A very common scenario for Exchange Server 2013 administrators is the need to allow applications and devices on the network to use the Exchange server as an SMTP service.
There are generally two specific business requirements:
- Internal SMTP relay – the ability to make an SMTP connection to an Exchange 2013 server and send email to recipients that are internal to the organization (for example, a “scan to email” feature on a multi-function print device)
- External SMTP relay – the ability to make an SMTP connection to an Exchange 2013 server and send email to recipients that are outside the organization (for example, applications or hardware that sends automated reports or alerts to external vendors or consultants)
In this article I will demonstrate how to meet both of those requirements in Exchange Server 2013.
But first, let’s cover some of the fundamental Exchange 2013 concepts that apply here.
Frontend Transport vs Transport vs Mailbox Transport
Looking at the Exchange 2013 transport architecture there are multiple services involved.
The Client Access server role hosts the Frontend Transport service, which provides filtering of email traffic (eg antispam agents), and routing of email between the internal Exchange servers and the outside world
The Mailbox server role hosts two additional services:
- Transport service – performs email routing within the organization, and between the Front End transport service and the Mailbox Transport service
- Mailbox Transport service – passes email messages between the Transport service and the mailbox database. This is actually two separate services, Mailbox Transport Submission and Mailbox Transport Delivery.
On a multi-role server this adds up to four services (Transport Log Search is not relevant to mail flow):
PS C:\> Get-Service | Where DisplayName -like "*Transport*" | Select DisplayName DisplayName ----------- Microsoft Exchange Frontend Transport Microsoft Exchange Mailbox Transport Delivery Microsoft Exchange Mailbox Transport Submission Microsoft Exchange Transport Microsoft Exchange Transport Log Search
On a Client Access server there is only one service.
PS C:\> Get-Service | Where DisplayName -like "*Transport*" | Select DisplayName DisplayName ----------- Microsoft Exchange Frontend Transport
No matter whether the server is multi-role or only installed with the Client Access server role, the Frontend Transport service is the only service already listening on TCP port 25 (SMTP). The other services listen on a variety of other ports (for example TCP 2525 for the Transport service).
For both internal and external SMTP relay scenarios the Frontend Transport service will be handling the connections. So whether you’ve deployed multi-role or CAS-only servers we’ll only be referring to the Client Access server role from now.
Allowing Internal SMTP Relay via the Frontend Transport Service
The Client Access server role is configured with a receive connector called “Default Frontend SERVERNAME” that is intended to be the internet-facing receive connector, so is already set up to receive SMTP connections from unauthenticated sources and allow them to send email to internal recipients.
220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Mon, 7 Oct 2013 23:49:54 +1000 helo 250 E15MB1.exchange2013demo.com Hello [192.168.0.181] mail from: test@hotmail.com 250 2.1.0 Sender OK rcpt to: administrator@exchange2013demo.com 250 2.1.5 Recipient OK data 354 Start mail input; end with . . 250 2.6.0 <df2bd0b4-08be-4b48-be83-c52e63721a4c@E15MB1.exchange2013demo.com> [In ternalId=19911468384257] Queued mail for delivery
This means that the only additional (and optional) step for making internal SMTP relay available to your applications and devices is to provide a DNS name for them to connect to. You can just use the name of an Exchange 2013 server that is installed with the Client Access server role, or you can set up a more generic host record in DNS for them to use (which I recommend, as this makes it easier to migrate the service in future).
Allowing External SMTP Relay via the Frontend Transport Service
Although the default Frontend Transport receive connector allows internal SMTP relay it will not allow external SMTP relay. Here is an example of what happens if I use Telnet to try and send an email to an address that is external to the organization.
220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Tue, 8 Oct 2013 00:05:04 +1000 helo 250 E15MB1.exchange2013demo.com Hello [192.168.0.181] mail from: administrator@exchange2013demo.com 250 2.1.0 Sender OK rcpt to: exchangeserverpro@gmail.com 550 5.7.1 Unable to relay
To permit specific applications and devices to relay to external recipients we need to configure a new receive connector.
In the Exchange Admin Center navigate to Mail Flow -> Receive Connectors. Select the server that you wish to create the receive connector on. Remember, the server should be either a multi-role server or a Client Access server.
Click the + icon to create a new receive connector.
Give the new connector a name. Exchange names the various default connectors using a standard of “Purpose SERVERNAME”, for example “Client Frontend E15MB1”. So I tend to stick with that convention.
If the server you chose is multi-role you’ll need to select the Frontend Transport role. If the server is CAS-only then Frontend Transport will already be selected.
Leave the Type set to Custom, and then click Next.
For servers with a single network adapter the default binding will usually be fine.
For the remote network settings, click the – icon to remove the default IP address range. Then click the + icon and add at least one IP address of an application server or device that requires external SMTP relay access.
Click Finish to create the new receive connector.
Next we need to configure some additional settings for the receive connector. Highlight the connector and click the “pencil” icon to edit its settings. Select Security and tick the Anonymous Users box.
Click Save to apply the settings.
The final step involves granting anonymous users (such as the unauthenticated SMTP connections coming from applications and devices on your network) the ability to send to external recipients.
In the Exchange Management Shell run the following command, substituting the name of your receive connector.
[PS] C:\>Get-ReceiveConnector "Relay E15MB1" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient Identity User Deny Inherited -------- ---- ---- --------- E15MB1\Relay E15MB1 NT AUTHORITY\ANON... False False
As with the internal relay example I recommend creating a DNS record for a generic name for SMTP. For most environments there is no need to create separate DNS names for internal vs external SMTP.
Where previously the server responded with “550 5.7.1 Unable to relay”, now an SMTP connection from the IP address 192.168.0.181 is allowed to relay successfully.
220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Tue, 8 Oct 2013 21:11:04 +1000 helo 250 E15MB1.exchange2013demo.com Hello [192.168.0.181] mail from: administrator@exchange2013demo.com 250 2.1.0 Sender OK rcpt to: exchangeserverpro@gmail.com 250 2.1.5 Recipient OK data 354 Start mail input; end with . . 250 2.6.0 <3fe0353b-1e2a-4a6d-9e08-f7744621a0e1@E15MB1.exchange2013demo.com> [In ternalId=20005957664769] Queued mail for delivery
How Does Exchange 2013 Know Which Receive Connector to Use?
You may be wondering how the server knows which receive connector should handle the incoming SMTP connection, considering that both the “Default Frontend E15MB1” and “Relay E15MB1” connectors are listening on all IP addresses and on the same port (TCP 25).
Simply put, receive connector selection is on a “most specific match wins” basis. The connector with remote network settings that most closely match the IP of the connecting server/device will be the one that handles the connection.
The “Default Frontend” receive connector has remote network settings equivalent to “anything”.
The “Relay” connector we just created has remote network settings that list specific IP addresses.
So, if two SMTP connections are inbound, one from 192.168.0.180 and the other from 192.168.0.181, the server knows to handle 192.168.0.181 with the “Relay” connector as it is the more specific match, and handle the other connection with the “Default Frontend” connector.
With the relay connector in place the ongoing management is simple.
- If an application or device needs internal SMTP relay, simply configure it to use the DNS record you configured (eg smtp.exchange2013demo.com) and port 25.
- If an application or device needs external SMTP relay, simply add the IP address of the application server or device to the remote network settings of the relay connector, and then configure the application or device to use the DNS record you configured.
Dear Paul,
I’m an exchange server, 2016 admin, configure SMTP relay and working fine with sending mail to internal but when the SMTP server tries to external mail its not send or send it in the next day
DEBUG SMTP: use8bit false
MAIL FROM:NoReplyTo@^M
250 2.1.0 Sender OK^M
RCPT TO:fissehawelu2@gmail.com^M
550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain^M
DEBUG SMTP: Invalid Addresses
DEBUG SMTP: fisseha w fissehawelu2@gmail.com
DEBUG SMTP: Sending failed because of invalid destination addresses
RSET^M
but the destination mail address is valid i checkd it by mail
Good morning Paul, I am new to the Exchange administration, I find the following problem, in my organization there is a team that sends notifications via SMTP, but they do not reach the recipients, check the SMTP LOGS of the server and this appears:
2021-07-29T23: 56: 54.678Z, XXXXX \ Default Frontend XXXXX, 08D9014954C35895,18,127.0.0.1: 25,127.0.0.1: 17531, <, MAIL FROM: inboundproxy@contoso.com,
2021-07-29T23: 56: 54.678Z, XXXXX \ Default Frontend XXXXX, 08D9014954C35895,19,127.0.0.1: 25,127.0.0.1: 17531, *, SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders, set session permissions
08D9014954C35895,22,127.0.0.1: 25,127.0.0.1: 17531, , 250 2.1.5 Recipient OK,
2021-07-29T23: 56: 54.678Z, XXXXX \ Default Frontend XXXXX, 08D9014954C35895,24,127.0.0.1: 25,127.0.0.1: 17531, <, DATA,
But if I try the notifications from another computer if they arrive in advance, thank you very much for the help.
