GAPTHEGURU

Geek with special skills

Exchange 2010: Full description Extended Rights

ms-Exch-SMTP-Submit If the SMTP receive session does not have this permission, it will fail to submit messages. It will fail both the “MAIL FROM” and “AUTH” command. The “AUTH” command will also fail as the credential might have been correct, but the authenticated user or computer will have no chance to do anything useful with the session.

ms-Exch-SMTP-Accept-Any-Recipient If the SMTP receive session does not have this permission, the server will reject the “RCPT TO” command if the recipient domain does not match any accepted domain. You could call this permission also the Relay permission.

ms-Exch-SMTP-Accept-Any-Sender If the SMTP receive session does not have this permission, the server will check sender address spoofing. If the spoofing check fails, the message gets rejected at either “MAIL FROM” or EOD (End Of Data), depending on which sender (envelop or message/header) was found to be spoofed.

ms-Exch-SMTP-Accept-Authoritative-Domain-Sender If the SMTP receive session does not have this permission, the server will reject “MAIL FROM” if the specified address is at an authoritative domain. (An authoritative domain is an administrative domain with at least one mail server responsible for the final delivery of messages addressed to that domain.)

ms-Exch-SMTP-Accept-Authentication-Flag If the SMTP receive session does not have this permission, the server will ignore the AUTH= option that was specified on the “MAIL FROM” command. (Internally, Exchange Servers transfer anonymous messages using “AUTH=<>”.)

ms-Exch-Accept-Headers-Routing If the SMTP receive session does not have this permission, the server will strip all “Received:” headers. Note: This should only happen for client message submissions over SMTP, which is why by default ExchangeUsers do not get this permission. (See RFC 2476.)

ms-Exch-Accept-Headers-Organization If the SMTP receive session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-”.

ms-Exch-Accept-Headers-Forest If the SMTP receive session does not have this permission, the server will strip all forest headers. Those headers all start with “X-MS-Exchange-Forest-”.

ms-Exch-SMTP-Accept-Exch50 If the SMTP receive session does not have this permission, the server will not accept the “XEXCH50″ command. Note: This command is necessary for interoperability with Exchange2000 and Exchange2003. In an environment with only Exchange2007 servers, the “XEXCH50″ command won’t be used once disabled.

ms-Exch-SMTP-Send-Exch50 If the SMTP send session does not have this permission, the server will not send the “XEXCH50″ command.

ms-Exch-Send-Headers-Routing If the SMTP send session does not have this permission, the server will strip all “Received:” headers.

ms-Exch-Send-Headers-Organization If the SMTP send session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Organization-”.

ms-Exch-Send-Headers-Forest If the SMTP send session does not have this permission, the server will strip all organization headers. Those headers all start with “X-MS-Exchange-Forest-”.

ms-Exch-Bypass-Message-Size-Limit If the SMTP receive session has this permission, the server will skip message size restrictions at the protocol level.

ms-Exch-Bypass-Anti-Spam If the SMTP receive session has this permission, the server will pass this permission to anti spam agents, as to skip this message for anti-spam checks.

08/28/2012 Posted by | Exchange server | , | Leave a comment

HOW TO: Prevent annoying spam from your own domain

One of the more annoying types of spam is the one that seems to be coming from your own domain; or worse— from your own email address! Of course, users from your own domain don’t generally spam each other— unless you’re using one of the free web-based email services. And most of us don’t spam ourselves.

Obviously, this is coming from a spammer who has spoofed your email address, or that of someone else from your domain. Unfortunately, SMTP— the protocol that allows mail clients and servers to exchange email, allows headers to be spoofed easily.

In Exchange Server 2010, Accepted Domains tell Exchange which domains to accept email for. If a domain exists as an Accepted Domain, there is no reason external senders should use that domain in the MAIL or FROM headers.

You may have remote POP3/IMAP4 users who use SMTP to send mail. However, such sessions should be authenticated, and preferably use a separate Receive Connector.

Thanks to the extensive Transport Permission model in Exchange 2010, we can easily prevent such spam. Receive Connectors have the ms-exch-smtp-accept-authoritative-domain-sender permission which dictates whether an Accepted Domain can be used in the MAIL orFROM headers. External/internet hosts submit mail to your server without authentication, as anonymous senders. To prevent anonymous senders from sending mail using your domain(s), we need to remove the ms-exch-smtp-accept-authoritative-domain-senderpermission assigned to them.

Use the following command to remove the ms-exch-smtp-accept-authoritative-domain-sender permission from NT Authority\Anonymous Logon on internet-facing Receive Connector(s):

Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

Once this permission is removed, when anonymous senders try to submit mail using your Accepted Domain(s), here’s how the SMTP conversation goes:

220 E12Postcard.e12labs.com Microsoft ESMTP MAIL Service ready at Thu, 28 Aug 2012 06:22:43 -0700
helo
250 E12Postcard.gaptheguru.com Hello [172.31.0.170]
mail from:test@gaptheguru.com
550 5.7.1 Client does not have permissions to send as this sender

Exchange stopped spoofing of P1/envelope headers. Let’s continue the session and try to spoof the P2 headers (the ones in the DATA part of the message) — maybe that’ll work!

mail from:someone@someotherdomain.com
250 2.1.0 Sender OK
rcpt to:test@gaptheguru.com

250 2.1.5 Recipient OK
data
354 Start mail input; end with .
from:test@gaptheguru.com
subject: Header spoofing

This is how we spoof headers, spoof headers.

.
550 5.7.1 Client does not have permissions to send as this sender
quit
221 2.0.0 Service closing transmission channel

As you can see, removing the ms-exch-smtp-accept-authoritative-domain-senderpermission stops spoofing of your domains in both envelope (P1) and message (P2) headers.

When not to remove the permission?
Do not do this change on Receive Connectors used by internal or trusted SMTP hosts (such as copiers/scanners and application servers) that submit mail without authentication. If you use internal/trusted SMTP host, you should make an additional Receive Connector for this purpose.

08/28/2012 Posted by | Exchange server, Recive Connector | , , , | Leave a comment

   

%d bloggers like this: