Exchangepedia Blog is read by visitors from all 50 US States and 150 countries world-wide
Figure 1: Controlling relay restrictions in Exchange Server 2003
In Exchange Server 2007, SMTP Virtual Servers have been replaced by Receive Connectors, and the SMTP stack is now native to Exchange (unlike Exchange Server 2003, you no longer need to install IIS' SMTP service/stack). Understandably, the way you allow relaying has changed as well.
Do you really need to allow relaying?
Before you setup unauthenticated relaying, it's important to understand the need for relaying. If your application server or devices like copiers need to send mail only to internal recipients - mail for which Exchange has an AcceptedDomain (or a Recipient Policy in Exchange Server 2003/2000) and therefore will receive inbound mail for - it is not considered relaying. The application server or device should be able to do this without any configuration on Exchange.
Recipient Policies and Exchange Server 2007
Exchange Server 2003 Recipient Policies tell Exchange which domains to receive inbound email for, and to generate email addresses. Exchange Server 2007 splits this functionality into AcceptedDomain - which, as the name suggests, tells Exchange which domain(s) to accept inbound email for - and EmailAddressPolicy which actually generates the email addresses. Unlike Exchange Server 2003/2000, there's no RUS to watch AD for new recipients or changes to existing ones. Recipients are provisioned in Exchange - using the console or the shell - and EmailAddressPolicy applied in real-time.
The best way to allow unauthenticated relaying, or certainly the more secure and recommended one, is to create a new Receive Connector. I recommended this approach even on Exchange Server 2003/2000 - it's not a good idea to use your internet-exposed SMTP virtual server to allow unauthenticated relaying, even if restricted by IP addresses.
Scott Landry wrote about this recently on the Exchange team blog in "Allowing application servers to relay off Exchange Server 2007".
To create a new Receive Connector, you need another IP address on your Exchange server. (The other alternative is to create a new Receive Connector that listens on a different port instead of the default SMTP port (TCP port 25). Most app servers and devices don't like this, and many won't let you configure an alternate port for sending smtp mail. I would simply add another IP address to the server. As a sidenote, Exchange Server 2007's Receive Connectors also consider the RemoteIPRanges in addition to the IP address + port combination for binding. More about that in a future post.).
The easy way: With the new IP address added to the Exchange server - let's say it is 192.168.1.17, and your app server, device or copier that needs to relay is 192.168.1.100, fire up Exchange shell and use the following command:
New-ReceiveConnector -Name RelayConnector -usage Custom -Bindings '192.168.1.17:25' -fqdn server.domain.com -RemoteIPRanges 192.168.1.100 -server MYEXCHANGESERVER -permissiongroups ExchangeServers -AuthMechanism 'TLS, ExternalAuthoritative'
What this does - creates a new Receive Connector called RelayConnector for usage type: custom, binds it on port 25 on IP address 192.168.1.17, gives it the fqdn of server.domain.com, and allows the IP address 192.168.1.100 to connect to it. Additionally - and most importantly, it also assigns ExchangeServers permission group to it, and disables authentication - or rather, it assumes you completely trust the IP address 192.168.1.100 and have another means of authenticating it, such as IPSec.This also bypasses all security for messages received from that IP address - doesn't apply any anti-spam filters, nor cares about message size limits, resolves P2 headers, and allows sending on behalf of users. Going back to Exchange Server 2003, this is somewhat similar to adding the sending host's address to Connection Filtering's Global Accept list.
A better, more secure way: If you want it to be more secure, you can create a Receive Connector with PermissionGroups set to AnonymousUsers:
New-ReceiveConnector -Name RelayConnector -usage Custom -Bindings '192.168.1.17:25' -fqdn server.domain.com -RemoteIPRanges 192.168.1.100 -server MYEXCHANGESERVER -permissiongroups AnonymousUsers
Notice, we've left out the AuthMechanism parameter in the above command.Next, allow anonymous users to relay. This is done by allowing anonymous users the extended right ms-Exch-SMTP-Accept-Any-Recipient for this Connector:
Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
For more information about transport permissions, refer to 
"Exchange Server 2007 Transport Permissions Model" in Exchange Server 2007 documentation. Granular permissions can be assigned to security principals on Receive (and Send) Connectors. For instance, if you want to have these messages bypass the anti-spam filters, you can also assign the ms-Exch-Bypass-Anti-Spam permission.
Figure 2:The difference between the 2 approaches can be seen in how messages are displayed in email clients
The first message at 9:22 AM is sent by the first Connector, where the message received without authentication actually shows up as sent by me - the P2 headers are resolved. (More about resolving anonymous senders in previous post: " A Late New Year's Resolution: Do Not Resolve Anonymous Senders"). Whereas the second message at 9:34 AM actually shows up with the sender's SMTP address.
The second message also went through the anti-spam filters - a quick check of the message headers reveals the antispam headers.
Figure 3: Messages received using the second method do not bypass anti-spam filters by default
Labels: Administration, Exchange Server 2007, Exchange Shell, SMTP
19 Comments:
Thank you for this detailed and accurate instruction set. This saved me a lot of research and work trying to figure this out on my own - Thank You, Thank You.
In Exchange 2003 we had the choice of connect or relay. Also we had the option of using ipsec.vbs to import hosts.
