User account was locked out from exchange server - how to prevent in future?

I had a bizarre instance this morning and I'm hoping someone can help me shed some light as to what's happened.

A user complained about being locked out this morning. After resetting the password, we noticed that the account was almost instantaneously locked out again. We looked through the audit logs to discover the requests were coming from our Exchange server - something I had never really seen before.

We looked through the OWA logs to discover that there were no entries in there corresponding to that username. We disabled OWA, ActiveSync, MAPI, etc., and the account continued to be locked out.

After looking through the event viewer logs on the Exchange server, we came across this entry.

Inbound authentication failed with error LogonDenied for Receive connector Default EMAILSERVER. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [XX.XX.XX.XX].

With nowhere left to turn, we black-holed the traffic from that IP address and the account lockouts ceased. This was a public IP address that resolved to a country where I would not expect to receive much mail from.

My questions are:

  • How was this IP address attempting to authenticate? I can't see anything in my logs that would make any sense to me as to the vector through which they tried to log in.
  • How can I prevent this from happening in the future? This is Exchange 2010 SP3 and unfortunately Edge Transport is not a viable option at this point :(

"Receive connector" means SMTP. Look at your transport connector logs.

Unless you have a good reason to, you shouldn't let Exchange users authenticate to an external SMTP connector. That would stop this problem from happening.

You should have:

  • One receive connector dedicated to receiving email from the internet with just TLS (and possibly Mutual TLS Auth) turned on.

If you have anything else that needs SMTP, then you should have more connectors:

  • If you have devices inside your network (like copiers/scanners) that need to send to your users, then you should have a connector for that. This should have TLS and auth enabled but restricted to a specific service account.
  • If you have internal devices that don't support auth or TLS, then another connector should be configured with IP restrictions.
  • External users that need to send via authenticated SMTP should be on a different port (usually 587) and required to use TLS.
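An added Exchange Management Shell example (not the answerer's own commands) of the connector layout described above for Exchange 2010, plus the protocol logging that makes future AUTH attempts visible; the server name EMAILSERVER is taken from the event in the question, while the new connector names and the 192.0.2.0/24 and 198.51.100.5 IP ranges are placeholders you would replace with your own.

```powershell
# Added example, not from the original answer. EMAILSERVER comes from the question;
# connector names and RemoteIPRanges below are placeholder assumptions.

# 1. Audit: which receive connectors currently offer Basic/LOGIN (or NTLM) auth
#    to anonymous senders? Any hit here is a connector an internet host can
#    brute-force with AUTH LOGIN, which is what locked the user out.
Get-ReceiveConnector -Server EMAILSERVER |
    Where-Object { ($_.PermissionGroups -match 'AnonymousUsers') -and
                   ($_.AuthMechanism -match 'BasicAuth|Integrated') } |
    Format-Table Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups -AutoSize

# 2. Internet-facing connector: advertise STARTTLS only, no Basic/NTLM auth.
#    ExchangeServer auth stays so other Hub Transport servers can still deliver.
Set-ReceiveConnector "EMAILSERVER\Default EMAILSERVER" `
    -AuthMechanism Tls, ExchangeServer `
    -PermissionGroups AnonymousUsers, ExchangeServers, ExchangeLegacyServers

# 3. Internal copiers/scanners that can authenticate: Basic auth only over TLS,
#    limited to their subnet; give them a dedicated service account.
New-ReceiveConnector -Name "Internal Devices (auth)" -Server EMAILSERVER -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 192.0.2.0/24 `
    -AuthMechanism Tls, BasicAuthRequireTLS -PermissionGroups ExchangeUsers

# 4. Internal devices with no auth/TLS support: anonymous relay restricted to
#    their exact addresses. Exchange picks the connector with the most specific
#    RemoteIPRanges match, so this wins over the Default connector for that host.
New-ReceiveConnector -Name "Internal Devices (no auth)" -Server EMAILSERVER -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 198.51.100.5 `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# 5. External users who must send via authenticated SMTP: port 587, TLS required.
New-ReceiveConnector -Name "Client Submission 587" -Server EMAILSERVER -Usage Custom `
    -Bindings 0.0.0.0:587 -RemoteIPRanges 0.0.0.0-255.255.255.255 `
    -AuthMechanism Tls, BasicAuthRequireTLS -PermissionGroups ExchangeUsers `
    -RequireTLS $true

# 6. Verbose protocol logging records every AUTH command with its source IP in
#    %ExchangeInstallPath%TransportRoles\Logs\ProtocolLog\SmtpReceive, which is
#    where the question's "vector" would have been visible.
Get-ReceiveConnector -Server EMAILSERVER | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
```

Removing ExchangeUsers from the Default connector does not affect Outlook (MAPI) users, but any internal script or device that authenticated over SMTP on port 25 must be moved to the 587 connector or the device connector before step 2 is applied.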