🧩 Basic information
Exchange servers use receive connectors to control inbound SMTP connections. Several receive connectors are created by default when you install Exchange, both for the FrontEnd Transport service and for the Transport service.
For more information about receive connector properties, permissions and so on, you can visit this article 🔗Receive connectors in Exchange Server
🔄Default FrontEnd receive connector
The primary function of receive connectors in the FrontEnd Transport service is to accept anonymous and authenticated SMTP connections into your Exchange organization. The Default Frontend <ServerName> receive connector is created upon installation and accepts anonymous connections from external SMTP servers (for example, in hybrid configurations) on port 25.
This connector is configured to accept connections for all IPv4 and IPv6 addresses.

The AnonymousUsers permission group is enabled on this connector and is granted the following permissions by default:
- ms-Exch-Accept-Headers-Routing
- ms-Exch-SMTP-Accept-Any-Sender
- ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
- ms-Exch-SMTP-Submit
The ms-Exch-SMTP-Accept-Any-Sender permission allows the session to bypass the sender address spoofing check.
That means that anyone can send emails anonymously from ANY email address to any INTERNAL recipient. This capability is often evaluated by the security department and considered a serious security violation, both for external and internal access.
During my deliveries of Risk Assessment Programs for Exchange Server, we always highlighted this issue for our customers. Even if you have tools for protection from spoofing like SPF, DKIM and DMARC (which are usually implemented for external connections), anonymous submission is still considered a vulnerability depending on the situation, especially if it allows sending emails from your authoritative domains.
📌What about default permissions for Default FrontEnd receive connector?
In real life, companies use several options to receive (and send) internet email:
- Third-party email gateway. In this case the third-party appliance provides advanced content filtering and protection from spoofing, and receiving email from authoritative domains can be explicitly blocked
- Edge servers with integrated or third-party anti-spam solutions
- Accept email directly to Mailbox servers (with integrated or third-party anti-spam solutions)
In the first and second options, Exchange Mailbox servers are not supposed to accept messages from the internet, so the anonymous permission can be removed from the Default FrontEnd receive connector to prevent anonymous sending from the internal network. You can create dedicated connectors for specific systems that still need to send messages without authentication.
💡Note. In some old Exchange 2016 versions, Managed Availability probes used the Default FrontEnd receive connector to submit messages anonymously. Thus, changing connector permissions or properties could break these probes and the corresponding HealthSets could become unhealthy. If you experience this issue, you can create a dedicated connector for the loopback address with the appropriate permissions (example):
New-ReceiveConnector -Name "AnonymousReceive" -Server server -Custom -PermissionGroups AnonymousUsers,ExchangeServers -Bindings "[::]:25","0.0.0.0:25" -RemoteIPRanges 127.0.0.1 -TransportRole FrontEndTransport -ProtocolLoggingLevel Verbose
For the second and third options, you would probably still like to block submissions from authoritative domain senders. For that, you need to remove the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission from the corresponding receive connector that accepts emails from the internet. I cannot find it anymore, but there used to be an official Microsoft article on how to do that:
Get-ReceiveConnector "Some receive connector identity" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
The issue is that it doesn't work for the Default FrontEnd receive connector, and you will still be able to send email from authoritative domains anonymously (as I remember, it was broken in some CU of Exchange Server 2013).
In that case you need to recreate this connector with -TransportRole HubTransport, or create a new connector on another port to avoid collisions (depending on your configuration and requirements).
In case your Edge or Mailbox servers accept messages from the cloud only (a hybrid configuration, for example), you can limit network access to the appropriate Office 365 IP ranges listed in the official article 🔗https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
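Before removing or recreating anything, it helps to see which connectors actually grant these rights to the anonymous principal. The script below is an added audit example, not code from the original post; it assumes it runs in the Exchange Management Shell, only reads configuration, and uses the same Get-ADPermission filtering as the removal command above.

```powershell
# Added example (not from the original post): read-only audit of receive connectors.
# For every connector, report whether the AnonymousUsers permission group is enabled
# and which spoofing-related extended rights "NT AUTHORITY\ANONYMOUS LOGON" holds.

$riskyRights = @(
    'ms-Exch-SMTP-Accept-Any-Sender',                   # bypasses the sender spoofing check
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'   # allows MAIL FROM your own accepted domains
)

Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Extended rights granted (not denied) to the anonymous principal on this connector.
    # ExtendedRights is a collection; convert each element to its string name for comparison.
    $anonRights = Get-ADPermission -Identity $connector.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny } |
        ForEach-Object { $_.ExtendedRights } |
        ForEach-Object { $_.ToString() }

    [PSCustomObject]@{
        Identity         = $connector.Identity
        TransportRole    = $connector.TransportRole
        AnonymousEnabled = ($connector.PermissionGroups -match 'AnonymousUsers')
        Bindings         = ($connector.Bindings -join ', ')
        RemoteIPRanges   = ($connector.RemoteIPRanges -join ', ')
        # Only the rights from $riskyRights that are really present (case-insensitive match)
        RiskyRights      = ($riskyRights | Where-Object { $anonRights -contains $_ }) -join ', '
    }
} |
    # Keep connectors that either enable anonymous submission or still carry a risky right,
    # which also exposes a Default FrontEnd connector where the removal above had no effect.
    Where-Object { $_.AnonymousEnabled -or $_.RiskyRights } |
    Sort-Object Identity |
    Format-Table -AutoSize
```

A connector that shows RemoteIPRanges of 0.0.0.0-255.255.255.255 together with either risky right is the case the post warns about; a dedicated loopback or partner connector with narrow RemoteIPRanges is the intended exception.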
🔍Conclusion
Some customers still accept email from the internet directly on Exchange servers and don't have corresponding protections from spoofing. In any case, it's recommended to check the default permissions on receive connectors and how they affect security in your organization. Find the most appropriate and effective way to protect your organization from spoofing and stay safe!
End.