How to Enable Anonymous SMTP Relay in Exchange Server 2019

Learn how to configure a dedicated receive connector in Exchange Server 2019 that allows anonymous SMTP relay from specific IP addresses or ranges.

SMTP relay is the process of transferring email messages from one server to another. It is often used by applications, devices, or services that need to send email messages, but are not capable of authenticating with an SMTP server. For example, you may have a web server, a database server, a monitoring application, or a printer that needs to send email notifications or reports to internal or external recipients.

By default, Exchange Server 2019 does not allow anonymous SMTP relay, which means that the sender must provide valid credentials to use the Exchange server as a relay. This is a security measure to prevent unauthorized or malicious use of the Exchange server as an open relay, which could result in spamming, blacklisting, or compromising the server.

However, there may be situations where you need to allow anonymous SMTP relay from certain sources within your network, such as the ones mentioned above. In this article, we will show you how to create a dedicated receive connector in Exchange Server 2019 that allows anonymous SMTP relay from a specific list of IP addresses or ranges. We will also explain the key considerations and best practices for configuring and securing the anonymous relay receive connector.

Table of Contents

Step 1: Create a Dedicated Receive Connector for Anonymous Relay
Step 2: Configure the Permissions for Anonymous Relay on the Dedicated Receive Connector
Step 3: Test the Anonymous Relay Receive Connector
Frequently Asked Questions (FAQs)
Summary

Step 1: Create a Dedicated Receive Connector for Anonymous Relay

To create a dedicated receive connector for anonymous relay, you need to perform the following steps:

Log in to the Exchange Admin Center (EAC) with an account that has the Exchange Organization Management role.
Navigate to Mail flow > Receive connectors and click + to create a new receive connector.
In the New receive connector wizard, enter a name for the receive connector, such as Anonymous Relay. Select the server that will host the receive connector, and choose Front End Transport as the role and Custom as the type. Click Next.
On the Remote network settings page, remove the default IP address range of 0.0.0.0-255.255.255.255 and add the IP addresses or ranges of the sources that you want to allow anonymous relay from. For example, you may enter 192.168.1.10 or 192.168.1.0/24. Click Finish.
The receive connector is created and listed in the EAC. Select the receive connector and click Edit to modify its properties.
On the General page, you can optionally change the FQDN (fully qualified domain name) of the receive connector to match the DNS name of the server. This is the name that the receive connector will use to respond to HELO or EHLO commands from the SMTP clients. Click Save.
On the Security page, under Authentication, make sure that only Transport Layer Security (TLS) is checked. Under Permission groups, make sure that only Exchange servers is checked. Click Save.
On the Scoping page, under Network adapter bindings, you can optionally change the port number that the receive connector will listen on. By default, it is set to 25, which is the standard SMTP port. However, if you have another receive connector in the Front End Transport service that also listens on port 25, you may want to change the port number to avoid conflicts. For example, you may use port 26 or 587. Click Save.

Step 2: Configure the Permissions for Anonymous Relay on the Dedicated Receive Connector

After creating the receive connector, you need to configure the permissions that are required for anonymous relay. To do this, you need to use the Exchange Management Shell (EMS), which is a PowerShell interface for Exchange Server. You cannot use the EAC to configure these permissions.

To configure the permissions for anonymous relay on the dedicated receive connector, you need to perform the following steps:

Log in to the Exchange server that hosts the receive connector with an account that has the Exchange Organization Management role.
Open the EMS and run the following command to grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous users on the receive connector. Replace Anonymous Relay with the name of your receive connector.
```
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
```
The command should return the output of the permission that was added. You can verify the permission by running the following command:
```
Get-ReceiveConnector "Anonymous Relay" | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Format-List User,ExtendedRights
```
The command should return the output of the user and the extended right that was granted. You should see something like this:
```
User           : NT AUTHORITY\ANONYMOUS LOGON
ExtendedRights : {ms-Exch-SMTP-Accept-Any-Recipient}
```
The receive connector is now ready to accept anonymous SMTP relay from the specified IP addresses or ranges.

Step 3: Test the Anonymous Relay Receive Connector

To test the anonymous relay receive connector, you can use any SMTP client that can send email messages without authentication, such as Telnet, PowerShell, or a third-party tool. For example, you can use the following PowerShell script to send a test email message from the Exchange server to an external recipient. Replace the parameters with your own values.

$From = "[email protected]"
$To = "[email protected]"
$Subject = "Test email from anonymous relay"
$Body = "This is a test email sent from the anonymous relay receive connector in Exchange Server 2019."
$SMTPServer = "localhost"
$SMTPPort = 25 # or the port number that you configured for the receive connector
Send-MailMessage -From $From -To $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Port $SMTPPort

If the email message is sent successfully, you should see a confirmation message in the PowerShell console. You should also check the recipient’s inbox to verify that the email message was received.
If the email message fails to send, you should see an error message in the PowerShell console. You should also check the Application event log on the Exchange server for any SMTP-related events that may indicate the cause of the failure. You may need to adjust the settings or permissions of the receive connector or the firewall rules to allow the SMTP traffic.

Frequently Asked Questions (FAQs)

Question: What is the difference between anonymous relay and open relay?

Answer: Anonymous relay is a controlled scenario where you allow specific sources to use your Exchange server as a relay without authentication. Open relay is a misconfigured scenario where you allow anyone to use your Exchange server as a relay without any restriction. Anonymous relay is a legitimate and common requirement for many businesses, while open relay is a security risk and a source of spam.

Question: What are the best practices for configuring and securing the anonymous relay receive connector?

Answer: Some of the best practices are:

Use a dedicated receive connector for anonymous relay and do not modify the default receive connectors that are created by Exchange.
Restrict the IP addresses or ranges that are allowed to use the anonymous relay receive connector and do not use the default range of 0.0.0.0-255.255.255.255.
Use TLS encryption for the anonymous relay receive connector and configure the SMTP clients to use TLS as well.
Use a unique port number for the anonymous relay receive connector and configure the firewall rules to allow the SMTP traffic on that port.
Monitor the usage and performance of the anonymous relay receive connector and check the event logs for any errors or warnings.

Question: How can I troubleshoot the anonymous relay receive connector?

Answer: Some of the troubleshooting steps are:

Verify that the receive connector is enabled and has the correct settings and permissions.
Verify that the SMTP client is using the correct parameters and can connect to the receive connector.
Verify that the DNS records and the FQDN of the receive connector are correct and resolvable.
Verify that the firewall rules and the network connectivity are allowing the SMTP traffic.
Use tools such as Telnet, PowerShell, or Message Tracking to test and trace the SMTP messages.

Summary

In this article, we have shown you how to create and configure a dedicated receive connector in Exchange Server 2019 that allows anonymous SMTP relay from specific IP addresses or ranges. We have also explained the key considerations and best practices for configuring and securing the anonymous relay receive connector. We have also provided some FAQs and troubleshooting tips for the anonymous relay scenario.

Disclaimer: This article is for informational purposes only and does not constitute professional advice. The author and the publisher are not liable for any errors or omissions, or for any consequences arising from the use of the information in this article. The user is responsible for verifying the accuracy and suitability of the information before applying it to their own environment. The user should also follow the official documentation and best practices from Microsoft when configuring and managing Exchange Server 2019.