Many of the spam messages spoof your domain in the sender address. For example, I might receive a spam message from admin@conexion.ca when my email address is in the conexion.ca domain. Fortunately, in Exchange Server, we can modify the Internet receive connector to block messages from your accepted domains. This means that emails with your domains as the From address will not be accepted from the Internet.
To block inbound messages from our own domain, we remove the extended AD permission ms-exch-smtp-accept-authoritative-domain-sender for the anonymous user on the Internet receive connector. Assuming that have already identified that connector, the following command removes the permission:
Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermissionIf you're like me and want to verify that you've got the right thing before you remove it, use the following command to verify first:
Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Format-List *Before you actually implement this make sure that you don't have any applications or devices such as copiers that submit messages on the Internet connector:
- I have seen copiers in small businesses configured to submit scanned documents via email through the SMTP relay of an ISP instead of the local Exchange server.
- I have also seen external cloud-based applications sending messages to internal users using a from email address of the internal domain.
- Also, sometimes Internal devices are configured with an IP address that uses the same receive connector as used for Internet mail reception. So, verify that the receive connector used for Internet messages does not allow internal IP addresses.
Thanks Byron. I have been experiencing this problem and the emails contain malware (which forunately has been stripped by Exchange 2016). I still would rather not receive them though. I applied the command, with success
ReplyDeleteNice Blog Post !
ReplyDeleteHi. sorry to revive this blog post, but i am searching for answers and i hope you can provide me with some insights
ReplyDeletethis command:
Get-ReceiveConnector "Internet" | Get-ADPermission -User "NT Authority\Anonymous Logon" | Where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
has no effect in 2013 cu24 servers or 2016/2019 exchange.
I did not find a way to block this on a internet facing receive connector on a CAS only exchange 2013 server. It is not an open relay, but with telnet you can use an internal domain address to send email internally. Is there no way to block this anynmore?
i've googled alot, there are lots of forums posts, yet no answer
here is a very recent example :
https://docs.microsoft.com/en-us/answers/questions/203616/ms-exch-smtp-accept-authoritative-domain-sender-de.html?page=2&pageSize=10&sort=oldest
thank you for your time.
I read through your link and it looks like that method is not supported in recent versions of Exchange as you suggest. Quite possible at the time I did that with Exchange 2010.
DeleteIt appears that a transport rule is your best way to go. Here is one example: https://support.knowbe4.com/hc/en-us/articles/212679977-Domain-Spoof-Prevention-in-Exchange-2013-2016-Office-365
That example assumes all inbound mail comes from a single IP address (antispam provider). If your server accepts mail directly from the Internet, you can approach it the opposite way and apply the rule to all inbound messages except known IP addresses that are apps that send using your domain.