What is the correct setting to relay mail through Exchange from an internal application to a specific external domain?

    Question

  • I've been dancing around this subject a bit, usually taking the path of least resistance.  I would, however, like to know the correct answer.

    I've had to make special receive connectors to enable various applications, like SharePoint for example, to have the ability to relay mail off of my 2013 MB/HUB server to my organization, usually by creating an open receive connector with no authentication, then using the IP scope for security.

    I now have to do something similar but different.  I have an internal application (backup product) that needs to send notifications through Exchange to an outside domain.  I'm wondering if there is a more precise way to configure this? The reason this comes up is that this application can already send internally to my corporate domain, but gets denied when sending externally.  Obviously it's able to do this via one of my connectors.  I feel like I'm missing something.

    Thanks, 

    Tuesday, January 5, 2016 10:43 PM

Answers

  • I don't know of any way to allow relay to a specific domain.  Relay is configured on a receive connector, while the recipient scope is specified on a send connector.

    This is the way to allow relay, but it's not domain-specific.  Paul Cunningham knows his stuff so you can consider this good.

    http://exchangeserverpro.com/exchange-2013-configure-smtp-relay-connector/


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by Statistic Wednesday, January 6, 2016 8:47 PM
    Wednesday, January 6, 2016 12:21 AM
    Moderator

All replies

  • Do you know why a send connector would allow an application to relay to internal addresses but not to outside addresses?
    Wednesday, January 6, 2016 3:53 PM
  • It sounds like your application isn't authenticating its SMTP connection, and I'm pretty sure Exchange connectors disallow relaying on unauthenticated connections by default.

    So if you can configure your application to authenticate the mail connection, that will allow it to send emails to an outside domain.

    I've had to do similar things for SQL's SSRS, which doesn't support authentication. Go figure...

    What I ended up doing was installing the open source hMailServer on another machine, using IP security to allow only certain IP addresses to use it, and having it forward all email over an authenticated connection to the Exchange server.

    You can also use the SMTP services built into IIS to do the same thing, but I've found it to be a bit unreliable.

    Wednesday, January 6, 2016 4:07 PM
  • Yes, that would be it, thank you very much.  BTW, if one connector has a scope set to something like 10.0.0 /24, then another one is created for a specific IP inside that subnet, say 10.0.0.5, with different authentication settings, what is the behavior?  Does the transport service shuffle through connectors or stop at the first one that matches the scope of the sender? Or will it check multiple connectors to see if relay is possible?

    Wednesday, January 6, 2016 4:11 PM
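Added example, not part of the thread: a simplified Python model of the overlapping-scope case asked about above. It assumes the documented Exchange behaviour that the one receive connector whose remote IP range most specifically matches the client handles the session, with no fall-through to other connectors; the connector names, the `corp.example` domain and the relay flags are constructed.

```python
import ipaddress
from dataclasses import dataclass

ACCEPTED_DOMAINS = {"corp.example"}  # constructed internal (accepted) domain

@dataclass
class Connector:
    name: str
    remote_ranges: list    # CIDR strings, like a connector's remote IP ranges
    anonymous_relay: bool  # True if anonymous senders may relay to any recipient

# Constructed sample: a catch-all, a /24 relay, and a stricter entry for one host.
CONNECTORS = [
    Connector("Default Frontend", ["0.0.0.0/0"], anonymous_relay=False),
    Connector("App relay subnet", ["10.0.0.0/24"], anonymous_relay=True),
    Connector("Backup host only", ["10.0.0.5/32"], anonymous_relay=False),
]

def select_connector(connectors, client_ip):
    """Return the single connector with the longest matching prefix, or None."""
    ip = ipaddress.ip_address(client_ip)
    best_len, best = -1, None
    for conn in connectors:
        for cidr in conn.remote_ranges:
            net = ipaddress.ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best_len, best = net.prefixlen, conn
    return best

def rcpt_reply(connectors, client_ip, recipient, authenticated=False):
    """Model the RCPT TO reply for one recipient on the selected connector."""
    conn = select_connector(connectors, client_ip)
    if conn is None:
        return None, "no connector matches this client"
    domain = recipient.rsplit("@", 1)[-1].lower()
    # Internal recipients are always accepted; external ones need relay rights,
    # held either by an authenticated sender or by the connector's anonymous grant.
    if domain in ACCEPTED_DOMAINS or authenticated or conn.anonymous_relay:
        return conn.name, "250 2.1.5 Recipient OK"
    return conn.name, "550 5.7.1 Unable to relay"

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "192.168.1.20"):
        for rcpt in ("engineer@corp.example", "me@partner.example"):
            print(ip, rcpt, rcpt_reply(CONNECTORS, ip, rcpt))
```

In this model the host at 10.0.0.5 is refused external relay even though it sits inside the /24 that allows it, because only the most specific connector is evaluated.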
  • You can set up an unauthenticated relay to allow the application to send outbound emails without requiring credentials, and then you can set up a transport rule to limit the outgoing scope for that particular sender.
    Wednesday, January 6, 2016 8:27 PM
  • Thanks to all!
    Wednesday, January 6, 2016 8:47 PM
  • If you want senders to authenticate, simply have them connect to TCP port 587 and use the client receive connector, which works fine out of the box with no configuration required.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 6, 2016 9:10 PM
    Moderator
  • You're welcome.  Happy to have helped.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 6, 2016 9:10 PM
    Moderator
  • The problem I have is that we took over IT services for another company. They have Exch2013. They have Symantec as a backup product. Email notification is set to their engineer's email addy, which works fine. I wanted to add my email addy, external domain, and I don't get the email.

    After testing manually using telnet I get the following error 550 5.7.1 unable to relay, but testing his address 250 2.1.5 Recipient OK.  So it didn't like my email on that connector. 

    Wednesday, January 6, 2016 9:24 PM
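The manual telnet test described above, scripted as an added example (not part of the thread): it issues MAIL FROM and RCPT TO for each recipient and records the reply codes, which shows from a given source IP whether the matching receive connector accepts external recipients. The host name and addresses in the usage section are placeholders.

```python
import smtplib

def probe_rcpt(host, port, sender, recipients, timeout=10):
    """Issue MAIL FROM / RCPT TO per recipient and return {rcpt: (code, text)}.

    No DATA command is sent, so no message is delivered.
    """
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for rcpt in recipients:
            code, text = smtp.mail(sender)
            if code == 250:
                code, text = smtp.rcpt(rcpt)
            results[rcpt] = (code, text.decode("utf-8", "replace"))
            smtp.rset()  # clear the envelope before the next probe
    return results

def relayed_externally(results, accepted_domains):
    """Recipients outside accepted_domains that the server accepted (250/251)."""
    accepted = {d.lower() for d in accepted_domains}
    return sorted(
        rcpt for rcpt, (code, _) in results.items()
        if code in (250, 251) and rcpt.rsplit("@", 1)[-1].lower() not in accepted
    )

if __name__ == "__main__":
    # Placeholder server and addresses: run this from the application host so
    # the connector that matches that source IP is the one being tested.
    replies = probe_rcpt("mail.corp.example", 25, "backup@corp.example",
                         ["engineer@corp.example", "me@partner.example"])
    for rcpt, (code, text) in replies.items():
        print(rcpt, code, text)
    print("external relay allowed for:",
          relayed_externally(replies, {"corp.example"}))
```

An empty list from `relayed_externally` for an unauthenticated probe means the connector is not relaying for that source IP; a non-empty list from an address outside the intended scope is worth investigating.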
  • Create a mail-enabled contact and send to that.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 6, 2016 9:48 PM
    Moderator
  • I knew I was going to feel dumb at the end of this thread.  I think my vacation got the best of me.  That's a great idea, in fact we already do that a lot for SharePoint mail delivery.

    Thanks!

    Wednesday, January 6, 2016 10:07 PM
  • You're welcome again!

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, January 6, 2016 10:09 PM
    Moderator