SMTP Relay Configuration on Default Receive Connector

    Question

  • I want to set up SMTP relay in Exchange 2013. The default receive connector has the AnonymousUsers permission. Can I use this connector for SMTP relay for multiple applications and printers to send emails, or do I need to create a new connector? This connector is already being used for this purpose; however, some applications and all printers are not able to submit messages. I see the error message below on the receive connector. This connector is also receiving external emails from the Edge server.

    Inbound authentication failed because the client DOMAIN\USERID doesn't have submit permission.
    User Name: NULL
    Tarpit for '0.00:00:05' due to '535 5.7.3 Authentication unsuccessful
    535 5.7.3 Authentication unsuccessful

    I checked that the receive connector has Ms-Exch-SMTP-Accept-Any-Recipient, Ms-Exch-SMTP-Submit and ms-Exch-SMTP-Accept-Any-Sender for user "NT AUTHORITY\ANONYMOUS LOGON".

    Receive connector settings are as below:

    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
    Bindings                                : {[::]:25, 0.0.0.0:25}
    Fqdn                                    : Server1.domain.com
    PermissionGroups                        : AnonymousUsers, ExchangeServers, ExchangeLegacyServers, Custom
    RemoteIPRanges                          : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, 0.0.0.0-255.255.255.255}
    TransportRole                           : FrontendTransport

    In a testing environment I enabled the authentication method "Externally Secured" and the permission group "Anonymous Users", and it started working. I assume it is failing because of the AuthMechanism defined for the connector, as the failing applications/printers are not able to understand the authentication method. How do I achieve this on the single receive connector which is already in place? Any help is much appreciated. Thanks.

    Wednesday, August 17, 2016 6:33 PM

All replies

  • You can enable the AuthMechanism as ExternalAuthoritative, which will add the Exchange server permission group and allow external users/applications/printers to send email.

    AuthMechanism    : Tls, ExternalAuthoritative

    However, you have to make sure your server is in a trusted and protected network, the scope of the IP is not exposed to the internet, etc.

    It's not recommended to use the default SMTP connector for relay.

    Let me know if you have any questions.

    Thanks,

    • Marked as answer by _MSD Thursday, August 18, 2016 2:25 PM
    • Unmarked as answer by _MSD Thursday, August 18, 2016 2:25 PM
    • Marked as answer by _MSD Thursday, August 18, 2016 2:44 PM
    Wednesday, August 17, 2016 6:47 PM
  • Thanks for your reply.

    Yes, the server is in a trusted and protected network.

    So I should create another receive connector for SMTP relay?

    Do you have a Microsoft recommendation which says not to use the default SMTP connector for relay, and also how it should be set up on Exchange 2013? I tried but don't see any reference on TechNet. It will be very helpful, as this is what my management is looking for.

    Thanks again in advance.

    Wednesday, August 17, 2016 7:52 PM
  • Yes, you should create a new receive connector, which should be externally secured and have anonymous permission to receive email from any device and permission.

    If we set up the same permission on the default connector, which we are using to receive email on SMTP port 25 from the external network, it will be an open relay and any unauthenticated user can communicate and send email through it.

    I don't find anything specific as of now, but we used it for avoiding the open relay situation.

    Thanks,

    • Proposed as answer by Allen_WangJFModerator Thursday, August 18, 2016 12:23 PM
    • Marked as answer by _MSD Thursday, August 18, 2016 2:24 PM
    • Unmarked as answer by _MSD Thursday, August 18, 2016 2:24 PM
    • Marked as answer by _MSD Thursday, August 18, 2016 2:29 PM
    Thursday, August 18, 2016 2:41 AM
  • Hi,

    Great advice from yspintu.

    There are situations where you want to enable anonymous relay on your Exchange servers, for example when you have applications that need to send messages through the Exchange server. It is a best practice to create a special connector for every usage instead of changing the default connectors.

    More details about Receive Connector in Exchange 2013, for your reference:
    https://technet.microsoft.com/en-us/library/aa996395(v=exchg.150).aspx


    Allen Wang
    TechNet Community Support

    Thursday, August 18, 2016 12:29 PM
    Moderator

  • I found a couple of MS links which say the same as what you explained; however, I didn't find any for Exchange 2013, but the concept should not change. It will help all those who have the same question. Thanks a lot, yspintu and Allen.

    https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx - Exchange 2016
    https://technet.microsoft.com/en-us/library/aa996395(v=exchg.141).aspx - Exchange 2010
    https://technet.microsoft.com/en-us/library/aa997163(v=exchg.65).aspx - Exchange 2003


    Regards, Mani

    • Marked as answer by _MSD Thursday, August 18, 2016 2:29 PM
    • Unmarked as answer by _MSD Friday, August 19, 2016 8:34 AM
    Thursday, August 18, 2016 2:29 PM
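
The dedicated relay connector recommended in the replies above, as an added Exchange Management Shell example that is not part of the original thread. The connector name, the device IP addresses and the default connector name "Default Frontend Server1" are assumptions; adjust them to the environment.

```powershell
# Added example: dedicated, externally secured relay connector scoped to
# known devices, leaving the default internet-facing connector untouched.
# Placeholders (not from the thread): connector name and the IP list.
$server   = 'Server1'
$name     = 'Internal App Relay'
# Constructed sample addresses: list only the applications/printers that relay.
$relayIPs = '192.0.2.10', '192.0.2.11', '192.0.2.32/28'

# 1. Create the connector on the Front End Transport service.
#    It shares port 25 with the default connector; Exchange selects the
#    connector with the most specific RemoteIPRanges match for each client.
New-ReceiveConnector -Name $name -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIPs

# 2. Mark the connector as externally secured. ExternalAuthoritative
#    requires the ExchangeServers permission group; listed hosts are then
#    treated as trusted senders, so the IP scope is the only access control.
Set-ReceiveConnector "$server\$name" `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# 3. Confirm the scope is limited to the intended hosts and not 0.0.0.0-255.255.255.255.
Get-ReceiveConnector "$server\$name" |
    Format-List Name, AuthMechanism, PermissionGroups, RemoteIPRanges, Bindings

# 4. Audit the default connector (name assumed) for the relay right on
#    anonymous sessions. Ms-Exch-SMTP-Accept-Any-Recipient on a connector
#    that accepts mail from every IP address is the open relay condition
#    described in the replies.
Get-ReceiveConnector "$server\Default Frontend $server" |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'Ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table Identity, User, ExtendedRights -AutoSize
```

If step 4 returns a row for the internet-facing connector, the right can be removed from it once the relay devices are confirmed to be hitting the new connector.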