Franky's Web

Exchange 2016: Allow anonymous relay (5.7.54 Unable to Relay)

Some applications or devices require an anonymous relay to be able to send mails. However, a distinction must be made here between internal relay and external relay. The internal relay, i.e. the anonymous sending of mails to the domains accepted by Exchange, works out-of-the-box:

However, external relay, i.e. sending mails to external users without authentication, is not possible:

Anonymous external relay should always be treated with caution, because a misconfigured Exchange server quickly turns into an open relay that is abused to send spam. It is therefore important to restrict the connectors accordingly and to allow only specific IP addresses, never entire subnets or, even worse, "everyone".

However, as already mentioned at the beginning, there are applications such as ticket systems or CRMs that need to send mails to external recipients but cannot authenticate themselves. To allow these applications or devices to send mail, a new receive connector can be created:

The settings in the next dialog can be applied as they are:

Under "Remote network settings", all IP addresses for which anonymous external relay is to be permitted must now be added:

Only the individual IPs that really require this functionality should be specified here; entire subnets should not be entered unless absolutely necessary (server network, management network or similar).

Note: Exchange 2016 CU2 currently contains a bug: it is not possible to create a new receive connector on the same IP via the EAC. A corresponding connector can still be created via the Exchange Management Shell. The following command creates the connector described in the steps above:

New-Receiveconnector -Server FWEX2016 -Name "Relay" -RemoteIPRange ("172.16.100.102") -TransportRole "FrontendTransport" -Bindings ("0.0.0.0:25") -Usage "Custom"

After clicking on "Finish", the connector is created:

In order for the connector to accept anonymous mails, the security settings must be changed accordingly:

However, in order to be able to send mails to external recipients, the corresponding permission still has to be assigned to the new connector. The quickest way to do this is via the Exchange Management Shell:

Get-ReceiveConnector "Anonymous Relay FWEX2016" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

There is a small stumbling block with the second command:

The connector is now active and accepts mails anonymously from the IPs enabled in its remote network settings. For systems that produce a high volume of mail or send very large mails, additional parameters may need to be changed:

Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -TarpitInterval 00:00:00
Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -ConnectionTimeout 00:30:00
Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -ConnectionInactivityTimeout 00:20:00
Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -MaxAcknowledgementDelay 00:00:00
Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -MaxInboundConnection 10000
Set-ReceiveConnector -identity "Anonymous Relay FWEX2016" -MaxInboundConnectionPerSource unlimited

And last but not least, an important note:

If you find yourself in the following environment, you must never enter the internal IP address of the router in the remote network settings of the connector:

The MX record points to the WAN IP of the router, and the router forwards port 25 (SMTP) via NAT to the Exchange server. In this case the Exchange server only sees the internal router IP as the source IP of every inbound connection. If the internal router IP is added to the connector, the server becomes an open relay and therefore very quickly a spam source.
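As an added audit example (not from the original post), the following script, run in the Exchange Management Shell, lists every receive connector that actually grants anonymous external relay and flags remote IP entries that are broader than a single host or that equal the NAT router's internal IP; the router IP is a placeholder to adjust.

```powershell
# Added audit script, not part of the original post. Assumes the Exchange Management Shell.
# It reports each anonymous relay connector and assesses every RemoteIPRanges entry.
$routerInternalIp = '192.168.0.1'   # placeholder: internal IP of your NAT router

function Test-SingleHost {
    param([string]$Entry)
    # RemoteIPRanges entries render as "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h"
    if ($Entry -match '^[^/]+/(?<bits>\d+)$') {
        return ([int]$Matches.bits -eq 32 -or [int]$Matches.bits -eq 128)
    }
    return ($Entry -notmatch '-')
}

$findings = foreach ($rc in Get-ReceiveConnector) {
    # A connector is an anonymous external relay only if anonymous users may connect AND
    # ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient on it. The default frontend
    # connector allows anonymous connections but lacks the right, so it is skipped here.
    if ("$($rc.PermissionGroups)" -notmatch 'AnonymousUsers') { continue }
    $anyRecipient = $rc | Get-ADPermission |
        Where-Object { "$($_.User)" -like '*ANONYMOUS LOGON' -and
                       $_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*' }
    if (-not $anyRecipient) { continue }

    foreach ($range in $rc.RemoteIPRanges) {
        $entry = "$range"
        # Exact match against the router IP only; a range that merely contains it is
        # still reported as "whole range" below.
        $assessment = if ($entry -eq $routerInternalIp) { 'OPEN RELAY: NAT router IP listed' }
                      elseif (-not (Test-SingleHost $entry)) { 'WARN: whole range, not a single host' }
                      else { 'ok: single host' }
        [pscustomobject]@{ Connector = $rc.Name; RemoteEntry = $entry; Assessment = $assessment }
    }
}

$findings | Format-Table -AutoSize
```

Any line reading "OPEN RELAY" or "WARN" is a connector whose remote network settings should be tightened to the individual application or device IPs.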
