Office 365 Exchange – Is Open Relay Enabled by Default?

Tags: exchange, microsoft-office-365, smtp

We have an API that sends email. I was trying to set up Exchange O365 so that the API server could send email without authentication. I made some changes and tested and it worked, great! But then I tested from another server and it still worked. Oops. I undid all the changes I made, so it should be back to deployment state, and the relay still works.

Surely this isn't expected; did I miss something?

The steps I took:

  1. Exchange Admin Center > Protection > Connection Filter > Allowed IP Address: Add server IP
  2. Exchange Admin Center > Mail Flow > Connectors: Added Connector (as described here)
  3. Admin Center > Domains: Updated SPF record in DNS to include the API server IP address (as described here)

Again, I have reverted all these changes and I can still relay mail through my server using telnet connected to mydomainname-com.mail.protection.outlook.com.

What else can I check to disable this?

Best Answer

Ignoring SPF, DKIM, DMARC, etc., etc. for a minute:

This is essentially how SMTP works. Sending email via the server that is authoritative for the domain you're sending email to does not require authentication. If it did, then everyone in the world would need to authenticate to every mail server in the world in order to send email to anyone.

If I telnet to your email server for the purpose of sending email to you then your server will accept my connection and will accept the email and deliver it to your mailbox. In this scenario I am sending email TO your server for someone who has a mailbox that your server is authoritative for... more specifically I am sending email to someone who has a mailbox and an email domain that your server is authoritative for. This IS NOT relaying.

If I telnet to your server and try to send an email to an email address outside of your organization your server would reject my attempt. In this scenario I am attempting to send email THROUGH your server to someone who has a mailbox/email domain that your server is not authoritative for. This IS relaying.

Creating a send connector for the IP address of your API, your web server, your printer, etc., etc. is a form of "authenticated relaying". In this scenario you are telling your email server that those IP addresses are allowed to send email through that connector to email addresses outside of your organization, which would be any email domain that your server is not authoritative for. There are several "forms" of authenticated relaying; this is just one.

Exchange Online is NOT an open relay, as you rightly discovered.
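The distinction drawn in the answer above, as an added example that is not part of the original answer: a simplified model of the decision a receiving server makes at `RCPT TO`, showing why the asker's test still succeeded after the connector was removed. The `RelayPolicy` class, its field names, the result strings and all domains and addresses are hypothetical; this is not Exchange Online's actual logic.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Hypothetical model of an inbound SMTP server's RCPT TO decision."""
    accepted_domains: set                                   # lowercase domains the server is authoritative for
    connector_networks: list = field(default_factory=list)  # IPs/CIDRs a connector allows to relay

    def _is_local(self, address: str) -> bool:
        # Split on the last "@"; an address with no local part or no "@" is never local.
        local, sep, domain = address.strip().rpartition("@")
        return bool(local and sep) and domain.lower().rstrip(".") in self.accepted_domains

    def _via_connector(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in self.connector_networks)

    def decide(self, client_ip: str, rcpt_to: str) -> str:
        if self._is_local(rcpt_to):
            return "accept-local"   # mail TO the server's own domain: not relaying
        if self._via_connector(client_ip):
            return "accept-relay"   # mail THROUGH the server, allowed by a connector
        return "reject-relay"       # an open relay would accept this case


def run_samples():
    # Constructed sample data: documentation-range IPs and example domains.
    with_connector = RelayPolicy({"example.com"}, ["203.0.113.10/32"])
    reverted = RelayPolicy({"example.com"})  # connector removed again
    return [
        with_connector.decide("203.0.113.10", "someone@example.net"),  # API server, external rcpt
        with_connector.decide("198.51.100.7", "someone@example.net"),  # other host, external rcpt
        reverted.decide("203.0.113.10", "someone@example.net"),        # API server after revert
        reverted.decide("198.51.100.7", "user@example.com"),           # any host, internal rcpt
    ]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The last sample is the asker's situation: with every change reverted, any host can still hand the server mail for a mailbox in its own domain, so a relay test is only meaningful when the recipient is in a domain the server is not authoritative for.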