Good morning Paul, it’s the first time i contact you, your articles are very nice, is it possible if you could help with some article to configure a connector with the port 587, we need to implement a relay connector with authentication, we have two servers exch 2013 dag, ths. for your comments
Quito-Ecuador,
Bladimir Trujillo Vinueza
Thank you so much Paul
Muchas gracias por el aporte, pude solucionar el problema de mi conector relay para enviar a correos externos.
Nice article, but what to do if there are nmessed up connectors?
I am trying to get a list of all IPs that are sending mails trough an “open relay” connector to secure it.
because I am not very firm in Powershell I’ve tried the simple way:
Get-MessageTrackingLog -Start “03/01/2020 00:00:01” -ResultSize unlimited -EventID Receive |where {$_.ConnectorId -like “SERVERNAME\CONNECTOR”} |Select-Object Timestamp,ServerIp,ClientIP,ConnectorID,Sender,@{l=”Recipients”;e={$_.Recipients -join ” “}}, EventID | Export-Csv -Path C:\_Scripts\Results\RECEIVE_by_IP.txt
But there are more than 850000 entries.
How can I add a filter so that I’ll give me IPs only once?
I followed this article step by step and it worked for internal emails. but when i use the external user, it give the error:
rcpt to: testsmpt@gmail.com550 5.7.1 Unable to relay
please help.
Hi Paul,
Thanks for the guide. Works perfectly 🙂
Cheers
I have been an admin for Exchange since the early 2003 days; Paul, this article was absolutely wonderful. This was exactly what I was looking for and it worked first time using two CAS servers, two mailbox servers, and a DNS DAG needing the frontend SMTP relay. You took something that so many people make confusing and did two key things:
1.) Simple to follow and accurate
2.) Explained the why without all of the stupid babble that others try to confuse folks with
I am going to follow this site and read more of your articles specifically because of how good this was. From one engineer to another, thank you.
I have created a relay connector that mail sql server uses to send mails to external recipients. Some of those mail are rejected because for spf. In the NDR I can see that it is because the .local names and local IP addresses are showen and not the public name like .dk.
This was exactly what I needed! I didn’t realize you still had to run that command even though the anonymous box was checked in Exchange admin. Thank you for your articles!
Pingback: FET ports « rakhesh.com
Hello,
Very good article, get here because I need to define routing rules that assign a mail host and / or port for address areas (parts of generic addresses, usually the domain), for example:
*@crm-prod.company.com -> SAPWASHost: 25000
*@crm-test.company.com -> SAPWASHost: 25001
It is not entirely clear to me how to create this routing.
You should connect to my SAPConector that is already configured in my SAP system (crm-prod.company.com and aother SAP crm-test.company.com)
Any help with this. Thank you.
thanks, Paul,
I have a question, please
in the connector options, in the security section there are many options permission groups ( Specify who is allowed to connect to this receive connector.) :
-exchange server
-legacy exchange servers
-partners
-exchange users
-Anonymous users
and as you mentioned we should always allow (Anonymous Users)
can you explain why, please? and what if I did not select any of the above options what will be the relay behavior and what security setting is applied if I did not select any option?
thank you for your reply.
Paul, I currently have two relay connectors on our Exchange 2013 environment: 1) AnonymousSecIP (Authentication: Transport Layer Security & Externally secured; Permission group: Exchange servers & Anonymous)
2) Anonymous Relay (Authentication: Transport Layer Security; Permission group: Anonymous users.
Our KMs can scan and send to anywhere without any restrictions. We would like to restrict the KMs to scan to specific domains only. Can you please provide me with any guidance as to what do I need to make this happen.
Thank you!
Paul – I’ve having an issue with creating the receive connector. I’m setting this up so that an MFP can relay email through our Exchange 2013 server. I’ve went through all of the settings and they are correct. I get a 550 5.7.1 Unable to relay error. I configured the same connector on another Exchange server and it works. I’m not sure what it could be because the servers are set up identical. Is there some security settings that I could check?
Thanks!
hi guys i got confused
i have problem with my 2013 exchange server . i have alot delivery fail massege and how can i configure smart host ?
and another question is how to close open smtp relay?
would you help me please ?
Update:
Just made some configurations. Before that, it was impossible to send mail to outside (and this is what we need – The server response was: 5.7.54 SMTP; Unable to relay recipient
in non-accepted domain).
Just configured the receive connector: Add: Externally secured + Exchange servers, and now the users are able to receive mails from scanners with the transport rule enabled.
Seems to be nice, but this configuration permit to send mail to outside, via “ehlo\mail from\rcpt to…..”.
Any suggestion please?)
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The problem with your transport rule is that Exchange treats mail relaying through an anonymous receive connector (which is what the article above demonstrates) as external email.
What you have done by changing the connector configuration to externally secured is allow the mail from those scanner IPs to be treated as authenticated/internal email.
Yes, such email would be allowed to relay to external domains as well. The anonymous connector demonstrated in the article also allows that. If you don’t want the scanners to send mail outside your accepted domains, you don’t need to create a special receive connector at all (that is also explained in the article above – see the section on internal relay).
The connectors are behaving as they should. The issue is really with your transport rule. A solution would be to add an exception to the rule if the sender IP address is in your internal IP address ranges.
Edit: another option is to have the scanners use an authenticated SMTP connection (i.e. they connect with a username and password). This means they’ll be treated as internal mail. There is already a client receive connector ready for such authenticated SMTP connections, but it listens on port 587 not 25, so you’ll need to reconfigure all your scanners to use the different port (and the username/password(s) as well).
Post 2
As you can see, it’s possible to receive mail from outside, only if the domain account is a member of two domain groups. In our company, we have many scanners, and we need that users that are not members of those two domain groups, to be able to receive mails from those scanners. And they are able to receive if a disable the transport rule. When I activate the rule, they can’t receive mails. In message tracking logs i see:
Transport Rule Agent,,AGENT,FAIL,2680059592709,,18186c54-3b27-4fc2-9be9-08d5d675178e,admin2@corporate.com,'[{LED=550 5.2.1 Message deleted by the transport rules agent};{MSG=};{FQDN=};{IP=};{LRT=}]’
==================
I don’t know why, the transport service percept those messages as from outside. (The default receive connectors i didn’t modify)
I tried already many types of receive connectors for that: Frontend internal, Frontend custom, HubTransport custom (TLS+anonymous users) + 0.0.0.0-255…
The results are the same on all the scenarios.
Post 3
https://technet.microsoft.com/en-us/library/jj657467%28v=exchg.150%29.aspx?f=255&MSPPError=-2147217396 – does not work also.
I don’t want to modify the rule, adding exceptions, because i’m sure there are other solutions. On Ex2010 this rule worked without problems.
Please help me with this situation. Thanks a lot.
Post 1
Hello. Thanks to your articles, I have been able to migrate from Ex2010 to Ex2016.
But please help with this situation, because i’m very confused.
I have a transport rule:
Description : If the message:
Is sent to ‘Inside the organization’
and Is received from ‘Outside the organization’
Take the following actions:
Delete the message without notifying the recipient or sender
Except if the message:
Is sent to a member of group ‘Internet.Mail.Users@corporate.com’ or
‘Internet.Incoming.Mail.Users@corporate.com’
Hi Paul,
Wanted to confirm if we need to renew trusted public 3rd party certificate for SMTP relay server. Please note that this Exch server is just for user management purpose, mail flow is pointing to O365. Hybrid Exchange server works as an internal SMTP relay for our internal servers only, and no 365 services or external servers are involved. It only forwards emails from internal applications that need to send us alerts. Please note that we must authorize the IP address of the servers that are allowed to send us emails internally, within the SMTP/Network properties in the Hybrid Exchange (EMC). Please let me know if i still need to renew my certificate.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
If the same certificate is also used for hybrid mail flow and hybrid free/busy, then you should renew it.
HI, Paul
Whats the best article/link to list/show the way you can setup multiple exchange 2013 servers.
If I did not see it earlier in the posts, I apologize. right now I have 3 with all roles loaded. only one with mailboxes on it. which is not directly pointing to the internet.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Set them up for what exactly? What are you trying to achieve?
In EAC, only option “Hub Transport” is available. “FrontEnd Transport” is greyed out. To solve this i used shell to create the connector via command line and it worked perfectly and allowed me to set the new connector as “FrontEnd Transport”.
