One thing that caught me by surprise in Exchange 2010 was the new way it handles relaying to external domains. Microsoft is moving closer and closer to a locked-down-by-default methodology for its systems, making you open the holes you want open. What this did was leave me troubleshooting why notifications from network applications were being delivered to internal users but not to external users.
Here is how you fix it.
Create a new SMTP Receive Connector
Open up Exchange System Manager
Click on Server Configuration –> Hub Transport
Under Receive Connectors, right click and click “New Receive Connector…”
In the Introduction dialog
Under “Name”, type External Relay
Under “Select the intended use for this Receive connector” choose custom
Click Next
In the Local Network settings dialog
Leave Local IP Address(es) default
Under Specify the FQDN this connector will provide in response to HELO or EHLO:
Enter the fully qualified domain name of your mail server.
Under the Remote Network Settings dialog
Enter the IP addresses and subnet masks in CIDR notation
As an example, if I want to allow a server whose IP address is 192.168.12.30 with subnet mask 255.255.255.0, the correct notation would be 192.168.12.30/32
Why do it that way when the subnet mask is actually /24? Because if you entered 192.168.12.30/24, you would allow the entire 192.168.12.0 subnet to relay. The /32 means you want ONLY that host to be allowed to relay.
Click Next
Click New on the New Connector Configuration Summary dialog.
After that finishes, click on your External Relay connector and choose properties.
Click on the Authentication tab and uncheck all boxes (unless all your developers actually programmed authentication into the applications that send the alerts… yeah, I didn't think that would be the case)
Click OK
Next, open your Exchange Management Shell
Enter the following command
Get-ReceiveConnector “External Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”
Hit Enter
And you're done. Now your server with the IP address 192.168.12.30 can not only relay, but relay to external domains.
Please keep in mind that allowing anonymous relay isn't necessarily a good idea, so lock it down as best you can by not allowing an entire subnet, or somehow force your programmers to configure authenticated SMTP calls. Otherwise, this should do the trick. Sure, I had to look into why this happened and a few people weren't getting emails, but I am happy Microsoft is finally locking things down with their servers.
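The same connector can be built entirely from the Exchange Management Shell, which also makes it easy to audit later for exactly the problem the last paragraph warns about: an anonymous relay connector whose remote range is wider than one host. The script below is an added example, not part of the original post; the server name HUB01 and the FQDN mail.example.com are placeholders, and the 192.168.12.30 host and the "External Relay" name are taken from the steps above. It assumes the standard Exchange 2010 cmdlets (New-ReceiveConnector, Get-ReceiveConnector, Add-ADPermission, Get-ADPermission) and Exchange 2010's PowerShell 2.0, so it avoids [PSCustomObject].

```powershell
# Added example (not the original post's code): create the "External Relay"
# receive connector from the shell, grant the relay right, then audit every
# receive connector on the server for anonymous relay to more than one host.
# Placeholders: HUB01 (Hub Transport server) and mail.example.com (EHLO FQDN).

$ConnectorName = "External Relay"
$RelayHost     = "192.168.12.30/32"   # /32 = this single host only, never the whole /24
$HubServer     = "HUB01"              # placeholder Hub Transport server name
$Fqdn          = "mail.example.com"   # placeholder FQDN returned in response to EHLO

# 1. Create the connector: custom usage, no authentication, one remote host,
#    and the Anonymous Users permission group so unauthenticated SMTP is accepted.
New-ReceiveConnector -Name $ConnectorName -Usage Custom -Server $HubServer `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $RelayHost -Fqdn $Fqdn `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# 2. Grant the extended right that actually permits relay to external domains
#    (this is the same command the post runs after the GUI steps).
Get-ReceiveConnector "$HubServer\$ConnectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Audit: for every receive connector where ANONYMOUS LOGON holds
#    Accept-Any-Recipient, list each remote range and flag any that covers
#    more than a single host (a /24 entered by mistake, for example).
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $anonRelay = $connector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" }
    if ($anonRelay) {
        foreach ($range in $connector.RemoteIPRanges) {
            # An IPRange whose lower and upper bound differ spans more than one address.
            $wide = ($range.LowerBound.ToString() -ne $range.UpperBound.ToString())
            if ($wide) { $status = "WIDE - tighten to /32" } else { $status = "single host" }
            New-Object PSObject -Property @{
                Connector = $connector.Identity.ToString()
                Range     = $range.ToString()
                Status    = $status
            }
        }
    }
} | Format-Table Connector, Range, Status -AutoSize
```

Run the audit section on its own whenever a connector is changed; any row marked WIDE is a connector that lets every host in that range relay anonymously to external domains, which is the subnet-wide exposure the /32 notation above is meant to avoid.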