On Wed, Jul 22, 2015 at 10:42 AM, Tony Patton <[email protected]> wrote: > That's what we have here, but the issue is that it then allows to send to > any external email address, they want to restrict it to the internal domain > and a *trusted* domain only.
I get that, but my question would be "Is this app hardcoded to send only to this trusted domain, or can users specify the destination?" If the latter, well, I'd seek a way to mitigate that within the app. If the former, I wouldn't worry abut it. > Some systems have a legitimate need to be sending to all external domains, > and we add the IPs of those to the allowed list. Yup. > We have another contract that is a subset of the parent organisation, and > that domain is set as an internal relay, so if the mailbox isn't on that > exchange environment the mails get sent to the smart host. > > I'd sorry of hoped that the external relay domain would have worked for the > issue on this contract, I.e. Relay all mail it receives on the receiver > connector from the apps servers straight to the smart host. I wonder if there's a way to use some Exchange scripting to handle that. I don't see a way to set a smarthost on a receive connector. It would be a nice feature, though. > That way only anything that has a legitimate need to email beyond those 2 > domains needs to be added to the allowed list. > > I'll just tell them that it can't be done, and they need to get security > approval before getting added to the allowed list. Much simpler on my side > :-) > > Tony Seems like your best bet, unless you want to set up another box with a hub transport role and put a smarthost on that for your purpose. Or, getting more exotic, set up a *nix box with Postfix to do the same thing. Actually, setting up a limited VM with just hub transport on it might be an interesting way of handling this... Kurt > On 22 Jul 2015 17:59, "Kurt Buff" <[email protected]> wrote: >> >> We have a similar situation here, also using Exchange 2010 - we have >> two classes of non-human email senders, those that send emails for >> internal use only and are allowed to send anonymously but only >> internally, and those that come from our CRM and go to external >> customers - we've allowed these to send anonymously also. >> >> The approach I took was to set up an extra IP address (with matching >> FQDN in DNS - I used "allowanonymousinternal.example.tld" and >> "allowanonymousexternal.example.tld") on the Exchange server for each >> of the two new connectors, then limit incoming to each connector to >> specific sending IP addresses. >> >> So far it's worked well for us. >> >> Kurt >> >> On Wed, Jul 22, 2015 at 7:27 AM, Tony Patton <[email protected]> wrote: >> > Hi folks, >> > >> > We have a requirement to try to restrict applications relaying via >> > Exchange >> > to the internal domain and another email domain, without opening it up >> > to >> > allow emails to relay to any and all domains, unless the IP has been >> > added >> > to the allowed list. >> > >> > The internal Exchange domain is CompanyA.com, which routes all external >> > emails to MimeSweeper filters, no Exchange Edge servers are implemented. >> > >> > We do have smtp receive connectors set up for the applications to relay >> > with >> > IP address restrictions, but is either an all or nothing as far as >> > external >> > email goes and Security aren't happy with that approach. The sending >> > servers/applications either can't or won't use Authentication, so all >> > connections to the receive connector is Anonymouns. >> > The Send connector is configured to route mail via the smart hosts by >> > IP, so >> > doesn't try to resolve the CompanyB.com MX record. >> > >> > Remote domains is the Default *, and a single Send Connector with >> > address * >> > pointing to the MimeSweeper servers. >> > >> > Can an Accepted Domain configured as "External Relay Domain" with the >> > CompanyB.com domain accomplish what we are being asked to do? I.e. any >> > server not allowed by IP can then send to both domains, with the emails >> > for >> > CompanyB sent to the MimeSweeper filters as normal? Or is there another >> > "safe" way to do this? Or something I'm missing completely? >> > >> > Obviously we don't want to impact emails being sent by CompanyA users to >> > CompanyB users. >> > >> > The servers are Exchange 2010 SP3 RU6, soon to be RU9, if that has a >> > bearing >> > on it. >> > >> > If it can't be done easily or safely, for various definitions of both, >> > they >> > will just have to fight it out with the security team. >> > >> > I've looked at various TechNet & MSExchange.org articles, but everything >> > I've come across assumes that Edge servers in place, so looking for >> > alternate confirmation on whether it will work or not. >> > >> > If I haven't explained it correctly, hit me with a big stick, I've been >> > coming back to this over the course of the day so may be a bit muddled >> > :) >> > >> > Thanks, >> > >> > Tony >> >> >