Perfect guidance, it helped me a lot. Everything worked perfectly. Thank you very much!
Hi Paul
Ive setup the receive connector as you showed, and the email does now get accepted with no 550 error.
However, they all end up in our default mailbox, even though they have external addresses!
Sending from outlook is fine, its just the auto emails we are trying to send.
Even if I telnet an email now it ends up in the default mailbox!
Do you have any suggestions why it would do this?
Paul
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What is the “default mailbox”?
Hi Paul,
I’m in the middle of a 2007 to 2013 migration and am trying to set up external relay per this article. I have followed the steps and created the new External Relay FET receive connector on the 2013 server (multi-role), and applied just one specific remote IP address on the new receive connector. I still cannot send anonymous external relays from that remote IP.
I turned on Protocol Logging and I discovered that the connection is still being made through the Default Front-End Transport connector instead of my new External Receive connetor. The Default FET is set up per the Exchange defaults and I have not changed them. It has all remote IPs added with the default authentication and permission settings.
I have re-created the relay connector several times and made sure it is set to FET and not Hub. No change.
Only other thing I can think of is some kind of (mis)configuration problem related to the co-existence between our old 2007 server which is still online (have not yet moved Public Folders) and our new 2013 server (which now holds all the mailboxes).
Any ideas? Thanks. Love your articles btw, very helpful and well-written.
Errr…. belay that. I found the problem. And the problem was me, of course.
Of all the stupid things…. I had put the wrong IP address in the remote IP list — each of the 4 times I created the stinkin’ receive connector! I had it in the wrong VLAN (last digits of the IP were .99 as they should have been, just wrong subnet). Gahh!
I have been looking at this stuff too long, things are running together.
Crisis averted, sorry to take up space in the comments and thanks again for your great articles.
Hi All
I have added the following for my invoices to go out to my clients from a linux box.
Receive connector external smtp relay : Anonymous
Accepted domain added : yes
How ever when i get a new client from new domains i have to go and add the accepted domain each time so the email can successfully reach its destination.
How can i set it up on the receive connector external smtp relay to send to all domains? so i dont have to go and add the accepted domain each time?
Kind regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You shouldn’t need to add other people’s domains to your accepted domains list for anonymous relay to work. I suspect you haven’t set up the relay connector correctly.
Hi Paul, it is a great article. Anyway I am little bit confusing about “default frontend connector” configuration on exchange 2013, why does it allow internal relay by default, i thought it is unsecure design. is there a way to make authentication internal relay, I already disabled anonymous permission group, but then another issue found where I cannot receive email from external/public mail.
Thanks in advance
Best Regards,
Inc
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
It’s not insecure. External senders need to be able to send email to your users without authenticating, and that connector config is what makes that possible. That’s not a security problem, it’s how email works.
Used your article to configure Relay for 2 Internal Servers/Apps on Exchange 2007 quite some time ago. App is configured to connect to an IP Address on the Old Exchange Server and everything worked well. In the Process of upgrading to Exchange 2013(then eventually to 2016) and ran into a strange issue I am hoping you can assist with. We set up the New Server, still no issues and everything worked. After moving a couple of Mailboxes to the New Server, we discovered that Users who’s Mailboxes have been moved can no longer send emails via the App. They receive no errors/bounces, but the Recipient does not receive the Email and I am unable to find any reference to the Emails in Message Tracking on either server. Thanks in advance for any advice/direction you may be able to provide.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You’re just going to have to turn on protocol logging on the receive connectors and start troubleshooting. I can’t think of a specific issue, but that’s where I’d start.
I would like to make the external relay but with authentication, is that possible?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You don’t need a custom receive connector for that. There’s already a client receive connector for authenticated SMTP clients to use.
Hi Paul,
I am trying to follow your instructions on how to setup the receive connector for external relaying but I hit a snag.
I created the connector through ECP and I checked through PS that it’s recognized (Get-ReceiveConnector “SMTPrelay”) but when I run the command to add the permissions, the command errors out and states the connector “SMTPrelay” cannot be found.
I noticed that when running Get-ReceiveConnector the Identity returned is prefixed with the hostname of the Exchange server so I tried the permissions command using that as identity “exchhostrname\connectorname” but I get the same result, connector not found.
Any ideas what I am missing?
Kind regards
Steve
Hi Paul, figured it out. It did not work when connectin to exchange ps using the ps on my laptop but it worked when performing the command on the exchange management shell on the server itself.
Problem solved 🙂
Kind regards
Steve
G’day Paul,
What are the downsides to enabling the default receive connector to send externally?
Is it just that it’s best practice to have separate internal/external connectors?
Reason I ask is because although our AOS’s are permitted to send via the new receive connector, when emailing using the workstation-installed AX client, the outbound IP address of the email is that of the workstation not the AOS so it’s defaulting to the default receive connector which of course is internal only.
Without adding all of the workstations to the “allowed list” is there anything you would suggest I could do?
Thanks in advance,
Al
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I don’t know what an AOS and AX are, but as a general answer, if you want a client to be able to send externally it can do so by authenticating the SMTP connection. Authenticated clients don’t need to be allowed by IP, because they’re being authenticated by their credentials instead. There’s a client receive connector preinstalled on the Exchange server that is designed for that purpose. It listens on port 587 and is setup for secure authentication.
Hi Paul,
I need to use my exchange server to relay mail from my website that is external to my network, how I have to set up exchange so my page would be able to send mail through my exchange?.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You should read the blog post above.
Hi Paul,
Thank you for the great article. I woul like to send notification e-mails to an external e-mail address from local devices (these devices are located in different local subnets).
I created the receive connector as you described, but it works only, when the sender ip address is in the same subnet as the Exchange server is.
If I configure a sender ip address from another ip subnet (I have more, than one local subnets), it does not work. What I’m missing?
(Examples: server has an internal ip: 192.168.200.3/24. When I test the settings from client 192.168.200.50, the anonymous receive connector works as expected, the mail sent out. When I test it from client 10.10.10.11, I always get “Unable to relay” error.
What I’m missing?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Is there any network devices that are NATing the connections from the remote subnets?
after spending 2 days our vendor engineer use these commands on edge server to work fine. obviously the steps you mentioned in your article as well
can you tell me why below commands required ??????
New-ReceiveConnector -Name “erelay” -TransportRole HubTransport -Custom -Bindings 0.0.0.0:25 -AuthMechanism None -PermissionGroups AnonymousUsers -RemoteIpRanges xxxx.xxxx.xxxx.xxxx
Then configure the AD permissions for anonymous relay on the new Receive connector
Get-ReceiveConnector “erelay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
Pingback: Exchange 2007 to 2013 migration – A random blog from a sysadmin
Hello Paul,
Thanks for the article .
I’ve a server that cannot send external emails to public domains like google ,Hotmail and yahoo .
I already have a receive connector created in my exchange server to enable relay its enabled .and the settings are as below.
Protocol Logging level : None
Security : Transport Layer Security (TLS)
Anonymous users
Scoping :
Remote Network settings : List of Internal servers IPs
Network Adapter binding : Exchange IP Address PORT:25
FQDN: Mail.electrolux.com.eg
All servers are sending to our internal domain normally, yet the emails are not sent to external emails.
Any suggestions?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You’ll need to be more specific. Are your emails to those email hosts being rejected? Is there a rejection or non-delivery report that provides more detail about the reason for being rejected?
the below error is received : ORA-29279: SMTP permanent error: 550 5.7.1 Unable to relay
to be more specific:
we have only 2 servers that require sensing to external Domains ,both are added to the same receive connector rule using thier IPs.
Server 1 : Required to send to external trusted domains.
Server 2 : Reruired to send to non trusted external domains.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What’s the ORA part of that error? Where do you see that? In the logs of the servers trying to send email?
It honestly looks to me like your Exchange server is just rejecting the messages because you haven’t configured the relay connector correctly.
Hi Paul ,
excellent tutorial , i have created SMTP relay now i want to add another IP as well so my question is ” is it possible to add more then one IPs to receive connector.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes.
Hi Paul,
I have setup the receive connector as you have demonstrated and added in the IP for my machine to test the relay.
I am still getting the error ‘550 5.7.1 Unable to relay’
Do the settings take effect straight away or do I need to wait?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
They take effect straight away. If it’s not working then you’ll need to turn on protocol logging on the receive connectors, do some test connections, and then look at the protocol logs to see which connector name is handling the connections.
I’ve turned on protocol logging and the right connector is picking up the connection. I notice when I check the extended permissions I have the following:
Identity User ExtendedRights
——– —- ————–
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-SMTP-Accept-Any-Sender}
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-Accept-Headers-Routing}
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-SMTP-Submit}
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-SMTP-Accept-Authoritative-D…
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-Store-Create-Named-Properties}
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON {ms-Exch-Create-Public-Folder}
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON
Mail-13Anonymous Relay External NT AUTHORITYANONYMOUS LOGON
Would not adding the AD permission not allow the relay?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
“Would not adding the AD permission not allow the relay?”
