
Exchange 2010/2013: Which computer uses a Relay Connector?

Receive connectors that do not require authentication are needed so that systems which cannot authenticate can still send mail. As long as the connectors are configured tightly, this is not a problem. In practice, however, I have often seen whole subnets allowed to send mail anywhere without authentication, usually because the setup has grown historically.

Cleaning this up is tedious: hardly anyone knows every system that sends mail, but a whole subnet is certainly more than you need. A workable approach is to first find out which computers actually send mail via the relay connector, then restrict the connector to exactly those systems, and finally look at those computers and change them where necessary.

I have written a script that searches the message tracking logs and lists all computers that used a given connector; if desired, the script also restricts the connector to the IPs it found.

    param
    (
        [Parameter(Mandatory=$True)]
        [string]$Server,
        [Parameter(Mandatory=$True)]
        [string]$Connector,
        [Parameter(Mandatory=$True)]
        [int]$Days,
        [Parameter(Mandatory=$True)]
        [string]$ChangeConnector
    )

    $end = Get-Date
    $start = $end.AddDays(-$Days)
    # ConnectorId in the tracking log has the form "SERVER\Connector Name"
    $connectorname = "$Server\$Connector"

    # All RECEIVE events that arrived via SMTP on the named connector within the time window
    $log = Get-MessageTrackingLog -EventID "RECEIVE" -Start $start -End $end -Server $Server -ResultSize Unlimited |
        Where-Object { $_.Source -match "SMTP" -and $_.ConnectorId -eq $connectorname }

    # Distinct sending IP addresses
    $clients = $log | ForEach-Object { $_.ClientIp } | Select-Object -Unique

    $conips = @()

    Write-Host ""
    Write-Host "IP address`t`tHostname"
    Write-Host "------------------------------------------------"
    Write-Host ""

    # The loop variable must not be called $Server, otherwise it overwrites the parameter
    foreach ($client in $clients)
    {
        $ip = "$client"
        $name = $null
        # Reverse lookup is for readability only; a failed lookup must not abort the script
        try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $name = "(no reverse DNS)" }
        $conips += $ip
        Write-Host "$ip`t`t$name"
    }

    Write-Host ""

    if ($ChangeConnector -eq "True")
    {
        if ($conips.Count -eq 0)
        {
            # Never replace the ranges with an empty list: nothing was found in the window
            Write-Host "No senders found on $connectorname in the last $Days days, connector not changed" -ForegroundColor Red
        }
        else
        {
            # Replaces the existing RemoteIPRanges with exactly the IPs found above
            Set-ReceiveConnector $connectorname -RemoteIPRanges $conips
            Write-Host "Connector $Connector on server $Server has been restricted" -ForegroundColor Yellow
        }
        Write-Host ""
    }
    else
    {
        Write-Host "Connector $Connector on server $Server was not changed" -ForegroundColor Green
        Write-Host ""
    }

Simply copy the script text into a file with the extension .ps1 (for example query-relayhosts.ps1) and run it from the Exchange Management Shell. The following parameters must be passed:

-server: The name of the Hub Transport Server on which the connector is located

-connector: The name of the connector on the Hub Transport Server

-Days: The number of days back that the tracking logs are searched. The logs only go back as far as the configured retention (MessageTrackingLogMaxAge, 30 days by default), so a larger value does not find more; and a system that only sends mail once a month or once a quarter will not show up in a short window.

-ChangeConnector: True or False. With True the connector's RemoteIPRanges are replaced by exactly the IPs found, with False the script only lists them. Run it with False first and review the list: if one of the addresses is a load balancer or proxy that rewrites the source address, every host behind it stays allowed after the change.

Example: .\query-relayhosts.ps1 -Server SMAIL01 -Connector "Allow Relay" -Days 30 -ChangeConnector True
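Before running the script with -ChangeConnector True, it helps to see how much of each currently configured range was actually used in the window, because that is exactly what gets dropped when RemoteIPRanges is rewritten. The following is an added example and not part of the original script; the functions ConvertTo-IPv4Number, Test-IPInRange and Get-RelayRangeUsage are my own names, the sample ranges and client IPs are constructed, and it assumes that the range strings look like the ToString() output of the connector's RemoteIPRanges entries (CIDR, explicit range, or single address).

```powershell
# Added example (not the original script): compare the configured RemoteIPRanges of a relay
# connector with the distinct ClientIp values found in the tracking log, range by range.

function ConvertTo-IPv4Number {
    param([string]$Address)
    # IPv4 only: pack the four octets into one integer so ranges can be compared numerically
    $o = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$o[0] * 16777216) + ([int64]$o[1] * 65536) + ([int64]$o[2] * 256) + [int64]$o[3]
}

function Test-IPInRange {
    param([string]$Address, [string]$Range)
    # Handles the three notations RemoteIPRanges accepts: "10.10.0.0/24", "10.20.5.10-10.20.5.20", "192.168.1.50"
    $ip = ConvertTo-IPv4Number $Address
    if ($Range -match '^([^/]+)/(\d+)$') {
        # CIDR notation: compare the network part only
        $bits = [int]$Matches[2]
        $hostBits = [int64][Math]::Pow(2, 32 - $bits) - 1
        $mask = [int64]4294967295 - $hostBits
        $net = ConvertTo-IPv4Number $Matches[1]
        return (($ip -band $mask) -eq ($net -band $mask))
    }
    if ($Range -match '^([^-]+)-([^-]+)$') {
        # Explicit lower-upper range
        $low = ConvertTo-IPv4Number $Matches[1]
        $high = ConvertTo-IPv4Number $Matches[2]
        return ($ip -ge $low -and $ip -le $high)
    }
    # Single address
    return ($ip -eq (ConvertTo-IPv4Number $Range))
}

function Get-RelayRangeUsage {
    param([string[]]$ConfiguredRanges, [string[]]$ObservedClients)
    # One result object per configured range: how many distinct observed senders fall into it.
    # Ranges with Senders = 0 are the ones that disappear when the connector is restricted.
    foreach ($range in $ConfiguredRanges) {
        $hits = @($ObservedClients | Where-Object { Test-IPInRange -Address $_ -Range $range })
        New-Object PSObject -Property @{
            Range   = $range
            Senders = $hits.Count
            Clients = ($hits -join ', ')
        } | Select-Object Range, Senders, Clients
    }
}

# Constructed sample data (assumption, not from a real environment). In practice the first list
# would come from (Get-ReceiveConnector "SMAIL01\Allow Relay").RemoteIPRanges | ForEach-Object { $_.ToString() }
$configured = @('10.10.0.0/24', '10.20.5.10-10.20.5.20', '192.168.1.50')
# and the second list would be the distinct ClientIp values the script above prints for that connector
$observed = @('10.10.0.15', '10.10.0.77', '192.168.1.50')

# Shows 2 senders for the /24 (a whole subnet for two hosts), 0 for the explicit range, 1 for the single address
Get-RelayRangeUsage -ConfiguredRanges $configured -ObservedClients $observed | Format-Table -AutoSize
```

A range with zero senders in a 30-day window is the first thing to ask about before you let the script rewrite the connector: either nothing there relays any more, or it relays so rarely that the tracking log window missed it.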
