Some programs require an anonymous relay to be able to deliver mail. To set up an anonymous relay with Exchange 2013, create a new receive connector that has the appropriate permissions and IP address restrictions.
In this example, the new "Relay" connector is created:
The connector can either listen on all IP addresses of the Exchange server or only on certain ones. In most cases, it will probably be all available addresses.
The connector is now restricted so that only certain IP addresses can use the anonymous relay. Under no circumstances should too large an IP range be entered here. It is better to explicitly enter only the systems that should actually use the connector.
The security settings of the connector:
In order for the connector to accept mail from any sender, the corresponding Active Directory permission must be set.
Get-ReceiveConnector "Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
There is a small stumbling block here: the account name is localized and depends on the server's language.
- For German servers it is called "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
- For English servers it is called "NT AUTHORITY\ANONYMOUS LOGON"
The connector is now active and accepts mail anonymously from any sender to any recipient, but only from the IP addresses permitted on the connector. If you are dealing with systems that produce a high volume of mail, you can switch off a few security settings to increase the throughput of the connector:
Set-ReceiveConnector -identity "Relay" -TarpitInterval 00:00:00
Set-ReceiveConnector -identity "Relay" -ConnectionTimeout 00:30:00
Set-ReceiveConnector -identity "Relay" -ConnectionInactivityTimeout 00:20:00
Set-ReceiveConnector -identity "Relay" -MaxAcknowledgementDelay 00:00:00
Set-ReceiveConnector -identity "Relay" -MaxInboundConnection 10000
Set-ReceiveConnector -identity "Relay" -MaxInboundConnectionPerSource unlimited
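To check the IP restriction and the relay permission described above, the following added example (not part of the original post) lists every receive connector on which Anonymous Logon holds Ms-Exch-SMTP-Accept-Any-Recipient and flags remote IP ranges that are too broad. The threshold `$MaxHosts`, the helper function names, and resolving the localized account name from the well-known SID S-1-5-7 are assumptions of this example.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumption: a relay range covering more than $MaxHosts IPv4 addresses counts as too broad.
$MaxHosts = 16

# Resolve the localized account name from the well-known SID S-1-5-7 (Anonymous Logon),
# so the audit works on German and English servers alike.
$sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$anon = $sid.Translate([System.Security.Principal.NTAccount]).Value

function ConvertTo-UInt32 ([string]$Ip) {
    # Address bytes arrive in network order; reverse them for BitConverter on Windows.
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-RangeSize ([string]$Range) {
    # Number of IPv4 addresses in the range, or $null if the notation is not handled here.
    if ($Range -match '^\d+\.\d+\.\d+\.\d+$') { return 1 }
    if ($Range -match '^\d+\.\d+\.\d+\.\d+/(\d+)$') {
        return [math]::Pow(2, 32 - [int]$Matches[1])
    }
    if ($Range -match '^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$') {
        $lo = $Matches[1]; $hi = $Matches[2]
        return [double](ConvertTo-UInt32 $hi) - [double](ConvertTo-UInt32 $lo) + 1
    }
    return $null   # IPv6 or subnet-mask notation: check by hand
}

foreach ($c in Get-ReceiveConnector) {
    # Only connectors where Anonymous Logon is allowed to relay to any recipient.
    $relay = $c | Get-ADPermission -User $anon | Where-Object {
        -not $_.Deny -and $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient'
    }
    if (-not $relay) { continue }

    foreach ($r in $c.RemoteIPRanges) {
        $size = Get-RangeSize "$r"
        $finding = 'ok'
        if ($null -eq $size) { $finding = 'review manually' }
        elseif ($size -gt $MaxHosts) { $finding = 'too broad' }
        [pscustomobject]@{
            Connector = $c.Identity; Range = "$r"; Addresses = $size; Finding = $finding
        }
    }
}
```

A connector that reports `0.0.0.0-255.255.255.255` with the relay right is an open relay for every host that can reach it.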
Addendum: The error when installing the CU was that every connector would have to listen on a unique port. And since the default one also listens on 25, it wrecked the installation for me.
Hello Frank,
I have had a connector like this running for a few months. However, a CU update crashed with it (among other things, ECP broken) and I had to clean that up via the ADSI editor.
Have you already been able to install a CU successfully with the above setting?