I don’t understand what you mean.
Sorry, I realize that the question was not specific enough. What I meant was, I had not run the following command:
Add-ADPermission -User ‘NT AUTHORITYAnonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
In my lab, I was able to get to anonymous relay working internally without this permission but the lab does not have any external send connectors
Is this permission required for external relay?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, that’s all covered in the article.
Hi Paul.
Followed the article to the letter but when I try Telnet I keep getting error 501 5.1.3 Invalid address (rcpt to:).
to address is indeed valid (external address), so not sure what the problem is.
Maybe related to this??
https://support.microsoft.com/en-us/kb/944302
Yup. That was it. As soon as I assigned a default domain value to the connector it worked.
Paul – thank you for this article. Struggled with the connectors and was having difficult time finding a solution that made sense. This worked perfectly for our situation!
Hi Paul,
Am Newbie to exchange server 2013 and I have configured and installed exchange 2013 and able to receive and send emails on home lab.
Question :- Do I have to configure SMTP on exchange 2013 since am receiving internal mails.
Thanks
Blaize
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I don’t understand your question. You’re saying email is working fine… but?
Sorry for that, Here I have installed and configured the Exchange 2013.
But to proceed for the next step, How to setup an outlook in IMAP setting and in server information it ask for outgoing mail server(SMTP) . Do I have to configure a SMTP to access the Outlook. or Where to find the smtp server name in ECA.
Hope this is clear.
Thankyou
Blaize
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
There isn’t anything to find in EAC. You just need a DNS record that points to either your Exchange server, or to a load balancer, e.g. “smtp.contoso.com”.
How will block relay mail exchange server
How will block relay mail
Nice Article!
However there is one scenario that hasn’t been addressed. What in case an external user connect to SMTP server and able to relay a mail from any internal employee mail id to other employee email id without authentication? Kind of impersonation.. is there any way to control it in MX exchange server.
Awaiting for prompt reply as we are facing problem because of this issue.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Are you trying to allow impersonation, or prevent impersonation?
To prevent Impersonation.
I want to restrict any external user(malicious user) to use my mail server to send relay mail within the organization employee without authentication.
Please let me know in case you need any further information.
Thanks
The impersonation is happening as of now and I need to stop it at the earliest.
Kindly help me to get out of this situation.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You should implement an SPF record for your domain, and then make sure your spam filtering is configured so that the incoming emails that fail SPF lookup will be treated as spam. There’s a bit of research for you to do for all of that.
So its means a user from internet can directly telnet my server and can send mail using any valid email ID to any other email id within the organization??? and that also without any authentication.
Does MX server has no feature to directly control it??? Its leaves the organization at high risk….
Is there any was we can put some kind of authentication to verify the user before he/she sends the mail using the telnet connection????
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Every email from the internet to your organization is unauthenticated. That’s how email works.
If you’re trying to prevent spammers from impersonating your domain when they send spam to your users, that is something that an SPF record can help to prevent (as can a proper antispam product or service).
I understand that every mail comes from internet, but does it mean that external user can use my organization email id without my consent to send emails to my colleague within the organization…???? This is hard to believe….
Nobody must have rights to use my email id without my permission to send mails on my behalf. Correct me if I am wrong, because this is exactly whats happening now.
Request you to suggest some link/blogs addressing the this issue….
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The SMTP protocol doesn’t prevent someone from sending an email anywhere they like, using any domain as the “from” address. That’s the nature of SMTP.
What you’re referring to is called “spoofing”, when someone is sending email using your domain name.
Like I keep saying, this is something you need to look into stopping with an SPF record and some proper antispam filtering.
Here’s something to get you started:
https://www.practical365.com/exchange-best-practices-spf-records/
Good morning people,
In my organization we are facing a problem since a few months. then we set edege transport and have an open rely, we have found that edge server have used a lot of resources, conditioning the proper functioning of exchange and we have received several event just messaging logs to say that (The Microsoft Exchange Transport service is rejecting message submissions because the service continues to consume more memory than the configured threshold.) we have tried several things and works deppois to and from the same problem.
I need your help to resolve this issue.
Thanks for this article. This is great to understand how internal devices connects to Exchange server and emails are handled.
We have a situation here in our organization where we want to block spoof emails coming from outside based on SPF validation. Our SPF record is fine. Now when I enable sender filtering to Reject spoof-emails by following command, it works, but then it also starts to block internal-devices/applications anonymous emails.
Set-SenderIdConfig -SpoofedDomainAction Reject
How do I resolve this issue? Do I need to create a separate internal relay connector for internal devices/applications? Even if I create a separate internal-relay connector, the SpoofedDomainAction Reject settings will still likely be blocking those emails I guess. Do you have any suggestion how can we resolve this? We need to take advantage of SPF validation to stop spoof emails from outside.
Thanks.
I’ve tried the above but from an external location e.g. to user@aaa.mydomainx.com it says 550 5.7.1 Unable to relay – When i use the same connection and send an email to user@mydomainx.com it works..
Primary Domain is mydomainx.com
I have two email servers on my network. one which handles an sms relay server (x.x.254.3 with an internal dns entry of aaa.mydomainx.com) and the other my main exchange 2013 server (x.x.254.x with an internal dns of exchangeserver.domain.com)
I have a send connector which routes any email addressed to user@aaa.mydomainx.com to the sms relay server
Internally routing email to the aaa.mydomainx.com is not an issue and works fine.
What I want to do is allow specific external locations to be able to relay through my exchange server exchangeserver.mydomainx.com to the sms relay server aaa.mydomainx.com
any idea’s
Thanks
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Turn on protocol logging for the receive connector, perform some tests, and then look at the protocol logs. If the receive connector is correctly configured, and it has the correct external IP address(es) added for permitted relay sources, then it will work. The protocol logs should give some clues as to why it isn’t working.
Paul we are actually attempting the same to connect to Exchange 2010 from an app over port 25. The app sits in a DMZ and exchange in internal. The Receive connectors are configured to allow traffic from the DMZ IP. What we are seeing is that the app will kick back a 550 error. I looked at the logs and could not see any 550 connection errors. I hope someone has some idea or direction to look at.
Regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Unless you can share more information about the error message there’s not much I can suggest.
Thanks Paul..Precisely what I was looking for..Always the best place to find Exchange related answers.. 🙂
hello
after the creation of receive connector i have insered in power shell Get-ReceiveConnector “Receive Connector Name” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient” but it tell me thay are an Error that the user NT AUTHORITYANONYMOUS LOGON is not found..
pleeae help me
I have the same Problem :/
You should use your language for “AUTHORITYANONYMOUS LOGON ” that was my Problem.
Is it possible to log when a connection request is denied by Exchange?
Thanks for this, exactly the steps I needed to solve my issue with anonymous SMTP relay to external e-mail addresses.
Hi Paul,
Got bump in some issues recently, It might be off topic. I dunno..
I was integrating a third party archiving in exchange 2010 and configured smtp forwarding. Basically, we configured journaling account and smtp connector and when all is up running. Someone shutsdown the archiving server and emails started to build-up in exchange. So we got traffic congestion. Please tell me if your encountered something like this.. Thanks!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
So you’ve got journaling that is sending items to an archiving server… the archiving server is shut down… and you’re now seeing all that journaling accumulating in your transport queues?
That makes perfect sense. With the archiving server shut down the emails have nowhere to go, and will queue instead.
Hi Paul,
Need information on customer are having SMTP Relay in place now but it needs to be setup somewhere besides the 07 exchange servers. What should be best solution for doing ?
Thanks Jatin kakkar
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Set it up on a different Exchange server? Maybe I don’t understand your question, but that seems like the simplest solution to me.
Setting a receive connector on Exchange 2016 getting this error: The values you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on receive connector “serverdefault Frontend Server” A receive connector must hae a unique combination of local IP address and port bindings and remote IP Ranges.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Sounds like you’ve missed a step or tried to set the remote IP range as the existing connector. You need to remove the default 0.0.0.0-255.255.255.255 entry and replace it with at least one IP that you want to be allowed to relay through that connector.
Paul, I have a working External Mail Relay receive connector working. This relay is for internal systems and printer to send to any email address. Thanks for the easy to follow article on getting that set up. However, I have tried to hand off the task of adding new IP addresses to the help desk to add new IP addresses to the receive connector, but they do not have rights to do so. It seems, unless the user had Enterprise Admin rights, they are not able to modify a receive connector.
