My customer is running a single (multirole) Exchange 2013 server, patched to CU 10 (build 15.1130.7), with 1 Internet-facing receive connector. We are having a spam issue where outside (Internet) senders are sending messages to our internal users
as themselves, eg jsmith@domain.com receives a spam message from jsmith@domain.com. Domain.com is one of our accepted domains.
To prevent this, we used ADSI Edit to remove the "ms-exch-smtp-accept-authoritative-domain-sender" permission for anonymous logons on the Internet-facing receive connector:
-->ADSI Edit-->Configuration-->Services-->Microsoft Exchange-->Administrative Groups-->Exchange Administrative Group-->Servers-->[server name]-->Protocols-->SMTP Receive Connectors-->[Internet-facing Receive Connector]-->right click, view properties, go to security, select anonymous logon, uncheck "Accept Authoritative Domain Sender".
When this is done, the only 3 remaining "Allow" checkmarks for anonymous logon are: "Submit Messages to Server", "Accept Routing Headers", and "Accept Any Sender".
When this change is made in Exchange 2010 (we have a lab server with 2010), when we tested by sending a message using telnet from jsmith@domain.com to somebodyelse@domain.com, it works correctly and the message is refused as expected. When we do the same thing on the Exchange 2013, the message is delivered, even if we set an explicit "deny" on "Accept Authoritative Domain Sender" instead of just unchecking it.
At least one other company has reported this issue:
https://social.technet.microsoft.com/Forums/office/en-US/18d8e518-92ff-4d5d-b6fd-3852b87c9d1b/exchange-server-2013-and-msexchsmtpacceptauthoritativedomainsender?forum=exchangesvrsecuremessaging
The suggested work-around is to use Exchange's antispam filter to block anything coming from domain.com:
https://social.technet.microsoft.com/Forums/office/en-US/0fdf213c-02e3-4ea1-9e6d-242abf9559b8/prevent-own-domain-spoofed-spam?forum=exchangesvrsecuremessaging
but this is awkward to set up and administer.
Why doesn't 2013 obey the "ms-exch-smtp-accept-authoritative-domain-sender" permissions setting? Would it help to update to CU 11? How can we fix this without using an antispam filtering workaround?
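The same change the post makes in ADSI Edit, expressed in the Exchange Management Shell, together with a read-back of the connector's effective anonymous rights so the result can be verified. This is an added example, not code from the original post; the server name "EX01" and connector name "Internet Receive Connector" are placeholders.

```powershell
# Added example (not from the original post). Placeholders: "EX01" and
# "Internet Receive Connector" stand in for the real server and connector names.
$Server    = "EX01"
$Connector = "$Server\Internet Receive Connector"
$Anon      = "NT AUTHORITY\ANONYMOUS LOGON"

# On a multirole 2013 server there are several receive connectors (Frontend and
# Hub Transport); confirm which one is actually bound to the Internet-facing port.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, TransportRole, Bindings, PermissionGroups

# Extended rights currently allowed to anonymous on the chosen connector
Get-ADPermission -Identity $Connector |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny } |
    Select-Object User, ExtendedRights

# Remove the right that lets an unauthenticated sender claim one of our accepted domains
Remove-ADPermission -Identity $Connector -User $Anon `
    -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender" -Confirm:$false

# Verify: the remaining allowed rights should match the three the post lists
# (Submit Messages to Server, Accept Routing Headers, Accept Any Sender).
(Get-ADPermission -Identity $Connector |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny }).ExtendedRights
```

After the change, the telnet test the post describes (MAIL FROM: an accepted-domain address over an anonymous session) is the behavioural check; the read-back above only confirms the directory object, not what the transport service enforces.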