
How Anonymous Relay works in Exchange 2007

Yes, there are many blogs out there that talk about how to enable anonymous relaying in Exchange 2007. One of the most popular of these is the official Microsoft Exchange Team Blog. That specific article is located here. Of the articles I have read, I haven't seen any that really explain how and why relaying isn't enabled when you enable Anonymous users. I'll explain exactly what permissions are given to the anonymous group and why enabling Anonymous users doesn't allow relay.

I previously wrote a blog article entitled, “Client to Server Secure SMTP Connectivity in Exchange Server 2007.”  I explained in this article that on your Default Receive Connector, the Exchange Users group is enabled to use that connector by default.

This Exchange Users group is allowed the following permissions to that connector:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Recipient
  • Ms-Exch-Bypass-Anti-Spam
  • Ms-Exch-Accept-Headers-Routing

Ms-Exch-SMTP-Accept-Any-Recipient is the permission that allows a user to relay through that connector, that is, to submit mail addressed to recipients outside your accepted domains.

So what really happens when you place a check mark next to Anonymous users in the screenshot above? A lot of people are afraid to check that box for fear that anonymous users will be able to relay off your Exchange Server. This is NOT the case.

When you place a checkmark in that box, the following permissions are given to the Anonymous Logon group:

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

So, as you can see, no Ms-Exch-SMTP-Accept-Any-Recipient permission is added by default. Because of this, anonymous users will NOT be able to relay off your Exchange Server by default. To allow relay for a specific host, do the following, as outlined in my previous article:

  1. Create a new Receive Connector with the Custom Usage Group
  2. For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions
  3. Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab > Add Anonymous Users

To allow Anonymous users to relay through this connector, you must issue the following command (note the straight quotes; curly quotes copied from a web page will break the shell):
Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

The command should be easy enough to read. It retrieves the receive connector that you created, adds an Active Directory permission entry on that connector for the Anonymous Logon group, and grants that group the Ms-Exch-SMTP-Accept-Any-Recipient extended right on that connector only.
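The three steps and the permission command above, carried out from the Exchange Management Shell, followed by an audit of where ANONYMOUS LOGON ended up with the relay right. This is an added example, not code from the original post; the Hub Transport server name HUB01 and the relay source 192.168.119.150 are placeholders.

```powershell
# Added example, not code from the original post: build the relay connector the post
# describes, grant the relay right, then audit where ANONYMOUS LOGON may relay.
# Assumed placeholders: Hub Transport server HUB01, relay source 192.168.119.150.
$server  = 'HUB01'
$relayIP = '192.168.119.150'
$name    = "Relay $relayIP"

# Steps 1-3 in one cmdlet: Custom usage, listening on port 25, remote range narrowed
# to the single host, and the Anonymous Users permission group enabled. That group
# still lacks Ms-Exch-SMTP-Accept-Any-Recipient, so relay is not yet possible.
New-ReceiveConnector -Name $name -Usage Custom -Server $server `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIP `
    -PermissionGroups AnonymousUsers

# The post's command: add the one extended right that permits relay, on this
# connector only. Use straight quotes; curly quotes from a web page break the shell.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Audit: which connectors on the server let ANONYMOUS LOGON relay, and from where.
# The right should appear only on the narrowly scoped connector, never on the
# catch-all 0.0.0.0-255.255.255.255 one; an anonymous relay there is an open relay.
function Get-AnonymousRelayConnector {
    param([string]$Server)
    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $rc = $_
        $grant = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny -and
                ($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Ms-Exch-SMTP-Accept-Any-Recipient' }
        New-Object PSObject -Property @{
            Connector      = $rc.Name
            RemoteIPRanges = ($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', '
            AnonymousRelay = [bool]$grant
        }
    }
}
Get-AnonymousRelayConnector -Server $server |
    Format-Table Connector, RemoteIPRanges, AnonymousRelay -AutoSize
```

Run the audit function on its own whenever a connector is changed; a row showing AnonymousRelay set to True on a connector with a wide remote range is the misconfiguration the post warns about.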

Now you may be thinking, why should I create this new connector? Exchange always looks at how specific the remote IP range on a connector is. So let's say we have a SharePoint Server at 192.168.119.150. We would create a relay connector and allow ONLY 192.168.119.150 to relay. When Exchange receives an SMTP connection from 192.168.119.150, it sees that more than one connector could serve it: the Default Receive Connector and the Relay Connector. The Default Receive Connector allows connections from any IP address, while the Relay Connector only allows connections from 192.168.119.150. Because you explicitly set that address on your Relay Connector, it is given higher preference in serving the SMTP connection from SharePoint, and your SharePoint Server will now be able to relay off Exchange. (You could instead configure SharePoint to authenticate; this is just an example.)
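A small model of the selection rule described above, added here as an example rather than the post's own material: it does not call Exchange, and the two connectors are constructed to match the post's scenario (a catch-all default and a one-host relay connector). Against a real server, the LowerBound/UpperBound values would come from the RemoteIPRanges of Get-ReceiveConnector; the function and connector names are assumptions.

```powershell
function ConvertTo-IPNumber([string]$ip) {
    # dotted quad -> 64-bit integer so ranges compare numerically without overflow
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [int64][BitConverter]::ToUInt32($bytes, 0)
}
function New-IPRange([string]$spec) {
    # accepts 'a.b.c.d' or 'a.b.c.d-w.x.y.z', the two forms the post uses
    $parts = $spec -split '-'
    $lo = ConvertTo-IPNumber $parts[0]
    $hi = if ($parts.Count -gt 1) { ConvertTo-IPNumber $parts[1] } else { $lo }
    New-Object PSObject -Property @{ Spec = $spec; LowerBound = $lo; UpperBound = $hi; Size = ($hi - $lo + 1) }
}
function Select-ServingConnector($connectors, [string]$sourceIP) {
    # every connector whose range contains the source yields a candidate row; the
    # candidate whose matching range holds the fewest addresses is the most specific
    # and is the one this model (like the post's description) picks
    $n = ConvertTo-IPNumber $sourceIP
    $candidates = foreach ($c in $connectors) {
        foreach ($r in $c.Ranges) {
            if ($n -ge $r.LowerBound -and $n -le $r.UpperBound) {
                New-Object PSObject -Property @{ Connector = $c.Name; Range = $r.Spec; Size = $r.Size }
            }
        }
    }
    $candidates | Sort-Object Size | Select-Object -First 1
}
# Constructed sample matching the post: a catch-all default and a one-host relay.
$connectors = @(
    (New-Object PSObject -Property @{ Name = 'Default HUB01'; Ranges = @(New-IPRange '0.0.0.0-255.255.255.255') }),
    (New-Object PSObject -Property @{ Name = 'Relay SharePoint'; Ranges = @(New-IPRange '192.168.119.150') })
)
Select-ServingConnector $connectors '192.168.119.150'   # both connectors cover this host
Select-ServingConnector $connectors '192.168.119.151'   # only the catch-all covers this one
```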


23 Responses to “How Anonymous Relay works in Exchange 2007”

  1. on 22 Aug 2008 at 1:56 pm, subject: exchange

    Weekend reading…

    How to Configure the SCL in Exchange Virtualizing Exchange Server with Microsoft Hyper-V Fast Guide:…

  2. on 20 Dec 2008 at 12:47 pm, OneAB

    Dear Elan,

    Thank you very much!!
    I have been struggling with the topic all day, and found a lot of websites that didn't solve my problem. But you nailed it!!!!

    Thanks again.

    OneAB

  3. on 27 Mar 2009 at 10:21 pm, weisshole

    Elan,

    Thank you for this post, I just ran into this issue today and this will help. Can you clarify something for me? Since multiple receive connectors can be used, can they work on the same port and IP? For example, default is 192.168.0.2 port 25 and trusted with the anonymous box checked will be 192.168.0.2 on port 25 as well, with specific IP addresses set per your article. I would think there would be some kind of port conflict since two connectors are listening on port 25 for the same IP address.

  4. on 29 Mar 2009 at 8:57 pm, Chris Wiegand

    weisshole: Yes, you can, but you can’t have them serving the same IP addresses/ranges. So I have two connectors, both on the same IP/port, one serves 0.0.0.0-255.255.255.255, requires some form of authentication/Exchange servers, offers all forms of security except External (so it’s meant for employees using iPhones/Outlook Express/etc..). I then have another with specific IP addresses it allows (our co-location IPs), with Externally secured and Exchange Server/Anonymous user authentication. That way our web apps which don’t support authenticating can still send us emails but only from those specific IPs, but the general unwashed masses of the internet have to authenticate in order to send email (this server isn’t our MX record, that server does have anti-spam, greylisting, etc.., and is for public use, but some people still try our exchange server’s IP to see what they can do).

    BTW, thank you SO MUCH for writing this article – I understood the basic concept but it was breaking my brain trying to make it work – the step by step part helped me figure it out.

  5. on 30 Mar 2009 at 6:50 pm, weisshole

    Chris,

    Thanks for clarifying this for me.

    Elan,

    Thanks again for your posts, I have found a lot of useful information on your blog.

  6. on 20 Apr 2009 at 10:20 pm, Wiztech2000

    Elan,

    This has been a problem for the past few days and even some top IT personnel couldn't solve it. Well done, worked without a hitch.

    Thank you

  7. on 23 Sep 2009 at 2:16 am, nuoc hoa

    thank you for your information

  8. on 03 Dec 2009 at 5:03 pm, Joseph

    I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchange Server?

  9. on 03 Dec 2009 at 5:04 pm, Joseph

    Sorry for the double post. Both of these servers are local on the same machine. I have Exchange 2007 and SharePoint 2007 on the same server and Exchange is working fine via a remote.webaddress.com. How do I enable SharePoint server to SEND emails through my Exchange Server?

  10. on 03 Dec 2009 at 6:54 pm, Elan Shudnow

    Joseph,

    I'm not sure how to do this for SharePoint. I would ask in the TechNet SharePoint forum:
    http://social.technet.microsoft.com/Forums/en/cat

    Generally, you can either do one of two things:
    1. Allow SharePoint to relay
    2. Configure a Mailbox for SharePoint and configure SharePoint to use this account to send mail so you don't have to allow relay.

  11. on 08 Feb 2010 at 5:33 pm, @Zaerion

    Excellent! Worked great and explained why!

  12. on 18 Feb 2010 at 11:07 pm, Richard

    This really helped out in getting a network MFP printer/scanner to be able to send scans through Exchange 2007 to user mailboxes. Thanks!

  13. on 19 Jul 2010 at 7:56 pm, Josh B

    Explaining the importance of specific IP addresses in the Receive Connector is what made this article stand out above the rest. I was racking my brain all day until I found this article. Thank you for the detailed explanation which fixed us!!

  14. on 17 Nov 2010 at 10:57 am, timdaigle

    How can I undo the command above? By command I mean

    Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    I would like to undo this command and create a custom connector.

    Thanks for all your help

  15. on 18 Nov 2010 at 9:48 am, Elan Shudnow

    Change Add to Remove.

  16. on 19 Nov 2010 at 11:07 am, Art G

    Thanks for a great explanation of the real story behind Anonymous users.

  17. on 07 Apr 2011 at 1:42 am, nuoc hoa o to

    Thanks for clarifying this for me.

  18. on 03 May 2011 at 1:12 am, Mustu

    Great article and insight into how anonymous relaying works! I specifically wanted to know how the precedence works if multiple connectors have the same network range configured. I thought the ranges should not overlap, but as per your article it seems it picks the more explicit one.

  19. on 01 Jul 2011 at 9:05 am, Patricio Tello

    Thank you very much Elan, after many days it finally worked perfectly!!!! Thanks!!!

  20. [...] http://www.shudnow.net/2008/08/21/how-anonymous-relay-works-in-exchange-2007/ This entry was posted in Uncategorized by patriciotello. Bookmark the permalink. [...]

  21. [...] http://www.shudnow.net/2008/08/21/how-anonymous-relay-works-in-exchange-2007/ [...]

  22. on 10 Oct 2012 at 8:20 am, Erwin Craps

    Thank you.

  23. on 17 Oct 2012 at 10:29 am, Karl Molder

    Thank you so much! Needed this for Salesforce.com relay to work for external recipients.
