Receive Connector Default Permission - Is this true?

CoryS

So I read on the msexchangeblog for relaying that when you setup a receive connector and check the "anonymous users" checkbox that you end up not granting the AD permissions for "ms-Exch-SMTP-Accept-Any-Recipient", however when I found this out I was confused as my relay had begun to work (which was setup in early 200 without manually adding this permission. When I went to confirm this by attempting to apply this permission it informed me that it was indeed already applied.

The article is below, and I know its a bit old (12/2006) but I was curious if this fellow had just been mistaken or its been changed since an update... Anyone ever found the need to apply this as it relates to the actions performed in the article? (if you feel like reading it that is!)

http://msexchangeteam.com/archive/2006/12/28/432013.aspx

royal

I actually blogged about this but I'll include a little more info than what I put in my blog since you're talking more about anonymous when I was more focused on Exchange Users:
http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/

Essentially, by default the Exchange Users group is allowed which enables the following:
* Ms-Exch-SMTP-Submit
* Ms-Exch-SMTP-Accept-Any-Recipient
* Ms-Exch-Bypass-Anti-Spam
* Ms-Exch-Accept-Headers-Routing

Allowing the Anonymous Group allows just enough permission for the anonymous group to send mail to the receive connector so it can receive mail from the internet, but it does NOT enable the Ms-Exch-SMTP-Accept-Any-Recipient permission. The anonymous group gets the following permissions:
# Ms-Exch-SMTP-Submit
# Ms-Exch-SMTP-Accept-Any-Sender
# Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
# Ms-Exch-Accept-Headers-Routing

As you can see, Ms-Exch-SMTP-Accept-Any-Recipient is not in there. In order to enable relaying for the anonymous group, you must add the Ms-Exch-SMTP-Accept-Any-Recipient to the connector for that group.

That is where the following command comes into play:

Get-ReceiveConnector "Connector Here" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

As for your situation, not sure why relaying was working without the command. Maybe the application was authenticating to Exchange causing it to be an Exchange User. Have you tried a Get-ReceiveConnector "Connector Here" | Get-ADPermission?

I'd be curious to see what's on there.

CoryS

Hmm its weird cause that is/was allowed... Maybe I ran the cmdlet and forgot about doing it? I checked my transcript logs and it doesnt appear to be anywhere in those.. I am kind of irritated by not knowing, thanks for the good explanation. I am going to create another one just to test and see, I am sure it probably will act as described which would help me sleep tonite (if i ever get that wrapped up it may be time for a break)



(heres a glance at my output for that account in regards to what you mentioned)
"NT AUTHORITY\ANON... False False ms-Exch-SMTP-Accept-Any-Recipient"


Thanks again!

CoryS

Alright.. not to beat a dead horse, but I thought I would post an update. I just finally created a new receive connector and selected "anonymous users", and corrsponding authentication methods (externally secured). It indeed added the

"NT AUTHORITY\ANON... False False ms-Exch-SMTP-Accept-Any-Recipient"

on its own without having to grant this permission... So, at least in my case (surely this isnt isolated to my test lab/production but I wont speak globally) the last step in the blog post seems invalid (to what degree, again it could be just the funky juice I am rocking here)...

Have a great day!