Exchange 2010 “Anonymous Relay” Receive Connector

In almost every environment I have seen there are some devices and/or systems that need to send email, and they need an SMTP server to relay those messages for them. More often than not they also have no ability to authenticate to the relaying host.

How do we deal with these in Exchange? I have seen some pretty silly solutions, and the default answer seems to be “Just allow anonymous users on the default connector”. That is not the right answer and is actually quite a dangerous thing to do: the default connector accepts connections from every IP address (its remote IP range is 0.0.0.0-255.255.255.255), so granting relay rights to anonymous connections on it turns the server into an open relay. My advice is DON’T. In fact, I would go so far as to say, don’t ever touch the default connector. The correct way is to create a new receive connector and allow relay only from the IP addresses of the devices that are required to use it.

Allowing anonymous relay is serious and requires thought and planning. It could be exploited by spammers and IMHO should not be configured on internet-facing servers.

So let’s say that we have three devices that need to relay anonymously, and their IPs are 10.0.0.30, 10.0.0.31 and 10.0.0.32. Exchange hands an inbound SMTP session to the receive connector whose RemoteIPRanges most specifically matches the connecting address, so a connector scoped to just these three hosts will take their sessions ahead of the default connector, and nothing outside that range can reach it. First we need to create the new receive connector:

New-ReceiveConnector -Name "Anonymous Relay Connector" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.0.0.20:25 -RemoteIpRanges 10.0.0.30-10.0.0.32 -Banner "220 Anonymous Relay Connector"

Next we need to grant relay permission to anonymous connections on the new receive connector. The AnonymousUsers permission group on its own only lets these hosts submit mail to your own accepted domains; relaying to external recipients additionally requires the Ms-Exch-SMTP-Accept-Any-Recipient extended right for ANONYMOUS LOGON:

Get-ReceiveConnector -Identity "Anonymous Relay Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

What happens if you have multiple servers and would like to duplicate your receive connector settings? Say, for example, you have two Exchange servers and a receive connector on a server called EXHUB01 that allows 100 devices to relay. You would now like to create the same connector on EXHUB02. Instead of manually adding each address, you can read the range list from the existing connector:

New-ReceiveConnector "Anonymous Relay Connector" -Server EXHUB02 -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.0.0.21:25 -RemoteIPRanges ( Get-ReceiveConnector "EXHUB01\Anonymous Relay Connector" ).RemoteIPRanges -Banner "220 Anonymous Relay Connector"

Don’t forget to grant relay permission to anonymous connections on the new Receive connector:

Get-ReceiveConnector -Identity "EXHUB02\Anonymous Relay Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
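Once both connectors exist it is worth checking two things: which connectors in the organisation actually grant anonymous relay (and whether any of them is reachable from every address, i.e. an open relay), and what an unauthenticated SMTP client really gets back when it tries to relay. The script below is an added example for this post, not something from the original, and runs in the Exchange Management Shell. The server address 10.0.0.20 and the test sender/recipient addresses are assumed for illustration.

```powershell
# Added example (not part of the original post). Run from the Exchange Management Shell.
# 1) Audit every Receive connector for anonymous relay rights.
# 2) Probe a server over SMTP to see which connector answers and whether RCPT TO relays.

function Get-AnonymousRelayConnector {
    # Returns one object per Receive connector on which NT AUTHORITY\ANONYMOUS LOGON holds the
    # Ms-Exch-SMTP-Accept-Any-Recipient right (the right that permits relaying to external
    # recipients), together with the remote IP ranges allowed to reach that connector.
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $relayAce = $rc | Get-ADPermission | Where-Object {
            -not $_.Deny -and
            $_.User.ToString() -like '*ANONYMOUS LOGON' -and
            (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Ms-Exch-SMTP-Accept-Any-Recipient')
        }
        if ($relayAce) {
            $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
            # The default connector's ranges cover every IPv4/IPv6 address; relay there is an open relay.
            $openRelay = ($ranges -contains '0.0.0.0-255.255.255.255') -or (@($ranges -like '::-ffff:*').Count -gt 0)
            New-Object PSObject -Property @{
                Identity       = $rc.Identity.ToString()
                Bindings       = (@($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', ')
                RemoteIPRanges = ($ranges -join ', ')
                OpenRelay      = $openRelay
            }
        }
    }
}

function Test-SmtpRelay {
    # Opens a plain, unauthenticated SMTP session and issues RCPT TO for an external recipient.
    # Expected from an address inside the connector's RemoteIPRanges: a 250 reply.
    # Expected from anywhere else: "550 5.7.1 Unable to relay". Nothing is sent (QUIT, never DATA).
    param(
        [string]$Server,
        [string]$MailFrom = 'relaytest@example.com',   # assumed test addresses
        [string]$RcptTo   = 'someone@example.org'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # The greeting tells you which connector picked up the session; that is why the
    # connector in the post was given its own 220 banner.
    $banner  = $reader.ReadLine()
    $replies = @()
    foreach ($cmd in @('EHLO relaytest', "MAIL FROM:<$MailFrom>", "RCPT TO:<$RcptTo>", 'QUIT')) {
        $writer.WriteLine($cmd)
        # Multi-line replies put '-' after the 3-digit code on every line but the last.
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        $replies += $line
    }
    $client.Close()

    New-Object PSObject -Property @{
        Server      = $Server
        Banner      = $banner
        RcptToReply = $replies[2]
        Relayed     = ($replies[2] -like '250*')
    }
}

# Usage:
#   Get-AnonymousRelayConnector | Format-Table Identity, RemoteIPRanges, OpenRelay -AutoSize
#   Test-SmtpRelay -Server 10.0.0.20 | Format-List
```

Run the audit after any connector change; any row with OpenRelay set to True means relay rights have landed on a connector that accepts from everywhere, which is exactly the default-connector mistake described above. Run the probe twice: once from one of the allowed hosts (expect the "220 Anonymous Relay Connector" banner and a 250 on RCPT TO) and once from a host outside the range (expect the default connector's banner and 550 5.7.1).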