    We're running Exchange Server 2013, and I'm trying the following on the SMTP:

    • Connecting from an internal address should allow sending emails anonymously
    • Connecting from an external address should force authentication if "mail from" is our domain

    If I follow all the basic guides out there, I've created a "FrontendTransport" for the relay, which has IP rules for our internal addresses and "anonymous users" allowed - and that works. When I connect from an internal IP address it gives me the "relay" name and I can send without logging in.

    However, if I untick "Anonymous" at "Default Frontend", everyone connecting is required to authenticate, which stops all new incoming emails.

    Is it possible to make it force logins only if "mail from:" is our domain? Currently I can telnet to the SMTP from any external IP address and specify "mail from" and "rcpt to" as our domain and the email gets delivered.

    Friday, October 14, 2016 6:35 AM


  • Allowing sending of mail to Exchange recipients--including mail contacts with external addresses--is called "submission" and there's nothing involving "relay" required for them.  "Relay" pertains to sending mail to recipients not in Exchange.

    Anonymous is required to submit mail without having to log on.  You pretty much need a connector that has Anonymous permission to send mail from the Internet to Exchange.

    The way to regulate who can relay anonymously is to create a relay connector and restrict it to the IP addresses of the hosts you want to be able to relay with the "RemoteIPRanges" property of the receive connector.

    It's really easy to have an authenticated relay connector.  Just have them send using port 587, which is configured by default to allow authenticated relay.

    Saturday, October 15, 2016 5:06 PM
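    The configuration the answer describes (a dedicated relay connector restricted by RemoteIPRanges, anonymous relay granted only there, and the port 587 connector kept for authenticated relay), written out as an Exchange Management Shell script. This is an added example, not code from either poster; the server name "EX01", the connector name "Internal Relay" and the address ranges are placeholders to replace with your own. The audit at the end is the check the original question is really after: it lists every connector that grants "ms-Exch-SMTP-Accept-Any-Recipient" to anonymous senders together with the IP ranges it listens for, so a connector that grants relay to the whole Internet shows up immediately.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on an Exchange 2013 server. All names and ranges below are assumed placeholders.
$Server         = "EX01"
$RelayName      = "Internal Relay"
$InternalRanges = @("10.0.0.0/8", "192.168.1.0/24")   # constructed sample ranges

# 1. Dedicated relay connector on the Frontend Transport role, reachable only
#    from the internal ranges. AnonymousUsers lets those hosts submit without
#    logging on; the Default Frontend connector keeps its own Anonymous setting
#    so inbound Internet mail is not blocked.
if (-not (Get-ReceiveConnector -Identity "$Server\$RelayName" -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Name $RelayName -Server $Server `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings "0.0.0.0:25" -RemoteIPRanges $InternalRanges `
        -PermissionGroups AnonymousUsers
}

# 2. Relay (delivery to recipients outside Exchange) is a separate right.
#    Grant it to anonymous senders on the relay connector only; without it an
#    anonymous sender can submit to Exchange recipients but cannot relay out.
Add-ADPermission -Identity "$Server\$RelayName" `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3. Authenticated relay for external users: the default client connector on
#    port 587 already requires TLS plus authentication. Show its settings so
#    they can be compared against the anonymous connectors.
Get-ReceiveConnector -Identity "$Server\Client Frontend $Server" |
    Format-List Name, Bindings, AuthMechanism, PermissionGroups

# 4. Audit: which connectors let anonymous senders relay, and from where?
#    A connector listed here whose RemoteIPRanges covers 0.0.0.0-255.255.255.255
#    is an open relay and needs its ranges narrowed or the right removed.
$report = Get-ReceiveConnector -Server $Server | ForEach-Object {
    $conn = $_
    $anonRelay = Get-ADPermission -Identity $conn.Identity |
        Where-Object {
            $_.User -like "*ANONYMOUS LOGON" -and
            -not $_.Deny -and
            "$($_.ExtendedRights)" -match "ms-Exch-SMTP-Accept-Any-Recipient"
        }
    if ($anonRelay) {
        [pscustomobject]@{
            Connector      = $conn.Name
            Bindings       = ($conn.Bindings -join ", ")
            RemoteIPRanges = ($conn.RemoteIPRanges -join ", ")
            AnonymousRelay = $true
        }
    }
}
$report | Format-Table -AutoSize
```

    Re-run step 4 after any connector change; the goal is that the only row it prints is the relay connector with internal ranges, while "Default Frontend" keeps anonymous submission for inbound mail but never appears in the relay report.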