Exchange 2010sp2 default connector accepts all relayed emails

  • Question

  • Hi All,

    Not sure how it happened, but the Exchange 2010sp2 default connector accepts all internal relayed emails [pdus, monitoring, printers, ...]. It ignores the internal relay connector I have created. So I have lost control over internal relaying.

    The only thing I did was create an "internal relay connector" -> a custom receive connector with specified remote servers [IP addresses] which can relay, as per many manuals available online. As far as I am aware it should refuse relaying by default - same as Exchange 2007sp3.

    Also did this to migrate RemoteIPRanges from Exch2007sp3 but cannot see it to be a problem:

    Set-ReceiveConnector "SERVERNAME2\CONNECTORNAME" -RemoteIPRanges (Get-ReceiveConnector "SERVERNAME1\CONNECTORNAME").RemoteIPRanges

    Any ideas?

    Thanks,

    Pawel

    Monday, July 2, 2012 1:34 PM

All replies

  • Connectors are chosen by closest match to the listening IP range.


    Mike Crowley | MVP

    Monday, July 2, 2012 1:46 PM
  • If you have devices sending email to internal recipients, then the default connector will accept those because by default its IP range is for everything. That isn't relaying.

    Relaying is sending to external recipients. Did you restart the Transport Service after making the change?

    Simon.


    Simon Butler, Exchange MVP

    Monday, July 2, 2012 1:46 PM
  • Thanks for correcting. Yes, it is sending to internal recipients. Yes, I did restart Transport Service.

    Remember, in Exchange 2007 it refused emails from our devices unless an additional connector with the remote IP address had been set. Is it different in Exchange 2010?

    Thanks,

    Pawel

    Monday, July 2, 2012 2:40 PM
  • Thanks for correcting. Yes, it is sending to internal recipients. Yes, I did restart Transport Service.

    Remember, in Exchange 2007 it refused emails from our devices unless an additional connector with the remote IP address had been set. Is it different in Exchange 2010?

    Thanks,

    Pawel

    The behaviour hasn't changed between Exchange 2007 and 2010.
    By default, once anonymous had been enabled on the Default Receive Connector, email would be received from both internal and external "servers". If you were seeing something else, then something was wrong with your configuration.
    When it comes to sending to internal recipients, no relaying settings are required, because sending email from a printer/scanner etc to an internal recipient is no different to Hotmail sending an email to an internal recipient.

    However, that doesn't mean the messages would be delivered, because internal sent email can be blocked by antispam filters. Therefore it isn't unusual to have different configurations to ensure the messages got through, but that isn't a connector configuration issue.

    Simon.


    Simon Butler, Exchange MVP

    • Marked as answer by P8119L Monday, July 2, 2012 5:40 PM
    Monday, July 2, 2012 3:44 PM
  • You have destroyed my world ;-) I was convinced that I need to "safelist" every device even those sending internally...

    Is it possible to set it up the way I thought it works? Just curiosity [not trying to justify my ignorance].

    Many thanks Simon!

    Pawel

     
    Monday, July 2, 2012 5:40 PM
  • SBS 2008 and higher actually does set it up in the way that you think.

    What it does is change the accepted IP range from the default of 0.0.0.0 - 255.255.255.255 to

    0.0.0.0 - 192.168.0.0 - 192.168.2.0 - 255.255.255.255

    where 192.168.0.x is your internal IP address range.

    Then you add in each device that you want to allow to connect to the list.

    If you do that, get it right - otherwise you will be rejecting email from the internet. I had this with an SBS system last year.

    http://blog.sembee.co.uk/post/Odd-SBS-2011-Receiving-Email-Issue.aspx

    Simon.


    Simon Butler, Exchange MVP

    Tuesday, July 3, 2012 7:25 PM
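
A simplified model of the connector matching discussed in this thread, as an added example that is not part of any post and is not Exchange's own code: it picks the connector whose remote IP range is the narrowest one containing the sender, first with the default 0.0.0.0 - 255.255.255.255 range and then with a split range that leaves the internal subnet out. Connector names, addresses and the split ranges are constructed for illustration, and the model assumes all connectors listen on the same binding, so only the remote IP ranges decide.

```powershell
# Added example with constructed data; runs in plain PowerShell, no Exchange cmdlets needed.
function ConvertTo-IpNumber {
    param([string]$Ip)
    [long]$n = 0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip.Trim()).GetAddressBytes()) {
        $n = $n * 256 + $b                      # big-endian dotted quad -> integer
    }
    $n
}

function Find-MatchingConnector {
    param([string]$SourceIp, [object[]]$Connectors)
    $src  = ConvertTo-IpNumber $SourceIp
    $best = $null
    foreach ($c in $Connectors) {
        foreach ($range in $c.RemoteIPRanges) {
            $parts = @($range -split '-')       # "low-high" or a single address
            $low   = ConvertTo-IpNumber $parts[0]
            $high  = ConvertTo-IpNumber $parts[-1]
            if ($src -ge $low -and $src -le $high) {
                $size = $high - $low            # smaller span = more specific match
                if ($null -eq $best -or $size -lt $best.Size) {
                    $best = [pscustomobject]@{ Connector = $c.Name; Range = $range; Size = $size }
                }
            }
        }
    }
    $best
}

# Constructed connectors: default range, a device relay list, and a default
# connector whose range is split to leave 192.168.0.0 - 192.168.0.255 uncovered.
$default = [pscustomobject]@{ Name = 'Default'; RemoteIPRanges = @('0.0.0.0-255.255.255.255') }
$relay   = [pscustomobject]@{ Name = 'Internal Relay'; RemoteIPRanges = @('192.168.0.10', '192.168.0.11') }
$split   = [pscustomobject]@{ Name = 'Default (split)'
                              RemoteIPRanges = @('0.0.0.0-192.167.255.255', '192.168.1.0-255.255.255.255') }

# Listed device, unlisted internal device, external sender (all constructed)
foreach ($ip in '192.168.0.10', '192.168.0.50', '203.0.113.7') {
    $open   = Find-MatchingConnector $ip @($default, $relay)
    $closed = Find-MatchingConnector $ip @($split, $relay)
    [pscustomobject]@{
        Source       = $ip
        DefaultRange = if ($open)   { $open.Connector }   else { '(no connector matches)' }
        SplitRange   = if ($closed) { $closed.Connector } else { '(no connector matches)' }
    }
}
```

The unlisted internal device is the row to watch: it still lands on the default connector while that connector covers every address, and matches nothing once the internal subnet is carved out of its range.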