Exchange 2003 to 2010 transition - Smart Host and "Ms-Exch-SMTP-Accept-Any-Recipient" permission. Why?

  • Question

  • Hi,

    In my mail flow with internet I have a smart host (Symantec Messaging Gateway).

    As per https://technet.microsoft.com/en-us/library/aa996395(v=exchg.141).aspx :

    "Receive connectors represent a logical gateway through which all inbound messages are received."

    "However, to allow anonymous relay on this Receive connector, you must also grant the following permission to the Anonymous Logon security principal on the Receive connector:

    • Ms-Exch-SMTP-Accept-Any-Recipient"


    This step is also mandatory as per https://technet.microsoft.com/en-us/library/bb738161(v=exchg.141).aspx :
    "Establish Internet mail flow between a Hub Transport server and an external SMTP gateway by using anonymous relay"

    4. For the Receive connector that you just modified, grant the relay permission to the Anonymous logon security principal by following these steps:

    a. Open the Shell.

    b. Run the following command using the name of the Receive connector that you created in step 2 and modified in step 3.

    Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    "


    Now, the receive connector that I create for accepting mails from the smart host has the checkbox "Anonymous users" checked, which gives "NT Authority\Anonymous User" various permissions, one of which is "Ms-Exch-SMTP-Accept-Any-Sender"; that is what I need to permit the smart host to forward emails from the internet to my internal Exchange users. Why would I have to give "NT Authority\Anonymous User" the "Ms-Exch-SMTP-Accept-Any-Recipient" permission for the purpose of receiving inbound emails from my Smart Host, since, if I have understood the above correctly, receive connectors are inbound connectors (internet -> Exchange)? I don't understand why Exchange would use it to send emails to recipients with domains not included in the accepted domain policy.

    Thank you,
    Francesco B.

    Friday, April 29, 2016 11:07 AM

Answers

  • I have found the answer on Supertekboy.com, in Gareth Gudger's reply to a comment of mine posted in his guide:

    https://supertekboy.com/2014/04/14/migrating-exchange-2003-2010-part-iv/#comment-13014

    Basically there is no need to give the "ms-exch-accept-any-recipient" permission to "nt authority\anonymous user" if the goal is to create a receive connector that has to just relay inbound email from your smart host to your Exchange 2010 users.
    So the 4th point in the TechNet article mentioned above is avoidable.

    Thank you Gareth.

    Francesco B.

    • Marked as answer by Francesco BB Thursday, May 5, 2016 9:16 AM
    Thursday, May 5, 2016 9:16 AM
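    The following Exchange Management Shell snippet is an added example for this thread; it is not code from the original posts, from Microsoft's documentation, or from the Supertekboy guide. It audits which Receive connectors grant ANONYMOUS LOGON the relay right discussed above, and shows the tighter configuration for an inbound smart-host connector: anonymous submission allowed, but only from the gateway's address and without Ms-Exch-SMTP-Accept-Any-Recipient. The connector name and the gateway IP address are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on Exchange 2010.
# Placeholders: replace with your own connector identity and the Symantec Messaging Gateway address.
$ConnectorName = "HUB01\From Smart Host"   # assumed name of the inbound connector for the gateway
$SmartHostIP   = "192.0.2.10"              # assumed gateway address (documentation range, not real)

# 1. Audit: list every Receive connector and whether ANONYMOUS LOGON holds the relay right.
#    Accept-Any-Recipient on an anonymous connector that is reachable from the internet is an open relay.
function Get-AnonymousRelayAudit {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $anonRights = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny }
        # ExtendedRights is a collection; flatten it to text before matching the right name.
        $rightsText = ($anonRights | ForEach-Object { $_.ExtendedRights } | Out-String)
        [PSCustomObject]@{
            Connector          = $rc.Identity
            RemoteIPRanges     = ($rc.RemoteIPRanges -join ", ")
            AnonymousRelay     = ($rightsText -like "*Accept-Any-Recipient*")   # relay to non-accepted domains
            AnonymousAnySender = ($rightsText -like "*Accept-Any-Sender*")      # what inbound internet mail needs
        }
    }
}

# Show the audit; any row with AnonymousRelay = True and a broad RemoteIPRanges deserves a look.
Get-AnonymousRelayAudit | Format-Table -AutoSize

# 2. Inbound-from-gateway connector: the "Anonymous users" permission group supplies
#    Accept-Any-Sender (enough to receive internet mail for accepted domains), and the
#    remote IP range limits anonymous submission to the gateway itself.
Set-ReceiveConnector -Identity $ConnectorName `
    -PermissionGroups AnonymousUsers `
    -RemoteIPRanges $SmartHostIP

# 3. If the relay right was added earlier by following step 4 of the TechNet article, take it back off:
#    without it, anonymous sessions can only address recipients in accepted domains.
Get-ReceiveConnector $ConnectorName |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# Re-run the audit to confirm the connector now shows AnonymousRelay = False.
Get-AnonymousRelayAudit | Where-Object { $_.Connector -eq $ConnectorName }
```

    Keep Ms-Exch-SMTP-Accept-Any-Recipient for a separate, dedicated relay connector whose RemoteIPRanges is limited to the internal hosts (application servers, scanners) that genuinely need to send to external domains, rather than on the connector that faces the gateway.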

All replies

  • Hi,

    According to the above official article, the "ms-Exch-SMTP-Accept-Any-Recipient" permission allows the session to relay messages through this connector. If this permission isn't granted, only messages that are addressed to recipients in accepted domains are accepted by this connector.

    In addition, you can refer to the following link to configure a relay connector:

    http://exchangeserverpro.com/how-to-configure-a-relay-connector-for-exchange-server-2010/

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    David

    Monday, May 2, 2016 12:36 PM
  • According to the above official article, the "ms-Exch-SMTP-Accept-Any-Recipient" permission allows the session to relay messages through this connector. If this permission isn't granted, only messages that are addressed to recipients in accepted domains are accepted by this connector.

    And that is the point that confuses me. I am configuring a receive connector (inbound mail flow, then) to accept anonymous messages from my smart host (that is, internet messages). Why should a receive connector receive an email message from a smart host and send it to a recipient whose domain is not in the accepted domains?

    For outbound mail flow there will be a send connector that forwards emails to my smart host.

    What am I missing on what instead TechNet says?

    Thank you,

    Monday, May 2, 2016 1:50 PM
  • Please, is there someone that is able to clarify this concept?

    Francesco B.
    Tuesday, May 3, 2016 4:20 PM
  • Hi,

    Glad to hear it.

    Thank you for generous sharing.

    Regards,

    David 

    Friday, May 6, 2016 8:24 AM