Monday, January 23 2017

Anonymous Application relay connectors in Exchange 2016

Let's see how to create an anonymous application relay connector in Exchange 2016. Every application needs relay permission when it has to send out email through the Exchange server.

Examples range from ticketing systems and monitoring servers to CRM applications.

Relaying in simple terms –

Email relaying is using an email server to send out emails which do not originate on that email server. It is most commonly used for fax servers, CRM, email routing from different forests, etc.

PowerShell –

New-ReceiveConnector -Name "Relay" -RemoteIPRanges ("10.128.57.54","10.128.57.55") -TransportRole "FrontendTransport" -Bindings ("0.0.0.0:25") -Usage "Custom" -Server "Servername.careexchange.in"
Set-ReceiveConnector -Identity "Servername\Relay" -PermissionGroups "AnonymousUsers"

Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

GUI – 

Step 1 –

Log in to the Exchange Control Panel – Mail Flow – Receive Connectors – click “+”

Choose “FrontEnd Transport”

Remove the default range that covers the whole address space. Enter only the IPs which need to be allowed for relay.

Double-click the created connector – Security – choose Anonymous users.

Step 2 –

Give the Receive connector permission to accept any recipient:

Get-ReceiveConnector "Servername\Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Step 3 – TESTING

Let's test this from a Windows machine using simple telnet, assuming the relay IP which I added is a Windows machine.

Open Server Manager – Manage – Add Roles and Features

Next and Finish to install

Open PowerShell –

telnet Exch2016D.dubai.com 25
Helo
MAIL FROM: cloud@Application.com
RCPT TO: info@domain.com
DATA
Subject: My Subject

Test
.

As I received the email, the relaying works without any issues.

Securing these connectors is very important. Let's say a buggy application sends out 2000 emails: Exchange can be overloaded with logs, etc.

Recommendations to secure these connectors –

  • Validating application configurations using a valid SMTP domain.
  • Enabling verbose logging in the relay connector's properties to see the connector's activity logs (server level only).
  • Setting a proper banner on relay connectors, useful while troubleshooting
    Set-ReceiveConnector EXCH2016\RELAY -Banner "220 Exch 2016 Relay for Authorized Applications"
  • Setting a rate limit on relay connectors – 200 messages per minute, for example
    Set-ReceiveConnector EXCH2016\RELAY -MessageRateLimit 200
  • Blocking Telnet.exe on application servers using anti-virus. Prone to mail worms / storming of Exchange servers.

Logging Location –

Get-FrontendTransportService EXCH2016 | fl *Receive*

Default Location –

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Note that any application you allow should use a valid domain to send out emails, as there is a risk of the IP getting blacklisted when huge volumes of junk email are sent out by applications. It is always recommended to set a message rate limit on anti-spam servers as well.
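
An added example, not from the original article: a read-only audit, run in the Exchange Management Shell, that lists every Receive connector accepting AnonymousUsers and reports whether it carries the Step 2 relay right, an unrestricted IP range, no rate limit, or no verbose logging. The function name Test-RelayConnector and the output column names are this example's own.

```powershell
# Added example: audit anonymous relay connectors (read-only, Exchange Management Shell).
# The checks mirror the recommendations in this article; names are hypothetical.
$anon = 'NT AUTHORITY\ANONYMOUS LOGON'

function Test-RelayConnector {
    param($Connector)

    # Does anonymous hold the any-recipient right granted in Step 2?
    $canRelay = [bool]($Connector |
        Get-ADPermission -User $anon -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.Deny -and
            "$($_.ExtendedRights)" -match 'Accept-Any-Recipient'
        })

    # Compare ranges as strings so this also works on deserialized objects.
    $ranges = @($Connector.RemoteIPRanges | ForEach-Object { [string]$_ })
    $wideOpen = [bool]($ranges | Where-Object {
        $_ -match '^0\.0\.0\.0-255\.255\.255\.255$' -or $_ -match '^::-'
    })

    [pscustomobject]@{
        Connector      = [string]$Connector.Identity
        AnonymousRelay = $canRelay
        AnyIPAllowed   = $wideOpen
        NoRateLimit    = ([string]$Connector.MessageRateLimit -eq 'Unlimited')
        LoggingOff     = ([string]$Connector.ProtocolLoggingLevel -ne 'Verbose')
        RemoteIPRanges = $ranges -join ', '
    }
}

# Only connectors that accept anonymous sessions are relevant here.
Get-ReceiveConnector |
    Where-Object { "$($_.PermissionGroups)" -match 'AnonymousUsers' } |
    ForEach-Object { Test-RelayConnector $_ } |
    Sort-Object AnonymousRelay, AnyIPAllowed -Descending |
    Format-Table -AutoSize
```

A connector showing both AnonymousRelay and AnyIPAllowed as True relays for any host that can reach port 25 and should be narrowed to specific IPs as in Step 1.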

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting, deploying and designing Microsoft Exchange for some years, with extensive experience on Microsoft technologies.

One comment

  1. Thanks for every other informative website. The place else could I am getting that kind of info written in such an ideal means?

    I’ve a project that I’m just now working on, and
    I’ve been at the look out for such information.
