Unfortunately, there are still applications and devices that can only send mail without authentication. Exchange Server does not allow this in its default configuration. However, a new receive connector can be set up that allows anonymous relay for specific IP addresses.
On a server with an English-language operating system, the following commands can be used to create a corresponding connector:
New-ReceiveConnector -Name "Anonymous Relay" -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.100.50, 192.168.100.51
Set-ReceiveConnector "Anonymous Relay" -PermissionGroups AnonymousUsers
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
The commands create a new receive connector with the name "Anonymous Relay" and restrict the connector to the IPs 192.168.100.50 and 192.168.100.51. Only these two IPs are therefore allowed to use the connector and send mail without authentication. Care must be taken when specifying the IPs: only internal IPs and no network ranges should be used here, otherwise you may quickly create an open relay that can be misused by spammers.
On a server with a German-language operating system, one of the commands is slightly different, so here are the commands for a German-language server:
New-ReceiveConnector -Name "Anonymous Relay" -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.100.50, 192.168.100.51
Set-ReceiveConnector "Anonymous Relay" -PermissionGroups AnonymousUsers
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
The new connector can be tested with the following command:
Send-MailMessage -SmtpServer "<Exchange server name>" -From relay@domain.de -To recipient@domain.de -Subject "TEST RELAY"
The test only works from an IP that has been explicitly allowed. Additional permitted IPs can also be conveniently added via the Exchange Admin Center.
If you operate several Exchange servers, you should add the host name of the server to the name of the connector (as is the case with the other connectors).
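The warning above about IPs and network ranges can be checked on a running server. The following PowerShell is an added example, not part of the original article: it lists every receive connector that accepts anonymous senders, reports whether the relay right from the commands above is granted, and flags each RemoteIPRanges entry that is not a single private IPv4 address. The function names Test-RelaySource and Get-AnonymousRelayAudit and the sample entries are assumptions made for this example.

```powershell
# Added example (not from the original article). Function names are hypothetical.

# Classify one RemoteIPRanges entry, given as text.
function Test-RelaySource {
    param([Parameter(Mandatory)][string]$Entry)
    $ip = $null
    # CIDR, lo-hi and netmask notations do not parse as a single address.
    if (-not [System.Net.IPAddress]::TryParse($Entry, [ref]$ip)) { return 'Range' }
    if ($ip.AddressFamily -ne 'InterNetwork') { return 'ReviewIPv6' }
    $b = $ip.GetAddressBytes()
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    if ($private) { 'SingleInternalHost' } else { 'NotInternal' }
}

# Run in the Exchange Management Shell: one row per source entry of every
# receive connector that accepts anonymous senders.
function Get-AnonymousRelayAudit {
    foreach ($c in Get-ReceiveConnector) {
        if ("$($c.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }
        # Is Ms-Exch-SMTP-Accept-Any-Recipient granted to the anonymous logon?
        # '*ANONYMOUS*' also matches the German account name.
        $grant = $c | Get-ADPermission | Where-Object {
            "$($_.User)" -like '*ANONYMOUS*' -and -not $_.Deny -and
            "$($_.ExtendedRights)" -like '*Ms-Exch-SMTP-Accept-Any-Recipient*'
        }
        foreach ($r in $c.RemoteIPRanges) {
            [pscustomobject]@{
                Connector    = "$($c.Identity)"
                AnyRecipient = [bool]$grant
                Source       = "$r"
                Verdict      = Test-RelaySource "$r"
            }
        }
    }
}

# Constructed sample entries; these run without an Exchange server.
'192.168.100.50', '192.168.100.0/24', '0.0.0.0-255.255.255.255', '203.0.113.7' |
    ForEach-Object { '{0,-24} {1}' -f $_, (Test-RelaySource $_) }
```

Rows from Get-AnonymousRelayAudit where AnyRecipient is true and Verdict is anything other than SingleInternalHost are the ones to review.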