An accepted domain * is found in the Accepted Domain settings

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-01-15

The Microsoft Exchange Analyzer Tool checks the Exchange environment to determine whether the following items are configured:

  • The Accepted Domains value is set correctly.

  • The Anonymous account does not have relay permissions on a non-scoped connector.

  • The Externally Secured Servers group does not have ms-Exch-SMTP-Accept-Any-Recipient permissions on a non-scoped externally secured connector.

If one or more of these checks fail, Exchange Analyzer displays one or more of the following messages:

An accepted domain '*' is found in the Accepted Domain settings. This will cause every domain to be accepted. It is recommended that you remove this configuration.

Relay permission on non-scoped connector ConnectorName was granted to Anonymous account on server ServerName. It is recommended that you remove this permission or change the 'Remote IP address(es)' of this connector.

Permission on non-scoped connector ConnectorName was granted to Externally Secured Servers group on server ServerName. It is recommended that you change the 'Remote IP address(es)' or 'Authentication' of this connector.

To address these issues, follow these steps.

Change the Accepted Domains configuration

  1. Open the Exchange Management Console.

  2. On an Edge Transport server, select Edge Transport, and then click the Accepted Domains tab. On a Hub Transport server, expand Organization Configuration, select Hub Transport, and then click the Accepted Domains tab.

  3. In the action pane, right-click the Accepted Domain, and then click Properties.

  4. Edit the name of the Accepted Domain. Use this field to identify the SMTP domain name for which the Exchange organization will accept e-mail messages. You can use a wildcard character to accept messages for a domain and all its sub-domains. For example, use *.contoso.com.

  5. Click OK.

Create a scoped connector

  1. In the Exchange Management Console, expand Server Configuration.

  2. Click Hub Transport.

  3. In the Actions pane, click New Receive Connector.

  4. Type a name for the new connector, select Custom from the list, and then click Next.

  5. On the Remote network settings page, enter the IP addresses that you want to use, and then click Next.

  6. Click New, and then click Finish.

  7. Right-click the new receive connector, and then click Properties.

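  8. Click the Permissions tab, and then select Exchange Users. If you want to allow anonymous access for devices that send mail but cannot authenticate, such as a scanner or printing device, you can also select Anonymous. This grants the most common permissions to the anonymous account, but it does not grant the relay permission. Grant the relay permission only on a connector that is scoped to specific remote IP addresses, as set in step 5, because the Analyzer flags this permission on a non-scoped connector. To grant it, run the following command from the Exchange Management Shell, replacing "CRM Application" with the name of your connector: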

    Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" 
    
  9. On the Authentication tab, select Transport Layer Security (TLS). If this is an externally secured connector, select Externally Secured (IPSec).

  10. Click OK.
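
To re-check the three conditions from the Exchange Management Shell after making these changes, a read-only audit such as the following can be used. This is an added example, not part of the original topic and not the Exchange Analyzer's own logic. It assumes that "non-scoped" means a remote IP range that covers every address, and it matches the two accounts by the end of their names.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# Assumption: a connector is "non-scoped" when one of its remote IP ranges
# covers every IPv4 or IPv6 address (the string forms below).
$openRanges = '0.0.0.0-255.255.255.255',
              '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'
$relayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'

# Check 1: an accepted domain of '*' causes every domain to be accepted.
Get-AcceptedDomain |
    Where-Object { "$($_.DomainName)" -eq '*' } |
    ForEach-Object { Write-Warning "Accepted domain '*' found: $($_.Name)" }

foreach ($connector in Get-ReceiveConnector) {
    # Connectors restricted to specific remote addresses are scoped; skip them.
    $open = @($connector.RemoteIPRanges |
        Where-Object { $openRanges -contains "$_" })
    if ($open.Count -eq 0) { continue }

    # Allow entries on this connector that carry the relay right.
    $relayAces = @($connector | Get-ADPermission | Where-Object {
        (-not $_.Deny) -and ($_.ExtendedRights -like $relayRight)
    })

    # An externally secured connector lists ExternalAuthoritative
    # among its authentication mechanisms.
    $externallySecured =
        "$($connector.AuthMechanism)" -match 'ExternalAuthoritative'

    foreach ($ace in $relayAces) {
        $user = "$($ace.User)"

        # Check 2: Anonymous may relay through a non-scoped connector.
        if ($user -like '*ANONYMOUS LOGON') {
            Write-Warning ("Anonymous relay permission on non-scoped " +
                "connector '$($connector.Identity)'")
        }

        # Check 3: Externally Secured Servers group holds the right
        # on a non-scoped, externally secured connector.
        if ($externallySecured -and
            $user -like '*Externally Secured Servers') {
            Write-Warning ("Externally Secured Servers permission on " +
                "non-scoped connector '$($connector.Identity)'")
        }
    }
}
```

No output means none of the three conditions was found on the connectors and accepted domains the shell session can see.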