You may occasionally need to allow relay from specific servers or applications, for example a CRM system or Symantec Backup Exec. If you telnet from the source server to the Exchange server and try to send to an external address, you may receive the SMTP error message "550 5.7.1 Unable to relay".

The main rule is to keep everything as restricted as possible so that unknown sources cannot relay through your Exchange server. There are two ways of doing this, outlined below, but first you need to create the connector:

Create a new SMTP Receive Connector:

Local network settings can be left at their defaults, but I like to create at least a new port for receiving email, for example 65525:

Remote network settings are the IP addresses of the servers you want to allow relay from; list only those addresses, not whole subnets:

Review and click New to create the connector:

Option 1:

This is the most common option, and the preferred one in most situations where the submitting application sends email to your internal users as well as relaying to the outside world.

Authentication and permissions need to be the following:

Next, continue to the authentication mechanisms page and add the "Externally secured" mechanism. What this means is that Exchange places complete trust in the IP addresses you designated on the previous page: anything arriving from them is treated as fully trusted by your organization.

Basically you are telling Exchange to skip its internal security checks for these servers because you trust them. The nice thing about this option is that it is simple and grants the common rights that most people probably want; the trade-off is that the connector's IP scope is the only control left, so keep it tight.

Option 2:

This option grants the minimum amount of required privileges to the submitting application.

Taking the new scoped connector that you created, you have another option. You can simply grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. Do this by first adding the Anonymous users permission group to the connector.

This grants the most common permissions to the anonymous account, but it does not grant the relay permission. That step must be done through the Exchange Management Shell:

Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This option does not allow the anonymous account to bypass anti-spam, so mail from the application is still filtered like any other anonymous submission.
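The whole Option 2 setup done from the shell rather than the GUI, as an added example that is not from the original post: the connector name is the page's, while the server name, source IP addresses, port and Exchange 2013-or-later frontend role are assumptions. It finishes with the check I would run afterwards to confirm the scope is still narrow and the relay right landed where intended.

```powershell
# Added example: scoped relay connector plus Option 2 rights, then a verification.
$name    = "CRM Application"           # connector name used on the page
$server  = "EXCH01"                    # assumed Exchange server name
$sources = "10.10.5.20", "10.10.5.21"  # assumed CRM / backup server addresses

# Keep the scope tight: a dedicated port and only the listed source addresses.
# -TransportRole assumes Exchange 2013 or later (frontend transport on a mailbox server).
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -TransportRole FrontendTransport `
    -Bindings "0.0.0.0:65525" `
    -RemoteIPRanges $sources `
    -PermissionGroups AnonymousUsers `
    -AuthMechanism Tls

# Option 2: grant only the relay right to the anonymous account.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Verification: warn if the connector accepts relay from any address,
# then list who holds the relay right on it.
$rc = Get-ReceiveConnector "$server\$name"
$openRange = $rc.RemoteIPRanges | Where-Object { $_.ToString() -eq "0.0.0.0-255.255.255.255" }
if ($openRange) {
    Write-Warning "$name accepts relay from any IPv4 address; narrow RemoteIPRanges."
}
Get-ADPermission -Identity $rc.Identity |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Select-Object User, ExtendedRights, Deny
```

Only NT AUTHORITY\ANONYMOUS LOGON should appear in the final listing with Deny set to False; any other principal or a wide RemoteIPRanges value means the connector is more open than intended.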