Do you know a way in which to change those permissions on a receive connector, so that someone with lower permissions can modify the connector?
Very happy to see your thread is still active
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
They don’t need Enterprise Admins, that’s an AD permission. Exchange has its own permissions groups for different roles. If you’re using the pre-configured ones, I suspect the “Server Management” Exchange group will let them modify connectors. But it will let them do a whole lot more than that, so you’d need to look at configuring a custom RBAC group if you want to limit them to just being able to modify receive connectors.
Hi Paul,
Thanks for the detailed article it helps a lot. I was able to configure relay for specific IP on my Exchange Server 2013 and under Security, Authentication is set to TLS and Permissions group is set to Anonymous users, but application (ME Security Manager Plus) was unable to send external email though internal was working fine even without the relay.
I had to run mentioned command on Exchange Management Shell to grant permissions for anonymous users and external emails worked like a charm. Now my question is how good is this work around as a security perspective as we’re giving permissions to Anonymous users? Or it’s just Anonymous Users for that particular relay allowing application to relay emails externally?
Could you please elaborate?
Regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
If you’ve set up the connector by following the steps in the article, then the only IP addresses that will be allowed to anonymously relay through the connector are the Remote IP Ranges that you configured on the connector.
Thanks for the response. I’ve tested telnet and I could only “rcpt to: ….” from the relayed IP server and it only worked for that server. I’ve also tested from a different server and rcpt to: was unable to relay, so it’s all looking good.
Cheers
Hi Paul, Thanks for this tut. I was able to create the connector and allow the DBmail to send.
Regards;
Carlos
Pingback: Configure Microsoft Exchange Smtp Relay – Fighting Share
HI Paul, I have followed the exact steps to work my printers. But had no luck yet.Could you please help. Thanks
Hi paul ,
Thanks for wonderful article
I have on premises exchange 2013 server .
how can I setup for receive emails on particular email A/C from public web server (web query form using the standard .Net SmtpClient).
ailMessage message = new MailMessage();
message.From = new MailAddress(“sales@xyz.com”);
message.To.Add(new MailAddress(“jason@abc.com”));
message.Subject = “New Enquiry – ” + model.First_Name + ” , ” + model.Last_Name;
message.Body = request;
SmtpClient smtpClient = new SmtpClient(“mail.xyz.com”);
smtpClient.Port = 25;
smtpClient.DeliveryMethod = SmtpDeliveryMethod.Network;
smtpClient.UseDefaultCredentials = false;
smtpClient.Credentials = new NetworkCredential(“sales@xyz.com”, “user101.”);
smtpClient.Send(message);
Pingback: Godaddy Smtp Server Response 550 5.7.1 Unable To Relay For – +ADw-/title+AD4 HACKED BY +AD4 ant07alya +ADw TURKHACKTEAM// HACKED BY +AD4 ant07alya +ADw TURKHACKTEAM// HACKED BY +AD4 ant07alya +ADw TURKHACKTEAM//+ADw-DIV style+AD0AIg-DISPLAY: none+AC
Pingback: Godaddy Relay Server Blacklisted – Cyber Sun
hello Paul. thanks for the article, actually i have 2 queries
1- how to identify and track a particular message/email is using which connector by powershell
2- how to identify which receive connector has an external relay access, also by powershell and incase there`s another way
Many thanks
Hi Paul. Great article. We currently have an Ex2010 environment with a DNS name pointing to an anonymous receive connector for anonymous internal SMTP communication. We have a separate AD site in the same Datacenter with 2 servers that are configured for anonymous External communications that is used for bulk email communications to external customers. We have a scoped send connector for default * (all domains) for those 2 servers that sends it direct to the internet rather than through our normal egress. There’s a different DNS name for app servers to use this environment. This prevents our normal egress IPs from getting blacklisted due to mass communications. How would we set up exchange 2013 receive connectors to accomplish the same goal? Do we have to maintain the separate AD site or is there a different way to accomplish this? Many thanks!
Pingback: Incorrectly Adding New Receive Connector Breaks Exchange 2013 Transport | Troubleshooting Exchange
Hi Paul,
We see a 30 second delay on e-mails traveling through the relay.
1. I have heard through the grapevine that there is a relay time setting, is this true?
2. If there is a relay time setting can you show where to set it?
3. Are there risks to consider by changing this setting?
Thanks in advance for your time.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You might be thinking of the tarpit interval, which is 5 seconds by default. But it shouldn’t be causing 30 second delays. In your situation I would look at the message tracking logs for a test message and see which step in the pipeline the delay is occurring at.
Thanks for your informative post!
Summary:
What is the most secure way to relay messages from a non-Exchange server through an Exchange server? Can this be restricted to only relay mail coming from user@googledomain.com, and send it out as user@exchangedomain.com, using the Exchange credentials of that user?
Detail:
My boss recently recently acquired a company that uses Exchange. Our company uses Google Apps, and he gets his email from boss@exchangedomain.com forwarded to his current address, boss@googledomain.com, so they’re all in one place. He would like to use the “send mail as” feature in Gmail, to respond to emails with the address they were sent to. That feature requires an SMTP server address, username/password, and TLS- or SSL- secured connection.
Would an External SMTP Relay work for this? From what I understood, I’d have to create a DNS alias for the existing CAS, then configure a new receive connector for that CAS. The type should be “Custom”, Security should be “Transport Layer Security (TLS)” and the Permission group “Anonymous Users”.
My question is, would the above configuration work with the connector Type being “Client”, or Permission group “Exchange Users”, since the user in question does have credentials for an Exchange accoutn?
Thanks Paul. We have multi role exchange servers but the two Edge servers in the DMZ. Just one more question on the receivers…Frontend transport for internal relay and hub transport for external relay?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
On a CAS/MBX the only correct answer is Frontend, even though Hub is there as an option.
https://exchangemaster.wordpress.com/2014/01/24/incorrectly-adding-new-receive-connector-breaks-exchange-2013-transport/
Thanks Paul. Great help as always.
Scott
Hi Paul, Great Article as usual. I have a question on the receive connectors. My company has taken over the support of an exchange 2013 environment. Its in the process of migrating from 2010. We only have to move the current Receive connectors to the new environment. We are having issues with this and have found that the current ones are created on the Edge Transport servers. You don’t mention doing this in this article. is this something you have come across?
Regards
Scott
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What do you need the connectors to do?
The connectors need to relay internally and externally
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Same concepts should apply here. Your choice whether to place the new connector on an Edge (ie in DMZ) or on a CAS/MBX (internal to the network). Consider where the SMTP connections will be coming from.
Hi Paul;
Thanks for the good article. In regard to the DNS record. I have 2 CAS and 2 Mailbox servers and want to provide high availability for the smtp relay. Can I create 2 DNS record for smtp.domain.com that points to the IPS of my 2 CAS servers?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can do that, but many applications and devices that use SMTP are not smart enough to handle round robin DNS. So if one server is down they may try the wrong IP, fail to connect, and just fail or error out entirely instead of retrying or trying the other IP.
Thanks Paul.
This works perfectly for our scanners, voicemail etc. One application is giving us a problem however that is using the server as relay and about 25% of time will error out.
error: Error in processing. The server response was: 4.7.0 Temporary server error. Please try again later. PRX5
If we resend it will go thru. The IP address of that server is listed in the new receive connector. We have also tried changing the network adapter bindings to the specif IP address of the server. You mentioned that the most specific match wins. Is there a log file that we can check to see which connector a particular email tried using. Or do you have any other suggestions?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Protocol logs will give you the picture from the server side of things.
Your place is valuable for me. Thanks!!
http://www.google.com
Hi Paul
I hope you are well. Can you point out or direct me in setting up exchange 2013 smtp server. so that clients and other devices not in the network can connect to my smtp.domain.com and send mail.
I have published port 587 on the TMG to forward to exchange. but the smtp account details don’t seem to work.
Regards
Hi Paul,
I am deploying Exchange 2013 (Upgrading from 2010). There are some applications that require SMTP relay to be sent internally as well externally. When I configure SMTP relay on my CAS servers and use smtp command line test I get the message that email is queued however I don’t receive email at all. This is happening for both, internal and external email.
Any suggestions?
Vic
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
If it’s being queued but not delivered you should be able to see it in the output of Get-Queue and Get-Message.
Eg, Get-Queue SERVERQUEUEID | Get-Message
If it’s not still in the queue then I would run a message tracking log search to try and find where it went.
Thanks Paul,
There is nothing in the queue however message tracking shows the following for the test message. Fourth one from the top is showing as “Fail” in EventID field.
