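Exchange 2007: how to prevent attackers from using the HELO command to impersonate users and send mail!
I recently ran a test. Our company has an Exchange 2007 server with ports 25, 110 and 443 opened to the outside, and I did the following test!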
C:\>telnet mail.mydomain.com 25
220 mailsvr.mydomain.local Microsoft ESMTP MAIL Service ready at Thu, 26 Mar 2009 09:12:05 +0800
HELO
250 mailsvr.mydomain.local Hello [192.168.0.110]
Mail from:test@mydomain.local
250 2.1.0 Sender OK
Rcpt to:test2@mydomain.local
250 2.1.5 Recipient OK
Data
354 Start mail input; end with <CRLF>.<CRLF>
This is a test mail......
.
250 2.6.0 <f95d912c-b33f-43d4-a035-01ba74bd94ae@mailsvr.mydomain.local> Queued mail for delivery
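As a result, the Test2@mydomain.local mailbox received a message that impersonated test@mydomain.local!
This strikes me as very dangerous, because anyone who knows my domain name can use my SMTP server and some user's address to send mail! For example, sending mail while impersonating the boss, and so on. It is really troublesome!!
Is there any way to fix this hole?
Problem analysis and solution
For Exchange 2007, by default the Anonymous user permission group has the following permissions: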
Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
This permission allows senders that have e-mail addresses in authoritative domains to establish a session to this Receive connector.
Ms-Exch-Accept-Headers-Routing
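To stop others from impersonating your domain to send mail to you, you can use the following method:
Get-ReceiveConnector "My Test ReceiveConnector" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
Replace My Test ReceiveConnector with the actual name of your Receive connector; note that it is the one on port 25. You can use Get-ReceiveConnector to view its identity.
This operation does not affect POP3 accounts sending and receiving mail, because a POP3 account must be authenticated by the server before it sends mail, and once authenticated, the permission group that user receives is the Exchange user group.
Of course, you can also add the permission back by running the following command.
Add-ADPermission -Identity "Default 150795M1" -User "NT AUTHORITY\Anonymous Logon" -ExtendedRights ms-exch-smtp-accept-authoritative-domain-sender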
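An added example, not part of the original answer: a read-only audit for the Exchange Management Shell that lists every Receive connector and shows whether the anonymous logon still holds the right discussed above. The function name Test-AnonymousAuthoritativeSender and the output column names are hypothetical.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# It only reads permissions; it changes nothing.
$right = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'

# Hypothetical helper: takes the Get-ADPermission output for one connector and
# returns $true when the anonymous logon is allowed the right and no Deny entry
# for the same right overrides that allow.
function Test-AnonymousAuthoritativeSender {
    param($Permissions)
    $entries = @($Permissions | Where-Object {
        ("$($_.User)" -eq $anon) -and
        (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains $right)
    })
    $allow = @($entries | Where-Object { -not $_.Deny })
    $deny  = @($entries | Where-Object { $_.Deny })
    return (($allow.Count -gt 0) -and ($deny.Count -eq 0))
}

Get-ReceiveConnector | ForEach-Object {
    $c = $_
    # Same pipeline form as the command in the answer, without the removal step.
    $perms = @($c | Get-ADPermission -User $anon)
    # Connectors that do not accept anonymous sessions are not reachable this way.
    $acceptsAnon = "$($c.PermissionGroups)" -match 'AnonymousUsers'
    $canSpoof    = Test-AnonymousAuthoritativeSender $perms
    $c | Select-Object Identity, Bindings,
        @{ Name = 'AcceptsAnonymous';       Expression = { $acceptsAnon } },
        @{ Name = 'AnonCanUseOwnDomainSender'; Expression = { $canSpoof } }
} | Format-Table -AutoSize
```

A connector that shows True in both columns still accepts unauthenticated mail whose sender address is in one of your authoritative domains.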
