As I expected.

Will this new connector be overridden by the default RC, whose
settings cover the range? That is, will I have to pare down the
address ranges on the default RC to allow the new one to operate and
accept my exceptions for the unauth RC?


Kurt

On Fri, Mar 7, 2014 at 2:50 AM, Gavin Wilby <[email protected]> wrote:
> Create a new receive connector, lock it down to the internal IP's that it 
> will accept anonymous connections from, and allow anonymous connections, this 
> will work.
>
> We do this all the time to allow scanners and such like to email.
>
> Gavin Wilby
> IT Support Engineer
>
> SMP Partners Ltd
> Clinch’s House, Lord Street,
> Douglas, Isle of Man IM99 1RZ
> Tel +44 1624 682214
> Mob +44 7624 480575
> [email protected] www.smppartners.com
>
> A member of the SMP Partners Group of Companies
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: 07 March 2014 01:40
> To: [email protected]
> Subject: Re: [Exchange] Securing Exchange 2010 for local delivery only, with 
> no auth
>
> On the CAS, and in the EMC, I looked at Server Configuration\Hub Transport, 
> and see two RCs: "Client usmaildb01p" and "Default usmaildb01p"
>
> The new manager, who is doing much of the work for this migration, has 
> changed a few of the names of things, so fulfilling your request stumped me 
> for a few minutes.
>
> It looks as if he also changed some of the defaults, which is why I'm having 
> some difficulties with pointing the batch files to the new server. I looked 
> at the GUI and saw much the same thing as on the AuthMechanism line.
>
> But, here you go:
>
> [PS] C:\Windows\system32>get-receiveconnector "USMAILDB01P\Default 
> USMAILDB01P" | fl
>
> RunspaceId                              : df01cc12-5634-4aad-81ff-ac2951003160
> AuthMechanism                           : Tls, Integrated, BasicAuth,
> BasicAuthRequireTLS, ExchangeServer
> Banner                                  :
> BinaryMimeEnabled                       : True
> Bindings                                : {:::25, 0.0.0.0:25}
> ChunkingEnabled                         : True
> DefaultDomain                           :
> DeliveryStatusNotificationEnabled       : True
> EightBitMimeEnabled                     : True
> BareLinefeedRejectionEnabled            : False
> DomainSecureEnabled                     : False
> EnhancedStatusCodesEnabled              : True
> LongAddressesEnabled                    : False
> OrarEnabled                             : False
> SuppressXAnonymousTls                   : False
> AdvertiseClientSettings                 : False
> Fqdn                                    : USMailDB01p.example.org
> Comment                                 :
> Enabled                                 : True
> ConnectionTimeout                       : 00:10:00
> ConnectionInactivityTimeout             : 00:05:00
> MessageRateLimit                        : unlimited
> MessageRateSource                       : IPAddress
> MaxInboundConnection                    : 5000
> MaxInboundConnectionPerSource           : unlimited
> MaxInboundConnectionPercentagePerSource : 100
> MaxHeaderSize                           : 64 KB (65,536 bytes)
> MaxHopCount                             : 60
> MaxLocalHopCount                        : 8
> MaxLogonFailures                        : 3
> MaxMessageSize                          : 10 MB (10,485,760 bytes)
> MaxProtocolErrors                       : 5
> MaxRecipientsPerMessage                 : 5000
> PermissionGroups                        : ExchangeUsers,
> ExchangeServers, ExchangeLegacyServers
> PipeliningEnabled                       : True
> ProtocolLoggingLevel                    : None
> RemoteIPRanges                          :
> {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
> RequireEHLODomain                       : False
> RequireTLS                              : False
> EnableAuthGSSAPI                        : False
> ExtendedProtectionPolicy                : None
> LiveCredentialEnabled                   : False
> TlsDomainCapabilities                   : {}
> Server                                  : USMAILDB01P
> SizeEnabled                             : EnabledWithoutValue
> TarpitInterval                          : 00:00:05
> MaxAcknowledgementDelay                 : 00:00:30
> AdminDisplayName                        :
> ExchangeVersion                         : 0.1 (8.0.535.0)
> Name                                    : Default USMAILDB01P
> DistinguishedName                       : CN=Default
> USMAILDB01P,CN=SMTP Receive
> Connectors,CN=Protocols,CN=USMAILDB01P,CN=Servers,CN=Exchange
> Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
> Groups,CN=EXAMPLE,CN=Microsoft
> Exchange,CN=Services,CN=Configuration,DC=EXAMPLE,DC=com
> Identity                                : USMAILDB01P\Default USMAILDB01P
> Guid                                    : 1f2d1b85-ee22-4462-bafb-f187a6bf261a
> ObjectCategory                          :
> example.org/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
> ObjectClass                             : {top, msExchSmtpReceiveConnector}
> WhenChanged                             : 2014-01-21 18:50:57
> WhenCreated                             : 2014-01-21 15:57:24
> WhenChangedUTC                          : 2014-01-22 02:50:57
> WhenCreatedUTC                          : 2014-01-21 23:57:24
> OrganizationId                          :
> OriginatingServer                       : USdc4.example.org
> IsValid                                 : True
>
>
> On Thu, Mar 6, 2014 at 2:41 PM, Michael B. Smith <[email protected]> 
> wrote:
>> Have you changed any configuration of the Default receive connector?
>>
>> If not, then it also accepts Anonymous email addressed to anyone whose email 
>> address is in one of your "accepted domains".
>>
>> To verify that, give me a "Get-ReceiveConnector Default | fl *" and post the 
>> output.
>>
>> Exchange 2003 and Exchange 2010 are connecting via a Routing Group Connector 
>> that was created for you magically when you installed the Exchange 2010 
>> server.
>>
>> VERY LIKELY - based on default configurations - you don't need to change 
>> anything. What you want is the default configuration.
>>
>> If you want to do auth, then use the CLIENT connector to port 587. That will 
>> allow you to do outgoing relay. Again, it's already configured in the 
>> default configuration.
>>
>> Exchange 2010 and Exchange 2013 come configured ALMOST completely right 
>> out-of-the-box for most people. You've got to create a Send connector and 
>> install a certificate or two, and you are off to the races.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Thursday, March 6, 2014 5:27 PM
>> To: [email protected]
>> Subject: [Exchange] Securing Exchange 2010 for local delivery only,
>> with no auth
>>
>> Looking for some validation - much appreciated if any of you point out 
>> errors, or a better way of doing things.
>>
>> As part of our transition away from Exchange 2003, I have a two-server 
>> Exchange 2010 setup. A CAS server and a Hub/DB server.
>>
>> It's fronted by a Barracuda spam filter, which is currently sending all 
>> emails to the Exchange 2003 server, and mail is then delivered to Exchange 
>> 2010. That all works well.
>>
>> In addition, I have a large number of batchfiles on various machines that 
>> send email via blat, etc.
>>
>> I now need to swing over the Barracuda and the batch files to the CAS 
>> machine.
>>
>> I see two Receive Connectors, Default and Client, on the CAS machine.
>> Both require auth, which the Barracuda doesn't seem to support - I've 
>> checked the config, but haven't confirmed with Barracuda, and don't really 
>> care to at this point, as I also don't want to change all of my scripts, and 
>> worse, require the engineers to change all of their scripts, to use auth of 
>> any sort for email.
>>
>> I believe that the Default RC handles the email from our Exchange 2003 
>> server.
>>
>> My thought is to narrow the range of accepted IP addresses for the Default 
>> RC (only if necessary!) to just the US Exchange 2003 server, and create 
>> another RC (perhaps called InternalSMTP) and set it to receive from my 
>> validated set of internal addresses without auth - the Barracuda, my 
>> machines running scripts, the engineers running scripts, etc.
>>
>> Is my assumption regarding the Default RC correct, and is this a reasonable 
>> approach, or is there a better way of doing this?
>>
>> I should also note that there is an Exchange 2003 server in each of the two 
>> overseas offices, and we're yet undecided as to whether to put Exchange 2010 
>> servers there, or to centralize everything here - because of bandwidth 
>> issues. Also, we're at DFL/FFL 2003 Native, though the DCs here in the US 
>> are 2008R2. I don't know if any of that makes a difference, but wanted to make 
>> sure I don't leave anything out.
>>
>>
>> Thanks,
>>
>> Kurt
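The approach Gavin describes (a separate receive connector restricted to known internal addresses that permits anonymous sessions) written out as an Exchange Management Shell script. This is an added example, not something posted in the thread. Exchange hands an inbound session to the receive connector whose RemoteIPRanges contains the most specific match for the source address, so a single-host or small-range entry on the new connector takes precedence over the default connector's 0.0.0.0-255.255.255.255 range without that range having to be narrowed. The connector name "InternalSMTP" comes from Kurt's proposal; the IP ranges are constructed placeholders, and the server name is the one shown in the Get-ReceiveConnector output above.

```powershell
# Added example (not from the thread): dedicated anonymous receive connector for
# trusted internal senders on Exchange 2010, followed by an audit of every
# connector that accepts anonymous sessions.
# Assumptions: server USMAILDB01P (from the thread), connector name "InternalSMTP"
# (Kurt's proposed name), and constructed placeholder addresses for the Barracuda
# and the script hosts; replace $trusted with the real list.

$server  = "USMAILDB01P"
$trusted = @("192.0.2.10", "192.0.2.20-192.0.2.29", "198.51.100.0/24")   # constructed placeholders

# -Custom creates the connector with no permission groups or auth methods, so
# nothing is accepted until the next step sets them explicitly.
New-ReceiveConnector -Server $server -Name "InternalSMTP" -Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $trusted `
    -Comment "Anonymous submission from Barracuda and script hosts only"

# AnonymousUsers lets unauthenticated hosts in the listed ranges submit mail to
# recipients in the accepted domains only; it does not turn the connector into an
# open relay. Tls is offered but not required (-RequireTLS stays False) because
# blat-style scripts generally do not negotiate STARTTLS.
Set-ReceiveConnector "$server\InternalSMTP" `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism Tls `
    -ProtocolLoggingLevel Verbose      # keep a per-session record of anonymous submissions

# Audit: list every connector on the server that accepts anonymous sessions, with
# the ranges and bindings it answers for. The default connector should not appear
# here unless someone has added AnonymousUsers to it.
Get-ReceiveConnector -Server $server |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, Bindings, RemoteIPRanges, AuthMechanism, RequireTLS -AutoSize
```

The audit at the end is the check worth re-running after any later change: a connector whose RemoteIPRanges still spans 0.0.0.0-255.255.255.255 while carrying AnonymousUsers would accept unauthenticated mail from any host that can reach port 25.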