Timestamp : 8/4/2015 12:38:11 PM
ServerHostname : PRDMBX2
ClientHostname : prdmbx1.domain.com
Source : SMTP
EventId : HARECEIVE
Recipients : {user@domain.com}
Timestamp : 8/4/2015 12:38:12 PM
ServerHostname : PRDMBX1
ClientHostname :
Source : SMTP
EventId : HAREDIRECT
Recipients : {user@domain.com}
Timestamp : 8/4/2015 12:38:12 PM
ServerHostname : PRDMBX1
ClientHostname : PRDCAS1.domain.com
Source : SMTP
EventId : RECEIVE
Recipients : {user@domain.com}
Timestamp : 8/4/2015 12:38:12 PM
ServerHostname :
ClientHostname : PRDMBX1
Source : AGENT
EventId : FAIL
Recipients : {user@domain.com}
Timestamp : 8/4/2015 12:38:12 PM
ServerHostname :
ClientHostname : PRDMBX1
Source : AGENT
EventId : AGENTINFO
Recipients : {user@domain.com}
Timestamp : 8/4/2015 12:39:43 PM
ServerHostname : PRDMBX2
ClientHostname :
Source : SMTP
EventId : HADISCARD
Recipients : {user@domain.com}
Any suggestions where to look?
Thanks,
Vic
I think I just found what is causing this issue…..McAffee anti spam rule is marking it as spam and doesn’t allow it to be delivered.
Hello Paul,
Any last minute suggestions?
Thanks! George
Hi Paul,
I have used this article for reference. Followed it to the letter and I still cannot relay to external email addresses. It is a corporate environment with a load balancing CAS cluster telnet returns cannot relay in your example above. the purpose is to forward requests from an application, internal email addresses work as expected. If you have any suggestions, they are greatly appreciated.
Kind regards,
George
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Is there a load balancer involved?
Yes, I can telnet to the fqdn and test fails. I have set up each CAS server the same. Thanks for the reply.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
100% of the time I find this is due to the connector not having the correct IP range specified. I can’t think of any other causes I have seen in the past.
Turn on protocol logging for the connectors. The protocol logs on the server include the name of the connector handling a particular SMTP connection. Look at the logs and make sure that the correct connector is actually handling those connections.
When a load balancer is involved, depending on your load balancer config, the CAS might see the original source IP or it might just see the load balancer IP if source NATing is being used, so keep that in mind as well.
Paul, you are on the money. The default connector is handling these messages. I have verified the source IP addresses for the “relay” connector. If you have any further insight regarding this, it is immensely appreciated.
Kind regards,
George
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
So you’ve added the IP of the application server to the “remote network settings” of the connector?
Are you using a single IP or trying to specify an IP range/subnet? Could there be anything else that is changing the source IP (eg the application sends as different IP also assigned to that server, or a NAT device is in between the two servers)?
Hi Paul,
NAT rule… Admittedly I was stumped the public IP of the app server needed to be added to the scope. Simple solution.
Thank you for pointing me in the right direction.
Many thanks!
George
Hi Paul,
Great article! Thank you for all your insight and expertise.
We are configure custom receive connector but I have below Message when send email
Remote Server returned ‘550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was
rejected by organization policy’
Can you help Please
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Looks like you’ve got a Transport Rule in your organization that is rejecting the messages.
Hi Paul
Yes good article but have a question and a problem;
I wish to do as your article suggest , i.e internal app sending to external recipients (CAS server exchange 3013), why do I need a receive connector NOT an send?
Is the mail picked up by the “receive” & forwarded to the “send”- basic I’m sure but confusing.
2 When I set up as per your instructions all inbound external mail stopped, I had to delete the new external relay, on the receive connector- client front end transport service, to get it back. I believe this is because the default client front end transport role is using port 25 already by default so there is a conflict?
Can you help please
Hello Paul , is necessary add new interface network from Relay Connector? Or not problem use some Default IP Exchange Server.
Thanks , nice post.
Hi Paul,
Great article! Thank you for all your insight and expertise.
We are currently finishing our 2010 to 2013 migration (6 multi roles servers in a DAG with CU 8). We still have 2 – 2010 edge servers subscribed which utilize a relay connector for our apps and devices such as copiers. I seem to understand the steps you laid out for creating the new connectors on the 2013 servers however, are there any steps I should consider during the migration and eventual elimination of the 2010 edge servers?
We plan to move to EOP and decommission the edges. Would creating the new connectors in 2013 with an updated DNS record to have their IPs suffice? Would there be any overlap with the relay connectors on both the edges and 2013 multi role servers?
Thank you for any insight you can offer.
We are creating an external relay and getting issues. Currently our mail server resides outside our network we are able to receive relayed emails internally but not able to relay them out ( from our application servers) We have configured the external relay just how you have it mentioned above but we still can not get our application servers to send to external domains.
Any thoughts?
When we try and telnet we get the 550: unable to relay error.
Our current setup is each role is on its own server. Edge has its own server as well as the mailbox servers and the Client Access server.
Is there something we are missing.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
“our mail server resides outside our network”
What does that mean? Your Exchange server is outside your network? Is there a firewall or NAT device between you and the server?
Pingback: How to Configure an SMTP Relay Connector in Exchange Server 2013 | maksimusprime
I am facing the same problem, My company have Web Shop outside country and that Web Shop need’s to send email to customer & Purchase office in our company when any order is created.
We got the Real IP for the Web Shop and I have created the Relay Connector for that IP as suggested in this blog, still I am getting below error message while sending email through Web Shop to customer
” Transaction failed. The server response was: 5.1.2 Recipient address rejected: User unknown”
When I send to internal email through Web Shop it works, but for external it doesn’t work.
I have Symantec Messaging Gateway in between and I have added the Real IP in SMTP in that application also.
Kindly any one can let me know the solution..
Thank you
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Your Symantec Messaging Gateway is rejecting the emails to customers because the customer’s email address doesn’t exist in your organization.
Either turn off recipient validation in your Symantec Messaging Gateway, or just let your web server send the emails directly to the recipient’s server instead of trying to relay through your server.
Hi Paul, how come in your Exchange 2010 relay article you choose to use Exchange Server for the authentication permission group, but for Exchange 2013 you choose to use Anonymous for the permission group? Thanks.
I followed your instructions, but it’s still not working for me, in my logs, it still says “relaying not permitted”.
Not sure what else to do.
Hi Paul, I’ve created a receive connector for SMTP Auth (External) and setup the TLS security & Basic Authentication for except Anonymous users. After restarting the MS Exchange Transport service, while performing the SMTP telnet test, it showing only AUTH NTLM capability. What is the difference between AUTH PLAIN LOGIN and AUTH NTLM? how we can setup those? I need to setup External SMTP Auth for Exchange server 2013 on premise installation.
Thank you
Logendra
Paul,
I do not want to specify IP address to the connector. That means maintenance of unexpected problems in the future.
What happen when I execute the Add-ADPermission command on the automatically created receive connector called “Default Frontend SERVERNAME”
Get-ReceiveConnector “Default Frontend SERVERNAME” | Add-ADPermission -User ‘NT AUTHORITYAnonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
That evey device is able to send internal and external mail using TELNET?
Regards, Hans.
Hi Paul,
Good article. I’ve seen other articles that mention that the best way to enable an EXTERNAL SMTP relay is to use Authentication type of Externally Secured (for example with IPSec” option and then select “Exchange Servers” as the Permission Groups. I’ve always used this for Exchange 2007 and 2010 but then came across your method of doing it via Anonymous.
Secondly, with an unauthenticated external relay that is locked down to IP, which option would you need to tick to require TLS (ie. block if TLS is not used). There’s an option for Basic Authentication to require TLS, but not sure how you’d do it for an unauthenticated relay.
Cheers,
Sam
Hi Paul,
A quick question to ease my mind please…
My current Exchange 2013/2010 environment is as follows:
2 member DAG – 2 x Front End 2013, 2x Mailbox 2013 and 2x edge 2010.
Where is the best practice location for custom receive connectors ( ie. server alerts to outside addresses), the FrontEnd server or the Edge server?
Also, the Edge servers are in a DMZ if that has any bearing.
Thanks very much,
Martin
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
There’ll be less firewall config for internal apps to send via the CAS.
Any apps/servers in the DMZ may be easier to hit the Edge.
Dear Paul,
We created recieve connector on both Client Access Servers but We are getting following error while run this command: get-receiveconnector “Relay” | add-adpermission -user “NT AUTHORITYAnonymous Logon” -ExtendedRigh
ts MS-Exch-SMTP-Accept-Any-Recipient
Error: The operation couldn’t be performed because object ‘MB1.Contoso.comExternalAppRelay’ couldn’t be found on
‘DC.Contoso.com’.
