Yes there are many blogs out there that talk about how to enable anonymous relaying in Exchange 2007. One of the most popular of these is the official Microsoft Exchange Team Blog. That specific article is located here. Out of the articles I have read, I haven’t seen any that really explain how/why relaying isn’t enabled when you enable Anonymous users. I’ll explain exactly what permissions are given to the anonymous group and why enabling anonymous doesn’t allow relay.
I previously wrote a blog article entitled, “Client to Server Secure SMTP Connectivity in Exchange Server 2007.” I explained in this article that on your Default Receive Connector, the Exchange Users group is enabled to use that connector by default.
This Exchange Users group is allowed the following permissions to that connector:
The Ms-Exch-SMTP-Accept-Any-Recipient is the permission that allows a user to relay off of that connector.
So what really happens when you place a check mark in the Anonymous users group in the above screenshot? A lot of people are afraid to place a checkmark in that box in fear that anonymous users will be able to relay off your Exchange Server. This is NOT the case.
When you place a checkmark in that box, the following permissions are given to the Anonymous Logon group:
So, as you can see, there is no Ms-Exch-SMTP-Accept-Any-Recipient permission added by default. Because of this, users will NOT be able to relay off your Exchange Server by default. In order to allow for this, you should do the following as outlined in my previous article:
- Create a new Receive Connector with the Custom Usage Group
- For Remote Network Settings, remove 0.0.0.0-255.255.255.255, and then add the IP Address of the remote server that requires relaying permissions
- Once the new Custom Receive Connector is created, go into the properties of this connector, go to the Permission Groups Tab > Add Anonymous Users
To activate Anonymous users to use this connector for relaying, you must issue the following command:
Get-ReceiveConnector “Receive Connector Name” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
The command should be easy enough to read, but what it essentially does is retrieve the receive connector that you created, add a permission into Active Directory for the Anonymous Logon group, and assign that group the Ms-Exch-SMTP-Accept-Any-Recipient permission for that group on that connector.
Now you may be thinking, why should I create this new connector? Well, Exchange will always look to see how specific you are on a connector. So let’s say we have a SharePoint Server at 192.168.119.150. We would create a relay connector and allow ONLY 192.168.119.150 to relay. So when Exchange receives SMTP from an address of 192.168.119.150, it will see there are a few connectors. One being the Default Receive Connector and one being the Relay Connector. The Default Receive Connector allows connections from any IP Address while the Relay Connector only allows connections from 192.168.119.150. Because you explicitly set the address on your Relay Connector, that is given higher preference in serving that SMTP connection from SharePoint and your SharePoint Server will now be able to relay off of Exchange (even though you can configure SharePoint to authenticate, but still just giving an example).