How to configure Edge Transport server to relay external domains

    Question

  • We have an on-premises Exchange 2013 server with a subscribed Edge Transport server. Email flow has been working fine for several years. I now need to allow an external Exchange server to use us as a relay to send external emails. This server is not part of our Exchange organization or AD domain, but we trust it sufficiently to implement this requirement.

    I have added a new FrontEndTransport Receive Connector on our Exchange server, configured it for Anonymous access and set the Scoping to only accept email from the IP address of the remote Exchange server. I have also deselected all authentication mechanisms for the connector - I assume this is correct.

    Unfortunately when I send emails from the external server I keep getting NDRs along the lines of:

    [name of EdgeTXserver] #550 5.7.1 Unable to relay ##

    I have made sure that the Edge Subscription is synchronized but the problem persists.

    Any thoughts?


    • Edited by AndyChips Monday, June 5, 2017 10:01 AM
    Monday, June 5, 2017 10:01 AM

All replies

  • You have to basically give the receive connector the rights to relay mail. You have to run the following command:

    Get-ReceiveConnector "CONNECTORNAME" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient  


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, June 5, 2017 1:12 PM
  • Hinte,

    Thanks for that but I'd already set that permission. The From: is accepted OK but the To: isn't:

    (Following transcript has been sanitized)

    220 mail01.mydomain.com
    ehlo
    250-mailserver01.mydomain.com Hello [21.35.6.13]
    250-SIZE 36700160
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-X-EXPS NTLM
    250-8BITMIME
    250-BINARYMIME
    250-XEXCH50
    250 XSHADOW
    mail from:andy@contoso.com
    250 2.1.0 Sender OK
    rcpt to:andy@contoso.com
    550 5.7.1 Unable to relay

    Do I need to set another permission?

    Thanks,

    Andy.


    • Edited by AndyChips Monday, June 5, 2017 1:44 PM
    Monday, June 5, 2017 1:37 PM
  • Change the from Address to something else. Mail from an internal user to another internal user wouldn't get routed through the Edge server, so it's probably blocking it.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    Monday, June 5, 2017 1:41 PM
  • Still the same, I'm afraid.

    mail from:joe@corporation.com
    250 2.1.0 Sender OK
    rcpt to:andy@contoso.com
    550 5.7.1 Unable to relay

    In fact, out of curiosity I've disabled the RX connector and it has made no difference to the results. That can't be right.
    • Edited by AndyChips Monday, June 5, 2017 2:18 PM
    Monday, June 5, 2017 2:12 PM
  • What server are you testing from?

    Unless it's the remote Exchange server or you added the IP of the server you are testing from, you are hitting the wrong connector and you won't be able to relay.

    Monday, June 5, 2017 3:16 PM
  • I'm testing from the external Exchange server and also a test laptop on an ADSL line. I've added both respective IP addresses to the RX Connector scoping.
    Tuesday, June 6, 2017 7:11 AM
  • Hi,

    Please change the settings of your receive connector for the relay as below, and then check the results:

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 6, 2017 7:23 AM
    Moderator
  • Jason, thanks. I tried that but still no joy. I'm also wondering why I should need those two authentication mechanisms and not Anonymous (as per most online examples).

    In each case, the NDR message I get back from the client is generated by the Edge Transport server. Is that to be expected?

    In case it's any use, here is the config of my RX Connector now:

    RunspaceId                              : 4b7daa3a-294d-48e5-bf7f-2231e2cac19f
    AuthMechanism                           : Tls, ExternalAuthoritative
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {0.0.0.0:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    SmtpUtf8Enabled                         : False
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    ProxyEnabled                            : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : mailserver01.mydomain.com
    ServiceDiscoveryFqdn                    :
    TlsCertificateName                      :
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : Unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 128 KB (131,072 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 12
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 35 MB (36,700,160 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : ExchangeServers, Custom
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : Verbose
    RemoteIPRanges                          : {165.175.70.17, 172.36.228.33, 211.32.65.56}
    RequireEHLODomain                       : False
    RequireTLS                              : False
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {}
    Server                                  : mailserver01
    TransportRole                           : FrontendTransport
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Allow relayed email from ext. Exchange server
    DistinguishedName                       : CN=Allow relayed email from ext. Exchange server,CN=SMTP Receive Connectors,CN=Protocols, mailserver01,CN=Servers,CN=Exchange
                                              Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=CoName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CoName,DC=local
    Identity                                : mailserver01\Allow relayed email from ext. Exchange server
    Guid                                    : f91cb4ee-b7ef-443c-84e7-38528bb2479f
    ObjectCategory                          : CoName.local/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    WhenChanged                             : 06/06/2017 09:18:32
    WhenCreated                             : 05/06/2017 09:48:43
    WhenChangedUTC                          : 06/06/2017 08:18:32
    WhenCreatedUTC                          : 05/06/2017 08:48:43
    OrganizationId                          :
    Id                                      : mailserver01\Allow relayed email from ext. Exchange server
    OriginatingServer                       : DomainController.CoName.local
    IsValid                                 : True
    ObjectState                             : Unchanged



    • Edited by AndyChips Tuesday, June 6, 2017 10:01 AM
    Tuesday, June 6, 2017 9:19 AM
  • I still think you are hitting the wrong connector.

    Add a banner to this connector "220 Remote Exchange" or something similar, then check the SMTP protocol logs to see if it's being used (or verify you see the right banner when telnetting on port 25 from the remote server).

    Also, how many receive connectors do you have on this thing?


    Tuesday, June 6, 2017 12:02 PM
  • David,

    As per one of my previous examples, I always get the banner '220 mail01.mydomain.com'. As I would expect, this directly corresponds with the Edge server I'm telnetting to. Not fully understanding how the Edge process works in relation to Receive Connectors, it looks to me like the connector I've created never gets a look-in. I also never see anything in the Receive Protocol logs on the MBX/HT servers that indicate the SMTP transaction was rejected.

    With regard to the number of RX connectors: I only have the ones created by Exchange at installation time, i.e:

    • 2 x Client (Frontend and Proxy/HT)
    • 2 x Default (Frontend and Proxy/HT)
    • 1 x Outbound Proxy (Frontend)
    • 1 x Allow External Relay (Frontend) - this is the one I created and am trying to get working.

    Obviously there are also the TX connectors which get automatically created during the Edge subscription process.

    Just thinking aloud... why would externally relayed email even have to go through the MBX/HT servers? Wouldn't it make sense for the Edge Transport servers to do that by themselves?

    This diagram might help.



    • Edited by AndyChips Tuesday, June 6, 2017 2:40 PM Additional thoughts
    Tuesday, June 6, 2017 1:06 PM
  • What I am suggesting is that you set a custom banner for the new receive connector "Allow External Relay".

    If you are seeing "220 mail01.mydomain.com" in the banner, then you are probably not connecting to the correct receive connector.

    Your permissions on this connector should look like this:

    PermissionGroups        : AnonymousUsers, ExchangeServers, Partners, Custom

    Ensure the remote IPs are correct. The auth mechanism should not be ExternalAuthoritative unless you want to treat messages from this server as authenticated.

    and yes, the rec connectors should be edge only...


    Tuesday, June 6, 2017 5:20 PM
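The banner-and-protocol-log check suggested above, written out as an added example that is not part of this thread. It tags one receive connector with a distinctive banner and then reads the SMTP receive protocol log to report which connector actually handled sessions from the external server and how many it rejected with 550 5.7.1. The connector name "Allow External Relay", the remote address 203.0.113.10 and the log folder (the default Frontend path under the Exchange install directory on a Mailbox server; on an Edge server the path is TransportRoles\Logs\ProtocolLog\SmtpReceive) are assumptions for the example, not values from the thread.

```powershell
# Added example (not from the thread): identify which receive connector
# a remote server's sessions land on, using a custom banner plus the
# SMTP receive protocol log.
# Assumptions: connector name, remote IP (documentation range) and log path.
$connector = "Allow External Relay"
$remoteIp  = "203.0.113.10"
$logDir    = Join-Path $env:ExchangeInstallPath "TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive"

# A unique banner makes the connector recognisable from a plain telnet session,
# and Verbose logging records every command and response for the audit below.
Get-ReceiveConnector "$env:COMPUTERNAME\$connector" |
    Set-ReceiveConnector -Banner "220 Remote Exchange relay" -ProtocolLoggingLevel Verbose

# Receive protocol logs are CSV files whose header is a "#Fields:" comment line.
$fields = "date-time","connector-id","session-id","sequence-number",
          "local-endpoint","remote-endpoint","event","data","context"
$rows = Get-ChildItem $logDir -Filter *.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First 2 |
    ForEach-Object { Get-Content $_.FullName | Where-Object { $_ -notlike "#*" } } |
    ConvertFrom-Csv -Header $fields

# Group the remote server's sessions by the connector that answered them.
# If nothing is listed, the sessions never reached this server at all
# (in this thread, because the Edge Transport server answered them).
$rows | Where-Object { $_.'remote-endpoint' -like "${remoteIp}:*" } |
    Group-Object 'connector-id' |
    ForEach-Object {
        [pscustomobject]@{
            Connector = $_.Name
            Sessions  = ($_.Group | Select-Object -ExpandProperty 'session-id' -Unique).Count
            Rejects   = ($_.Group | Where-Object { $_.data -like "550 5.7.1*" }).Count
        }
    }
```

Run it in the Exchange Management Shell on the server you believe is answering port 25; an empty result for the remote address is itself the diagnosis, because it means a different host (here, the Edge server) is terminating the SMTP session.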
  • Hi.

    You need to create an SMTP receive connector on the Edge servers for the IP address of the external SMTP server with an anonymous connection.

    This is a relay on MBX, but you need it on EDGE.

    SMTP Relay connectors in Exchange 2016

    How to Configure a Relay Connector for Exchange Server 2010


    MCITP, MCSE. Regards, Oleg

    • Edited by Oleg.Kovalenko Tuesday, June 6, 2017 7:10 PM
    • Marked as answer by AndyChips Wednesday, June 7, 2017 9:48 AM
    Tuesday, June 6, 2017 7:09 PM
  • Oleg,

    That was the conclusion I was starting to come to. I don't think it matters what connector I create on the MBX/HT servers. Externally relayed traffic will never hit them. All my testing so far has been in vain.

    I'll give your suggestion a go. Thank you.
    Andy.

    Wednesday, June 7, 2017 7:09 AM
  • Oleg,

    That was the clue I needed. I've now created new RX Connectors on both Edge servers and it's all working beautifully.

    For reference, this is the command I used on the Edge servers:

    New-ReceiveConnector -Name "Anonymous Relay" -TransportRole HubTransport -Custom -Bindings 0.0.0.0:25 -AuthMechanism None -PermissionGroups AnonymousUsers -RemoteIpRanges {IP address of trusted external SMTP server}

    Then configure the AD permissions for anonymous relay on the new Receive connector:
    Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    Many thanks to everyone for their assistance.
    Andy.

    Wednesday, June 7, 2017 9:47 AM
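The Edge-side procedure from the accepted answer and the closing post, carried through as an added example that is not part of this thread: it creates the anonymous relay connector scoped to a single trusted address, grants only the accept-any-recipient right, and then audits every receive connector on the server for anonymous relay permission and for an IP scope wide enough to make it an open relay. The connector name "Anonymous Relay" comes from the thread; the trusted address 203.0.113.10 is a documentation-range placeholder for the external server's real IP.

```powershell
# Added example (not from the thread): create a narrowly scoped anonymous
# relay connector on an Edge Transport server, then audit all connectors.
# Assumption: 203.0.113.10 is a placeholder for the trusted external server.
$name      = "Anonymous Relay"
$trustedIp = "203.0.113.10"

if (-not (Get-ReceiveConnector | Where-Object { $_.Name -eq $name })) {
    # On Edge Transport the TransportRole value is HubTransport.
    # RemoteIpRanges is the only thing limiting who may relay, so keep it to one host.
    New-ReceiveConnector -Name $name -TransportRole HubTransport -Custom `
        -Bindings 0.0.0.0:25 -AuthMechanism None -PermissionGroups AnonymousUsers `
        -RemoteIpRanges $trustedIp -Banner "220 Anonymous Relay" | Out-Null

    # Grant only the relay right; leave ExternalAuthoritative and anti-spam bypass off.
    Get-ReceiveConnector $name |
        Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
            -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null
}

# Audit: list every connector where ANONYMOUS LOGON may relay, with its scope.
foreach ($rc in Get-ReceiveConnector) {
    $relay = Get-ADPermission $rc.Identity |
        Where-Object { $_.User -like "*ANONYMOUS LOGON" -and
                       "$($_.ExtendedRights)" -match "Accept-Any-Recipient" }
    if (-not $relay) { continue }

    $ranges = $rc.RemoteIPRanges | ForEach-Object { $_.ToString() }
    # A range covering the whole address space turns the connector into an open relay.
    $open = $ranges | Where-Object { $_ -eq "0.0.0.0-255.255.255.255" -or $_ -like "*/0" }

    [pscustomobject]@{
        Connector      = $rc.Name
        AuthMechanism  = $rc.AuthMechanism
        RemoteIpRanges = ($ranges -join ", ")
        OpenRelay      = [bool]$open
    }
}
```

Run the audit portion on each Edge server after any connector change; the only row that should report anonymous relay is the one named here, and its RemoteIpRanges should contain nothing but the trusted server's address.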