How to anonymously Relay in Exchange Server 2007/ 2010
In order to allow the Relay for an Internal Application, there are some simple steps that you should follow and that can be found below :
- Create a new Receive Connector, name it "TEST" or whatever you want, and then select "Custom" for the intended use for the receive connector.
- On the Local Network settings, leave it as is, because it will listen all local IP's on port 25.
- On the Remote Network Settings, clear 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions.
- Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab and Add "Anonymous Users"
This is not everything. in order to activate the Anonymous users to relay via this connector, simply issue the following cmdlet :
Get-ReceiveConnector “TEST” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
The command should be easy enough to read, but what it essentially does is retrieve the receive connector that you created, add a permission into Active Directory for the Anonymous Logon group, and assign that group the Ms-Exch-SMTP-Accept-Any-Recipient permission for that group on that connector.
Now you may be thinking, why should I create this new connector? Well, Exchange will always look to see how specific you are on a connector. So let’s say we have a SharePoint Server at 192.168.119.150. We would create a relay connector and allow ONLY 192.168.119.150 to relay. So when Exchange receives SMTP from an address of 192.168.119.150, it will see there are a few connectors. One being the Default Receive Connector and one being the Relay Connector. The Default Receive Connector allows connections from any IP Address while the Relay Connector only allows connections from 192.168.119.150. Because you explicitly set the address on your Relay Connector, that is given higher preference in serving that SMTP connection from SharePoint and your SharePoint Server will now be able to relay off of Exchange (even though you can configure SharePoint to authenticate, but still just giving an example).
Thanks to Elan Shudnows for this nice description :)