Azy1412-2549 asked ·

Exchange 2016: Default Frontend Connector - "Ms-Exch-SMTP-Accept-Any-Recipient"

We've recently patched our Exchange servers, after the patch we received complaints that some of our applications were unable to send to external recipients. (the patch might not be the cause but it is the only recent change that was done on Exchange)


I've used telnet to check the sending to external recipients and received the following error:

550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain 451 4.7.0 Timeout waiting for client input


The application mail flow is: APP/User -> Exchange Load Balancer IP -> Exchange Auto Mapped IP -> Exchange IP -> Mail Gateway


I've escalated the issue to our Support and he modified the default frontend connector by the command below.


Get-ReceiveConnector "Default Frontend" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"



After that emails were sent with no issue, but this seems to me like a security concern as the default frontend connector is acting as an open relay. (I know I shouldn't have modified the default receive connector but there were so many calls accompanied by verbal abuse to solve the issue as soon as possible.)



After some googling I read that you shouldn't remove the Ms-Exch-SMTP-Accept-Any-Recipient as it will not accept any emails coming from internet.



Here are the connector settings:


AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : LON-EX01.Constoso.local
ServiceDiscoveryFqdn :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 36 MB (37,748,736 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
Server : LON-EX01
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
AcceptConsumerMail : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AuthTarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend LON-EX01
OriginatingServer : LON-DC01
IsValid : True
ObjectState : Unchanged




Need your guidance as I don't know where to go from here.



Thank you and I apologize for the lengthy question. ^_^'

Tags: office-exchange-server-connectivity, office-exchange-server-mailflow

1 Answer

KaelYao-MSFT answered ·

Hi, @Azy1412-2549

To my understanding, you would like to use your Exchange server as an SMTP relay for applications.
Did you set up some custom receive connectors used for SMTP relay on your Exchange server before?

Please note that it is never suggested to modify the default receive connectors.

You get the "550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain" error because the "Default Frontend <servername>" receive connector only accepts messages sent to your default mail domain and other accepted domains.
This is the default setting.

If the "ms-Exch-SMTP-Accept-Any-Recipient" permission is added to the "Default Frontend <servername>" receive connector, your Exchange server may be at risk of becoming an open relay because it will no longer reject emails sent to external domains outside the scope of your accepted domains.


The recommended method for your issue should be creating a dedicated custom receive connector and setting it to receive from specific IP addresses (which are used by the applications).
Here is a Microsoft document introducing the detailed steps for your reference: Allow anonymous relay on Exchange servers


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


@KaelYao-MSFT Thank you for your valuable input.

I've removed the "ms-Exch-SMTP-Accept-Any-Recipient" from the default connector and I've created a dedicated connector for the application and restricted it to the IP of the application.
I've confirmed that email delivery is proceeding normally.

But now the mail flow for the application relay is as follows: App -> Exchange IP -> Mail Gateway.
Since the application is sending to Exchange directly there is no load balancing or fault tolerance.

Is there a way to provide load balancing for the application and make sure it uses the dedicated connector ?


Hi,
You are welcome.

Is there a way to provide load balancing for the application and make sure it uses the dedicated connector ?
I suppose you may add the IP address of your load balancer to the receive connector and remove the IP addresses of the application.
Then the receive connector would only accept emails routed from the load balancer.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

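The following Exchange Management Shell sequence is an added example, not code posted by anyone in this thread or taken from Microsoft's documentation. It puts the accepted answer (a dedicated relay connector scoped to the application's source addresses) and the follow-up reply (swapping those addresses for the load balancer's) into working commands, and adds the audit a defender would run first: listing every receive connector that grants ANONYMOUS LOGON the ms-Exch-SMTP-Accept-Any-Recipient right. The server name LON-EX01 and the "Default Frontend" connector name come from the connector output above; the connector name "App Relay", the application addresses and the load balancer address are placeholders to be replaced with your own.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumptions / placeholders:
#   $Server      - Exchange server hosting the connectors (name taken from the thread)
#   $AppSources  - the application servers' IPs (constructed example values)
#   $LbAddress   - the load balancer's source IP as seen by Exchange (placeholder)
$Server     = "LON-EX01"
$AppSources = @("10.0.10.25", "10.0.10.26")
$LbAddress  = "10.0.1.5"

# 1. Audit: which receive connectors let ANONYMOUS LOGON relay to any recipient?
#    Only a deliberately scoped relay connector should appear here, never "Default Frontend".
function Get-AnonymousRelayConnectors {
    Get-ReceiveConnector |
        Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient") } |
        Select-Object Identity, User, ExtendedRights
}
Get-AnonymousRelayConnectors

# 2. Revert the emergency change: take the relay right off the default connector.
#    "Default Frontend" keeps its other permissions, so inbound mail from the Internet
#    to accepted domains continues to work.
Get-ReceiveConnector "$Server\Default Frontend $Server" |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# 3. Dedicated relay connector. Exchange selects the connector whose RemoteIPRanges
#    matches the client IP most specifically, so this one wins over "Default Frontend"
#    (0.0.0.0-255.255.255.255) only for the listed sources.
New-ReceiveConnector -Name "App Relay $Server" -Server $Server `
    -TransportRole FrontendTransport -Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $AppSources `
    -PermissionGroups AnonymousUsers

# 4. Grant the relay right on the dedicated connector only.
Get-ReceiveConnector "$Server\App Relay $Server" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 5. Follow-up question: route the application through the load balancer instead.
#    Exchange then sees the load balancer's address, so that address replaces the
#    application IPs in RemoteIPRanges.
Set-ReceiveConnector "$Server\App Relay $Server" -RemoteIPRanges $LbAddress

# 6. Verify the end state: relay right present on "App Relay" only, and the
#    address scope of every connector on the server.
Get-AnonymousRelayConnectors
Get-ReceiveConnector -Server $Server | Select-Object Name, RemoteIPRanges, PermissionGroups
```

Two caveats worth checking before applying step 5. First, the relay connector is only as narrow as its RemoteIPRanges: once the load balancer's address is in scope, every client whose port 25 traffic the load balancer forwards with that source address inherits the relay right, so the load balancer's own pool or ACL has to restrict which clients may reach that virtual IP. Second, re-run the audit in step 1 on every server in the array, since the "Default Frontend" permission change was made per connector and another server may still carry it.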