1. can new recieve connectors be set to "connect" or "relay"?
2. if theres 100 hosts we need to import from Exchange 2003 for example, can the addresses be seperated by commas? ipsec.vbs cannot be used?
Correct me if I'm wrong but allowing the anonymouse group Ms-Exch-SMTP-Accept-Any-Recepient permissions you would in fact open up your Exchange server as an open relay to the external world since the default Receive Connector has the Anonymous Group enabled?
If you didn't restrict your Receive Connector to particular IP address (or IP ranges) using the RemoteIPRanges parameter, as shown in the example, yes— you would in fact open up relaying to the world on an internet-facing Recieve Connector.
Exchange Server 2007's Receive Connectors have a different view of IP binding, unlike Exchange Server 2003/2000's SMTP Virtual Servers. A binding is considered unique if it uses a unique combination of IP Address + TCP port + RemoteIPRanges. So it in fact allows multiple Receive Connectors to be created using the same IP address + TCP port, as long as you have different IP ranges specified.
However, I would recommend using a different IP address, if possible.
Bharat, even though the bindings are unique to each IP/port address. The permissions are standard throughout all bindings. Therefore if you change the Anonymous permissions for a new binding, aren't you changing the Anonymous permissions in every binding? If I have a default binding with the Anonymous permission and a custom group with Anonymous would they have the same permissions?
No. Each Receive Connector has its own set of permissions. Changing permissions on one Receive Connector does not change permissions on another Receive Connector that's bound to the same IP address + port combination (but a different RemoteIPRange).
In other words, when creating Receive Connectors (with same IP + port) for different RemoteIPRanges, think of this as assigning permissions (or other settings) to connections from IP address(es) in the corresponding RemoteIPRanges.
Excellent, thank you for the clarification. Could not find a clear answer from Microsoft on this.
Mahalo nui loa - thanks very much from Honolulu, Hawaii..
Aloha, reader from Hawaii...
Hope to return to Honolulu soon! :)
How do I do this for a range of addresses, like 192.168.1.100-101?
What I did was run the command like you had it stated, then after it created the receive connector I added the other addresses using the GUI. However it appears to not care about the other IPs. The first allows relay, the others reply "Unable to relay". I tried disable/enable, not willing to reset exchange.
Finally, why so difficult? In 2003 one graphical utility you click, ti works. Now, two blocks of text and it appears that graphical may have a bug?
-Rob
I would like to relay to/from an Exchange server on the internet through my intranet Exchange server.
Let me explain:
My home Exchange server is blocked from sending and receiving on port 25 by my ISP (AT&T doesn't allow any port 25 traffic on consumer DSL lines). I would like to use my office Exchange 2007 server as a relay for port 26 SMTP traffic to and from my Exchange 2003 SBS server. I've got the receive connector working, but the send connector and possible other settings have me baffled. Any help you can give me would be excellent as my boss would also like to do this from his home Exchange 2003 SBS server.
Thank you,
Benjamin
Is there a upper limit on the number of relaying hosts you can add to the RemoteIPRanges section?
Hi. I have two HUBs and I would like to configure a Receive connector to allow relay from certain IP range on both of them in one shot. Is this possible? Or do I need to run a separate powershell for each HUB?
Also how would I go about appending a new IP range instead of overwriting the existing?
what should be the result of "Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" ?
i got "Identity User Deny Inherited Rights
-------- ---- ---- --------- ------
SERVER\InternalR... NT AUTHORITY\ANON... False False ms-Exch-SMTP-Accep..."
is this correct?
@Anonymous from July 15: I'm not aware of any upper limits on number of hosts in RemoteIPRanges.
@Anonymous from Aug 26: Yes, you could do it in one shot, but the command would get fairly complicated and you'd spend more time fiddling/testing it. :)
@Anonymous from Oct 14: Yes, that looks about right. If you use Get-ReceiveConnector "MyConnector" | Get-ADPermission -User "NT Authority\AnonymousLogon", you should see ms-Exch-SMTP-Accept-Any-Recipient permission assigned. The Deny column displays False, and so does the Inherited column (because we allowed the permission, not denied it, and the permission is explicitly assigned - not inherited).
Hi Bharat,
We have around 500 applications which are using the Exchange 2007 receive connector to send out or relay the mails through exchange but one particular application is not able to relay through 2007 server inspite of all the settings on receive connector even they are not able to provide me any logs, from where I can find out the issue. Is there any way to find out the logs on exchange server, so that I can provide you more specific error even I tried it to create a new receive connector with a relay permission to Anonymous but it also not succesful in my case. Your help really appricated. Thanks.
sunil Bansal.
There is a limit for hosts on the RemoteIP for the connector.
We have reached it around 1200.
Another connector for th4e same IP:port has to be created.
@Anonymous from Feb. 17: It would be a good idea to go back to the drawing board and figure out why that many hosts are allowed to relay, and if IP ranges can be used to reduce the individual entries.
This works for me to relay from another device/server, but I also want to relay from the Exchange 2007 box itself. I want to use the Server 2008 event log trigger to email alerts. In Exchange 2003 I would add 127.0.0.1 as an allowed relay and use localhost in the SMTP server section of the app I was emailing from. Doesn't seem to work in 2007.
Post a Comment
Links to this post:
Create a Link
<< Home