We have a bunch of Exchange 2007 transport hubs and now we have three Exchange 2010 multirole servers that have been recently installed.
I am 100% positive that all the Default relay connectors on all our Exchange 2007 servers were NOT allowed to accept anonymous mail.
More than sure.
We actually created two custom receive connectors on each Ex2007 transport hub - one for accepting mail from app servers for internal domains and another one for relaying mail from app servers to domains outside of the company.
We have a very right procedure where app owners submit to us relay requests with the IP addresses of their app servers and we set up their access to the receive connectors.
Today, one app owner requested to have his app server removed from the access list. But his server's IP address wasn't even on the list! And his app was able to submit mail. And he could do a Telnet session from the console of his app host and submit mail!
Long story short, we tracked it down to the Default receive connector - that's who was accepting connections from his app server.
When I went to the properties of one of the Default receive connectors, and clicked on the Permission Group tab, the "Anonymous users" checkbox was UNchecked.
Only when I ran the command below did I see that there were extended permissions there which never used to be there before!!!
Get-ReceiveConnector "hub1msex01\Default HUB1MSEX01" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Ft *ext*
ExtendedRights
--------------
{ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
{ms-Exch-SMTP-Submit}
{ms-Exch-Store-Create-Named-Properties}
{ms-Exch-Create-Public-Folder}
How did these permissions get there? Did Exchange 2010 installation introduce them? Or did one of the recent Ex2007 service packs or rollup updates sneak them in???
I then went back to the GUI properties of the Default connector, checked the Anonymous checkbox, clicked Apply, UNchecked the Anonymous box, clicked Apply again, and the extra permissions got cleared out for sure:
Get-ReceiveConnector "hub1msex01\Default HUB1MSEX01" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Ft *ext*
ExtendedRights
--------------
{ms-Exch-Store-Create-Named-Properties}
{ms-Exch-Create-Public-Folder}
Now I have to go do this on every transport hub.
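The check above is exactly the kind of thing worth scripting across every transport hub rather than repeating the GUI toggle by hand: the Permission Groups tab only reflects the PermissionGroups flag on the connector object, while the rights that actually let an anonymous session submit mail live in the connector's AD ACL, which is what Get-ADPermission reads. The script below is an added example, not code from the original post; it assumes it runs in the Exchange Management Shell (2007 or 2010) with rights to read and modify connector ACLs, and the -Remove switch is a hypothetical parameter introduced here. It lists every receive connector in the org where "NT AUTHORITY\ANONYMOUS LOGON" holds a submit-class extended right, flags the mismatch the post describes (ACL grants submission but the Anonymous users permission group is not set), and only strips those rights when -Remove is given.

```powershell
# Added example (not from the original post). Audit receive connectors for
# submit/relay extended rights granted to ANONYMOUS LOGON; report only unless -Remove.
param(
    [switch]$Remove   # hypothetical switch added for this example
)

# Extended rights on a receive connector that let an anonymous session hand mail
# to the transport service. ms-Exch-SMTP-Submit alone allows submission (what the
# post observed); ms-Exch-SMTP-Accept-Any-Recipient is the one that turns the
# connector into an open relay.
$SubmitRights = @(
    'ms-Exch-SMTP-Submit',
    'ms-Exch-SMTP-Accept-Any-Recipient',
    'ms-Exch-SMTP-Accept-Any-Sender',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
)
$Anonymous = 'NT AUTHORITY\ANONYMOUS LOGON'

$findings = foreach ($rc in Get-ReceiveConnector) {
    # GUI "Anonymous users" checkbox state, taken from the connector object itself
    $guiAnonymous = ([string]$rc.PermissionGroups) -match 'AnonymousUsers'

    # Allow ACEs for ANONYMOUS LOGON that carry extended rights (ignore Deny ACEs)
    $aces = Get-ADPermission -Identity $rc.Identity -User $Anonymous -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and $_.ExtendedRights }

    foreach ($ace in $aces) {
        foreach ($right in $ace.ExtendedRights) {
            $name = [string]$right
            if ($SubmitRights -notcontains $name) { continue }

            $obj = New-Object PSObject
            $obj | Add-Member NoteProperty Connector    $rc.Identity
            $obj | Add-Member NoteProperty Right        $name
            $obj | Add-Member NoteProperty GuiAnonymous $guiAnonymous
            # Hidden = ACL grants submission but the GUI checkbox is off
            $obj | Add-Member NoteProperty Hidden       (-not $guiAnonymous)
            $obj | Add-Member NoteProperty RemoteIPs    (($rc.RemoteIPRanges | ForEach-Object { [string]$_ }) -join ',')
            $obj
        }
    }
}

if (-not $findings) {
    Write-Host "No submit-class extended rights granted to $Anonymous on any receive connector."
    return
}

$findings | Sort-Object Connector, Right | Format-Table Connector, Right, GuiAnonymous, Hidden, RemoteIPs -AutoSize

if ($Remove) {
    # Strip only the rights that are not backed by the Anonymous users permission group;
    # connectors where the checkbox is deliberately on are left alone.
    foreach ($f in $findings | Where-Object { $_.Hidden }) {
        Write-Host "Removing $($f.Right) for $Anonymous on $($f.Connector)"
        Remove-ADPermission -Identity $f.Connector -User $Anonymous -ExtendedRights $f.Right -Confirm:$false
    }
}
```

Run it without -Remove first and keep the report; the Hidden column is the condition from the post (ACL rights present, checkbox unchecked). Re-running afterwards should show only the rights that match the checkbox state, which is also a cheap check to repeat after future service packs or rollups, since that is the suspected point at which the extra rights appeared.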