To resolve more than one type of P2 header, add up the corresponding values. For example, to resolve the FROM, TO and CC headers, use 18. Note: You may need to create the registry key for the SMTP virtual server (a numeric value) and the Parameters key if it doesn’t exist. See KBA 288635 – ResolveP2 Functionality in Exchange 2000 Server for more details.

The risk with resolving anonymous senders

However, not only is resolving anonymous senders a bad idea, it’s also a security risk. SMTP, the protocol, allows senders to easily spoof headers. For example, this allows anonymous senders to send mail to your users using your CEO’s email address, and the message will actually appear as if it was sent by an internal/authenticated sender. If a spam message or a message with malicious code or a link gets by your anti-spam & anti-virus scanners, having the sender’s address resolved to a valid internal sender buys it instant credibility.

This is one of the reasons I’ve always wanted Microsoft Outlook to provide an option to show SMTP headers at first look – without the time-wasting, mouse-clicking exercise of selecting a message, right-clicking, selecting Message Options, and viewing what is usually a long message header in a small scrollable text box. It would be great to provide users the option to turn on a “mini” header that shows the actual originating host, and for advanced users – including sysadmins / Exchange administrators who look at headers all day – an option to turn on “full” headers. Sadly, this doesn’t exist, even in Outlook 2007. (You could use a little macro that KC Lemson posted on her blog a little while ago, which displays a button on the Outlook toolbar that shows you the headers with a single click and saves them in a text file.)

What’s worse – and I just discovered this, thanks to a newsgroup poster and Exchange MVP Andy David’s response – when you check the option to resolve anonymous senders, unauthenticated senders can now send mail to recipients that have been set to receive email from authenticated users only! That’s a big surprise, and totally unexpected – Exchange actually treats anonymous senders as authenticated senders, at least for the purpose of message delivery to such restricted recipients.

Further, not only can someone using a valid internal recipient’s email address send mail to such recipients, but even total strangers (addresses that do not resolve to a valid internal recipient, like ) can. I tested this a few times yesterday, and I’m still in disbelief!

Microsoft documentation on resolving anonymous senders

Having read KBA 828870: Resolve Anonymous Senders Functionality in Microsoft Exchange 2003 a few times, I don’t find any mention of this, though the article clearly recommends that this should not be enabled on any server that receives mail from the internet, and if it is – messages from anonymous senders appear as authenticated mail. KBA 827616: How to restrict the users who can send inbound Internet e-mail to another user or to a distribution group in Exchange 2003 does mention this:

Note: If you enable the Resolve anonymous e-mail setting on your front-end SMTP servers, anonymous senders can bypass the From authenticated users only setting.

There may be scenarios where resolving anonymous senders is justified, for instance on internal SMTP virtual servers, where access is controlled or restricted to certain hosts. If you’re in a cross-Forest deployment, you should attempt to authenticate the SMTP communication, as stated in KBA 828870 above.

As I suggested in the beginning of this post, if it’s not already too late to make another New Year’s resolution, make one today:
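The spoofing risk described above comes down to one fact: the P2 From header is whatever the sender typed, while the Received chain records which host actually handed the message to your first server. The following is an added example (my own code, not from the post or from Microsoft) of the "mini header" check the post wishes Outlook had, run over constructed sample headers; the internal domain, the 10.0.0.0/8 range and all host names are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this example: the organisation's own SMTP domain and the
# address space its own hosts submit from (constructed values).
INTERNAL_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg):
    """IP of the earliest hop (the last Received header): the host that
    actually handed the message to our first server, whatever From claims."""
    hops = msg.get_all("Received") or []
    match = RECEIVED_IP.search(hops[-1]) if hops else None
    return ipaddress.ip_address(match.group(1)) if match else None

def check_spoofed_internal_sender(raw):
    """Return (suspicious, origin_ip, reason). Suspicious when the header (P2)
    From address claims our domain but the message entered from outside."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    ip = originating_ip(msg)
    origin = str(ip) if ip else ""
    if domain != INTERNAL_DOMAIN:
        return False, origin, "sender does not claim an internal identity"
    if ip is None:
        return False, origin, "no Received hop recorded (local submission?)"
    if any(ip in net for net in INTERNAL_NETS):
        return False, origin, "internal identity from an internal host"
    return True, origin, "internal identity submitted from an external host"

# Constructed sample: an anonymous external host submits mail as the CEO.
SPOOFED = """\
Received: from fe1.example.com ([10.0.0.2]) by mailstore.example.com with Microsoft SMTPSVC; Tue, 9 Jan 2007 09:12:44 -0800
Received: from mail.isp.example ([203.0.113.7]) by fe1.example.com with Microsoft SMTPSVC; Tue, 9 Jan 2007 09:12:41 -0800
From: "CEO" <ceo@example.com>
"""
# Constructed sample: the same From address submitted from an internal workstation.
GENUINE = """\
Received: from ws42.example.com ([10.0.1.42]) by mail1.example.com with Microsoft SMTPSVC; Tue, 9 Jan 2007 09:15:02 -0800
From: "CEO" <ceo@example.com>
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_spoofed_internal_sender(raw))
```

With "Resolve anonymous senders" on, the spoofed message would display the CEO's resolved Active Directory name in Outlook; only the Received chain, which this check reads, still shows that it came from 203.0.113.7.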