Receive connector - Allow only one account

    Question

  • I need to create a receive connector which only allows one domain account the ability to relay externally. The account will authenticate from many different IPs.

    I created the connector. If I allow "Exchange Users" in the Permissions Group I am able to relay as that account, including other domain accounts (as expected).

    I tried setting security on the connector: Get-ReceiveConnector "EX13CA\External-Relay" | Add-ADPermission -User "DOMAIN\AllowRelayAccount" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient". I then removed the group permission for "Exchange Users". I tried sending mail as AllowRelayAccount and I get "The Server Response was not available".

    How can I restrict this connector to just a single account?

    Thanks

    Monday, November 7, 2016 6:12 PM

Answers

  • You need to set up authenticated SMTP relaying.

    found this...

    Prerequisites:

    A mailbox-enabled account,
    A group which contains all relay accounts, for example "Relay Accounts"

    Start off with adding the right permissions to the receive connectors.
    To allow relaying at the "Default Frontend" receive connector, the submit-to-server right is assigned to our group "Relay Accounts"; no other permissions are required yet.

    The following PowerShell Command will set this right for our group.

    Get-ReceiveConnector "default frontend*" | Add-ADPermission -User "contoso\relay accounts" -ExtendedRights ms-Exch-SMTP-Submit

    For the "Client Proxy" receive connector we need to hand out the actual relay permissions, in our case we allowed the accounts to send from any address to any address but this might be different, see the list below for what each permission gives you.

    • ms-Exch-SMTP-Submit – allow to submit messages (required permission)
    • ms-Exch-SMTP-Accept-Any-Recipient – allow messages to be sent to email addresses unknown to the local server (known as relaying)
    • ms-Exch-SMTP-Accept-Any-Sender – allow sending as any email address that is unknown to the local organization
    • ms-Exch-SMTP-Accept-Authoritative-Domain-Sender – allow sending as any email address that is constructed with the authoritative domain (in our environment contoso.com)
    • ms-Exch-Accept-Headers-Routing – to keep all routing headers in the email, not required but can be nice for troubleshooting.

    We picked all of the above options and set the permissions with the next PowerShell command.

    Get-ReceiveConnector "client proxy*" | Add-ADPermission -User "contoso\relay accounts" -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Any-Sender,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender,ms-Exch-Accept-Headers-Routing

    OK, so we have configured the correct permissions now, and that should be enough to allow authenticated relaying of email messages, but the reality is that not all devices on our network support NTLM authentication and our TLS encryption.
    For our environment it was an acceptable risk to allow basic authentication, and especially for testing purposes this can be helpful as well.

    To allow basic authentication we needed to alter the "default frontend" security settings from "basic authentication only after offering TLS" to "allow basic authentication always".
    This change can be made using the following PowerShell command:

    Get-ReceiveConnector "default frontend*" | Set-ReceiveConnector -AuthMechanism Tls, Integrated, BasicAuth, ExchangeServer

    • Proposed as answer by David Wang_Moderator Tuesday, November 22, 2016 9:13 AM
    • Marked as answer by BTRowdy1 Monday, December 12, 2016 5:00 PM
    Sunday, November 13, 2016 5:29 AM
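The procedure in the accepted answer, carried through for the single-account case in the question, as an added example that is not part of the original thread. It reuses the names from the question (server EX13CA, account DOMAIN\AllowRelayAccount, connector External-Relay); the listener port 2525, the 10.0.0.0/8 range and the test addresses are assumptions. Two points the answer does not spell out: its final command switches the connector from BasicAuthRequireTLS to BasicAuth, which lets a client hand over the account password before STARTTLS, so the example below keeps BasicAuthRequireTLS; and the "Default Frontend" and "Client Frontend" connectors ship with the ExchangeUsers permission group, which grants ms-Exch-SMTP-Accept-Any-Recipient to every authenticated domain account, so locking down one custom connector does not by itself stop other accounts from relaying through those. The audit step at the end makes that visible. Note also that the answer lists ms-Exch-SMTP-Submit as required, while the command in the question grants only ms-Exch-SMTP-Accept-Any-Recipient.

```powershell
# Added example, not from the original thread. Assumes the server and account
# names used in the question (EX13CA, DOMAIN\AllowRelayAccount) and a connector
# named External-Relay listening on 2525 (chosen here to avoid the default
# frontend listener on 25). Run from the Exchange Management Shell.
$Server   = 'EX13CA'
$Name     = 'External-Relay'
$Account  = 'DOMAIN\AllowRelayAccount'
$Frontend = "$Server\$Name"
$Backend  = "$Server\Client Proxy $Server"   # default name of the backend connector

# Rights implemented by the ExchangeUsers permission group (granted to
# NT AUTHORITY\Authenticated Users) and the rights we hand to the one account.
$ExchangeUsersRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Recipient',
                         'ms-Exch-Bypass-Anti-Spam', 'ms-Exch-Accept-Headers-Routing')
$RelayRights = @('ms-Exch-SMTP-Submit', 'ms-Exch-SMTP-Accept-Any-Recipient',
                 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender')
# ms-Exch-SMTP-Accept-Any-Sender is deliberately left out: the account may send
# as an address in our own authoritative domain, not as anyone on the Internet.

# 1. Dedicated frontend connector with no permission groups: no AnonymousUsers
#    (not an open relay) and no ExchangeUsers (other domain accounts get nothing
#    here). The IP range stays wide because the account connects from many
#    hosts; the restriction is the authenticated identity, not the source address.
if (-not (Get-ReceiveConnector -Identity $Frontend -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Name $Name -Server $Server `
        -TransportRole FrontendTransport -Usage Custom `
        -Bindings '0.0.0.0:2525' -RemoteIPRanges '10.0.0.0/8' `
        -AuthMechanism Tls, Integrated, BasicAuthRequireTLS `
        -PermissionGroups None
}

# 2. If the connector was ever given ExchangeUsers (as in the question), strip
#    the Authenticated Users ACEs so only the explicit grant below remains.
Get-ReceiveConnector -Identity $Frontend |
    Remove-ADPermission -User 'NT AUTHORITY\Authenticated Users' `
        -ExtendedRights $ExchangeUsersRights -Confirm:$false -ErrorAction SilentlyContinue

# 3. Grant the single account. Following the answer's layout, the frontend
#    connector only needs ms-Exch-SMTP-Submit (the session is proxied to the
#    Transport service) and the relay rights go on the backend Client Proxy
#    connector, which is what the answer's second Add-ADPermission targets.
Get-ReceiveConnector -Identity $Frontend |
    Add-ADPermission -User $Account -ExtendedRights ms-Exch-SMTP-Submit
Get-ReceiveConnector -Identity $Backend |
    Add-ADPermission -User $Account -ExtendedRights $RelayRights

# 4. Audit: every principal holding the relay right on any connector of this
#    server. Expect to see Authenticated Users on Default Frontend and Client
#    Frontend unless those have been changed too.
Get-ReceiveConnector -Server $Server | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and
                   $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' } |
    Select-Object Identity, User, Deny |
    Format-Table -AutoSize

# 5. Functional test from any client host: authenticated STARTTLS submission to
#    an external recipient (-UseSsl in Send-MailMessage means STARTTLS, and the
#    server certificate must be trusted by the client). Running the same lines
#    with an unprivileged domain account should be rejected on this connector.
$cred = Get-Credential -UserName $Account -Message 'Relay account password'
Send-MailMessage -SmtpServer $Server -Port 2525 -UseSsl -Credential $cred `
    -From 'relay@contoso.com' -To 'someone@example.net' `
    -Subject 'relay test' -Body 'sent via External-Relay'
```

The audit in step 4 is the check to repeat after any change to PermissionGroups on any connector, since that is what decides which accounts can relay, not the name or port of the connector they happen to hit.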

All replies

  • The best way is to add the IP into the list of those who can relay to the connector, and if the relay client is authenticated using an Exchange mailbox then please grant permission to "Exchange Users".

    In that case, any other client using a different IP will not succeed in relaying email to the Internet.


    Mihir Nayak If a post is helpful, please take a second to vote

    • Proposed as answer by David Wang_Moderator Tuesday, November 8, 2016 6:29 AM
    • Unproposed as answer by BTRowdy1 Wednesday, November 9, 2016 3:42 PM
    Tuesday, November 8, 2016 6:22 AM
  • Thanks for your response, however your answer does not meet my needs.

    The machine sending will never be the same system. I only want one service account to be able to relay from any internal IP without allowing any other exchange user to relay.

    Wednesday, November 9, 2016 3:42 PM