Exchange 2010 and External Relays (Migration – Part 3)

The “Receive” Connector is a funny thing in Exchange 2010. The receive connectors on my system seem to double as “Send” connectors depending on who’s doing the sending. Once my new server was up and running, it was a no-brainer to make a proper “Send” connector so the server could reach the Internet to deliver mail to external parties. I was also able to quickly bring up a “Receive” connector to collect mail from our Barracuda appliance.

Then I started tackling the servers within our organization that send alerts and reports via email.  I added their network addresses to the same connector I used for the Barracuda device, since they are all on the same network.

All the devices seemed happy until I ran across one that needed to send messages to external recipients. Turns out that on Exchange 2003, I was using the same connector for both internal and external relaying without issue, but Exchange 2010 is a little pickier from a security standpoint (a good thing) and I had to create a special receive connector to handle external relaying.

So why are we using “receive” connectors to relay external mail? The receive connectors collect mail coming to the Exchange 2010 server, which is then sent out using the Internet send connector. So while all your devices are sending mail, the Exchange server is both receiving it and sending it.
Of course, I wouldn’t be writing a post about External Relays if there wasn’t something special about them.

When creating an external relay you want to be sure to un-check all the security mechanisms on the Authentication tab, since it’s likely you are relaying mail for things like your UPS, which might be “phoning home” with updates to a support provider, or copiers/scanners that might need to send scanned items to an outside party – all types of devices that likely won’t have a mechanism to authenticate to your mail server.

You also need to set your “Permission Groups” to Anonymous, but the configuration doesn’t end there.  Be sure to kick off this little extra PowerShell as well.

Get-ReceiveConnector "External Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

This relay is now pretty wide open, so lock down which IP addresses from your network are allowed to use it so that it’s well controlled. If you need some screenshots for the configuration, check out this post from the Lazy Network Admin.
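The whole procedure above, scripted end to end, as an added example that is not from the original post: it creates the connector already restricted to a short list of device addresses, grants the anonymous relay right, and then reads the permission back so you can confirm exactly which connectors allow Accept-Any-Recipient. The server name, IP addresses and the 0.0.0.0 binding are constructed placeholders; the connector name “External Relay” is the one used in the post.

```powershell
# Run from the Exchange Management Shell on the Hub Transport server.
# Placeholder values (assumptions, not from the post): replace before use.
$Server  = "EX2010-HUB01"
$Name    = "External Relay"
$Devices = @("10.0.5.20", "10.0.5.21", "10.0.5.22")   # UPS, copier, scanner ...

# 1) Create the connector. -AuthMechanism None matches un-checking every
#    box on the Authentication tab; -PermissionGroups Anonymous matches the
#    Permission Groups tab. The binding may overlap the default connector
#    because Exchange picks the connector with the most specific
#    RemoteIPRanges match, so keep the list to individual hosts.
New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $Devices `
    -AuthMechanism None -PermissionGroups Anonymous

# 2) Grant the right that actually permits relaying to outside domains.
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 3) Verify: list every connector on the server that grants
#    Accept-Any-Recipient, and to whom. Anything other than the relay
#    connector appearing here deserves a second look.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $conn = $_
    $conn | Get-ADPermission |
        Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
        Select-Object @{n="Connector";e={$conn.Name}}, User,
                      @{n="RemoteIPRanges";e={$conn.RemoteIPRanges -join ","}}
} | Format-Table -AutoSize

# 4) Adding a device later: extend the allow list rather than widening it
#    to a whole subnet.
$conn = Get-ReceiveConnector "$Server\$Name"
$conn.RemoteIPRanges += "10.0.5.23"
Set-ReceiveConnector -Identity $conn -RemoteIPRanges $conn.RemoteIPRanges
```

Step 3 is the check worth repeating after any connector change: an open relay on an Exchange 2010 box is almost always a connector that got Anonymous plus Accept-Any-Recipient with a RemoteIPRanges of 0.0.0.0-255.255.255.255.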
