Internal Relay with Hybrid 365 deployment

Question

  • Hi. I need to allow internal services to send email to internal recipients. Trouble is that these recipients are all on 365. Is it possible to configure the receive/send connectors to allow an arbitrary internal service (for example, a Linux service using postfix) to relay off our internal Exchange servers and send email to an internal (365) user but importantly NOT be able to send email to external (i.e. Gmail) recipients?

    Every time I set up a receive connector, it can relay externally without any problem. I have it attached to a dedicated test IP so I can change it around all I want. Thanks.

    Friday, August 11, 2017 3:29 PM

All replies

  • If you have a hybrid configuration, then the on-premises Exchange server should work fine for submission of internal mail to Office 365 users.  Remember, mail submitted to internal recipients--including Office 365 recipients in a hybrid configuration--is not "relay".  Relay is only mail sent outside your organization.

    Your Exchange server may have its default receive connector enabled for relay.  You might want to check that and disable it if that's not the behavior you want.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, August 11, 2017 9:53 PM
    Moderator
  • Hi Harry,

    If an application or device needs internal SMTP relay, simply configure it to use the name of the on-premises Exchange 2013 server that is installed with the CAS role and port 25.

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 14, 2017 7:03 AM
    Moderator
  • Thanks for the response. I am still a little unclear as to how to prevent external relaying - the desired behaviour is for an internal service to use the Exchange server to relay mail to 365 users (i.e. "mydomain.com") but NOT be able to relay mail to the outside world. Currently services can relay to 365 and also to outside domains. EDIT: I should specify that these services would generally use the anonymous permission set, so no auth at all.


    Monday, August 14, 2017 1:59 PM
  • If a receive connector that's used by a client or server is configured for relay, then it will accept mail destined to addresses outside your organization.  If it isn't configured for relay, then it won't.  It's pretty much as simple as that regardless of whether or not you're in Hybrid mode.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, August 15, 2017 8:29 PM
    Moderator
  • Ok thanks. We've decided to go for a couple of tiny postfix instances to filter for domains. They can then pass the messages on to the receive connectors that accept only from the postfix IPs. Solution!
    Wednesday, August 16, 2017 9:43 AM
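As an added example (not from any poster in this thread), the connector-side check Ed describes and the postfix-only connector Harry settled on, written as Exchange Management Shell commands; the server name EX01, the connector name, the binding address 10.0.0.5 and the postfix addresses 10.0.0.21 and 10.0.0.22 are assumed placeholders.

```powershell
# 1. Audit: which receive connectors let anonymous senders relay to ANY recipient?
#    The ms-Exch-SMTP-Accept-Any-Recipient right on ANONYMOUS LOGON is what turns a
#    connector into an open relay for the hosts in its RemoteIPRanges.
$anon = "NT AUTHORITY\ANONYMOUS LOGON"
$openRelays = Get-ReceiveConnector -Server "EX01" | ForEach-Object {
    $conn = $_
    Get-ADPermission -Identity $conn.Identity -User $anon |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
        ForEach-Object {
            [PSCustomObject]@{
                Connector      = $conn.Identity
                RemoteIPRanges = ($conn.RemoteIPRanges -join ", ")
            }
        }
}
$openRelays | Format-Table -AutoSize

# 2. Remediate: strip the any-recipient right from a connector that should only
#    deliver to accepted domains (such as the hybrid mydomain.com namespace).
Remove-ADPermission -Identity "EX01\Internal relay test" -User $anon `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# 3. Dedicated connector for the postfix filters only. AnonymousUsers grants
#    ms-Exch-SMTP-Submit and the sender rights but NOT Accept-Any-Recipient, so
#    Exchange rejects recipients outside its accepted domains with 550 5.7.1.
#    RemoteIPRanges is narrowed to the two postfix hosts; Exchange routes an
#    inbound session to the connector with the most specific matching range.
New-ReceiveConnector -Name "Relay from postfix" -Server "EX01" `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "10.0.0.5:25" `
    -RemoteIPRanges "10.0.0.21", "10.0.0.22" `
    -PermissionGroups AnonymousUsers

# 4. Re-run the audit; the new connector must not appear in $openRelays.
```

Re-running step 1 after the change is the check that the dedicated connector accepts mail only for accepted domains; the postfix instances in front of it then do the per-domain filtering.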
  • Hi Harry,

    Glad you have found a solution. BTW, do you mind marking the helpful replies as answers? This will make answer searching in the forum easier and be beneficial to other community members as well.

    Thanks for your understanding,

    Best Regards,


    Niko Cheng
    TechNet Community Support


    Thursday, August 17, 2017 2:41 AM
    Moderator