How to Allow Anonymous Relay on a Receive Connector

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

This topic explains how to use the Exchange Management Console or the Exchange Management Shell to create and configure a Receive connector that allows anonymous relay. The Receive connector is configured on servers that have the Microsoft Exchange Server 2007 Hub Transport server role or the Edge Transport server role installed.

Relay is the transfer of messages from one Simple Mail Transfer Protocol (SMTP) messaging server to another when the accepting SMTP messaging server is not the final destination of the message. When unrestricted, anonymous relay on Internet SMTP messaging servers is a serious security deficiency that could be exploited by unsolicited commercial e-mail senders, or spammers, to hide the source of their messages. Therefore, restrictions are placed on Internet-facing messaging servers to prevent relaying to unauthorized destinations.

In Exchange 2007, relaying is typically handled by using accepted domains. Accepted domains are configured on the Edge Transport server or Hub Transport server. The accepted domains are additionally classified as internal relay domains or external relay domains. For more information about accepted domains, see Managing Accepted Domains.

You can also to restrict anonymous relay based on the source of the incoming messages. This method is useful when an unauthenticated application or messaging server must use a Hub Transport server or an Edge Transport server as a relay server.

Before You Begin

To perform this procedure, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the target server

To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Creating a Receive Connector that Grants Anonymous Relay to Specific Source IP Addresses

When you create the Receive connector that is configured to allow anonymous relay, you should place the following restrictions on the Receive connector:

  • Local network settings   Restrict the Receive connector to listen only on the appropriate network adapter on the Hub Transport server or Edge Transport server.

  • Remote network settings   Restrict the Receive connector to accept connections only from the specified server or servers. This restriction is necessary, because the Receive connector is configured to accept relay from anonymous users. Restricting the source servers by IP address is the only measure of protection that is allowed on this Receive connector.

To grant the relay permission to anonymous users on the Receive connector, you can use either of the strategies described in the following sections. Each strategy has advantages and disadvantages.

Grant the Relay Permission to Anonymous Connections

This strategy involves the following tasks:

  • Create a new Receive connector with the usage type set to Custom.

  • Add the Anonymous permission group to the Receive connector.

  • Assign the relay permission to the Anonymous Logon security principal on the Receive connector.

The Anonymous permission group grants the following permissions to the Anonymous Logon security principal on the Receive connector:

  • Ms-Exch-Accept-Headers-Routing

  • Ms-Exch-SMTP-Accept-Any-Sender

  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

  • Ms-Exch-SMTP-Submit

However, to allow anonymous relay on this Receive connector, you must also grant the following permission to the Anonymous Logon security principal on the Receive connector:

  • Ms-Exchange-SMTP-Accept-Any-Recipient

The advantage of this strategy is that it grants the minimum required permissions for relay to the specified remote IP addresses.

The disadvantages of this strategy are as follows:

  • You can only assign the relay permission to the Anonymous Logon account on the Receive connector by using the Exchange Management Shell in a separate step after you create the Receive connector.

  • The messages that originate from the specified IP addresses are treated as anonymous messages. Therefore, the messages don't bypass anti-spam checks, don't bypass message size limit checks, and anonymous senders can't be resolved. The process of resolving anonymous senders forces an attempted match between the anonymous sender's e-mail address and the corresponding display name in the global address list.

    Note

    If Exchange 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6.
    We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization.
    For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1 and SP2. For more information about connection filtering, how to add IP addresses to the IP Allow list and IP Block list, and how to configure IP Block List provider services and IP Allow List provider services, see Configuring Connection Filtering.

To use the Exchange Management Console to create a new Receive connector that grants the relay permission to anonymous connections

  1. Open the Exchange Management Console. Perform one of the following steps:

    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.

    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration, and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.

  2. In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.

  3. On the Introduction page, follow these steps:

    1. In the Name: field, type a meaningful name for this connector. This name is used to identify the connector.

    2. In the Select the intended use for this connector: field, select Custom.

    3. Click Next.

  4. On the Local network settings page, follow these steps:

    1. Select the existing All Available entry, and then click Remove icon.

    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address that is assigned to a network adapter on the local server that is best able to communicate with the remote messaging server.

