Exchange 2010 forwarded emails by external servers being blocked

Tags: exchange-2010, forwarding, spam

Our users were getting spam messages from their own accounts (same domain/login, for example madboy@company.com to madboy@company.com). This is a pretty standard trick and I decided to block it so that anonymous users can't send emails as @company.com.

This brought some problems on us, like our printers not being able to send emails, etc., but I solved it with a secondary SMTP receiver on a different port with IP restrictions.

However it seems to affect forwarding by some e-mail servers as well:

Hi. This is the qmail-send program at home.pl. I'm afraid I wasn't
able to deliver your message to the following addresses. This is a
permanent error; I've given up. Sorry it didn't work out.

:
89.14.1.26 failed after I sent the message. Remote host said: 550 5.7.1 Client does not have permissions to send as this sender

— Below this line is a copy of the message.

Return-Path: Return-Path: Received:
from mail.company.com [89.14.1.26] (HELO mail.company.com) by
company.ho.pl [79.93.31.43] with SMTP (IdeaSmtpServer v0.70) id
488fcb01c2f069d9; Tue, 3 Jan 2012 09:46:55 +0100 Received: from
EXCHANGE1.COMPANY ([fe80::d425:135f:b655:1223]) by
EXCHANGE2.COMPANY ([fe80::193f:51ac:9316:cb27%14]) with mapi id
14.01.0355.002; Tue, 3 Jan 2012 09:46:55 +0100 From: =?iso-8859-2?Q?MadBoy?=

So basically the server forwards it without affecting the email address it was sent with, and our servers treat it like spam.

I used this command to block things:

Get-ReceiveConnector "DEFAULT Exchange2" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Is there any way I can keep on receiving things like forwards but still be able to block things (except for some dedicated antispam solution, which will be added later)?

Also, how do I "reassign" the permissions that were removed?

EDIT to clarify:

I have a domain domain.com configured as Authoritative. A couple of our users are on a project for differentcompany.com, which is not on our servers or anywhere close. Now when they send an email from their accounts, let's say myuser@domain.com, to specialalias@differentcompany.com, that special alias is configured so that it forwards any email it receives to multiple people, including a group alias at our domain, group@domain.com, and that group alias puts the email in users' mailboxes.

After the email is forwarded by specialalias@differentcompany.com and it reaches our server, it is denied, because the forwarding done by the "external" server doesn't affect the user information, so to the server it seems like myuser@domain.com was actually the sender, and it treats it as spam and denies it. The server at differentcompany.com just adds itself to the header to show that it passed through it and doesn't modify the sender in any way (seems like this is how forwarding works).

Although I could probably allow this particular server to relay, this would seem to affect more servers/users, as anyone can set up forwarding on their email back to our domain…

Best Answer

Oh yes there is.

On the new Receive Connector where you employ IP restrictions, add the servers that need to be able to forward as remote hosts, and give "NT AUTHORITY\ANONYMOUS LOGON" the ms-Exch-SMTP-Accept-Any-Sender permission, so as to allow the relaying server to relay with any sender address.

Get-ReceiveConnector "The name of the IP restricted one" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

If the relaying server also needs to be able to send mail outside your own organization (I guess that is what you mean by forwarding), you might also need to grant the ms-Exch-SMTP-Accept-Any-Recipient permission.
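As an added example (not code from the question or the answer above), the complete sequence in Exchange Management Shell: a dedicated IP-restricted connector for the forwarding hosts, the Accept-Any-Sender grant from the answer, the undo of the original Remove-ADPermission that the question asks about, and a check of what anonymous sessions may do on each connector. The connector name "Relay-Forwarders", server EXCHANGE2, port 2525 and the forwarder IP (taken from the bounce headers above) are assumptions.

```powershell
# Added example; names, port and IP below are assumptions, not values from the post.
$Server     = "EXCHANGE2"
$Forwarders = @("79.93.31.43")   # only the hosts that must forward back to you

# 1. A dedicated receive connector restricted to those hosts. RemoteIPRanges is
#    the real control here: whatever is granted below applies only to sessions
#    arriving from these addresses.
New-ReceiveConnector -Name "Relay-Forwarders" -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:2525" -RemoteIPRanges $Forwarders `
    -PermissionGroups AnonymousUsers | Out-Null
$rc = Get-ReceiveConnector "$Server\Relay-Forwarders"

# 2. On this connector only, let anonymous sessions use any MAIL FROM, including
#    your own authoritative domain (which is what a forwarded message carries).
$rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Sender"

# 3. To "reassign" the right removed on the default connector in the question,
#    add it back with the same cmdlet pair in reverse.
Get-ReceiveConnector "DEFAULT Exchange2" | Add-ADPermission `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

# 4. Verify: list the SMTP accept rights anonymous sessions hold, per connector,
#    so the Any-Sender grant is visible only on the restricted connector.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $name = $_.Name
    $_ | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-*" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Connector = $name
                Right     = ($_.ExtendedRights -join ",")
            }
        }
} | Format-Table Connector, Right -AutoSize
```

Any host in RemoteIPRanges of that connector can now submit mail as any address in your domain, so keep the list to the forwarding servers you actually need and review it when a project ends.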