We run an Exchange 2016 on-prem. As our internet-facing SMTP Receive connector we use a FrontendTransport connector. For some reason, it looks like the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender Deny for Anonymous Logon does not apply. First I removed the AD permission using this command:
Get-ReceiveConnector "Connector Name" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"} | Remove-ADPermission
Then I even explicitly denied the permission via the ADSI Edit security tab, but with no success. Mail with an authoritative domain in the sender email address can still be sent through this connector. This is not true for a test connector of type Hub Transport.
Is this as designed? Do I need to create my internet SMTP connector as a Hub Transport connector? What is the difference anyway?
Interestingly, I could bet this worked in the past. I configured that several years ago and, from what I can remember, the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender Deny for Anonymous Logon did work.
Kind regards,
Dieter
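An audit script for the situation described in the post, added here as an example (it is not the poster's code and not an Exchange-provided tool). It enumerates every Receive connector, reports its transport role, whether anonymous users are allowed by PermissionGroups, and whether "NT AUTHORITY\Anonymous Logon" holds an Allow or Deny ACE for ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, so the state of both the FrontendTransport and the Hub Transport test connector can be compared side by side. It assumes it is run from the Exchange Management Shell by an account permitted to call Get-ReceiveConnector, Get-ADPermission and Get-AcceptedDomain; the function name and the output fields are this example's own choices.

```powershell
# Added audit example (not the original poster's code): read-only check of which
# Receive connectors still let Anonymous Logon use the
# ms-Exch-SMTP-Accept-Authoritative-Domain-Sender extended right.
# Assumption: run from the Exchange Management Shell with rights to query
# connectors and their AD ACLs. Nothing is modified.

$principal = 'NT AUTHORITY\Anonymous Logon'
$right     = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'

# The extended right governs senders in accepted domains of type Authoritative,
# so list those domains for the final report.
$authoritativeDomains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' } |
    Select-Object -ExpandProperty DomainName

function Get-AnonAuthoritativeSenderState {
    # Hypothetical helper name chosen for this example.
    param([Parameter(Mandatory)] $Connector)

    # Only ACEs for the anonymous principal that carry the right in question.
    $aces = $Connector | Get-ADPermission -User $principal |
        Where-Object { $_.ExtendedRights -like $right }

    [pscustomobject]@{
        Connector      = $Connector.Identity
        TransportRole  = $Connector.TransportRole      # FrontendTransport or HubTransport
        AnonymousUsers = [bool]("$($Connector.PermissionGroups)" -match 'AnonymousUsers')
        AllowAce       = @($aces | Where-Object { -not $_.Deny }).Count -gt 0
        DenyAce        = @($aces | Where-Object { $_.Deny }).Count -gt 0
        Inherited      = @($aces | Where-Object { $_.IsInherited }).Count -gt 0
    }
}

$report = Get-ReceiveConnector | ForEach-Object { Get-AnonAuthoritativeSenderState -Connector $_ }
$report | Format-Table -AutoSize

# Highlight connectors that accept anonymous sessions and have no Deny ACE for
# the right: on those, mail claiming an authoritative sender domain is accepted
# from unauthenticated sources unless some other control rejects it.
$report | Where-Object { $_.AnonymousUsers -and -not $_.DenyAce } | ForEach-Object {
    Write-Warning ("{0} ({1}): no Deny for {2} on {3}; authoritative domains [{4}] are accepted from anonymous senders here" -f `
        $_.Connector, $_.TransportRole, $right, $principal, ($authoritativeDomains -join ', '))
}
```

The Inherited column is worth reading together with AllowAce: a right that shows up as inherited after Remove-ADPermission was run on the connector object itself will not be removed by that command, which is one reason a connector can keep accepting authoritative senders after the explicit ACE is gone. The script only reports; any change to the ACL is still done with Add-ADPermission or Remove-ADPermission as in the post.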