Elan Shudnow's Blog

How Anonymous Relay works in Exchange 2013

June 4, 2013 by Elan Shudnow 32 Comments

This article shows how to properly create an Exchange 2013 relay connector and explains what actually happens when you allow anonymous users on it.

In Exchange 2013, I am utilizing a multi-role server that has both the Client Access Server and Mailbox Server roles. We’ll want to head to the mail flow section in the Exchange Administration Center (EAC) that you can access by going to https://OWA.domain.com/ECP.


Once in this mail flow section, we’ll click the tab called receive connectors which will allow us to see all receive connectors that exist.


As you can see, there are connectors for FrontendTransport and connectors for HubTransport. FrontendTransport belongs to the Client Access Server role and HubTransport belongs to the Mailbox Server role.

Let’s take a look at the “Default B-E15DAG1” receive connector, which belongs to the HubTransport role, as well as the “Default Frontend B-E15DAG1” connector, which belongs to the FrontendTransport role.

Taking a look at the “Default FrontEnd B-E15DAG1”, we can see that the connector listens on port 25 as we would expect.


Taking a look at the “Default B-E15DAG1” receive connector, we can see it listens on port 2525 which is something we haven’t seen before.


All mail flow should come into the Frontend Transport service, which then delivers it to the appropriate Mailbox server where the mailboxes exist. On a multi-role server, these two roles cannot use the same ports because they are two different services. This means that a relay connector must be created on the Client Access Server role that owns the Frontend Transport service, because that service owns port 25. If you instead create the receive connector on the Mailbox Server role that owns the HubTransport service, mail flow may work temporarily, but it will eventually fail because the FrontendTransport and HubTransport services fight each other for port 25. If the Client Access Server and Mailbox Server roles are on different servers, this is obviously not an issue.

To create our relay connector, we’ll choose the + symbol to create a new Receive Connector.


Give the connector a name and be sure to choose Frontend Transport and Custom. Click Next.


The default settings here are fine. We want port 25 for the reason explained above. Click Next.


In the remote network settings, it is important to remove 0.0.0.0-255.255.255.255. We want to explicitly define which servers are allowed to relay so that our server does not become an open relay for everybody. In my case, I am going to add 192.168.50.2, which may be a printer, a custom application, etc., but whatever host owns 192.168.50.2 is the one that needs to relay. Once this is done, click Finish.


Once the relay connector is created, open its properties, go to security, and make sure you check Anonymous Users.


So what really happens when you place a check mark next to Anonymous users in the above screenshot? A lot of people are afraid to check that box, fearing that anonymous users will then be able to relay through your Exchange server. This is NOT the case.

When you place a checkmark in that box, the following permissions are given to the Anonymous Logon group:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

So, as you can see, the Ms-Exch-SMTP-Accept-Any-Recipient permission is not added by default. Because of this, anonymous users will NOT be able to relay through your Exchange server by default.

To allow anonymous users to relay through this connector, you must issue the following command:

Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

The command should be easy enough to read: it retrieves the receive connector you created, adds an Active Directory permission entry for the Anonymous Logon group on that connector, and assigns that group the Ms-Exch-SMTP-Accept-Any-Recipient extended right. Once this is done, any server IPs you added to the Remote Network settings will be allowed to relay through your server on port 25.
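The same connector built from the Exchange Management Shell instead of the EAC, added here as an example that is not part of the original post. It assumes the server name B-E15DAG1 and the 192.168.50.2 host from the screenshots above; the connector name "Relay Connector" is my own placeholder.

```powershell
# Added example (not from the original post): creates the Frontend Transport relay connector the
# article builds in the EAC, then grants Anonymous Logon the one extended right the checkbox omits.
# Run from the Exchange Management Shell on the multi-role server.

$ServerName    = "B-E15DAG1"        # multi-role CAS/MBX server from the article's screenshots
$ConnectorName = "Relay Connector"  # assumed name; use whatever you named the connector
$AllowedHosts  = @("192.168.50.2")  # only hosts that genuinely need to relay, never 0.0.0.0-255.255.255.255

# Frontend Transport owns port 25 on a multi-role box, so the connector must be created with that role.
# Binding 0.0.0.0:25 alongside the default frontend connector is fine because RemoteIPRanges differ.
New-ReceiveConnector -Name $ConnectorName `
    -Server $ServerName `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $AllowedHosts `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers

# The AnonymousUsers permission group grants Submit, Accept-Any-Sender,
# Accept-Authoritative-Domain-Sender and Accept-Headers-Routing, but NOT Accept-Any-Recipient.
# Without this extra right, hosts in RemoteIPRanges still get "550 5.7.1 Unable to relay".
$Identity = "$ServerName\$ConnectorName"
Get-ReceiveConnector -Identity $Identity |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Verify: the connector's role, binding, allowed sources, and the rights Anonymous Logon now holds.
Get-ReceiveConnector -Identity $Identity |
    Format-List Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups

Get-ADPermission -Identity $Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "Ms-Exch-SMTP-Accept-Any*" } |
    Format-Table User, ExtendedRights, Deny -AutoSize
```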


Now you may be thinking, why should I create this new connector? Exchange always looks at how specific each connector’s remote IP ranges are. Let’s say we have a SharePoint server at 192.168.119.150. We would create a relay connector and allow ONLY 192.168.119.150 to relay. When Exchange receives an SMTP connection from 192.168.119.150, it sees that more than one connector matches: the Default Receive Connector and the Relay Connector. The Default Receive Connector accepts connections from any IP address, while the Relay Connector accepts connections only from 192.168.119.150. Because you explicitly set that address on your Relay Connector, it is given higher preference for serving the SMTP connection from SharePoint, and your SharePoint server will now be able to relay through Exchange (you could configure SharePoint to authenticate instead; this is just an example).
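A read-only audit for the open-relay condition the article warns about, i.e. Anonymous Logon holding Ms-Exch-SMTP-Accept-Any-Recipient on a connector whose remote IP range still contains the catch-all 0.0.0.0-255.255.255.255. This is an added example, not part of the original post; the function name Test-OpenRelayConnector is my own.

```powershell
# Added example (not from the original post): lists every receive connector with the two facts
# that together make an open relay. A correctly built relay connector shows AnonymousRelay = True
# with CatchAllRange = False; the default frontend connector shows CatchAllRange = True but
# AnonymousRelay = False, because the AnonymousUsers group alone does not include
# Ms-Exch-SMTP-Accept-Any-Recipient. Run from the Exchange Management Shell; nothing is changed.

function Test-OpenRelayConnector {
    [CmdletBinding()]
    param()

    $anonymous = "NT AUTHORITY\ANONYMOUS LOGON"

    foreach ($rc in Get-ReceiveConnector) {
        # Allow ACEs for Anonymous Logon on this connector that carry the relay right.
        $relayRight = Get-ADPermission -Identity $rc.Identity.ToString() -User $anonymous -ErrorAction SilentlyContinue |
            Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like "Ms-Exch-SMTP-Accept-Any-Recipient") }

        # Remote ranges that cover the whole IPv4 or IPv6 address space (the defaults Exchange ships with).
        $catchAll = $rc.RemoteIPRanges | Where-Object {
            $_.ToString() -eq "0.0.0.0-255.255.255.255" -or
            $_.ToString() -eq "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"
        }

        [pscustomobject]@{
            Connector      = $rc.Identity.ToString()
            TransportRole  = $rc.TransportRole
            Bindings       = ($rc.Bindings -join ", ")
            RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
            AnonymousRelay = [bool]$relayRight
            CatchAllRange  = [bool]$catchAll
            OpenRelayRisk  = ([bool]$relayRight -and [bool]$catchAll)
        }
    }
}

# Connectors flagged OpenRelayRisk = True sort to the top for review.
Test-OpenRelayConnector | Sort-Object OpenRelayRisk -Descending | Format-Table -AutoSize
```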

Now, for servers that will handle a lot of relay traffic, there are some more settings to adjust on your Receive Connector. If you see mail flow issues where relaying works periodically and sometimes fails, it is recommended to run the following commands against your Relay Connector.

Set-ReceiveConnector -identity “Relay Connector Name” -TarpitInterval 00:00:00

Set-ReceiveConnector -identity “Relay Connector Name” -ConnectionTimeout 00:30:00

Set-ReceiveConnector -identity “Relay Connector Name” -ConnectionInactivityTimeout 00:20:00

Set-ReceiveConnector -identity “Relay Connector Name” -MaxAcknowledgementDelay 00:00:00

Set-ReceiveConnector -identity “Relay Connector Name” -MaxInboundConnection 10000

Set-ReceiveConnector -identity “Relay Connector Name” -MaxInboundConnectionPercentagePerSource 100

Set-ReceiveConnector -identity “Relay Connector Name” -MaxInboundConnectionPerSource unlimited

So in my case, I would run the following command, which pipes Get-ReceiveConnector into Set-ReceiveConnector to make all the modifications in one command:

Get-ReceiveConnector -Identity "Relay Connector Name" | Set-ReceiveConnector -TarpitInterval 00:00:00 -ConnectionTimeout 00:30:00 -ConnectionInactivityTimeout 00:20:00 -MaxAcknowledgementDelay 00:00:00 -MaxInboundConnection 10000 -MaxInboundConnectionPercentagePerSource 100 -MaxInboundConnectionPerSource unlimited


If you are wondering what the default settings were, I ran the following to view the defaults before running Set-ReceiveConnector.

[Screenshot: the receive connector's default settings, captured before running Set-ReceiveConnector]


Comments

  1. V says

    April 18, 2022 at 3:55 pm

    I still use this article to get the ps command like every other week lol

  2. Dominik says

    April 8, 2015 at 3:29 am

    Thanks, great writeup, helped me quite a lot today!

  3. graycj says

    March 10, 2015 at 2:15 am

    Thanks Elan, great post – clear and easy to understand. I was almost there, just missing the last step!
    Carl http://oxfordsbsguy.com

  4. Jabulani says

    January 20, 2015 at 3:34 am

    Hi Robert, thanks for your tutorial. Could you please assist me if possible?

    I've currently installed Exch 2013 in an Exch 2010 environment.

    Exch 2013 – I'm able to send internally/externally without any issues but not receiving anything except from mailboxes on the same Exch 2013 server.

    I have not configured any Send or Receive connectors as yet.

    The Send Connectors available reside in the existing Exch 2010 environment; I just added the new Exch 2013 server to them.

    There are a couple of Receive connectors residing in the Exch 2010 environment but not yet migrated over.

    How would I go about making sure that I can send/receive from both Exch 2010 and 2013 and vice versa?
  5. Rich says

    October 7, 2014 at 7:07 pm

    This post saved me! I kept creating the receive connector with the Hub Transport selected and the Transport service kept stopping. Problem solved! Thanks!

  6. Exch 2013 Noob says

    August 19, 2014 at 5:16 pm

    Elan, you posted a "simple script" for enabling multiple users from a .csv script. Will that same script work with Exch 2013? Thank you………Noob!
  7. Steve says

    March 31, 2014 at 1:08 pm

    Hello,

    Great article. I am, however, a little confused about the difference between creating a receive/relay connector on the CAS vs. creating it on the Mailbox server. Can you help clarify a few things?

    If you wanted to relay and send mail to external recipients for device/application notifications, I would imagine you would want to create the connector using the Front-End Transport role on the CAS, correct? Would relaying externally also work if the connector was created on the Mailbox server? What’s the difference??? Is the only advantage of using the Mailbox server for the receive connector the option of having the mail queued?

    What if I only wanted to relay internally? Which server or role should I use?

    Lastly, what if the applications needing to relay externally use ports other than port 25? Does it matter where the connector gets created, or is it the same procedure?
  8. vverdun says

    March 28, 2014 at 4:01 pm

    Great explanation, thanks for your work!
  9. Nemanja says

    March 25, 2014 at 4:36 am

    Excellent post

  10. Anonymous says

    November 7, 2013 at 10:39 am

    Great post. Was having an issue with SCOM notifications being dropped due to the submission rate being too high. This cleared up the issue!
  11. Geoff says

    November 7, 2013 at 4:37 am

    Hi, Thanks for this step by step guide.

    I would also recommend running the following command in order to allow more than 1 Anonymous connection at a time:

    Set-ThrottlingPolicy -anonymousmaxconcurrency 10 on the default ThrottlingPolicy

  12. Fred Fish says

    November 1, 2013 at 9:28 am

    Elan thank you very much for your in-depth explanation of this issue resolution. I have been trying to do this for a month and unable to figure it out since our upgrade to Exch 2013.

  13. Robert S. says

    October 23, 2013 at 7:15 am

    Is it possible to set up another connector (on port 25) to allow for SMTP auth relay as well? Basically, I want to allow printers or other devices/apps to be able to send a user/pass to send email so I don't have to enter hundreds of IPs in my allow list as well as keep the list up to date, not to mention allow them to use DHCP if possible. Then I can also use another connector with the method you have posted here to allow those other devices/apps that can't use SMTP auth, and I will allow those to relay anonymously by IP. Does that make sense?
    • Elan Shudnow says

      October 23, 2013 at 8:05 am

      Yes, that makes sense. If the client is authenticating, all you need to do is have the Exchange User permission checked. This will allow them to utilize that connector. Then for the devices that cannot authenticate, you can simply just use the relay connector as I have outlined in this article.

      • Robert S. says

        October 23, 2013 at 8:17 am

        Thanks for the reply. Now I get to ask details ;-) So, this is on a standalone CAS server with the internal relay connector as you have outlined here and the other default connectors as they come installed. Since the default connector and the internal relay connector both use port 25, how do I set up a new connector to use Exchange user authentication on port 25 without having to specify it by IP address and have it not conflict with the default connector? I could allow the default connector to relay anonymously, but since that is set up to allow the anonymous permission group (by default), it would allow anyone to connect using pretty much any method, right? I was thinking that maybe I would set up a new connector with the Exchange user permission group assigned and then set up broad subnets that are used internally (probably 30 of them, but still a lot less than setting up all the devices by IP). Would this work and still allow the devices that are using anonymous relay to be specified by IP on the internal relay connector? From what I understand, the more specific IP match on the receive connectors will determine which method it uses. Do you think this would be the proper method to do this, or am I making this too difficult?
  14. kevin says

    October 20, 2013 at 7:32 am

    You're a legend. I was adding it manually without the command; now it finally works. You have no idea how much time I spent, and it was this silly command I was missing ARWRR@#$##$@!!
    Anyway, thanks!
  15. Frederic D. says

    October 16, 2013 at 5:38 am

    Is using "Exchange servers" as permission group and "Externally secured" for authentication still a valid option for creating a relay connector?

    • Elan Shudnow says

      October 16, 2013 at 7:48 am

      You need to use either Anonymous as I outlined or you can use Externally Secured. The problem with Externally Secured is anything that hits that connector also bypasses antispam rules. With Externally Secured, you're providing more privileges than are necessary. Principle of Least privilege applies here. I recommend using the Anonymous Group method I have outlined. As always, it is imperative that you restrict what IPs can hit your connector or you will turn your server into an open relay.

  16. Geoffrey says

    October 11, 2013 at 12:06 pm

    EXACTLY what we needed to get mail flowing on our internal phpbb. Thank you so much!

  17. EXange says

    September 26, 2013 at 2:24 am

    Hello,

    I have configured Exchange 2013 with both roles, Mailbox and CAS. Users are able to send and receive mail from the OWA web console, but when the mailbox user is set up with Office Outlook, they can't send mail and get the error: Server error: '550 5.7.1 Unable to relay'. This error is shown in the Office Outlook 2007 application only, not in web mail (OWA)…. I tried creating a new receive connector following your article, but I couldn't create it because of a port conflict with other connectors.
  18. Fred Woodbridge says

    September 24, 2013 at 7:55 pm

    Do you have instructions for installations with split CAS and MB roles? I'm having a tough time relaying from apps and printers through a connector I set up on the CAS. It seems to deliver to local addresses but not the Internet (through a Smarthost). The other problem is that I cannot test, it fails with a 5.7.1 relay error even though I have the proper IP address listed.

  19. Gautam Achanta says

    August 23, 2013 at 12:25 pm

    Thanks for this article. It did wonders when trying to email reports to external domains from within Crystal Reports in an Exchange 2013 setting.
  20. Joe Lightner says

    August 18, 2013 at 6:45 pm

    I can't thank you enough for this post! I just turned on Exchange 2013 for a client over the weekend, then added the Anonymous Receive Connector for their scanners. I noticed that later in the day, Exchange stopped receiving mail. Major panic, since this client will be in Monday morning expecting their mail to be up and running! Bottom line…I created the Receive Connector as a Hub Transport Service instead of a Frontend Transport Service. I had already deleted the first connector to see if Exchange would start receiving mail again (it did!). Recreated the Anonymous Relay Connector as a Frontend Transport Service…and…success! Thank you so much for taking the time to create this blog. It saved my life!!
    • Elan Shudnow says

      August 19, 2013 at 6:48 am

      You're welcome. Thanks for posting!

  21. ali says

    July 21, 2013 at 1:03 am

    Hey,
    great job,,,
    I have a few questions. Who sends mail outside the organization and receives mail from outside for the organization?
    CAS or Mailbox?
    and
    1. If the Exchange 2013 Mailbox server sends e-mail externally and internally, then in our reverse proxy (TMG etc.) we will specify the Mailbox server IP address for outside, right?
    2. While receiving mail, will we do the same and create a D-NAT rule to the Mailbox server?
    3. And if we want to proxy via the CAS, then we will put the CAS server IP, not the Mailbox server, in TMG etc., right?
    4. While receiving mail, will we do the same and create a D-NAT rule to the CAS or the Mailbox server?
    Regards
  22. MJL says

    July 18, 2013 at 11:44 am

    Great post, thanks! If I wanted to setup an Exchange 2013 server as a dedicated private relay, could I get away with just installing the CAS role and skip the mailbox role? I ask because our mailboxes will be on Office 365, but we have copiers and apps on the LAN that need to relay.

    Thank you for your time,

    MJL

    • Elan Shudnow says

      July 19, 2013 at 7:10 am

      Just install a co-located CAS/MBX Server.

      • MJL says

        July 22, 2013 at 8:23 am

        Okay, thanks for your reply. I was hoping to get away with just installing the CAS role to keep server resource usage down. Of course, I can't imagine the store.exe process will use much RAM if there aren't any mailboxes on the server. :-)

        Thanks!

        MJL

        • Elan Shudnow says

          July 22, 2013 at 9:34 am

          Well, store.exe still likes to eat ram. But, it releases it as needed so you should be good.

    • Joakim S says

      August 19, 2013 at 4:27 am

      No need to install a full Exchange server just to relay mail. A Windows Server with IIS SMTP will do the trick! http://support.microsoft.com/kb/2600912

      • Elan Shudnow says

        August 19, 2013 at 6:48 am

        This is true. But this post is for companies that are currently using Exchange.

        • Joakim S says

          August 19, 2013 at 7:59 am

          Sure, but I was replying to MJL's post regarding a relaying server when using Office 365. I assumed that he/she didn't have a local Exchange environment, and in that case an IIS server would do just fine :)
