I had a bizarre instance this morning and I'm hoping someone can help me shed some light on what happened.
A user complained about being locked out this morning. After resetting the password, we noticed that the account was almost instantaneously locked out again. We looked through the audit logs to discover the requests were coming from our Exchange server - something I had never really seen before.
We looked through the OWA logs to discover that there were no entries in there corresponding to that username. We disabled OWA, ActiveSync, MAPI, etc., and the account continued to be locked out.
After looking through the event viewer logs on the Exchange server, we came across this entry.
Inbound authentication failed with error LogonDenied for Receive connector Default EMAILSERVER. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [XX.XX.XX.XX].
With nowhere left to turn, we black-holed the traffic from that IP address and the account lockouts ceased. This was a public IP address that resolved to a country from which I would not expect to receive much mail.
My questions are:
- How was this IP address attempting to authenticate? I can't see anything in my logs that would make any sense to me as to the vector through which they tried to log in.
- How can I prevent this from happening in the future? This is Exchange 2010 SP3 and unfortunately Edge Transport is not a viable option at this point :(
"Receive connector" means SMTP. Look at your transport connector logs.
Unless you have a good reason to, you shouldn't let Exchange users authenticate to an external SMTP connector. That would stop this problem from happening.
You should have:
If you have anything else that needs SMTP, then you should have more connectors:
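As an added illustration of the answer's advice (not code from the answerer or from Microsoft), the following Exchange Management Shell script audits the receive connectors on a Hub Transport server for the risky combination behind this lockout pattern: an internet-facing connector that also offers Basic/Login authentication to Exchange users. It assumes Exchange 2010, a server name taken from the question's placeholder `EMAILSERVER`, and the masked client IP `XX.XX.XX.XX`; the `Set-ReceiveConnector` call is run with `-WhatIf` so nothing changes until you remove that switch.

```powershell
# Added example, not part of the original answer. Run in the Exchange 2010
# Management Shell. Server name and client IP are placeholders from the question.
$server   = "EMAILSERVER"
$clientIp = "XX.XX.XX.XX"

# An internet-facing connector accepts anonymous mail or is open to any remote
# address. If it also advertises BasicAuth (AUTH LOGIN) to ExchangeUsers, any
# host on the internet can submit credentials for any AD account and trip the
# lockout threshold, which is what produced the "LogonDenied" events.
$risky = Get-ReceiveConnector -Server $server | Where-Object {
    ($_.PermissionGroups -match 'AnonymousUsers' -or
     $_.RemoteIPRanges  -match '^0\.0\.0\.0-255\.255\.255\.255$') -and
    ($_.AuthMechanism   -match 'BasicAuth') -and
    ($_.PermissionGroups -match 'ExchangeUsers')
}

$risky | Format-Table Identity, Bindings, AuthMechanism, PermissionGroups, ProtocolLoggingLevel -AutoSize

foreach ($rc in $risky) {
    # Strip Basic auth (and BasicAuthRequireTLS) and the ExchangeUsers permission
    # group from the internet-facing connector. Inbound internet mail arrives
    # anonymously and never needs them; clients that must relay with credentials
    # belong on a separate connector scoped to internal RemoteIPRanges.
    $auth  = @($rc.AuthMechanism.ToString()   -split ',\s*' | Where-Object { $_ -notmatch 'BasicAuth' })
    $perms = @($rc.PermissionGroups.ToString() -split ',\s*' | Where-Object { $_ -ne 'ExchangeUsers' })
    if ($auth.Count  -eq 0) { $auth  = @('None') }   # enum cannot be empty
    if ($perms.Count -eq 0) { $perms = @('None') }

    # Verbose protocol logging records every AUTH attempt per session and IP,
    # which is the "transport connector log" evidence that was missing here.
    Set-ReceiveConnector -Identity $rc.Identity `
        -AuthMechanism ($auth -join ',') `
        -PermissionGroups ($perms -join ',') `
        -ProtocolLoggingLevel Verbose -WhatIf
}

# Once Verbose logging is on, pull the sessions from the offending client out
# of the SMTP receive protocol logs for this server.
$logPath = (Get-TransportServer -Identity $server).ReceiveProtocolLogPath
Get-ChildItem -Path $logPath -Filter *.log |
    Select-String -Pattern ([regex]::Escape($clientIp)) |
    Select-Object -First 20
```

Remove `-WhatIf` only after confirming the flagged connector is the internet-facing one and that no internal device relies on authenticating through it.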