    3. On the Local network settings page, in the Port field, type 25, and then click OK.

    4. Click Next.

  5. On the Remote Network settings page, follow these steps:

    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click Remove icon.

    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you are finished entering the IP addresses, click OK.

    3. Click Next.

  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  7. On the Completion page, click Finish.

  8. In the work pane, select the Receive connector that you created.

  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.

  10. Click the Permission Groups tab. Select Anonymous users.

  11. Click OK to save your changes and exit the Properties page

  12. Open the Exchange Management Shell.

  13. Run the following command using the name of the Receive connector that you created in steps 1 through 11:

    Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
    

To use the Exchange Management Shell to create a new Receive connector that grants the relay permission to anonymous connections

  1. Run the following command:

    New-ReceiveConnector -Name <Name> -Usage Custom -PermissionGroups AnonymousUsers -Bindings <LocalIPAddress:25> -RemoteIpRanges <SourceServer>
    

    For example, to create a new Receive connector named "Anonymous Relay" that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77, run the following command:

    New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
    
  2. Run the following command using the name of the Receive connector that you created in step 1:

    Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
    

Configure the Receive Connector as Externally Secured

This strategy involves the following tasks:

  • Create a new Receive connector with the usage type set to Custom.

  • Add the ExchangeServers permission group to the Receive connector.

  • Add the ExternalAuthoritative authentication mechanism to the Receive connector.

The ExchangeServers permission group is required when you select the ExternalAuthoritative authentication mechanism. This combination of authentication method and permission group grants the following permissions to any incoming connection that is permitted on the Receive connector:

  • Ms-Exch-Accept-Headers-Routing

  • Ms-Exch-SMTP-Accept-Any-Sender

  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

  • Ms-Exch-SMTP-Submit

  • Ms-Exch-Accept-Exch50

  • Ms-Exch-Bypass-Anti-Spam

  • Ms-Exch-Bypass-Message-Size-Limit

  • Ms-Exch-SMTP-Accept-Any-Recipient

  • Ms-Exch-SMTP-Accept-Authentication-Flag

The advantages of this strategy are as follows:

  • Ease of configuration

  • The messages that originate from the specified IP addresses are treated as authenticated messages. The messages bypass anti-spam checks, bypass message size limit checks, and can resolve anonymous senders.

The disadvantage of this strategy is that the remote IP addresses are considered completely trustworthy. The permissions that are granted to the remote IP addresses allow the remote messaging server to submit messages as if they originated from internal senders within your Exchange organization.

To use the Exchange Management Console to create a new Receive connector that is configured as externally secured

  1. Open the Exchange Management Console. Perform one of the following steps:

    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.

    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration, and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.

  2. In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.

  3. On the Introduction page, follow these steps:

    1. In the Name: field, type a meaningful name for this connector. This name is used to identify the connector.

    2. In the Select the intended use for this connector: field, select Custom.

    3. Click Next.

  4. On the Local network settings page, follow these steps:

    1. Select the existing All Available entry, and then click Remove icon.

    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address that is assigned to a network adapter on the local server that is best able to communicate with the remote messaging server.

    3. On the Local network settings page, in the Port field, type 25, and then click OK.

    4. Click Next.

  5. On the Remote Network settings page, follow these steps:

    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click Remove icon.

    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you are finished entering the IP addresses, click OK.

    3. Click Next.

  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  7. On the Completion page, click Finish.

  8. In the work pane, select the Receive connector that you created.

  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.

  10. Click the Permission Groups tab. Select Exchange servers.

  11. Click the Authentication tab. Select Externally Secured (for example, with IPsec).

  12. Click OK to save your changes and exit the Properties page.

To use the Exchange Management Console to create a new Receive connector that is configured as externally secured

  • Run the following command:

    New-ReceiveConnector -Name <Name> -Usage Custom -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers -Bindings <LocalIPAddress:25> -RemoteIpRanges <SourceServer>
    

    For example, to create a new Receive connector named "Anonymous Relay" that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77, run the following command:

    New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
    

For More Information

For more information, see the following topics: