Wednesday, 1 December 2010

How to filter Exchange 2010 Receive connector permissions that have ms-Exch-SMTP-Accept-Any-Recipient extended right

Just recently I had to document an Exchange 2010 SP1 installation in hosting mode, and I wanted to list all Receive connectors that had the ms-Exch-SMTP-Accept-Any-Recipient extended right assigned to them.

Something like this cannot be seen in the Exchange Management Console, and especially not in Exchange 2010 SP1 hosted mode, because hosted mode does not even have the EMC.

So I had to use a PowerShell script to list all Receive connectors in the Exchange organization that had the ms-Exch-SMTP-Accept-Any-Recipient extended right. Just to be clear, this extended right allows any sender who is permitted to send through that Receive connector to relay e-mail messages to any recipient on the Internet.

Furthermore, I wanted to detect any Receive connector that had the "NT AUTHORITY\ANONYMOUS LOGON" security principal with the ms-Exch-SMTP-Accept-Any-Recipient extended permission assigned. This effectively creates an open SMTP relay for anyone with a network connection to the subnet on which your Hub Transport Exchange server resides.

So, here is the script:

Get-ReceiveConnector | Get-ADPermission | where {$_.AccessRights -eq 'ExtendedRight' -and $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'} | Select Identity,User,ExtendedRights
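An extended version of that check, added here as an example and not part of the original post: it reports every Allow entry that grants ms-Exch-SMTP-Accept-Any-Recipient together with the connector's bindings, skips Deny entries (which also carry the right but grant nothing), and flags grants to "NT AUTHORITY\ANONYMOUS LOGON" as open relays. It assumes it is run in the Exchange Management Shell; the function name and the OpenRelay column are my own.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell,
# which provides Get-ReceiveConnector and Get-ADPermission.
function Get-AnyRecipientRelayGrant {
    param(
        # Security principals whose Allow grant turns the connector into an open relay
        [string[]] $AnonymousPrincipals = @('NT AUTHORITY\ANONYMOUS LOGON')
    )

    Get-ReceiveConnector | ForEach-Object {
        $connector = $_
        Get-ADPermission -Identity $connector.Identity |
            Where-Object {
                $_.AccessRights -contains 'ExtendedRight' -and
                $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
                -not $_.Deny   # a Deny ACE matches the right too, but does not allow relaying
            } |
            ForEach-Object {
                $principal = $_.User.ToString()
                New-Object PSObject -Property @{
                    Server      = $connector.Server
                    Connector   = $connector.Name
                    Bindings    = ($connector.Bindings -join ', ')
                    User        = $principal
                    IsInherited = $_.IsInherited
                    OpenRelay   = ($AnonymousPrincipals -contains $principal)
                } | Select-Object Server, Connector, Bindings, User, IsInherited, OpenRelay
            }
    }
}

# Full listing, with anonymous (open relay) grants sorted to the top
Get-AnyRecipientRelayGrant | Sort-Object OpenRelay -Descending | Format-Table -AutoSize

# Only the connectors that will relay for unauthenticated senders
Get-AnyRecipientRelayGrant | Where-Object { $_.OpenRelay }
```

A connector that legitimately needs anonymous relay (for example, for internal application servers) should show up here with its RemoteIPRanges restricted; anything bound to 0.0.0.0:25 with an anonymous grant deserves a closer look.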

Background check:

ms-Exch-SMTP-Accept-Any-Recipient is an extended permission that is automatically assigned to several permission groups on a Receive connector. For example, the permission group "Exchange Users" is associated with the security principal "Authenticated user accounts", which in turn has the ms-Exch-SMTP-Accept-Any-Recipient extended right. This means that anyone who has authenticated to the Active Directory domain has permission to relay e-mail messages through the Exchange server to any recipient on the Internet.

For more information about Receive connector permission groups check this link:
http://technet.microsoft.com/en-us/library/aa996395.aspx

2 comments:

  1. How to enable recipient filter on Exchange 2010 SP1 hosting mode? When active I have error 550

  2. Exchange 2010 SP1 hosting mode does not work with Recipient Filtering or Content Filtering transport agents. Like you said, Recipient Filtering when active rejects all e-mails, and Content Filtering does not stamp e-mails with an SCL value.
