Context
- When you have multiple incoming receive connectors, it might be appropriate to merge all connectors.
- When you have multiple Exchange Servers, you are compelled to have same configuration anywhere
Audit
Let’s get backup Exchange Reference Receive-Connectors
Get-ReceiveConnector -Server $env:COMPUTERNAME | Export-Clixml -Path C:\EXPLOIT\$($env:COMPUTERNAME).ReceiveConnectors.xml
Merge Connectors
On the destination computers, let’s get only our usefull smtp relays. In the case above, we get back ‘Linux Relay’ and ‘SMTPRELAY’.
We will ignore all other connectors.
$ReceiveConnectors = Import-Clixml -Path C:\EXPLOIT\ReferenceComputer.ReceiveConnectors.xml
$ReceiveConnectors | Select Server, Name, Bindings, RemoteIPRanges, PermissionGroups
$Relay1 = $ReceiveConnectors | ?{ $_.Name -eq 'Linux Relay' }
$Relay2 = $ReceiveConnectors | ?{ $_.Name -eq 'SMTPRELAY' }
$IPs = $Relay1.RemoteIPRanges + $Relay2.RemoteIPRanges
New Connector
Here, we create a new relay connector on destination servers named ‘SMTP Relay’, and activate extended right ‘ms-Exch-SMTP-Accept-Any-Recipient’ in order to allow SMTP relaying. For the moment, only 127.0.0.1 will be allowed
New-ReceiveConnector -server $env:COMPUTERNAME -Name 'SMTP Relay' -Bindings '0.0.0.0:25' -RemoteIPRanges 127.0.0.1 -usage Custom -TransportRole FrontendTransport
$Rcv = Get-ReceiveConnector "$($env:COMPUTERNAME)\SMTP Relay"
$Rcv | Set-ReceiveConnector -fqdn 'smtprelay.mydomain.local' -permissiongroups AnonymousUsers -AuthMechanism None -Banner '220 SMTP OK' -ProtocolLoggingLevel Verbose
$Rcv | Add-ADPermission -User 'ANONYMOUS LOGON' -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Add allow IP addresses to relay
And now, we only allow $IPs to relay, so easy …
$Rcv | Set-ReceiveConnector -RemoteIPRanges $IPs