
Sending mails from external server via internal Exchange

Hello,

we're using Exchange Server internally together with Email Protection. We want to allow two mail accounts to send mails from an external server in the internet.

I allowed the two mailbox users to send mail (via Relaying tab under Authenticated Relay).
This works fine. But now I've noticed that these two users can send mails with any sender.
Theoretically they can use the mail address of the company boss as sender mail.

How is this possible? Can I restrict this in the UTM?

Regards
UTMaddict



  • Are the two users part of a shared mailbox, and sending it out as another user that is part of that share?  They shouldn't be able to send as another user if your security is set up correctly.  AD environment?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • It is an AD environment.
    The two mailboxes are shared mailboxes and the users are the (by default) disabled Active Directory users/user objects of the mailboxes themselves.

  • That's a permission issue, not a UTM issue.  If they have rights to send in Exchange from a shared box, they can do it.  

    Even if the users are disabled, they are still part of the share (stupid, yes I know, but Microsoft...).  You should remove them from the shared mailbox, or at the very least change the permissions so that they can read only and not send.


  • But these are default users which are added by the Exchange automatically if I add a shared mailbox via Exchange ECP.
    By default they are disabled.
    Example: If my shared mailbox is called team1@mymail.com there is automatically a disabled user which is called team1.

    I enabled them and gave them a password to use the accounts for sending mails directly from it.

  • You should still be able to actually remove the mailbox user that it was created for from that mailbox to prevent that very thing.  

