Home   Kaiming



Permission group

A permission group is a predefined set of extended rights granted to a well-known security principal (NT AUTHORITY\ANONYMOUS LOGON for AnonymousUsers, for example). Permission groups exist only on Receive connectors; Send connectors have none. The groups are:

AnonymousUsers

ExchangeUsers

ExchangeServers

ExchangeLegacyServers

Partners

Get-ReceiveConnector -Server win20081 | fl name,permissiongroups

Name             : Default WIN20081
PermissionGroups : ExchangeUsers, ExchangeServers, ExchangeLegacyServers

Name             : Client WIN20081
PermissionGroups : ExchangeUsers

Set-ReceiveConnector 'Default Ex64' -PermissionGroups ExchangeUsers,ExchangeLegacyServers

Set-ReceiveConnector 'Default Ex64' -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers,Partners

Note that -PermissionGroups replaces the whole list rather than adding to it: the first command leaves only the two named groups on the connector, and anything previously assigned (ExchangeServers, for instance) is dropped. Always state the complete set you want.
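As an added example (this is not code from the original page), the script below adds one permission group to a connector while keeping the groups already set, by reading the current value first. The connector name and the group to add are assumptions; it is meant to be run from the Exchange Management Shell.

```powershell
# Added example, not from the original page. Adds one permission group to an
# existing Receive connector without dropping the groups already assigned.
# -PermissionGroups on Set-ReceiveConnector REPLACES the list, so read it first.
# Connector name and group are assumptions; run from the Exchange Management Shell.
param(
    [string]$Identity   = 'Default Ex64',
    [string]$GroupToAdd = 'Partners'
)

$connector = Get-ReceiveConnector -Identity $Identity

# PermissionGroups is a flags value whose display form is "A, B, C".
# Get-ReceiveConnector displays the anonymous group as "Anonymous", while the
# value documented for the -PermissionGroups parameter is "AnonymousUsers",
# so normalize it before writing the list back (assumption: that mapping).
# "Custom" shows up once the ACL has been edited with Add-ADPermission and
# cannot be assigned explicitly, so it is left out of what we write.
$current = @(
    $connector.PermissionGroups.ToString() -split ',\s*' |
        ForEach-Object { $_ -replace '^Anonymous$', 'AnonymousUsers' } |
        Where-Object { $_ -and $_ -ne 'None' -and $_ -ne 'Custom' }
)

if ($current -contains $GroupToAdd) {
    Write-Host "$Identity already has $GroupToAdd"
} else {
    $desired = ($current + $GroupToAdd) -join ','
    Write-Host "Setting $Identity to: $desired"
    Set-ReceiveConnector -Identity $Identity -PermissionGroups $desired
}

# Confirm what the server now reports.
Get-ReceiveConnector -Identity $Identity | Format-List Name, PermissionGroups
```

The `@( ... )` wrapper matters: with a single group assigned, the pipeline would otherwise return a plain string and `+` would concatenate text instead of appending a list element.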

Granting individual extended rights with the Add-ADPermission cmdlet

Add-AdPermission -Identity "Default Ex64" -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam

Be careful with this one: it gives unauthenticated sessions the relay right (ms-Exch-SMTP-Accept-Any-Recipient) and exempts them from anti-spam filtering. On a Default connector, whose RemoteIPRanges covers every source address, that is an open relay. Grant it only on a connector whose RemoteIPRanges is restricted to the hosts that actually need to relay.

S-1-9-1419165041-1139599005-3936102811-1022490595-10 is the well-known SID of the Exchange partner servers principal; the command below grants it the same two rights the Partners permission group carries.

Add-AdPermission -Identity "Default Ex64" -User "S-1-9-1419165041-1139599005-3936102811-1022490595-10" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-Accept-Headers-Routing
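As an added example (not code from the original page), this is how the anonymous relay grant shown above is done without turning the Default connector into an open relay: a dedicated connector scoped to a short list of source addresses receives the Add-ADPermission grant instead. The server name, connector name, binding and host list are assumptions.

```powershell
# Added example, not from the original page. Builds a dedicated relay connector
# so the relay right never lands on the Default connector (whose RemoteIPRanges
# is the whole Internet). Server, name, binding and host list are assumptions.
$server     = 'Ex64'
$name       = 'Relay Ex64'
$bindings   = @('0.0.0.0:25')
$relayHosts = @('10.10.5.20', '10.10.5.21')   # the only sources allowed to relay

# Exchange picks the Receive connector whose RemoteIPRanges matches the client
# most specifically, so this connector wins for $relayHosts and the Default
# connector keeps serving everyone else.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings $bindings -RemoteIPRanges $relayHosts `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# The relay right itself. On a connector reachable from any address this is an
# open relay; here the connector's scope bounds it to $relayHosts.
# ms-Exch-Bypass-Anti-Spam is deliberately NOT granted, so relayed mail is still
# filtered; add it only for trusted application servers.
Add-ADPermission -Identity "$server\$name" -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

# Verify scope and the explicit anonymous rights together.
Get-ReceiveConnector -Identity "$server\$name" |
    Format-List Name, RemoteIPRanges, PermissionGroups
Get-ADPermission -Identity "$server\$name" |
    Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny } |
    Select-Object User, @{ Name = 'ExtendedRights'
                          Expression = { @($_.ExtendedRights | ForEach-Object { $_.ToString() }) -join ',' } }
```

After the Add-ADPermission call the connector's PermissionGroups will read as Custom in addition to AnonymousUsers, which is the visible hint that its ACL no longer matches a stock group.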

Receive Connector

Permission: ms-Exch-SMTP-Submit

A session must hold this right to submit anything at all. Without it, the MAIL FROM (and AUTH) commands are rejected as soon as the session tries to send.

Permission: ms-Exch-SMTP-Accept-Any-Sender

If granted, the session bypasses the sender address spoofing check: Exchange does not verify the MAIL FROM address against the GAL. Within the Exchange organization it should not be granted to unauthenticated sessions; internal clients authenticate first and then submit messages to the Exchange servers. The Internet-facing Receive connector must have it, because the GAL does not contain external SMTP addresses.

Permission: ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Allows a session whose sender (MAIL FROM) address is in one of the organization's authoritative domains to submit messages. This is about the sender address, not the recipient: mail addressed to authoritative domains needs no special right to be accepted.

Permission: ms-Exch-Accept-Headers-Routing
The session may submit a message with all of its Received headers intact. If the right is not granted, the Hub Transport server strips all Received headers from the message.

All four of these rights make up the AnonymousUsers permission group, which grants them to NT AUTHORITY\ANONYMOUS LOGON.

The Internet-facing Receive connector should have the AnonymousUsers group, and nothing beyond it, assigned to the anonymous account.

The ExchangeUsers permission group includes the following rights:
Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Recipient
Ms-Exch-Bypass-Anti-Spam
Ms-Exch-Accept-Headers-Routing

Permission: ms-Exch-SMTP-Accept-Any-Recipient
Any connector accepts messages destined for authoritative-domain e-mail addresses. With this right, the connector also accepts messages destined for non-authoritative addresses (@cnn.com, @gmail.com, etc.) and relays them on to the external domain. That is why it belongs to ExchangeUsers, i.e. authenticated sessions. If it is granted to the anonymous account on a connector open to the Internet, you have an open relay.
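The configuration-side check for the open-relay condition just described, as an added audit example (not code from the original page): it walks every Receive connector, looks for allow ACEs that give the relay right to the anonymous principal, and flags the ones whose RemoteIPRanges accept any source address. The only assumed value is the "whole Internet" range literal that a Default connector carries; everything else comes from the live organization.

```powershell
# Added audit example, not from the original page. Reports every Receive
# connector on which NT AUTHORITY\ANONYMOUS LOGON holds the relay right
# (ms-Exch-SMTP-Accept-Any-Recipient), with the source ranges the connector
# listens for, and flags those reachable from any address as open relays.
# Run from the Exchange Management Shell. Assumed: the range literal below is
# what a Default connector shows for "any source".
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anyAddress = '0.0.0.0-255.255.255.255'

function Get-AnonymousRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        # ACEs on the connector object; keep allow ACEs for the anonymous
        # principal that carry the relay right (either granted directly with
        # Add-ADPermission or, wrongly, through a custom group edit).
        $anonRelay = Get-ADPermission -Identity $rc.Identity | Where-Object {
            $_.User -like '*ANONYMOUS LOGON*' -and -not $_.Deny -and
            (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains $relayRight)
        }
        if (-not $anonRelay) { continue }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        [pscustomobject]@{
            Connector        = $rc.Identity.ToString()
            PermissionGroups = $rc.PermissionGroups.ToString()
            Bindings         = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ';')
            RemoteIPRanges   = ($ranges -join ';')
            # Relay right for anonymous AND no source restriction = open relay.
            OpenRelay        = ($ranges -contains $anyAddress)
        }
    }
}

Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

A connector that appears with OpenRelay = False is still worth a look: a RemoteIPRanges entry such as a whole /8 is not "any address" but may be far wider than the handful of application servers that need to relay.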

Permission: ms-Exch-Bypass-Anti-Spam
When granted, the transport server skips anti-spam filtering for the session's messages; when not granted, the anti-spam agents act on them. AnonymousUsers does not include this right, so messages from Internet senders go through anti-spam filtering.
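The black-box counterpart of the relay concern under ms-Exch-SMTP-Accept-Any-Recipient, as an added example that is not part of the original page: an unauthenticated SMTP session asks the server to accept a message for a recipient outside its authoritative domains. A correctly configured Internet-facing connector answers the RCPT TO with a 5.7.1 "Unable to relay" rejection; a 250 means anonymous sessions hold the relay right. The target host and the probe addresses are assumptions, and nothing past RCPT TO is ever sent.

```powershell
# Added example, not from the original page. Black-box relay probe over raw
# SMTP; it stops after RCPT TO and never sends DATA. Host and addresses are
# assumptions for illustration.
function Test-OpenRelay {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@example.net',   # external sender
        [string]$To   = 'probe@example.org',   # external recipient (non-authoritative)
        [string]$Helo = 'probe.example.net'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 15000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one SMTP reply, including multi-line ones ("250-..." continues until
    # a line with a space in the fourth position). Returns code and last line.
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        if (-not $line) { throw "connection closed by $Server" }
        [pscustomobject]@{ Code = [int]($line.Substring(0, 3)); Text = $line }
    }
    $send = { param($cmd) $writer.WriteLine($cmd); & $readReply }

    try {
        $banner = & $readReply
        $ehlo   = & $send "EHLO $Helo"
        if ($ehlo.Code -ne 250) { throw "EHLO refused: $($ehlo.Text)" }
        $mail   = & $send "MAIL FROM:<$From>"
        $rcpt   = & $send "RCPT TO:<$To>"
        & $send 'QUIT' | Out-Null
        [pscustomobject]@{
            Server    = $Server
            Banner    = $banner.Text
            MailFrom  = $mail.Text
            RcptTo    = $rcpt.Text
            # 2xx to an external recipient from an unauthenticated session is
            # exactly what ms-Exch-SMTP-Accept-Any-Recipient for anonymous means.
            OpenRelay = ($mail.Code -eq 250 -and $rcpt.Code -ge 200 -and $rcpt.Code -lt 300)
        }
    } finally {
        $client.Close()
    }
}

# Usage against an assumed host:
# Test-OpenRelay -Server mail.example.com | Format-List
```

Run it against your own connectors only, from an address outside every RemoteIPRanges you have deliberately opened; from inside a relay range a 250 is the intended behaviour, not a finding.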

Why so many permissions?

Anatomy of an e-mail message
X-Receiver: <mary@contoso.com> NOTIFY=NEVER ORcpt=mary@contoso.com
X-Sender: <bob@contoso.com> BODY=7bit ENVID=12345ABCD auth=<someAuth>
To: mary@contoso.com
From: bob@contoso.com
Subject: Optional message subject
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<HTML><BODY>
<TABLE>
<TR><TD>cell 1</TD><TD>cell 2</TD></TR>
<TR><TD>cell 3</TD><TD>cell 4</TD></TR>
</TABLE>
</BODY></HTML>

There are other fields in a message, such as X-CreatedBy, Spam Confidence Level (SCL), message signing, and encryption. What X-Header fields are kept or removed?

All these fields are metadata.

Outlook and OWA clients are authenticated when they connect to the Exchange server. When an authenticated client submits a message to the Exchange server (a POP3 or IMAP4 client sending through the Client connector, for example), the ExchangeUsers permission group applies.

All X-header fields are kept when Hub Transport server A sends to Hub Transport server B in the same Exchange organization; the ExchangeServers permission group applies.

Transport servers within the Exchange organization trust each other. An Edge Transport server receiving messages from the Internet does not trust the authentication stamp of anonymous servers on the Internet.

