We have a similar situation here, also using Exchange 2010 - we have
two classes of non-human email senders, those that send emails for
internal use only and are allowed to send anonymously but only
internally, and those that come from our CRM and go to external
customers - we've allowed these to send anonymously also.

The approach I took was to set up an extra IP address (with matching
FQDN in DNS - I used "allowanonymousinternal.example.tld" and
"allowanonymousexternal.example.tld") on the Exchange server for each
of the two new connectors, then limit incoming to each connector to
specific sending IP addresses.

So far it's worked well for us.

Kurt
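
The per-IP connector split Kurt describes, as an added Exchange Management Shell example that is not Kurt's or Tony's own script; the server name, bound IP addresses and RemoteIPRanges are placeholders, and the closing audit loop is the check a security reviewer would want before signing off on the "all or nothing" concern raised below.

```powershell
# Added example (not Kurt's or Tony's own script). The server name, the two
# extra IP addresses bound to each connector and the source IP ranges are
# placeholders; substitute your own.
$Server = "EXCH01"

# Connector 1: internal-only anonymous senders, bound to its own IP so the
# Default connector stays untouched. The AnonymousUsers permission group
# grants ms-Exch-SMTP-Submit and Accept-Authoritative-Domain-Sender but NOT
# ms-Exch-SMTP-Accept-Any-Recipient, so mail addressed to a non-accepted
# domain is rejected with 550 5.7.1 Unable to relay.
New-ReceiveConnector -Name "Anon Internal Only" -Usage Custom `
    -Server $Server `
    -Bindings "192.0.2.10:25" `
    -RemoteIPRanges "10.10.5.20","10.10.5.21" `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers `
    -Fqdn "allowanonymousinternal.example.tld"

# Connector 2: CRM hosts that must reach external customers. Same shape on a
# second IP, plus the single extended right that turns a connector into a
# relay. Keep RemoteIPRanges as narrow as possible on this one.
New-ReceiveConnector -Name "Anon External Relay" -Usage Custom `
    -Server $Server `
    -Bindings "192.0.2.11:25" `
    -RemoteIPRanges "10.10.7.5" `
    -AuthMechanism None `
    -PermissionGroups AnonymousUsers `
    -Fqdn "allowanonymousexternal.example.tld"

Get-ReceiveConnector "$Server\Anon External Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: list every connector on which anonymous logon may relay to any
# recipient, with its bindings and accepted source ranges. A row bound to
# 0.0.0.0 or with a broad RemoteIPRanges is an open-relay risk.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $rc = $_
    $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
        ForEach-Object {
            [pscustomobject]@{
                Connector      = $rc.Name
                Bindings       = ($rc.Bindings -join ",")
                RemoteIPRanges = ($rc.RemoteIPRanges -join ",")
            }
        }
} | Format-Table -AutoSize
```

Run the audit block alone on an existing server first; it changes nothing and shows exactly which connectors already permit anonymous relay.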

On Wed, Jul 22, 2015 at 7:27 AM, Tony Patton <[email protected]> wrote:
> Hi folks,
>
> We have a requirement to try to restrict applications relaying via Exchange
> to the internal domain and another email domain, without opening it up to
> allow emails to relay to any and all domains, unless the IP has been added
> to the allowed list.
>
> The internal Exchange domain is CompanyA.com, which routes all external
> emails to MimeSweeper filters, no Exchange Edge servers are implemented.
>
> We do have smtp receive connectors set up for the applications to relay with
> IP address restrictions, but it is either all or nothing as far as external
> email goes and Security aren't happy with that approach.  The sending
> servers/applications either can't or won't use Authentication, so all
> connections to the receive connector are Anonymous.
> The Send connector is configured to route mail via the smart hosts by IP, so
> doesn't try to resolve the CompanyB.com MX record.
>
> Remote domains is the Default *, and a single Send Connector with address *
> pointing to the MimeSweeper servers.
>
> Can an Accepted Domain configured as "External Relay Domain" with the
> CompanyB.com domain accomplish what we are being asked to do?  I.e. any
> server not allowed by IP can then send to both domains, with the emails for
> CompanyB sent to the MimeSweeper filters as normal?  Or is there another
> "safe" way to do this? Or something I'm missing completely?
>
> Obviously we don't want to impact emails being sent by CompanyA users to
> CompanyB users.
>
> The servers are Exchange 2010 SP3 RU6, soon to be RU9, if that has a bearing
> on it.
>
> If it can't be done easily or safely, for various definitions of both, they
> will just have to fight it out with the security team.
>
> I've looked at various TechNet & MSExchange.org articles, but everything
> I've come across assumes that Edge servers are in place, so I'm looking for
> alternate confirmation on whether it will work or not.
>
> If I haven't explained it correctly, hit me with a big stick, I've been
> coming back to this over the course of the day so may be a bit muddled :)
>
> Thanks,
>
> Tony