Let's see how to create an anonymous application relay connector in Exchange 2016. Every application that needs to send email through the Exchange server needs relay permission, for example ticketing systems, monitoring servers and CRM applications.
Relaying in simple terms –
Email relaying is using an email server to send out emails that do not originate on the email server. It is most commonly used for fax servers, CRM systems, email routing from different forests etc.
PowerShell –
New-ReceiveConnector -Name "Relay" -RemoteIPRanges ("10.128.57.54","10.128.57.55") -TransportRole "FrontendTransport" -Bindings ("0.0.0.0:25") -Usage "Custom" -Server "Servername.azure365pro.com"
Set-ReceiveConnector -Identity "Servername\Relay" -PermissionGroups "AnonymousUsers"
Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
GUI –
Step 1 –
Log in to the Exchange Control Panel – Mail Flow – Receive Connectors – Click "+"
Choose "FrontEnd Transport"
Remove the whole range. Enter only the IPs which need to be allowed to relay.
Double click on the created connector – Security – Choose Anonymous users –
Step 2 –
Give the receive connector permission to accept any recipient:
Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
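The same steps as a single script that also verifies what it created. This is an added example and not code from the original post; the server name, connector name and IP list are assumptions to be replaced with your own values, and the cmdlets and properties used are the standard Exchange ones.

```powershell
# Added example, not code from the original post: build the relay connector with a
# scoped IP list and then verify the result. $Server, $ConnectorName and $AllowedIPs
# are assumptions; replace them with your own values.
$Server        = "EXCH2016"
$ConnectorName = "Relay"
$Identity      = "$Server\$ConnectorName"
$AllowedIPs    = @("10.128.57.54", "10.128.57.55")   # only the application hosts, never a whole subnet

# 1. Create the Frontend Transport connector bound to port 25 (skipped if it already exists)
if (-not (Get-ReceiveConnector -Identity $Identity -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Name $ConnectorName -Server $Server `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings "0.0.0.0:25" -RemoteIPRanges $AllowedIPs | Out-Null
}

# 2. Allow anonymous SMTP and grant ANONYMOUS LOGON the right to relay to any recipient.
#    Without the extended right, anonymous senders can only deliver to internal recipients.
Set-ReceiveConnector -Identity $Identity -PermissionGroups AnonymousUsers
Get-ReceiveConnector -Identity $Identity |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null

# 3. Verify: the remote IP list must contain exactly the intended hosts ...
$conn   = Get-ReceiveConnector -Identity $Identity
$ranges = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
$extra  = @($ranges | Where-Object { $AllowedIPs -notcontains $_ })
if ($extra.Count -gt 0) {
    Write-Warning "$Identity relays for unexpected ranges: $($extra -join ', ')"
}

# ... and the relay right must be present as an Allow entry for ANONYMOUS LOGON
$relayRight = @($conn | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'Accept-Any-Recipient') })
if ($relayRight.Count -gt 0) {
    "OK: $Identity relays anonymously for $($ranges -join ', ')"
} else {
    Write-Warning "Ms-Exch-SMTP-Accept-Any-Recipient is missing on $Identity"
}
```

Run it in the Exchange Management Shell. The RemoteIPRanges check is the important part: the wizard's default is the whole 0.0.0.0-255.255.255.255 range, and an anonymous connector that keeps it is an open relay for anything that can reach port 25.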
Step 3 – Testing
Let's test the same from a Windows machine using simple telnet, assuming the relay IP I added is a Windows machine.
Open Server Manager – Manage – Add Roles and Features
Select the Telnet Client feature, then Next and Finish to install it.
Open PowerShell –
telnet Exch2016D.dubai.com 25
Helo
MAIL FROM: cloud@Application.com
RCPT TO: info@domain.com
DATA
Subject: My Subject

Test
.
As I received the email, relaying works without any issues.
Securing these connectors is very important. Say a buggy application sends out 2000 emails: Exchange can be overloaded with logs etc.
Recommendations to secure these connectors –
- Validate application configurations so that they send using a valid SMTP domain.
- Enable verbose logging in the relay connector's properties to see the connector's activity logs (server level only).
- Set a proper banner on relay connectors; it is useful while troubleshooting:
Set-ReceiveConnector EXCH2016\RELAY -Banner "220 Exch 2016 Relay for Authorized Applications"
- Set a rate limit on relay connectors – 200 messages per minute, for example:
Set-ReceiveConnector EXCH2016\RELAY -MessageRateLimit 200
- Block telnet.exe on application servers using anti-virus, since it is prone to abuse by mail worms storming Exchange servers.
- Set logging to Verbose to see logs with source IP information:
Set-ReceiveConnector EXCH2016\RELAY -ProtocolLoggingLevel Verbose
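To check that every anonymous relay connector in the organisation actually carries these settings, the following audit script reports each one together with the findings a reviewer would raise. It is an added example, not code from the original post; it relies only on the standard Get-ReceiveConnector and Get-ADPermission cmdlets and their documented properties.

```powershell
# Added example, not code from the original post: audit all receive connectors that
# allow anonymous relay and report the hardening settings recommended above.
# The two "whole range" strings are Exchange's default RemoteIPRanges for a new connector.
$wholeRanges = @("0.0.0.0-255.255.255.255", "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")

function Get-AnonymousRelayAudit {
    Get-ReceiveConnector | ForEach-Object {
        $conn = $_

        # A connector relays anonymously only when BOTH the AnonymousUsers permission group
        # and the Accept-Any-Recipient extended right for ANONYMOUS LOGON are present
        $anonAllowed  = "$($conn.PermissionGroups)" -match 'AnonymousUsers'
        $anyRecipient = @($conn | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'Accept-Any-Recipient') }).Count -gt 0
        if (-not ($anonAllowed -and $anyRecipient)) { return }

        $ranges   = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $findings = @()
        if (@($ranges | Where-Object { $wholeRanges -contains $_ }).Count -gt 0) {
            $findings += "open to ALL remote IPs (whole range never removed)"
        }
        if ("$($conn.MessageRateLimit)" -eq 'Unlimited') {
            $findings += "no MessageRateLimit"
        }
        if ("$($conn.ProtocolLoggingLevel)" -ne 'Verbose') {
            $findings += "ProtocolLoggingLevel is not Verbose"
        }
        if ([string]::IsNullOrWhiteSpace($conn.Banner)) {
            $findings += "default banner"
        }

        [pscustomobject]@{
            Connector        = $conn.Identity.ToString()
            RemoteIPRanges   = $ranges -join ', '
            MessageRateLimit = "$($conn.MessageRateLimit)"
            ProtocolLogging  = "$($conn.ProtocolLoggingLevel)"
            Findings         = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Get-AnonymousRelayAudit | Format-Table -AutoSize -Wrap
```

Run it in the Exchange Management Shell on any server; Get-ReceiveConnector without -Server lists connectors from every server. A connector that shows up with "open to ALL remote IPs" is the case the GUI step "remove the whole range" is meant to prevent.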
Logging location –
Get-FrontendTransportService EXCH2016 | fl *Receive*
Default location –
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
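Once verbose logging is on, the SmtpReceive log is a CSV with a "#Fields:" header, and the remote-endpoint column gives the source IP the recommendation above refers to. The following script summarises that log per source IP and flags applications sending from a sender domain you do not own, which is the "valid SMTP domain" check from the recommendations. It is an added example and not code from the original post; the log lines are constructed for the example and the allowed-domain list is an assumption.

```powershell
# Added example, not code from the original post: summarise an SmtpReceive protocol log
# per source IP and flag sender domains that are not on the allow list.
# The log below is CONSTRUCTED sample data in the Exchange protocol-log layout; in
# production read the files from ...\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2016-08-10T09:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-08-10T09:15:01.001Z,EXCH2016\Relay,08D3C5A1B2C3D4E5,0,10.0.0.5:25,10.128.57.54:52001,+,,
2016-08-10T09:15:01.010Z,EXCH2016\Relay,08D3C5A1B2C3D4E5,1,10.0.0.5:25,10.128.57.54:52001,<,MAIL FROM:<cloud@application.com>,
2016-08-10T09:15:01.020Z,EXCH2016\Relay,08D3C5A1B2C3D4E5,2,10.0.0.5:25,10.128.57.54:52001,<,RCPT TO:<info@domain.com>,
2016-08-10T09:15:01.030Z,EXCH2016\Relay,08D3C5A1B2C3D4E5,3,10.0.0.5:25,10.128.57.54:52001,-,,Local
2016-08-10T09:16:05.001Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,0,10.0.0.5:25,10.128.57.55:40112,+,,
2016-08-10T09:16:05.010Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,1,10.0.0.5:25,10.128.57.55:40112,<,MAIL FROM:<copier@localhost.localdomain>,
2016-08-10T09:16:05.020Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,2,10.0.0.5:25,10.128.57.55:40112,<,RCPT TO:<a@example.net>,
2016-08-10T09:16:05.021Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,3,10.0.0.5:25,10.128.57.55:40112,<,RCPT TO:<b@example.net>,
2016-08-10T09:16:05.022Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,4,10.0.0.5:25,10.128.57.55:40112,<,RCPT TO:<c@example.net>,
2016-08-10T09:16:05.030Z,EXCH2016\Relay,08D3C5A1B2C3D4E6,5,10.0.0.5:25,10.128.57.55:40112,-,,Local
'@

function Get-RelayActivity {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$AllowedSenderDomains   # assumption: domains you own
    )
    # The "#Fields:" header names the CSV columns; the other "#" lines are file metadata
    $fieldsLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header     = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $rows       = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header

    # Group by source IP (remote-endpoint is "ip:port")
    $rows | Group-Object { ($_.'remote-endpoint' -split ':')[0] } | ForEach-Object {
        $events  = $_.Group
        $senders = @($events | ForEach-Object {
            if ($_.data -match '^MAIL FROM:<([^>]*)>') { $Matches[1] }
        })
        $domains = @($senders | ForEach-Object { ($_ -split '@')[-1].ToLower() } | Sort-Object -Unique)
        $bad     = @($domains | Where-Object { $AllowedSenderDomains -notcontains $_ })

        [pscustomobject]@{
            RemoteIP      = $_.Name
            Sessions      = @($events | Where-Object { $_.event -eq '+' }).Count
            Messages      = $senders.Count
            Recipients    = @($events | Where-Object { $_.data -like 'RCPT TO:*' }).Count
            SenderDomains = $domains -join ','
            Finding       = if ($bad.Count -gt 0) { "sender domain not owned: $($bad -join ',')" } else { '' }
        }
    }
}

Get-RelayActivity -LogLines ($sampleLog -split "`r?`n") -AllowedSenderDomains @('application.com') |
    Format-Table -AutoSize
```

With the constructed data the host 10.128.57.55 is reported with three recipients for one message and the finding "sender domain not owned: localhost.localdomain", which is exactly the kind of misconfigured device the note below warns about. For real logs, replace $sampleLog with Get-Content over the SmtpReceive folder and raise the Recipients threshold you care about.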
Note that any application you allow should use a valid domain to send out emails, as there is a risk of the IP getting blacklisted when huge amounts of junk email are sent out by applications. It is always recommended to set a message rate limit on anti-spam servers as well.
Thanks for every other informative website. The place else could I am getting that kind of info written in such an ideal means? I've a project that I'm just now working on, and I've been at the look out for such information.
great article! thank you so much!
Thanks!
Hi,
I am able to relay email for external clients in an authenticated fashion, but we have realised that the emails sent via our copier are not sent into the mailbox's Sent Items folder, which means we don't know what emails are sent to whom. Can you please help? Exchange 2016