Open relay in Microsoft Exchange 2010 (and 2007)

Amazingly, many companies today still forget to close off their Exchange server’s native ability to act as a full open relay.

So just a quick note: a very easy way to make sure you aren’t an open relay is to run the following command from the Exchange Management Shell.

Get-ReceiveConnector "ReceiveConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Don’t forget to replace ReceiveConnectorName with the name of your own receive connector.

That is it; it couldn’t be easier. Don’t let your system become a spammer!

A number of online tools can help you check whether your server is an open relay; I typically use MXToolbox.
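To check every receive connector on a server instead of naming them one at a time, the same permission can be audited in a loop. This is an added example, not part of the original post; the variable names and the $Remediate switch are illustrative assumptions, and it only uses the Get-ReceiveConnector, Get-ADPermission and Remove-ADPermission cmdlets from the Exchange Management Shell.

```powershell
# Added example: audit every receive connector for the anonymous relay right.
# Run from the Exchange Management Shell. Leave $Remediate at $false to report only.
$Remediate = $false                                  # hypothetical switch for this example
$anon      = 'NT AUTHORITY\ANONYMOUS LOGON'
$right     = 'ms-Exch-SMTP-Accept-Any-Recipient'

$report = foreach ($connector in Get-ReceiveConnector) {
    # Allow entries that grant the relay right to anonymous sessions on this connector
    $grants = @($connector | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) })

    # Inherited entries cannot be removed on the connector itself, so list them separately
    $explicit = @($grants | Where-Object { -not $_.IsInherited })

    New-Object PSObject -Property @{
        Connector        = $connector.Identity
        Bindings         = ($connector.Bindings -join ', ')
        AnonymousGroup   = ("$($connector.PermissionGroups)" -match 'AnonymousUsers')
        AnonRelayAllowed = ($grants.Count -gt 0)
        ExplicitEntries  = $explicit.Count
    }

    if ($Remediate -and $explicit.Count -gt 0) {
        # Same command as in the post, applied to the current connector.
        # Remove-ADPermission asks for confirmation before it changes anything.
        $connector | Remove-ADPermission -User $anon -ExtendedRights $right
    }
}

# Connectors where AnonRelayAllowed is True will relay for unauthenticated senders
$report |
    Sort-Object AnonRelayAllowed -Descending |
    Format-Table Connector, Bindings, AnonymousGroup, AnonRelayAllowed, ExplicitEntries -AutoSize
```

Run it once in report mode, confirm that any connector showing AnonRelayAllowed is not one you deliberately scoped for internal application relay, then set $Remediate to $true and run it again.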


Enterprise Consultant
Mimecast

  • Anonymous

    Correct me if I’m wrong, but don’t receive connectors inherently have to accept anonymous connections? And is it not the send connectors that have to have authentication? I’m just in the middle of trying to get Exchange 2010 to properly relay stuff; I swear I’ll be bald from all the hair-pulling by the time I’m done…

  • Nicolas Blank

    Hi Andrew, understand your frustration.
    No,
    Receive Connectors by default do not allow anonymous submission, and
    reciprocally, Send Connectors send anonymously by default, without requiring
    authentication.

  • Vman1

    What do you do if you have 4 or 5 connectors set up?
    Do you have to run it on each one?

  • http://blog.barrulus.com/ Barry Gill

    Hello Vman1 – yes, this has to be run per connector, though you could script that fairly simply to call the connector name…