Comment répliquer des connecteurs Exchange

Context

  • When you have multiple incoming receive connectors, it might be appropriate to merge all connectors.
  • When you have multiple Exchange Servers, you are compelled to have same configuration anywhere

Audit

Let’s get backup Exchange Reference Receive-Connectors

Get-ReceiveConnector -Server $env:COMPUTERNAME | Export-Clixml -Path C:\EXPLOIT\$($env:COMPUTERNAME).ReceiveConnectors.xml
 

Merge Connectors

On the destination computers, let’s get only our usefull smtp relays. In the case above, we get back ‘Linux Relay’ and ‘SMTPRELAY’.
We will ignore all other connectors.

$ReceiveConnectors = Import-Clixml -Path C:\EXPLOIT\ReferenceComputer.ReceiveConnectors.xml
$ReceiveConnectors | Select Server, Name, Bindings, RemoteIPRanges, PermissionGroups
$Relay1 = $ReceiveConnectors | ?{ $_.Name -eq 'Linux Relay' }
$Relay2 = $ReceiveConnectors | ?{ $_.Name -eq 'SMTPRELAY' }
$IPs = $Relay1.RemoteIPRanges + $Relay2.RemoteIPRanges
 

New Connector

Here, we create a new relay connector on destination servers named ‘SMTP Relay’, and activate extended right ‘ms-Exch-SMTP-Accept-Any-Recipient’ in order to allow SMTP relaying. For the moment, only 127.0.0.1 will be allowed

New-ReceiveConnector -server $env:COMPUTERNAME -Name 'SMTP Relay' -Bindings '0.0.0.0:25' -RemoteIPRanges 127.0.0.1 -usage Custom -TransportRole FrontendTransport
$Rcv = Get-ReceiveConnector "$($env:COMPUTERNAME)\SMTP Relay"
$Rcv | Set-ReceiveConnector -fqdn 'smtprelay.mydomain.local' -permissiongroups AnonymousUsers -AuthMechanism None -Banner '220 SMTP OK' -ProtocolLoggingLevel Verbose
$Rcv | Add-ADPermission -User 'ANONYMOUS LOGON' -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

 

Add allow IP addresses to relay

And now, we only allow $IPs to relay, so easy …

$Rcv | Set-ReceiveConnector -RemoteIPRanges $IPs

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée.