Some applications or devices need an anonymous relay in order to send mail. A distinction must be made here between internal relay and external relay. Internal relay, i.e. anonymously sending mail to the domains Exchange accepts (its accepted domains), works out of the box:
External relay, i.e. sending mail to external recipients without authentication, is not possible by default:
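The difference between the two cases can be checked without sending any mail. The following script is an added example and not part of the original post: it opens an SMTP session from the host it runs on, walks through EHLO / MAIL FROM / RCPT TO and then aborts with RSET / QUIT, so the transaction never reaches DATA. The reply to RCPT TO shows whether the server would relay for that recipient. The server name and the addresses are assumptions for illustration.

```powershell
# Added example (not part of the original post). Probes whether the Exchange
# server accepts a recipient from this host, without delivering anything.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$SmtpServer,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($SmtpServer, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # Read one SMTP reply. Multi-line replies use "250-..." continuation
        # lines and end with "250 ..."; the final line (code plus text) is returned.
        $readReply = {
            do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
            $line
        }

        $banner = & $readReply
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }

        $writer.WriteLine('EHLO relaytest.example')
        $null = & $readReply
        $writer.WriteLine("MAIL FROM:<$From>")
        $mailReply = & $readReply
        $writer.WriteLine("RCPT TO:<$To>")
        $rcptReply = & $readReply
        # Abandon the transaction before DATA so nothing is queued.
        $writer.WriteLine('RSET'); $null = & $readReply
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Server    = $SmtpServer
            From      = $From
            To        = $To
            MailReply = $mailReply
            RcptReply = $rcptReply
            Accepted  = ($rcptReply -match '^250')
        }
    }
    finally {
        $client.Close()
    }
}

# Assumed names: example.com is an accepted domain of FWEX2016, example.org is not.
# Internal relay: RCPT TO is answered with 250 out of the box.
Test-SmtpRelay -SmtpServer 'FWEX2016' -From 'app@example.com' -To 'user@example.com'
# External relay from an unlisted host: RCPT TO is refused with a 5xx reply,
# typically "550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain".
Test-SmtpRelay -SmtpServer 'FWEX2016' -From 'app@example.com' -To 'someone@example.org'
```

Run it from the application host before and after creating a relay connector: the second call should only report Accepted = True once that host's IP has been added to the connector's remote network settings, and it should keep failing from every other machine.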
Anonymous external relay must always be treated with caution, because a misconfigured Exchange server can quickly be abused as a spam cannon. The connectors must therefore be restricted accordingly so that only specific IPs are allowed, never entire subnets or, worse still, "Anyone".
However, as mentioned at the beginning, there are applications such as ticket systems or CRMs that need to send mail to external recipients but cannot authenticate. To allow these applications or devices to send mail, a new receive connector can be created:
The settings in the next dialog can be applied as they are:
In the "Remote network settings", all IP addresses for which anonymous external relay is to be permitted must now be added:
It only makes sense to enter the individual IPs that really need this functionality here; entire subnets should not be entered unless absolutely necessary (a server network, a management network or similar).
Note: Exchange 2016 CU2 currently contains a bug: a new receive connector on the same IP cannot be created via the EAC. A corresponding connector can still be created via the Exchange Management Shell; the following command creates the connector described in the steps above:
New-Receiveconnector -Server FWEX2016 -Name "Relay" -RemoteIPRange ("172.16.100.102") -TransportRole "FrontendTransport" -Bindings ("0.0.0.0:25") -Usage "Custom"
After clicking "Finish", the connector is created:
In order for the connector to accept anonymous mail, the security settings must be changed accordingly:
However, in order to be able to send mail to external recipients, the corresponding permissions still have to be granted on the new connector (the connector name in the commands must match the name chosen when it was created). The quickest way to do this is via the Exchange Management Shell:
Get-ReceiveConnector "Anonymes Relay FWEX2016" | Add-ADPermission -User "NT-Autorität\Anonymous-Anmeldung" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
There is a small stumbling block with this command: the name of the anonymous logon account is localized:
- On German servers it is called "NT-Autorität\Anonymous-Anmeldung"
- On English servers it is called "NT AUTHORITY\ANONYMOUS LOGON"
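The whole procedure, from creating the connector to granting the relay right and verifying the result, as one Exchange Management Shell script. This is an added example and not the original post's own code; the server name, the connector name and the list of allowed hosts are assumptions to be replaced with your own values. The localized account name problem is avoided by resolving the well-known SID S-1-5-7 instead of typing the name:

```powershell
# Added example (not part of the original post): create a locked-down anonymous
# relay connector. $Server, $ConnectorName and $AllowedHosts are assumptions.
$Server        = 'FWEX2016'
$ConnectorName = "Anonymes Relay $Server"
$Identity      = "$Server\$ConnectorName"
# Only the hosts that really need to relay: single addresses, never whole
# subnets, and never the LAN address of a router that NATs port 25 to Exchange.
$AllowedHosts  = @('172.16.100.102', '172.16.100.110')

# 1. Frontend connector on port 25, scoped to the allowed hosts only.
New-ReceiveConnector -Server $Server -Name $ConnectorName `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $AllowedHosts

# 2. Allow anonymous SMTP sessions (the "Anonymous users" checkbox in the
#    connector's security settings in the EAC).
Set-ReceiveConnector -Identity $Identity -PermissionGroups AnonymousUsers

# 3. Grant the right to relay to non-accepted domains. The account name is
#    localized ("NT AUTHORITY\ANONYMOUS LOGON" vs. "NT-Autorität\Anonymous-Anmeldung"),
#    so resolve the well-known SID S-1-5-7 and let Windows supply the local name.
$Sid            = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$AnonymousLogon = $Sid.Translate([System.Security.Principal.NTAccount]).Value
Get-ReceiveConnector -Identity $Identity |
    Add-ADPermission -User $AnonymousLogon -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# 4. Verify: the remote IP ranges must contain nothing but the intended hosts,
#    and the relay right must now be present for the anonymous account.
Get-ReceiveConnector -Identity $Identity |
    Format-List Name, RemoteIPRanges, PermissionGroups, AuthMechanism
Get-ReceiveConnector -Identity $Identity |
    Get-ADPermission -User $AnonymousLogon |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```

The verification step matters: Ms-Exch-SMTP-Accept-Any-Recipient on a connector reachable by anonymous users is exactly what turns a server into an open relay, so after every change confirm that the right exists only on this connector and that the connector's RemoteIPRanges still lists single hosts.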
The connector is now active and accepts mail anonymously from the IPs entered in its remote network settings. For systems that produce a high volume of mail or send very large messages, additional parameters may need to be changed. Note that these settings switch off tarpitting and the per-source connection limit, i.e. the connector's own protection against flooding, so apply them only to this tightly scoped relay connector and not to the default frontend connector:
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -TarpitInterval 00:00:00
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -ConnectionTimeout 00:30:00
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -ConnectionInactivityTimeout 00:20:00
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -MaxAcknowledgementDelay 00:00:00
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -MaxInboundConnection 10000
Set-ReceiveConnector -Identity "Anonymes Relay FWEX2016" -MaxInboundConnectionPerSource unlimited
And last but not least, an important note:
If your environment looks like the following, you must never enter the internal (LAN) IP address of the router in the remote network settings of the relay connector:
The MX record points to the WAN IP of the router, and the router forwards port 25 (SMTP) to the Exchange server via NAT. In this case the Exchange server sees the router's internal IP as the source IP of every inbound connection from the Internet. Exchange selects the receive connector whose RemoteIPRanges matches the source address most specifically, so a relay connector listing the router's IP would take over all Internet mail from the default frontend connector, and because that connector lets anonymous senders relay to any recipient, you would be running an open relay that will be found and abused as a spam cannon very quickly.
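A small audit for exactly this mistake, as an added example that is not part of the original post. It walks every receive connector on a server, keeps only those on which the anonymous logon account holds Ms-Exch-SMTP-Accept-Any-Recipient, and warns when such a connector's remote IP ranges are wider than single hosts or include the NAT router's LAN address. The server name and router address are assumptions; the IPv4 range comparison is done by hand so the script does not depend on anything beyond the LowerBound and UpperBound properties of the range entries.

```powershell
# Added example (not part of the original post): flag receive connectors that
# would act as an open relay. $Server and $NatRouterIp are assumptions.
$Server      = 'FWEX2016'
$NatRouterIp = [System.Net.IPAddress]::Parse('172.16.100.1')   # LAN side of the router that NATs port 25

# Resolve the localized anonymous-logon account from the well-known SID S-1-5-7.
$Sid            = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$AnonymousLogon = $Sid.Translate([System.Security.Principal.NTAccount]).Value

# IPv4 address -> unsigned 32-bit integer, so address ranges can be compared numerically.
function ConvertTo-UInt32 ([System.Net.IPAddress]$Address) {
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}
$router = ConvertTo-UInt32 $NatRouterIp

foreach ($rc in Get-ReceiveConnector -Server $Server) {
    # Only connectors where anonymous users may relay to any recipient are of interest.
    $relayRight = $rc | Get-ADPermission -User $AnonymousLogon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }
    if (-not $relayRight) { continue }

    foreach ($range in $rc.RemoteIPRanges) {
        # Each entry exposes LowerBound/UpperBound as IPAddress objects; IPv4 only here.
        if ($range.LowerBound.AddressFamily -ne 'InterNetwork') { continue }
        $lo = ConvertTo-UInt32 $range.LowerBound
        $hi = ConvertTo-UInt32 $range.UpperBound

        $findings = @()
        if ($lo -ne $hi) {
            $findings += "covers $($hi - $lo + 1) addresses ($range) instead of a single host"
        }
        if ($lo -le $router -and $router -le $hi) {
            $findings += "includes the NAT router $NatRouterIp, the source of all Internet mail"
        }
        if ($findings) {
            Write-Warning ("{0}: anonymous external relay allowed, {1}" -f $rc.Name, ($findings -join '; '))
        }
    }
}
```

A clean result is silence: the relay connector lists only single application hosts, and the default frontend connector is not reported at all because it never grants Accept-Any-Recipient to anonymous users.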