Elan Shudnow's Blog

How Anonymous Relay works in Exchange 2007

August 21, 2008 by Elan Shudnow 23 Comments

Yes, there are many blogs that explain how to enable anonymous relaying in Exchange 2007. One of the most popular is the official Microsoft Exchange Team Blog; that specific article is located here. Of the articles I have read, none really explain how and why relaying is not enabled simply by enabling Anonymous users. I'll explain exactly which permissions are granted to the anonymous group and why enabling anonymous does not allow relay.

I previously wrote a blog article entitled "Client to Server Secure SMTP Connectivity in Exchange Server 2007." In that article I explained that on your Default Receive Connector, the Exchange Users group is enabled to use the connector by default.

This Exchange Users group is allowed the following permissions to that connector:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Recipient
  • Ms-Exch-Bypass-Anti-Spam
  • Ms-Exch-Accept-Headers-Routing

Ms-Exch-SMTP-Accept-Any-Recipient is the permission that allows a user to relay through that connector.

So what really happens when you place a check mark next to the Anonymous users group in the above screenshot? A lot of people are afraid to check that box, fearing that anonymous users will then be able to relay through the Exchange Server. This is NOT the case.

When you place a checkmark in that box, the following permissions are given to the Anonymous Logon group:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

So, as you can see, the Ms-Exch-SMTP-Accept-Any-Recipient permission is not added by default. Because of this, anonymous users will NOT be able to relay through your Exchange Server by default. To allow relaying for a specific host, do the following, as outlined in my previous article:

  1. Create a new Receive Connector with the Custom Usage Group
  2. For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions
  3. Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab > Add Anonymous Users

To allow Anonymous users to relay through this connector, you must issue the following command:
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

The command should be easy enough to read, but what it essentially does is retrieve the receive connector that you created and add an Active Directory permission entry on that connector object that grants the Anonymous Logon group the Ms-Exch-SMTP-Accept-Any-Recipient right. Because the entry lives on that one connector, the relay right applies only to connections that connector serves.

Now you may be wondering why you should create this new connector at all. Exchange selects the Receive Connector whose remote IP range most specifically matches the connecting client. Say we have a SharePoint Server at 192.168.119.150 and we create a relay connector that allows ONLY 192.168.119.150. When Exchange receives an SMTP connection from 192.168.119.150, it sees two candidate connectors: the Default Receive Connector, which accepts connections from any IP address, and the Relay Connector, which accepts connections only from 192.168.119.150. Because the Relay Connector explicitly lists that address, it is preferred for the SharePoint connection, and the SharePoint Server can now relay through Exchange. (SharePoint can also be configured to authenticate instead; this is just an example.)
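The three steps and the Add-ADPermission command above, followed by an audit of which connectors actually grant anonymous relay, as an added Exchange Management Shell example (not from the original post). It assumes a Hub Transport server named HUB01, a connector name of "SharePoint Relay", and the article's 192.168.119.150 SharePoint address.

```powershell
# Added example, not from the original article. Assumptions: Exchange 2007
# Management Shell, Hub Transport server HUB01 (hypothetical), SharePoint
# server at 192.168.119.150 (the article's example address).
$server  = "HUB01"                 # assumed Hub Transport server name
$relayIP = "192.168.119.150"       # the only host allowed to relay
$name    = "SharePoint Relay"      # assumed connector name

# Steps 1 and 2: Custom usage, scoped to a single remote IP instead of the
# default 0.0.0.0-255.255.255.255 range. Step 3: the AnonymousUsers permission
# group, which grants Submit / Accept-Any-Sender but NOT Accept-Any-Recipient.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $relayIP `
    -PermissionGroups AnonymousUsers

# The one extra right that actually permits relay, placed on this connector only.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: list every connector on this server where Anonymous Logon holds an
# allow ACE for Accept-Any-Recipient, with its remote IP ranges. A connector
# in this list whose range is still 0.0.0.0-255.255.255.255 is an open relay.
Get-ReceiveConnector -Server $server | Where-Object {
    $conn = $_
    $conn | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
        Where-Object { (-not $_.Deny) -and
                       ($_.ExtendedRights -like "*Accept-Any-Recipient*") }
} | Select-Object Identity, RemoteIPRanges,
        @{ Name = "OpenRelay"
           Expression = { [bool]($_.RemoteIPRanges |
               Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" }) } } |
    Format-Table -AutoSize
```

Run the audit portion by itself on a periodic basis; the expected result is a single row for the relay connector with OpenRelay set to False.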


Comments

  1. Karl Molder says

    October 17, 2012 at 10:29 am

    Thank you so much! Needed this for Saleforce.com relay to work for external recipients.

    Reply
  2. Erwin Craps says

    October 10, 2012 at 8:20 am

    Thank u.

    Reply
  3. Patricio Tello says

    July 1, 2011 at 9:05 am

    Thank you very much Elan, after many days it finally worked perfectly!!!! thanks!!!

    Reply
  4. Mustu says

    May 3, 2011 at 1:12 am

    Great article and insight to how anonymous relaying works!… I specifically wanted to know how the precedence works if multiple connectors have the same network range configured. I thought the ranges should not overlap but as per your article it seems it picks the more explicit one.

    Reply
  5. nuoc hoa o to says

    April 7, 2011 at 1:42 am

    Thanks for clarifying this for me.

    Reply
  6. Art G says

    November 19, 2010 at 11:07 am

    Thanks for a great explanation of the real story behind Anonymous users.

    Reply
  7. timdaigle says

    November 17, 2010 at 10:57 am

    How can I undo the command above? By command I mean

    Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    i would like to undo this command and create a custom connector.

    Thanks for all your help

    Reply
    • Elan Shudnow says

      November 18, 2010 at 9:48 am

      Change Add to Remove.

      Reply
  8. Josh B says

    July 19, 2010 at 7:56 pm

    Explaining the importance of specific IP addresses in the Receive Connector is what made this article stand out above the rest. I was racking my brain all day until I found this article. Thank you for the detailed explanation which fixed us!!

    Reply
  9. Richard says

    February 18, 2010 at 11:07 pm

    This really helped out in getting a network MFP printer/scanner to be able to send scans through Exchange 2007 to user mailboxes. Thanks!

    Reply
  10. @Zaerion says

    February 8, 2010 at 5:33 pm

    Excellent! Worked great and explained why!

    Reply
  11. Joseph says

    December 3, 2009 at 5:04 pm

    Sorry for the double – both of these servers are local on the same machine — I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchanger Server ?

    Reply
    • Elan Shudnow says

      December 3, 2009 at 6:54 pm

      Joseph,

      I'm not sure how to do this for SharePoint. I would ask in the TechNet SharePoint forum:
      http://social.technet.microsoft.com/Forums/en/cat…

      Generally, you can either do one of two things:
      1. Allow SharePoint to relay
      2. Configure a Mailbox for SharePoint and configure SharePoint to use this account to send mail so you don't have to allow relay.

      Reply
  12. Joseph says

    December 3, 2009 at 5:03 pm

    I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchanger Server ?

    Reply
  13. nuoc hoa says

    September 23, 2009 at 2:16 am

    thank you for your information

    Reply
  14. Wiztech2000 says

    April 20, 2009 at 10:20 pm

    Elan,

    This has been a problem for the past few days and even some top IT personnel couldn't solve it. Well done, worked without a hitch.

    Thankyou

    Reply
  15. weisshole says

    March 30, 2009 at 6:50 pm

    Chris,

    Thanks for clarifying this for me.

    Elan,

    Thanks again for your posts, I have found a lot of useful information on your blog.

    Reply
  16. Chris Wiegand says

    March 29, 2009 at 8:57 pm

    weisshole: Yes, you can, but you can’t have them serving the same IP addresses/ranges. So I have two connectors, both on the same IP/port, one serves 0.0.0.0-255.255.255.255, requires some form of authentication/Exchange servers, offers all forms of security except External (so it’s meant for employees using iPhones/Outlook Express/etc..). I then have another with specific IP addresses it allows (our co-location IPs), with Externally secured and Exchange Server/Anonymous user authentication. That way our web apps which don’t support authenticating can still send us emails but only from those specific IPs, but the general unwashed masses of the internet have to authenticate in order to send email (this server isn’t our MX record, that server does have anti-spam, greylisting, etc.., and is for public use, but some people still try our exchange server’s IP to see what they can do).

    BTW, thank you SO MUCH for writing this article – I understood the basic concept but it was breaking my brain trying to make it work – the step by step part helped me figure it out.

    Reply
  17. weisshole says

    March 27, 2009 at 10:21 pm

    Elan,

    Thank you for this post, I just ran into this issue today and this will help. Can you clarify something for me? Since multiple receive connectors can be used, can they work on the same port and IP? Example: default is 192.168.0.2 port 25 and trusted with anonymous box checked will be 192.168.0.2 on port 25 as well with specific IP addresses set per your article. I would think there would be some kind of port conflict since two connectors are listening on port 25 for the same IP address.

    Reply
  18. OneAB says

    December 20, 2008 at 12:47 pm

    Dear Elan,

    Thank you very much!!
    I have been struggling with the topic all day, and found a lot of websites that didn't solve my problem. But you nailed it!!!!

    Thanks again.

    OneAB

    Reply