+ CategoryInfo : NotSpecified: (:) [Get-ReceiveConnector], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=MB1,RequestId=683ec413-c7ae-4f9c-968e-160b829af8d0,TimeStamp=1/14/2015 6:22:4
2 AM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 4F346B2D,Microsoft.Exchange.Management.SystemConf
igurationTasks.GetReceiveConnector
+ PSComputerName : CAS1.contoso.com
Please advise…..
Best Regards,
Mohamed Shuaib
Hi I am having the same exact issue
The operation couldn’t be performed because object ‘exc02.workgroup.comScanRelay’ couldn’t be found on ‘NYDC01.workgroup.com’.
+ CategoryInfo : NotSpecified: (:) [Get-ReceiveConnector], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=EXC02,RequestId=0a0d55bd-8194-4112-b5ae-3b4ccafd38e3,TimeStamp=3/31/2015 3:56:03 PM] [FailureCategor
y=Cmdlet-ManagementObjectNotFoundException] C4CB8D4C,Microsoft.Exchange.Management.SystemConfigurationTasks.GetReceiveConnector
+ PSComputerName : exc00.workgroup.com
I’m having the same issue. Were you able to figure out what is causing this error? I have a couple a couple CAS servers and a couple Mailbox Servers in my environment. I’m setting this up on the frontend server.
[PS] C:\Windows\system32>get-Service | Where DisplayName -like “*Transport*” | Select DisplayName
DisplayName
———–
Microsoft Exchange Frontend Transport
I run this command on the server with the connector I created we’ll call it server_A
Get-ReceiveConnector “ATF External Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Log
n’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
And in the error it specifies a different Exchange server name we’ll call it Server_B
The operation couldn’t be performed because object ‘Server_B\ATF External Relay’ couldn’t be found
on ‘DomainController_A’.
+ CategoryInfo : NotSpecified: (:) [Get-ReceiveConnector], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=Server_B,RequestId=09ad5289-f4b7-42bc-9788-bda86824a512,TimeStamp=8/2/2017
8:53:30 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 9002CE25,Microsoft.Exchange.Management.Syst
emConfigurationTasks.GetReceiveConnector
+ PSComputerName : Server_A
Never mind I figured it out. You just need to specify the server name in the command.
Get-ReceiveConnector “Server_A.domain.com\ATF External Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Log
n’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
i try to install the relay connector.
i got this error when changing the rights for the user anonymous:
[PS] C:Windowssystem32>get-receiveconnector “po” | add-adpermission -user “NT AUTHORITYAnonymous Logon” -ExtendedRigh
ts MS-Exch-SMTP-Accept-Any-Recipient
User or group “NT AUTHORITYAnonymous Logon” wasn’t found. Please make sure you’ve typed it correctly.
what is going wrong?
I’m having this issue as well, did you ever find a fix for it?
Nevermind, I figured it out. I actually copied the command from a different website detailing the same steps, where they left out a backslash in the -User switch. the command should be:
Get-ReceiveConnector “SuiteCRM Relay” | Add-ADPermission -User ‘NT AUTHORITY\Anonymous Logon’ –
ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
-note the “\” character between AUTHORITY and Anonymous.
The same article I copied the command from also left out the hyphen beween Any and Recipient at the end.
Hi Paul,
So we have an application that sends email to exchange 2013 going out to external client.
our application is actually a mailer that sends notifications, username and passwords to our external clients.
My question is: How can i track all those messages if they are really delivered or not?
Thank you.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Message tracking logs will tell you whether the message departed your network successfully or not. Beyond that you can’t reliably confirm it was delivered to the recipient’s mailbox.
Hello Paul,
I have a question about external relay.
Is it possible to relay only e-mail from our accepted domains to the outside world?
Now we have a relay connector on the mailbox server (not the CAS) that will relay e-mail for several devices within our network (Printers mainly) but that connector even relays mail from domains outside of our company, we don’t want that.
Hope to hear from you.
Thanks!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, do authenticated SMTP from the devices/apps sending email instead of allowing anonymous relay from their IPs.
Inherited a working MS Exchange 2013 installation on a single Windows 2012 server using eXchange POP3 as a relay. Due to performance issues it was decided to upgrade the MS Exchange 2013 server to SP1 and subsequently to CU5. According to Microsoft any upgrade on the Exchange 2013 server will basically be a new installation. Added to this the SP1 saw the return of the Edge Transport role, which was missing in the RTM release. Needless to say my installation is no longer working and I spent some very frustrating hours trying to get it going again. Configured the Edge Transport role as per instructions found online and can see that eXchange POP3 is having a proper hand shake with the Exchange server’s SMTP port 25 but doesn’t complete the transfer resulting in the following error message.
“Negative response from the SMTP server: 451 4.7.0 Temporary server error. Please try again later. PRX4”
Have gone through every online support information I could find, issues like making sure that only one IP is mentioned in the DNS query, etc, etc, but have still difficulties
Believe that my problem could be with the configuration of the “receive connectors” configuration. Have right now the following five (5) configured:
Receive Connectors
Name Role
Client Frontend FrontendTransport
Client Proxy HubTransport
Default Frontend FrontendTransport
Default HubTransport
Link FrontendTransport
But I am struggling with the >security >Authentication setup for each of them since I am not 100% sure which options to tick (activate) individually for each one. For example when configuring the last one to be used for the “Edge Transport role” I used only “Anonymous users” following guidelines found on the Internet as well and did subsequently the required settings. Also, I am not sure if the “Edge Transport” is now replacing the “Default Frontend FrontendTransport”?
Unfortunately there is very little fully documented and “screen shot” supported documentation available online for the MS Exchange 2013 SP1 configuration. except what I generally find here on Paul’s site.
Outside help in this matter is highly appreciated!
Hi Paul,
I have been following your tutorials for setting up Exchange Sever 2010 and I am new to this Server. I have setup my lab server in my home with one server and one client and it does not have any Internet connections for these two servers. Is it possible to configure everything and run this demo server like a live running server.
Could you please let me know the steps I need to follow and the requirements to start learning this new server.
Regards,
Balaji.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Are you asking about Exchange 2010 or 2013? I have two separate training courses available for those.
Exchange 2010 Boot Camp:
https://practical365.com/exchange-2010-boot-camp/
Exchange 2013 Boot Camp:
https://practical365.com/exchange-2013-boot-camp-special-offer/
Hi Sir,
Just want to ask how will i know if i set up my exchange server 2013 SMTP send and Receive connector correctly?
I can send email to gmail, yahoo and internal domain using outlook and OWA but
my problem is i cannot send email using sql database mail to gmail or yahoo.com .
and when i try to test my domain in mxtoolbox.com it shows
dns denizentechs.net SOA Expire Value out of recommended range More Info
smtp mail.denizentechs.net Warning – Reverse DNS does not match SMTP Banner
smtp mail.denizentechs.net 8.720 seconds – Not good! on Transaction Time More Info
Please help me
thank you so much!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Fixing those issues identified by MXToolbox would be a good idea regardless.
For your SQL server, make sure you’ve set up a relay connector as the article above demonstrates.
Hello friend thought its very interesting and good articles, I wonder how to use Exchange 2013 with service No-Ip, Dynamic IP and my internet being so it changes, however it seems that the MXs for the NO-IP agradesco attention
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Use a router on your internet connection that will update No-IP each time your IP changes. Point your MX record at the DNS alias for your No-IP account.
Hello Paul,
So I fuz that too, however I got no result
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Do the inbound SMTP test at exrca.com
In our 2010 environment, we use our Edge servers to relay unauthenticated mail through a second connector. After reading this article, from what I gather, the default connector on the client access server performs internal unauthenticated relay and creating a DNS entry is recommended should you have a few client access servers in an NLB for instance.
What happens if you have 2013 Edge servers in a DMZ? Should the unauthenticated relay receive connectors be created on them for devices such as scanners and applications internal to the company that need to relay externally? Or should that still be created on the client access servers as seperate connectors as described in the article with their own seperate DNS entry (for NLB). I’m just not clear as to where I should create the external connector (client access server or edge). Thanks!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Whichever makes sense for your network topology. I would tend to put them on the CAS to lessen the likelihood that a misconfiguration allowed an open relay on the internet.
However, if the Edge is doing some type of filtering or whatever that you want the relay traffic to be subject to, then putting them on Edge makes some sense there.
Thanks for the feedback.
Pingback: Software Top Hacking
Pingback: advertise new business
thanks for this post , it save me hours!!!!
best regards,
I just completed migrating from 2007 to 2013 and am in coexistence.
One of our web developers uses an smtp server on our dmz to relay email to internal users, as well as external recipients.
I migrated the custom receive connector from 2007 to 2013 following the advice here. The smtp server can send through my 2013 Edge Transport to internal users no problem.
