Allow Anonymous Relay on a Receive Connector

 

Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

You can use the EMC or the Shell to create and configure a Receive connector that allows anonymous relay.

Looking for other management tasks related to managing connectors? Check out Managing Connectors.

Prerequisites

Allowing anonymous relay on a Receive connector is a security risk, especially on Internet-facing servers. Make sure you fully understand the implications by reading the "Using a Receive Connector for Anonymous Relay" section in Understanding Receive Connectors.

Grant the relay permission to anonymous connections

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

You can create the Receive connector using either EMC or the Shell; however, you must use the Shell to grant the relay permission to anonymous connections.

Use the EMC to create the Receive connector

  1. Perform one of the following steps:

    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.

    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.

  2. In the action pane, click New Receive Connector. The New Receive Connector wizard starts.

  3. On the Introduction page, follow these steps:

    1. In the Name field, type a meaningful name for this connector. This name is used to identify the connector.

    2. In the Select the intended use for this Receive connector field, select Custom.

    3. Click Next.

  4. On the Local Network settings page, follow these steps:

    1. Select the existing All Available IPv4 entry, and then click Remove icon.

    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address assigned to a network adapter on the local server that's best able to communicate with the remote messaging server. In the Port field, type 25, and then click OK. Leave the Specify the FQDN this connector will provide in response to HELO or EHLO field blank.

    3. Click Next.

  5. On the Remote Network settings page, follow these steps:

    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click Remove icon.

    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you're finished entering the IP addresses, click OK.

    3. Click Next.

  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  7. On the Completion page, click Finish.

  8. In the work pane, select the Receive connector that you created.

  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.

  10. Click the Permission Groups tab. Select Anonymous users.

  11. Click OK to save your changes and exit the Properties page.

Use the Shell to create the Receive connector

This example uses the New-ReceiveConnector cmdlet to create the Receive connector Anonymous Relay that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77.

New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77

For detailed syntax and configuration information, see New-ReceiveConnector.

Use the Shell to grant relay permission to anonymous connections on the new Receive connector

Note

You can't use the EMC to perform this task.

This example retrieves the specified Receive connector information and pipes the result to the Add-ADPermission cmdlet to grant relay permission to anonymous connections on the new Receive connector.

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For detailed syntax and configuration information, see Get-ReceiveConnector or Add-ADPermission.

Configure the Receive connector as externally secured

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

Use the EMC to create the Receive connector as externally secured

  1. Perform one of the following steps:

    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.

    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.

  2. In the action pane, click New Receive Connector. The New Receive Connector wizard starts.

  3. On the Introduction page, follow these steps:

    1. In the Name field, type a meaningful name for this connector. This name is used to identify the connector.

    2. In the Select the intended use for this Receive connector field, select Custom.

    3. Click Next.

  4. On the Local Network settings page, follow these steps:

    1. Select the existing All Available entry, and then click Remove icon.

    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address assigned to a network adapter on the local server that's best able to communicate with the remote messaging server. In the Port field, type 25, and then click OK. Leave the Specify the FQDN this connector will provide in response to HELO or EHLO field blank.

    3. Click Next.

  5. On the Remote Network settings page, follow these steps:

    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click Remove icon.

    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you're finished entering the IP addresses, click OK.

    3. Click Next.

  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  7. On the Completion page, click Finish.

  8. In the work pane, select the Receive connector that you created.

  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.

  10. Click the Permission Groups tab. Select Exchange servers.

  11. Click the Authentication tab. Select Externally Secured (for example, with IPsec).

  12. Click OK to save your changes and exit the Properties page.

Use the Shell to create the Receive connector as externally secured

This example creates the Receive connector Anonymous Relay that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77.

New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77

For detailed syntax and configuration information, see New-ReceiveConnector.

 © 2010 Microsoft Corporation. All rights reserved.