Last Updated on 2016-02-11.
Scenario
Using MS Exchange Server 2010, you might get spam e-mails from external hosts which use your own domain name as sender.
Solution
Tell Exchange to accept mails that use your domain name as sender only if they come from the LAN. This setting has to be made on your Internet Receive Connector.
This is a bit tricky: you have to do this explicitly via the Exchange Shell and not via the GUI console.
At first sight, the command looks like it simply removes the “Anonymous Users” option. But if you remove that option via the GUI, no more mails from external hosts (which are anonymous by default) will be accepted!
So the following command removes only one specific right. Execute it in the Shell console:
Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
Example for German users:
Get-ReceiveConnector "Default Exchange" | Get-ADPermission -user "NT-Autorität\Anonymous-Anmeldung" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
After executing the command, the “Anonymous Users” option will be unchecked if you open your receive connector’s properties page in the GUI console. So beware of checking and unchecking this setting: it could overwrite the permission change you just made with the shell command.
Also make sure you don’t execute it on a receive connector which allows your internal devices, e.g. a copier, to send documents anonymously.
Additionally, you might have to create a new receive connector if anonymous e-mails from your internal servers are no longer relayed (not even to local recipients). Create an “internal” connector, e.g. with “remote IP range 192.168.1.0/16” or whatever your LAN IP range is, and enable the checkbox for “anonymous users”.
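To check which connectors still grant the right before and after the change, the following audit can be run in the Exchange Shell. It is an added example, not part of the original post: it resolves the localized Anonymous Logon account name from the well-known SID S-1-5-7 (so no language-specific name is needed), the report column names are made up for illustration, and the connector name in the last step is the one used in the post.

```powershell
# Added example for the Exchange 2010 shell (PowerShell 2.0 syntax).
# Resolve the localized account name ("NT AUTHORITY\Anonymous Logon",
# "NT-Autorität\Anonymous-Anmeldung", ...) from the well-known SID S-1-5-7.
$sid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$anon  = $sid.Translate([System.Security.Principal.NTAccount]).Value
$right = 'ms-exch-smtp-accept-authoritative-domain-sender'

# Report for every receive connector whether anonymous senders are still
# allowed to use one of your own (authoritative) domains as sender address.
$report = Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $ace = $connector | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) }

    # Column names below are illustrative, chosen for this example.
    New-Object PSObject -Property @{
        Connector           = $connector.Identity
        RemoteIPRanges      = ($connector.RemoteIPRanges -join ', ')
        PermissionGroups    = $connector.PermissionGroups
        AnonOwnDomainSender = [bool]$ace
    }
}
$report | Format-Table Connector, RemoteIPRanges, PermissionGroups, AnonOwnDomainSender -AutoSize

# Preview the removal on the Internet-facing connector only. -WhatIf makes
# no change; drop it once the preview lists exactly the one ACE you expect.
$name = 'My Internet ReceiveConnector'   # name from the post, replace with yours
Get-ReceiveConnector $name | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -WhatIf
```

After the real removal, the Internet connector should show AnonOwnDomainSender as False, while an internal connector restricted to your LAN range keeps True.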