windows\system32>get-receiveconnector "USMAILDB01P\Default USMAILDB01P" | fl

RunspaceId : df01cc12-5634-4aad-81ff-ac2951003160
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {:::25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
AdvertiseClientSettings : False
Fqdn : USMailDB01p.example.org
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : unlimited
MaxInboundConnectionPercentagePerSource : 100
MaxHeaderSize : 64 KB (65,536 bytes)
MaxHopCount : 60
MaxLocalHopCount : 8
MaxLogonFailures : 3
MaxMessageSize : 10 MB (10,485,760 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 5000
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {}
Server : USMAILDB01P
SizeEnabled : EnabledWithoutValue
TarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default USMAILDB01P
DistinguishedName : CN=Default USMAILDB01P,CN=SMTP Receive Connectors,CN=Protocols,CN=USMAILDB01P,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=EXAMPLE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=EXAMPLE,DC=com
Identity : USMAILDB01P\Default USMAILDB01P
Guid : 1f2d1b85-ee22-4462-bafb-f187a6bf261a
ObjectCategory : example.org/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 2014-01-21 18:50:57
WhenCreated : 2014-01-21 15:57:24
WhenChangedUTC : 2014-01-22 02:50:57
WhenCreatedUTC : 2014-01-21 23:57:24
OrganizationId :
OriginatingServer : USdc4.example.org
IsValid : True

On Thu, Mar 6, 2014 at 2:41 PM, Michael B. Smith <[email protected]> wrote:
> Have you changed any configuration of the Default receive connector?
>
> If not, then it also accepts Anonymous email addressed to anyone whose email
> address is in one of your "accepted domains".
>
> To verify that, give me a "Get-ReceiveConnector Default | fl *" and post the
> output.
>
> Exchange 2003 and Exchange 2010 are connecting via a Routing Group Connector
> that was created for you magically when you installed the Exchange 2010
> server.
>
> VERY LIKELY - based on default configurations - you don't need to change
> anything. What you want is the default configuration.
>
> If you want to do auth, then use the CLIENT connector to port 587. That will
> allow you to do outgoing relay. Again, it's already configured in the default
> configuration.
>
> Exchange 2010 and Exchange 2013 come configured ALMOST completely right
> out-of-the-box for most people. You've got to create a Send connector and
> install a certificate or two, and you are off to the races.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Thursday, March 6, 2014 5:27 PM
> To: [email protected]
> Subject: [Exchange] Securing Exchange 2010 for local delivery only,
> with no auth
>
> Looking for some validation - much appreciated if any of you point out
> errors, or a better way of doing things.
>
> As part of our transition away from Exchange 2003, I have a two-server
> Exchange 2010 setup. A CAS server and a Hub/DB server.
>
> It's fronted by a Barracuda spam filter, which is currently sending all
> emails to the Exchange 2003 server, and mail is then delivered to Exchange
> 2010. That all works well.
>
> In addition, I have a large number of batch files on various machines that
> send email via blat, etc.
>
> I now need to swing over the Barracuda and the batch files to the CAS machine.
>
> I see two Receive Connectors, Default and Client, on the CAS machine.
> Both require auth, which the Barracuda doesn't seem to support - I've checked
> the config, but haven't confirmed with Barracuda, and don't really care to at
> this point, as I also don't want to change all of my scripts, and worse,
> require the engineers to change all of their scripts, to use auth of any sort
> for email.
>
> I believe that the Default RC handles the email from our Exchange 2003 server.
>
> My thought is to narrow the range of accepted IP addresses for the Default RC
> (only if necessary!) to just the US Exchange 2003 server, and create another
> RC (perhaps called InternalSMTP) and set it to receive from my validated set
> of internal addresses without auth - the Barracuda, my machines running
> scripts, the engineers running scripts, etc.
>
> Is my assumption regarding the Default RC correct, and is this a reasonable
> approach, or is there a better way of doing this?
>
> I should also note that there is an Exchange 2003 server in each of the two
> overseas offices, and we're yet undecided as to whether to put Exchange 2010
> servers there, or to centralize everything here - because of bandwidth
> issues. Also, we're at DFL/FFL 2003 Native, though the DCs here in the US are
> 2008R2. Don't know if any of that makes a difference, but wanted to make sure
> I don't leave anything out.
>
>
> Thanks,
>
> Kurt
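
An added example, not written by anyone in this thread: the approach suggested at the top of the thread (a dedicated anonymous receive connector scoped to known internal senders), followed by an audit of every receive connector on the server for anonymous access from any address or anonymous relay rights. The connector name InternalSMTP and the server name come from the messages above; the IP addresses are constructed placeholders.

```powershell
# Added example. Server and connector names are taken from the thread;
# the IP addresses are constructed placeholders (TEST-NET-1), substitute your own.
$server  = 'USMAILDB01P'
$name    = 'InternalSMTP'
$senders = '192.0.2.10', '192.0.2.21', '192.0.2.32-192.0.2.40'

# Dedicated connector: anonymous submission, but only from the listed sources.
# Exchange picks the connector whose RemoteIPRanges most specifically match
# the client address, so these hosts stop landing on the Default connector.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $senders `
    -PermissionGroups AnonymousUsers

# Log SMTP sessions on the new connector so unexpected senders are visible.
Set-ReceiveConnector -Identity "$server\$name" -ProtocolLoggingLevel Verbose

# Audit every receive connector on the server for the two settings that
# turn an anonymous connector into a wider exposure than intended.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $rc     = $_
    $anon   = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })
    $anyV4  = $ranges -contains '0.0.0.0-255.255.255.255'

    # Anonymous relay to external recipients needs this extended right;
    # it is not part of the AnonymousUsers permission group by default.
    $relay = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny -and
                       $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' })

    New-Object PSObject -Property @{
        Connector      = $rc.Identity
        Anonymous      = $anon
        AcceptsAnyIPv4 = $anyV4
        AnonymousRelay = ($relay.Count -gt 0)
        Review         = ($anon -and $anyV4) -or ($relay.Count -gt 0)
    }
} | Format-Table Connector, Anonymous, AcceptsAnyIPv4, AnonymousRelay, Review -AutoSize
```

Any row with Review set to True is a connector that either accepts anonymous SMTP from every IPv4 address or lets anonymous senders relay to external recipients.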
