24 C
Dubai
Thursday, December 26, 2024

Anonymous Application relay connectors in Exchange 2016

Lets see how to create an Anonymous Application relay connectors in Exchange 2016. Every Application needs to have relay permission when they need to send out email using Exchange server.

Like ticketing systems ,Monitoring servers to CRM applications.

Relaying in simple terms –

Email relaying is using an email server to send out emails which does not originate on the
email server.Most Commonly used for fax servers, CRM , Email Routing from different forests etc..

Powershell –

New-ReceiveConnector -Name "Relay" -RemoteIPRanges ("10.128.57.54","10.128.57.55") -TransportRole "FrontendTransport" -Bindings ("0.0.0.0:25") -Usage "Custom" -Server "Servername.azure365pro.com"
Set-ReceiveConnector -Identity "Servername\Relay" -PermissionGroups "AnonymousUsers"

image

Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

GUI – 

Step 1 –

Login to Exchange Control Panel – Mail Flow – Receive Connectors – Click “+”

Choose “FrontEnd Transport”

image

image

Remove the whole range. Enter the required IPs which needs to be allowed for relay.

image

Double click on created connector – Security – Choose Anonymous users –

image

 

Step 2 –

Giving permission to the Receive connector to accept any recipient

Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

image

Step 3 – TESTING

lets test the same from an windows machine using simple telnet – Assuming the relay ip which i added is a windows machine

Open Server Manager – Manage – Add Roles and Features

image

Next and Finish to install

Open Powershell –


telnet Exch2016D.dubai.com 25
Helo
MAIL FROM: cloud@Application.com
RCPT TO: info@domain.com
DATA
"SUBJECT:My Subject"
Test
.

image

As i received the email – The relaying works without any issues.

Securing these connectors are very important . Lets say its a buggy application sent out 2000 emails. Exchange can be overloaded with Logs etc. .

Recommendations to Secure these Connectors – 

  • Validating Application configurations using valid SMTP domain.
  • Enable Verbose Logging in these Relay Connectors Properties to see the connectors activity logs (Server Level Only).
  • Setting Proper Banner on Relay Connectors useful while troubleshooting
    Set-ReceiveConnector EXCH2016\RELAY -Banner "220 Exch 2016 Relay for Authorized Applications"
  • Setting Rate Limit on Relay Connectors – 200 Messages Per Minute for Example
    Set-ReceiveConnector EXCH2016\RELAY -MessageRateLimit 200
  • Blocking Telnet.exe in Application servers using anti-virus. Prone to Mail worms/Storming Exchange Servers.
  • Add Logging to Verbose to See Logs with Source IP information
Set-ReceiveConnector EXCH2016\RELAY -ProtocolLoggingLevel Verbose

Logging Location –

Get-FrontendTransportService EXCH2016 | fl *Receive*

Default Location –

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Note that any applications you are allowing should use a valid domain to send out emails as there is a risk of IP getting blacklisted when huge junk emails are sent out using applications. Its always recommended to set a message rate limit on anti-spam servers as well.

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

4 COMMENTS

  1. Thanks ffor e?ery othe? informative website. The ?lace ?lse c?uld ? am getting t??t ?ind of info ?ritten iin such an ideal m?ans?

    I’?e a project t?at I’m just no? work?ng on, and
    I’?? been at the ?ook out for such information.

  2. Hi,

    I am able to relay email for external clients in an authenticated fashion but we have realised that the emails sent via our copier are not sent into the mailbox sent items folder which means we dont know what emails are sent to whom. Can you please help.. Exchange 2016

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?