In Exchange Server 2003, you can allow anonymous SMTP hosts to relay mail by adding their IP address(es) in SMTP Virtual Server Properties | Access tab | Relay. Hosts that require anonymous relay capability include application servers and devices such as copiers, which scan documents and send them as email attachments.
Starting with Exchange Server 2007, Exchange implemented its own SMTP protocol stack – unlike Exchange Server 2003/2000, you no longer need to install the SMTP service from IIS. SMTP Virtual Servers have been replaced by Receive Connectors. Understandably, the way you allow relaying has changed as well.
Do you really need to allow relaying?
Before you set up anonymous relaying, it’s important to understand what relaying actually is. If your application servers or devices like copiers need to send mail only to internal recipients – i.e. to addresses in a domain for which Exchange has an Accepted Domain (or a Recipient Policy in Exchange Server 2003/2000) and therefore already accepts inbound mail – that is not considered relaying. The application server or device should be able to do this without any configuration on Exchange.
Recipient Policies and Exchange Server 2010/2007
In Exchange 2003, Recipient Policies tell Exchange which domains to receive inbound email for, and also generate email addresses for recipients using those domains. Exchange 2007 splits this functionality into two parts:
- Accepted Domains: as the name suggests, an Accepted Domain tells Exchange which domain to accept inbound email for
- Email Address Policies: these actually generate the email addresses
In Exchange Server 2003/2000, you use Active Directory Users & Computers (ADUC) to create recipients such as user accounts and distribution groups. Exchange’s Recipient Update Service (RUS) monitors Active Directory for new recipients or changes to existing recipients and applies Recipient Policies.
In Exchange 2007 and later, there’s no RUS (or its role is so diminished that it’s safe to say there’s no RUS). Recipients are provisioned in Exchange using the Exchange Management Console (EMC) or the Exchange Management Shell (EMS), and Email Address Policies are applied in real time.
Just like previous versions, Exchange 2010/2007 allows authenticated relaying by default. So if your application server or device can authenticate, you should configure it to do so and avoid allowing anonymous relaying altogether. However, some applications or devices may not be able to authenticate. You may need to allow anonymous relaying when the application server or device receives the SMTP error message:
550 5.7.1 Unable to relay
Relaying: The easy way, and the secure way
The best way to allow unauthenticated relaying, or certainly the more secure and recommended one, is to create or use a Receive Connector dedicated to this purpose. I recommend this approach even on Exchange Server 2003/2000: it’s not a good idea to use your Internet-exposed SMTP virtual server to allow anonymous relaying, even if restricted to specified IP addresses.
Scott Landry wrote about this recently on the Exchange team blog in “Allowing application servers to relay off Exchange Server 2007“.
For the new Receive Connector, you’ll want another IP address on your Exchange server.
The alternative is to create a new Receive Connector that listens on a different port instead of the default SMTP port (TCP port 25). Most app servers and devices don’t like this (which shouldn’t be a surprise, because these are coded by the same developers who decided against providing for authenticated SMTP), and many won’t let you configure an alternate port for sending SMTP mail. Rather than mess with non-default ports for SMTP, and having to configure every client that submits to it to use the same non-default port, it’s best to add another IP address to your Exchange server and create a new Receive Connector.
Receive Connector Bindings in Exchange 2010/2007
Server processes communicating using TCP/IP listen on a particular port number on a given network interface or IP address. This combination of IP address + port number is known as a socket or binding. Two processes can’t use the same socket at the same time; each needs a unique binding. In Exchange 2003, SMTP Virtual Servers bind to a socket, specified by a unique combination of IP address + port number. This means two SMTP Virtual Servers can’t bind to the same IP address + port combination.
In Exchange 2010/2007, Receive Connectors also consider the RemoteIPRanges (the IP addresses or subnets that are allowed to connect to a Receive Connector), in addition to the IP address + port combination, as part of the unique binding. This means you can create more than one Receive Connector using the same IP address + port combination but different RemoteIPRanges, which allows you to enforce different settings for different SMTP hosts that connect to the same IP address + port.
Allow relaying: The easy way
With the new IP address added to the Exchange server – let’s say it is 192.168.1.17, and your app server, device or copier that needs to relay is 192.168.1.100 – fire up the Exchange Management Shell and use the following command:
New-ReceiveConnector -Name RelayConnector -Usage Custom -Bindings '192.168.1.17:25' -Fqdn server.domain.com -RemoteIPRanges 192.168.1.100 -Server MYEXCHANGESERVER -PermissionGroups ExchangeServers -AuthMechanism 'TLS, ExternalAuthoritative'
What this does:
- Creates a new Receive Connector called RelayConnector
- Specifies the usage type Custom
- Binds the Receive Connector to port 25 on IP address 192.168.1.17
- Gives it the FQDN of server.domain.com
- Allows only the host with the IP address 192.168.1.100 to connect to it (specified by the RemoteIPRanges parameter)
- Additionally, and most importantly, it assigns the ExchangeServers permission group to it, and disables authentication. When you select ExternalAuthoritative for authentication, you’re telling Exchange that you completely trust the IP address(es) or subnets specified in the RemoteIPRanges parameter (192.168.1.100) and you have another authentication mechanism outside of Exchange, such as IPSec, to authenticate.
This also bypasses all security for messages received from that IP address. Because Exchange treats all hosts specified in RemoteIPRanges as trusted, it doesn’t apply anti-spam filters, doesn’t enforce message size limits, resolves P2 headers, and allows sending on behalf of users. Going back to Exchange Server 2003, this is somewhat similar to adding the sending host’s address to Connection Filtering’s Global Accept list.
A better, more secure way to allow relaying
If you want it to be more secure, you can create a Receive Connector with PermissionGroups set to AnonymousUsers:
New-ReceiveConnector -Name RelayConnector -Usage Custom -Bindings '192.168.1.17:25' -Fqdn server.domain.com -RemoteIPRanges 192.168.1.100 -Server MYEXCHANGESERVER -PermissionGroups AnonymousUsers
Notice that we’ve left out the AuthMechanism parameter in the above command. However, we’re still restricting it to a particular IP address, 192.168.1.100. The big difference from the previous approach is that we’re not treating the host as trusted.
Next, allow anonymous users to relay. This is done by allowing anonymous users the extended right ms-Exch-SMTP-Accept-Any-Recipient for this Connector:
Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Exchange 2010/2007 and the transport permissions model
In Exchange 2010/2007, you can assign granular permissions to security principals on Receive Connectors and Send Connectors. For instance, if you want messages from a certain sender to bypass Exchange’s anti-spam filters, you can assign the ms-Exch-Bypass-Anti-Spam permission to that sender on a Receive Connector. Note, however, that the sender’s identity can only be established if they’re authenticated. Mail from all unauthenticated senders, which includes most Internet mail, is treated as being received from Anonymous (the permissions assigned to NT AUTHORITY\ANONYMOUS LOGON apply).
For more information about transport permissions in Exchange 2010, check out Understanding Receive Connectors and Understanding Send Connectors. For Exchange 2007, see “Exchange Server 2007 Transport Permissions Model” in Exchange Server 2007 documentation.
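Because both approaches above hinge on the connector’s RemoteIPRanges staying narrow, it is worth being able to see at a glance which connectors can relay anonymously and how widely. The following audit script is an added example, not part of the original post; it assumes the Exchange Management Shell on Exchange 2010 (PowerShell 2.0), uses only the cmdlets and properties named in this post (Get-ReceiveConnector, Get-ADPermission, RemoteIPRanges, PermissionGroups, AuthMechanism), and assumes the catch-all range renders as 0.0.0.0-255.255.255.255.

```powershell
# Added example (not from the original post): list every Receive Connector
# with how it can relay anonymously, so an over-broad RemoteIPRanges on a
# relay connector stands out. Assumes the Exchange Management Shell on
# Exchange 2010 with PowerShell 2.0.

# How Exchange renders a RemoteIPRanges entry that admits every IPv4 host.
$everything = '0.0.0.0-255.255.255.255'

function Get-RelayExposure {
    # Returns one record per Receive Connector.
    foreach ($rc in Get-ReceiveConnector) {
        # The "easy way": ExternalAuthoritative trusts every host in
        # RemoteIPRanges and bypasses anti-spam, size limits and sender checks.
        $externalAuth = ($rc.AuthMechanism.ToString() -match 'ExternalAuthoritative')

        # The "more secure way": AnonymousUsers plus the
        # ms-Exch-SMTP-Accept-Any-Recipient extended right for ANONYMOUS LOGON.
        $anonRelay = $false
        if ($rc.PermissionGroups.ToString() -match 'AnonymousUsers') {
            $perms = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                         -ErrorAction SilentlyContinue
            $anonRelay = [bool]($perms | Where-Object {
                $rights = ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -join ','
                (-not $_.Deny) -and ($rights -like '*Accept-Any-Recipient*')
            })
        }

        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $openToAll = ($ranges -contains $everything)

        New-Object PSObject -Property @{
            Connector      = $rc.Identity.ToString()
            Bindings       = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ',')
            RemoteIPRanges = ($ranges -join ',')
            ExternalAuth   = $externalAuth
            AnonymousRelay = $anonRelay
            # Relay capability combined with the catch-all range is an open relay.
            OpenRelayRisk  = ($openToAll -and ($externalAuth -or $anonRelay))
        }
    }
}

Get-RelayExposure | Sort-Object OpenRelayRisk -Descending |
    Format-Table Connector, Bindings, RemoteIPRanges, ExternalAuth, AnonymousRelay, OpenRelayRisk -AutoSize
```

A connector that shows OpenRelayRisk as True is the situation the comments below warn about: the anonymous relay right (or ExternalAuthoritative trust) granted without a restrictive RemoteIPRanges.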
What’s the difference?
The difference between the two approaches can be seen when you send test messages, as shown in the following screenshot:
The first message, at 9:22 AM, came through the first Connector: the message was received without authentication but actually shows up as sent by me, because the P2 headers are resolved. (More about resolving anonymous senders in a previous post: “A Late New Year’s Resolution: Do Not Resolve Anonymous Senders”.) The second message, at 9:34 AM, shows up with the sender’s SMTP address.
The second message also went through the anti-spam filters – a quick check of the message headers reveals the antispam headers.
Thank you for this detailed and accurate instruction set. This saved me a lot of research and work trying to figure this out on my own – Thank You, Thank You.
In Exchange 2003 we had the choice of connect or relay. Also we had the option of using ipsec.vbs to import hosts.
1. Can new receive connectors be set to “connect” or “relay”?
2. If there’s 100 hosts we need to import from Exchange 2003 for example, can the addresses be separated by commas? ipsec.vbs cannot be used?
Correct me if I’m wrong, but by allowing the anonymous group ms-Exch-SMTP-Accept-Any-Recipient permissions you would in fact open up your Exchange server as an open relay to the external world, since the default Receive Connector has the Anonymous Group enabled?
If you didn’t restrict your Receive Connector to a particular IP address (or IP ranges) using the RemoteIPRanges parameter, as shown in the example, yes, you would in fact open up relaying to the world on an internet-facing Receive Connector.
Exchange Server 2007’s Receive Connectors have a different view of IP binding, unlike Exchange Server 2003/2000’s SMTP Virtual Servers. A binding is considered unique if it uses a unique combination of IP Address + TCP port + RemoteIPRanges. So it in fact allows multiple Receive Connectors to be created using the same IP address + TCP port, as long as you have different IP ranges specified.
However, I would recommend using a different IP address, if possible.
Bharat, even though the bindings are unique to each IP/port address, the permissions are standard throughout all bindings. Therefore if you change the Anonymous permissions for a new binding, aren’t you changing the Anonymous permissions in every binding? If I have a default binding with the Anonymous permission and a custom group with Anonymous, would they have the same permissions?
No. Each Receive Connector has its own set of permissions. Changing permissions on one Receive Connector does not change permissions on another Receive Connector that’s bound to the same IP address + port combination (but a different RemoteIPRange).
In other words, when creating Receive Connectors (with same IP + port) for different RemoteIPRanges, think of this as assigning permissions (or other settings) to connections from IP address(es) in the corresponding RemoteIPRanges.
Excellent, thank you for the clarification. Could not find a clear answer from Microsoft on this.
Mahalo nui loa – thanks very much from Honolulu, Hawaii.
Aloha, reader from Hawaii…
Hope to return to Honolulu soon! :)
How do I do this for a range of addresses, like 192.168.1.100-101?
What I did was run the command like you had it stated, then after it created the receive connector I added the other addresses using the GUI. However it appears to not care about the other IPs. The first allows relay, the others reply “Unable to relay”. I tried disable/enable, not willing to reset exchange.
Finally, why so difficult? In 2003 one graphical utility you click, it works. Now, two blocks of text and it appears that graphical may have a bug?
-Rob
I would like to relay to/from an Exchange server on the internet through my intranet Exchange server.
Let me explain:
My home Exchange server is blocked from sending and receiving on port 25 by my ISP (AT&T doesn’t allow any port 25 traffic on consumer DSL lines). I would like to use my office Exchange 2007 server as a relay for port 26 SMTP traffic to and from my Exchange 2003 SBS server. I’ve got the receive connector working, but the send connector and possibly other settings have me baffled. Any help you can give me would be excellent, as my boss would also like to do this from his home Exchange 2003 SBS server.
Thank you,
Benjamin
Is there an upper limit on the number of relaying hosts you can add to the RemoteIPRanges section?
Hi. I have two HUBs and I would like to configure a Receive connector to allow relay from certain IP range on both of them in one shot. Is this possible? Or do I need to run a separate powershell for each HUB?
Also how would I go about appending a new IP range instead of overwriting the existing?
What should be the result of Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"?
I got:
Identity User Deny Inherited Rights
——– —- —- ——— ——
SERVER\InternalR… NT AUTHORITY\ANON… False False ms-Exch-SMTP-Accep…
Is this correct?
@Anonymous from July 15: I’m not aware of any upper limits on number of hosts in RemoteIPRanges.
@Anonymous from Aug 26: Yes, you could do it in one shot, but the command would get fairly complicated and you’d spend more time fiddling/testing it. :)
@Anonymous from Oct 14: Yes, that looks about right. If you use Get-ReceiveConnector "MyConnector" | Get-ADPermission -User "NT Authority\AnonymousLogon", you should see the ms-Exch-SMTP-Accept-Any-Recipient permission assigned. The Deny column displays False, and so does the Inherited column (because we allowed the permission, not denied it, and the permission is explicitly assigned – not inherited).
Hi Bharat,
We have around 500 applications which are using the Exchange 2007 receive connector to send out or relay their mail through Exchange, but one particular application is not able to relay through the 2007 server in spite of all the settings on the receive connector. They are not able to provide me any logs from which I can find out the issue. Is there any way to find the logs on the Exchange server, so that I can provide you a more specific error? I even tried to create a new receive connector with relay permission for Anonymous, but it was also not successful in my case. Your help is really appreciated. Thanks.
Sunil Bansal.
There is a limit for hosts on the RemoteIP for the connector.
We have reached it around 1200.
Another connector for the same IP:port has to be created.
@Anonymous from Feb. 17: It would be a good idea to go back to the drawing board and figure out why that many hosts are allowed to relay, and if IP ranges can be used to reduce the individual entries.
This works for me to relay from another device/server, but I also want to relay from the Exchange 2007 box itself. I want to use the Server 2008 event log trigger to email alerts. In Exchange 2003 I would add 127.0.0.1 as an allowed relay and use localhost in the SMTP server section of the app I was emailing from. Doesn’t seem to work in 2007.
This is by far the most extensive overview of relaying in Exchange 2010. Very well written!
I’m trying to setup Exchange 2010 with NO edge transport servers. I have 2 ht/cas servers and 2 mailbox servers. I want to be able to receive mail from the internet, and I want to be able to have our scripts/apps relay mail to external recipients, but I don’t want to allow relay for mail received from the internet. I cannot see a way to do this in Exchange 2010. It seems that if I have a receive connector setup to receive internet mail and I have a send connector setup to send internet mail and I then also have an accepted domain setup for external relay to *, then my server is effectively an open relay on the internet, which I obviously do not want. I cannot figure out how I can allow my scripts/apps to relay to any external domains while still having Exchange receive internet mail for the users on our domain without also then allowing any random internet user/server to use our Exchange to relay mail to any location. Is there something I’m missing here? Is there any way to do what I want without using edge transport and without having separate mail gateway devices? Thanks!
Never mind. I now understand that what I’m supposed to do is remove the * accepted domain, and instead simply follow your instructions above to create a new receive connector that is set to allow relay. I can then have all my apps/scripts use the IP of that receive connector to relay mail to external organizations, while still having the Default receive connector listening on a different IP address and receiving mail from the internet. The Default receive connector will NOT relay mail. Thanks, and sorry for the confusion.
I must be missing something; I keep getting “connection timed out”. I am trying to relay out of an application. First it said unable to relay. I set up the new receive connector and that fixed the relay error, but then I get a connection timed out error. Can anyone help me here?
Thanks
Rod
We have an ASP page using CDO to send emails through our Exchange server. It works fine on Exchange 2007. After upgrading to Exchange 2010 and configuring a receive connector for relay, the application is still able to send out emails using Exchange 2010, but it takes much longer and the script often times out trying to send out a large number of emails. Are there any settings we need to tweak on Exchange 2010 to make this work properly? What are we missing here? Thanks.
Did you fix your problem? How? Right now I’m having the same issue sending email through a third party application we have onsite.
Thanks for the help with this. We ran into a problem when implementing – when the device authorized to use the relay sends email to external addresses, it works fine. When trying to send to internal addresses (ie. [email protected]) the emails get lost in space somewhere – we can’t track them. Are there any ideas as to why this would occur?
Check SMTP Receive logs to figure out what’s going on.
I was able to have my matter resolved. After reviewing the logs, seeing that everything looked fine, it turned out that the user had a rule enabled to transfer emails from the admin account (the one used to process all internal system-generated notifications) to a designated folder. Thanks again for this clear and correct tutorial.
When I created the server I used 150.742.100.3. So then I followed your instructions and added another IP address 150.742.100.4 and configured a new receive connector that my server in Utah can use to relay email.
Now that configuration works fine, thanks for that!
As you know, when a receive connector is created it is set to use “All Available IP addresses” (in the network tab). If I leave this setting the way it is, will the two receive connectors conflict (because of the new bindings), or should I change the default receive connector from “All Available IP addresses” to “150.742.100.3”?
Yes, you must change all Receive Connectors which use the same port number to be bound to specific IP addresses to avoid socket/binding conflicts.
If you have a Receive Connector that uses a different port number (e.g. 525), and it’s the only connector which uses that port, you can continue to use the All (“All available IP addresses… “) binding for it.
Get-ReceiveConnector “MyConnector” | Get-ADPermission -User “NT Authority\Anonymous Logon”
Does not work. I get the message: NT Authority\Anonymous Logon was not found.
If you’re on the French version of Windows, try: AUTORITE NT\anonymous logon
Try using “NT Authority\Anonymous Logon”
That space in there made the difference for me on Exchange 2010
Hi, I have some 100 devices (mostly Linux servers or appliances) that need to send error messages, which means they need to be allowed to relay. As we use VLANs it means 100 or so different IP addresses. What is the best way to set up a connector so that all 100 addresses can relay? I don’t want to have to set up 100 separate relay connectors.
Set up one Receive Connector for relaying, and add the 100 IP addresses to the RemoteIPRanges property of the connector.
Hi Bharat,
I have a client who is wanting to relay emails from several hundred hosts on the Internet via their Exchange 2010 server to a particular address within the organisation. The internet hosts are devices that have limitations on the format of the sender email address they can use. They are all configured with different domains for the sender (e.g. [email protected] and [email protected]) but are all configured to authenticate using the same AD account on the relay. The problem we’re having is that the SMTP connector validates and authenticates the user no problem, but it then throws:
“550 5.7.1 Client does not have permissions to send as this sender”
I guess this is because the sender’s email address domain isn’t recognised by the connector. Is there any way we can create a custom connector that will allow relaying of the messages regardless of the sender’s domain? We will obviously ensure that the connector will only allow authenticated users to connect, to avoid an open relay situation. Thanks… David.
I know I’m a bit late in the game on this one, but in your shell command in the “Allow relaying: The easy way” section you have a ` and a ' around '192.168.1.17:25', which won’t work.
They need to be the same.
In saying that, thanks so much for the article. Saved my bacon.
Thanks for the feedback Andrew!
I followed the instructions exactly for the relaying and still cannot receive emails from an application on a server. The IP address of my email server is 10.1.40.50; I added a new IP to the NIC of 10.1.40.52 and used the commands to create the receive connector and use anonymous, and still no emails? Any ideas? Thanks.
Any error messages? Anything in agent logs (antispam) or SMTP logs?
Was a problem on the app, not exchange. thank you.
I’m having Xidan’s issue too… Please help!!
We have an ASP page using CDO to send emails through our Exchange server. It works fine on Exchange 2005. After upgrading to Exchange 2010 and configuring a receive connector for relay, the application is still able to send out emails using Exchange 2010, but it takes much longer and the script often times out trying to send out a large number of emails. Are there any settings we need to tweak on Exchange 2010 to make this work properly? What are we missing here? Thanks.
Jonathan:
I was just looking into this yesterday. This is a change in behavior. Basically, seems you can fix it with the following:
Set-ReceiveConnector “Connector Name” -MaxAcknowledgementDelay 0
See http://theangryangel.co.uk/blog/slow-relaying-with-microsoft-exchange-2010 for an explanation.
There are workarounds possible as well. I myself added the IIS SMTP service locally on the web server, set to relay to the Exchange server — a better setup anyway, IMHO.
Silly question, I follow and understand all the steps outlined, except for the first step. Where in SBS2011 do you add the second IP address for the Exchange server? I’m assuming that a second NIC isn’t required.
@MT: No, a second NIC is not required. One NIC can have multiple IP addresses. Also, as indicated in the post, in Exchange 2007/2010, unique binding consists of an IP address + port number + remote IP addresses/ranges. You can bind multiple Receive Connectors to the same IP address + port if each connector allows a different set of IP addresses/ranges (specified by the RemoteIPRanges parameter) to connect.
Hi all,
Is it possible to check the sender email address on a receive connector? I mean, in case permission was given to an IP address, can I make the receive connector accept only the sender email address that has been given permission (192.168.10.1 has relay permission and I want to accept only from the sender email address [email protected])?
thx M_.
No, that sort of mapping of hosts to allowed email addresses is not possible out of the box.
Hi, I was just curious as to why you recommend a 2nd ip address, when you can relay with just one.
As an additional security measure – also a vestige of previous Exchange versions which didn’t consider remote IP address/range a part of unique binding.
Hi,
You may also check how to send SMS from MS Exchange 2010 with Ozeki NG SMS Gateway:
sms-integration.com/p_131-ms-exchange-2010-sms.html
BR
Thanks for your document. I have a question. I have set up the relay as you describe. Exchange receives the message, but does not send it to the external address. Is there some logging that could tell me where it stops?
Alright, to an Exchange noob like me, this is kind of Greek. However, I created a receive connector and set it to anonymous in the permission groups. Didn’t touch authentication. Local IP addresses says to use all available, as I wasn’t sure what you meant by add another IP to Exchange. Only one NIC is physically in use. Receive mail from is set to the specific IP of the copier in question. The copier will send mail internally just fine, but nothing will go outside. Keeps telling me to check the destination address. To make it worse, it’s a Canon ImageRunner 5570 which I can find no support info on at all.
Shawn, I’ve recommended using a separate IP address for this. To make this possible, you’ll need to add another IP address to your server. One network interface can have more than one IP address. However, in Exchange 2007 and later, you can also bind multiple Receive Connectors to the same IP address; as long as the remote IP ranges (the IP addresses/ranges that connect to the Connector) are different, they’re considered unique bindings.
If you’ve added the copier’s IP address to the remote ip ranges of the new Receive Connector, the connector’s settings should apply. If the address is for a valid external domain and permissions on the Connector are correct, it should be able to send outbound mail.
What tells you to check the destination address? Can you otherwise send an email to that address?
Thanks for this info, but I have some queries. We have over 1000 IP addresses we need to add to a connector we already have in place, as we will shortly be removing the anonymous permissions from the default connector – not sure why it is there in the first place. We did this before and found we had to add all IPs to the relay list. Is it possible to script a CSV file etc. of the IP addresses into the connector allow list? Also I see above there is a maximum of 1200 allowed per connector – if we put the IP ranges in instead, will that get you past the maximum allowed and allow all server VLANs, for instance, to relay? Many Thanks.
1000 IPs does seem a lot – can none of these hosts requiring to relay authenticate? Authenticating would probably be the best alternative because authenticated senders don’t need additional permissions to relay and you don’t need to create a new Receive Connector for them.
If none of them can relay, I’d recommend adding IP ranges if possible.
Yes, you can add all IPs to a text/CSV file and use the Import-CSV cmdlet (built-in in Windows PowerShell) to parse csv and pipe result to Set-ReceiveConnector.
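The CSV-to-RemoteIPRanges approach described in the answer above, written out as an added example (not the post author’s own script). It assumes the Exchange Management Shell, a connector named RelayConnector (a placeholder, as the post uses it), and a constructed CSV with an IPAddress column; it appends to the existing ranges rather than overwriting them, which is the pitfall raised in an earlier comment.

```powershell
# Added example (not from the original post): bulk-add relay hosts from a CSV
# to an existing relay connector, appending to RemoteIPRanges rather than
# replacing it. Assumes the Exchange Management Shell; 'RelayConnector' is a
# placeholder for your connector's name.

$connectorName = 'RelayConnector'

# Constructed sample CSV. Single hosts, CIDR subnets and low-high ranges are
# all valid RemoteIPRanges entries; ranges keep the entry count down.
$csvPath = Join-Path $env:TEMP 'relay-hosts.csv'
@'
IPAddress,Description
192.168.1.100,Copier 1st floor
192.168.1.101,Copier 2nd floor
10.20.30.0/24,App server VLAN
10.40.0.10-10.40.0.20,Monitoring appliances
'@ | Set-Content -Path $csvPath

function Add-RelayHosts {
    param([string]$Name, [string]$Path)

    $rc = Get-ReceiveConnector $Name
    # Current entries as strings, so repeated runs do not add duplicates.
    $existing = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $added = @()

    foreach ($row in Import-Csv -Path $Path) {
        $entry = $row.IPAddress.Trim()
        if (-not $entry) { continue }
        if ($existing -contains $entry) { continue }
        # += on the multivalued property converts the string to an IPRange.
        $rc.RemoteIPRanges += $entry
        $existing += $entry
        $added += $entry
    }

    if ($added.Count -gt 0) {
        # Write the whole collection back. Passing only the new entries to
        # -RemoteIPRanges would replace the list instead of extending it.
        Set-ReceiveConnector -Identity $Name -RemoteIPRanges $rc.RemoteIPRanges
    }
    return $added
}

$added = Add-RelayHosts -Name $connectorName -Path $csvPath
"Added {0} entries to {1}: {2}" -f $added.Count, $connectorName, ($added -join ', ')
```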
I am getting an error when running the Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" command. Trust me, there are no typos. The error says that the connector could not be found in Active Directory. Help!!!
RelayConnector is a place holder – it should be replaced with the name of the connector that you created.
Thanks for this article! It was exactly what I needed to do to allow a scanner to email relay!
Hello would you mind stating which blog platform you’re working with? I’m looking to start my own blog soon
but I’m having a hard time making a decision between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design seems different than most blogs and I’m looking for something unique.
P.S Apologies for being off-topic but I had to ask!
WordPress with the Thesis theme/framework and a lot of customization.