Yes there are many blogs out there that talk about how to enable anonymous relaying in Exchange 2007. One of the most popular of these is the official Microsoft Exchange Team Blog. That specific article is located here. Out of the articles I have read, I haven’t seen any that really explain how/why relaying isn’t enabled when you enable Anonymous users. I’ll explain exactly what permissions are given to the anonymous group and why enabling anonymous doesn’t allow relay.
I previously wrote a blog article entitled, “Client to Server Secure SMTP Connectivity in Exchange Server 2007.” I explained in this article that on your Default Receive Connector, the Exchange Users group is enabled to use that connector by default.
This Exchange Users group is allowed the following permissions to that connector:
- Ms-Exch-SMTP-Submit
- Ms-Exch-SMTP-Accept-Any-Recipient
- Ms-Exch-Bypass-Anti-Spam
- Ms-Exch-Accept-Headers-Routing
The Ms-Exch-SMTP-Accept-Any-Recipient is the permission that allows a user to relay off of that connector.
So what really happens when you place a check mark in the Anonymous users group in the above screenshot? A lot of people are afraid to place a checkmark in that box in fear that anonymous users will be able to relay off your Exchange Server. This is NOT the case.
When you place a checkmark in that box, the following permissions are given to the Anonymous Logon group:
- Ms-Exch-SMTP-Submit
- Ms-Exch-SMTP-Accept-Any-Sender
- Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
- Ms-Exch-Accept-Headers-Routing
So, as you can see, there is no Ms-Exch-SMTP-Accept-Any-Recipient permission added by default. Because of this, users will NOT be able to relay off your Exchange Server by default. In order to allow for this, you should do the following as outlined in my previous article:
- Create a new Receive Connector with the Custom Usage Group
- For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions
- Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab > Add Anonymous Users
To activate Anonymous users to use this connector for relaying, you must issue the following command:
Get-ReceiveConnector “Receive Connector Name” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
The command should be easy enough to read, but what it essentially does is retrieve the receive connector that you created, add a permission into Active Directory for the Anonymous Logon group, and assign that group the Ms-Exch-SMTP-Accept-Any-Recipient permission for that group on that connector.
Now you may be thinking, why should I create this new connector? Well, Exchange will always look to see how specific you are on a connector. So let’s say we have a SharePoint Server at 192.168.119.150. We would create a relay connector and allow ONLY 192.168.119.150 to relay. So when Exchange receives SMTP from an address of 192.168.119.150, it will see there are a few connectors. One being the Default Receive Connector and one being the Relay Connector. The Default Receive Connector allows connections from any IP Address while the Relay Connector only allows connections from 192.168.119.150. Because you explicitly set the address on your Relay Connector, that is given higher preference in serving that SMTP connection from SharePoint and your SharePoint Server will now be able to relay off of Exchange (even though you can configure SharePoint to authenticate, but still just giving an example).
Thank you so much! Needed this for Saleforce.com relay to work for external recipients.
Thank u.
Muchas gracias Elan, después de muchos días finalmente funciono perfecto!!!! gracias!!!
Great article and insight to how anonymous relaying works!… I specifically wanted to know how the precedence works if multiple connectors have the same network range configured. I thought the ranges should not overlap but as per your article it seems it picks the more explicit one.
Thanks for clarifying this for me.
Tahnks for a great explanation of the real story behind Anonymous users.
How can I undo the command above? By command I mean
Get-ReceiveConnector “Receive Connector Name” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
i would like to undo this command and create a custom connector.
Thanks for all your help
Change Add to Remove.
Explaining the importance of specific IP addresses in the Receive Connector is what made this article stand out above the rest. I was racking my brain all day until I found this article. Thank you for the detailed explanation which fixed us!!
This reallly helped out in getting a network MFP printer/scanner to be able to send scans throuhg Exchange 2007 to user mailboxes. Thanks!
Excellent! Worked great and explained why!
Sorry for the double – both of these servers are local on the same machine — I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchanger Server ?
Joseph,
I'm not sure how to do this for SharePoint. I would ask in the TechNet SharePoint forum:
http://social.technet.microsoft.com/Forums/en/cat…
Generally, you can either do one of two things:
1. Allow SharePoint to relay
2. Configure a Mailbox for SharePoint and conifgure SharePoint to use this account to send mail so you don't have to allow relay.
I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchanger Server ?
thank you for your information
———————————————-
Elan,
This has been a problem for the past few days and even some top IT personel couldn’t solve it. Well done worked without a hitch
Thankyou
Chris,
Thanks for clarifying this for me.
Elan,
Thanks again for your posts, I have found a lot of useful information on your blog.
weisshole: Yes, you can, but you can’t have them serving the same IP addresses/ranges. So I have two connectors, both on the same IP/port, one serves 0.0.0.0-255.255.255.255, requires some form of authentication/Exchange servers, offers all forms of security except External (so it’s meant for employees using iPhones/Outlook Express/etc..). I then have another with specific IP addresses it allows (our co-location IPs), with Externally secured and Exchange Server/Anonymous user authentication. That way our web apps which don’t support authenticating can still send us emails but only from those specific IPs, but the general unwashed masses of the internet have to authenticate in order to send email (this server isn’t our MX record, that server does have anti-spam, greylisting, etc.., and is for public use, but some people still try our exchange server’s IP to see what they can do).
BTW, thank you SO MUCH for writing this article – I understood the basic concept but it was breaking my brain trying to make it work – the step by step part helped me figure it out.
Elan,
Thank you for this post, I just ran into this issue today and this will help. Can you clarify something for me. Since multiple reciever connectors can can be used, can they work on the same port and IP. example default is 192.168.0.2 port 25 and trusted with anonymous box checked will be 192.168.0.2 on port 25 as well with specific IP addresses set per your article. I would think there would be some kind of port conflict sine two connectors are listening on port 25 for the same IP address.
Dear Elan,
Thank you very much!!
I have been struggling with the topic all day, and found al lot of websites that didn’t solve my problem. But you nailed it!!!!
Thanks again.
OneAB