Exchange 2010 – Configure Anonymous Relay to External Domains

By | February 4, 2010

One thing that caught me by surprise in Exchange 2010 was the new ways it handled relaying to external domains. Well Microsoft is moving closer and closer to lockdown by default type of methodology for their systems; making you open the holes you want to open. Well what this did was made me troubleshooting why notifications from network applications were going to internal users instead of external users.

 

Here is how you fix it.

Create a new SMTP Receive Connector

Open up Exchange System Manager

Click on Server Configuration –> Hub Transport

Under Receive Connectors, right click and click “New Receive Connector…”

image

In the Introduction dialog

Under “Name”, type External Relay

Under “Select the intended use for this Receive connector” choose custom

Click Next

In the Local Network settings dialog

Leave Local IP Address(es) default

Under Specify the FQDN this connector will provide in response to HELO or EHLO:

Enter your fully qualified domain name of your mail server.

image

 

 

Under the Remote Network Settings dialog

Enter in the IP addresses and subnet mask’s in CIDR notation

As an example, I want a server who’s IP address is 192.168.12.30 255.255.255.0, the correct notation would be 192.168.12.30/32

Why do you do it that way even though the subnet mask should be /24? That is because if you entered in 192.168.12.30/24, you would allow your entire 192.168.12.0 subnet. The /32 means you want ONLY that host to allow to relay.

image

Click Next

Click new on the New Connector Configuration Summary dialog.

After that finishes, click on your External Relay connector and choose properties.

Click on the Authentication Tab and uncheck all boxes (unless all your developers actually programmed authentication into their applications which send the alerts…. yeah.. I didn’t think that would be the case)

image

Click ok

Next, open your Exchange Management Shell

Enter in the following command

Get-ReceiveConnector “External Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

Hit enter

And your done. Now your server with the IP Address of 192.168.12.30 can not only relay, but relay to external domains.

Please keep in mind that allowing anonymous relay isn’t necessarily a good idea, so lock it down the best you can by not allowing an entire subnet, or somehow force your programmers to configure authenticated smtp calls. Otherwise, this should do the trick. Sure I had to look into why this happened and a few people weren’t getting emails, but I am happy Microsoft is finally locking things down with their servers.

Leave a Reply

Your email address will not be published. Required fields are marked *