Internally I also used the telnet test above after issuing the powershell command on the receive connector. I can relay through the receive connector to external recipients now from an internal address.
The web app however sends email through my edge transport then on to my internal servers and then specifies an internal user as the MAIL FROM and an external user as the RCPT TO
This is where things seem to blow up. I get the following error:
Remote Server returned ”
Message-ID:
Subject: Delivery Status Notification (Failure)
Return-Path:
Received-SPF: TempError (su1ex2013edge-1.domainname: error in
processing during lookup of postmaster@BEAR: DNS timeout)
Somehow this worked in 2007 with the same connector. Not sure if Exchange 2013 is treating this differently since it originates on another network.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Received-SPF: TempError (su1ex2013edge-1.domainname: error in
processing during lookup of postmaster@BEAR: DNS timeout)
Looks to me like the Edge server is trying to check SPF for the sender’s domain (which means a DNS lookup) and failing.
If postmaster@BEAR is the sender address I would fully expect that to fail. Using a validly formed sender address would be recommended.
So I resolved the dns issues with the smtp domain on my dmz iis smtp server, but still received unable to relay going through the edge box.
If I bypass the edge box and point directly to my internal box it works fine, but I have to open port 25 on my firewall from this ip which I’d rather not do if I don’t have to.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Unable to relay to external recipients only?
I would turn on protocol logging on the receive connectors and use those to make sure the correct connector was handling the SMTP connections.
OK got it.
The MS article I was referring to is: http://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx
It says to ‘Disable SSL’ and ‘Enable HTTP Re-Direct’ on the Default Web Site and then to remove the re-direction on the specified sub-directories which is why I was asking.
Previously in Exchange 2010, I used to do the same thing but an extra step was to re-enable SSL on certain sub-directories because removing it from the Default Web Site removes it also from sub-directories hence my question. This was covered in the following article: http://briandesmond.com/blog/redirecting-owa-urls-in-exchange-2010/
Thanks Paul, appreciate it.
Hey Paul,
If we wish to use the smtp.domainname.com for smtp, do you see any issues in updating the ‘Default Frontend SERVERNAME’ FQDN to smtp.domainname.com rather than the servername? If we leave the servername present, it will have to be included on our SSL cert.
Or is it better to just create a custom receive connector for incoming mail from the internet with the required fqdn and untick ‘anonymous users’ on the Default Frontend SERVERNAME connector?
Thanks.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Changing the FQDN on the default connector is fine.
Great, thanks for the reply.
Do you have or know of any good blog on how to configure http redirection and ssl settings for Exchange 2013 SP1? The MS article I found only shows how to configure http redirect and ssl settings for the default web site, but doesn’t mention anything about sub-directories or whether we need to configure the same settings on the Back-End Exchange website also i.e. for cas and mbx combined servers.
Thanks in advance.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Don’t touch the back end website at all. And you shouldn’t need to modify any of the folders under the default website.
friend you saved me from a lot of headaches, thanks
Paul,
I am needing to do what you described for internal email from a Toshiba multi-function printer on my network so that scans from the MFP device are only allowed to relay email to internal recipients of the domain and block attempts to send out to the recipients on the internet which is currently happening. We are running Exchange 2010 on a single server so all roles are on the one server. Would this work the same way you have described for a 2010 Exchange server or was this not possible to configure for only internal delivery in Exchange 2010? Do you know? Thanks.
Good day,
I have a strange issue. Been struggling for days now to fix. But no success.
I have a Exchange server 2010 which I am busy upgrading to Exchange 2013. I have already loaded the new server. Migrated a test account from the 2010 server over to the 2013 server.
The issue that I have is the follow: I cannot send anything from the old 2010 to the 2013 boxes. I just get a error saying its been delayed.
I can send via telnet if I do it manually. Then it works. From 2013 I can send to 2010 and to and from internet. I just struggle with my 2010 sending to 2013.
Can you please send me in a direction to search for the issue.
Thank you in advance.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Use Get-Queue | Get-Message | fl to see all the details of messages stuck in the queue. Usually there is some info there that will give you a hint.
Check the receive connectors on Exchange 2013, especially if you’ve created a custom one.
Hi Paul, thanks for this article, it’s very helpful.
I do have a question regarding the external relay scenario. I understand the configuration of the additional Receive Connector on the Frontend Transport role – However, I’m just curious how email is then routed to the Internet. It is my understanding that the FET would proxy a connection from an internal device using this newly created connector, to a MB server in the relevant Delivery Group – this MB server’s Transport service would then deal with the email (queuing, rules, categorization etc) then the relevant Send connector would be responsible for the message getting out the Internet. If I’m correct, can I ask which Receive Connector would be used on the MB server that receives the mail from the FET – would it just use the “Default ” receive connector on port 25 (2525 if mutli-roled)? – would there ever be a need to create a Receive Connector on the MB server role in addition to one created on the FET, that you can think of – perhaps if you configured an FET Rec. connector to listen on a non-default port?
Thanks very much
Barry
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
There is no need to create additional receive connectors. Once the email is in your transport pipeline it will route like any other email.
Ok great, thanks for confirming
Hello
I have created the connect for NAV2013 to relay emails through our Exchange 2013 and everything is working fine.
the problem is that now I am able to relay or send emails through PowerShell using 3rd party exchange which is not good for security reason.
Please suggest how i can stop it
Regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What do you mean exactly when you say you can “relay or send emails through PowerShell using 3rd party exchange”?
If you think you’ve created an open relay that is accessible from the internet you should roll back the changes you made immediately.
Do you need NAV2013 to be able to relay to external recipients?
Hello Paul,
Yes i want NAV 2013 to replay email through our Exchange 2013 and it is working fine.
I connect through PS to office 365 and run the CMDLET “Send-MailMessage -To user@externaldomain.com
-From user@otherexternaldomain.com -SmtpServer myexchange.internal.com” and the CMDLET works and the recipient receives email.
Just to test i disable this relay connector and then if i run the above CMDLET it gives and error “5.7 1 unable relay”
How i can i set relay only from NAV2013 and no other
Regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Sounds to me like you’ve set the IP addresses incorrectly on the “Remote network settings” of your relay connector.
But is that Office 365 tenant a completely separate tenant or are you running a hybrid configuration?
Note you can also do open relay tests with online tools like mxtoolbox.com and exrca.com.
Hello Paul,
This is only on-premise with Exchange 2013. I have used the Windows Azure PS to test sending emails only.
There is no connection between on-premise and O365 and just used O365 for test email from PS.
Well i used mxtoolbox.com and EXRCA and both show successfully that means it is an open relay and how can i stop it.
With regards to IP for remote network i have added 192.168.1 90/24 which is our NAV2013 machine and removed the 0.0.0.0 255.255.255.255.
On the security page under Authentication I have checked Transport Layer Security (TLS) only and under Permission i have selected Anonymous.
Then i have run the CMDLET Get-ReceiveConnector “Relay E15MB1” | Add-ADPermission -User ‘NT AUTHORITYAnonymous Logon’ -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
Please let me know if i have set it right?
Regards
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You don’t need the /24 on the end of a single IP address like that.
Also you don’t need to modify the TLS settings.
I’m not saying either of those are the problem, but they are things you’ve done differently than the tutorial above.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I’ve done some more thinking about this – the only other thing I can think of is that your network edge device (router, firewall, etc) is proxying the SMTP connections instead of routing them, which may make them appear to Exchange 2013 as though they are coming from a 192.168.1.x IP address on your internal network, rather than from an internet IP.
If that is the case then the /24 may well be the cause of the issue, and you should remove it and only add the specific IP address in to the relay connector.
Hello, first I would like to say I often visit your various articles and find them very informative, thank you! This is my First post.
I have a new install of Exchange 2013 enterprise on premise and started moving a few users from 2010 at a time because I am finding various new issues with each. My newest issue has me perplexed how to continue.
I have a Sharp network scanner, copier, printer that we use to scan documents to email. I have a HUB Transport Relay connector setup for this on exchange 2010. The copier has an AD username (authenticates) and sends to each individual user from an address book on the Sharp copier. I moved two users from 2010 to 2013 and they no longer are able to get those scans from the copier. I recalled the issue moving from Exchange 2003 to 2010 and it was that I didn’t have a connector. But if I change the copier to send to the new Exchange 2013 all the users on 2010 won’t get there scans, correct? I am stuck here. How or why doesn’t 2010 know those users moved to 2013 and forward the messages? Wouldn’t it be the same as any user still on my Exchange 2010 that emails me – now on 2013 server? What am I forgetting?
I get the feeling I know the answer and the light bulb just hasn’t gone on yet, any help getting there would be appreciated!
Thank you,
Mike
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Well I would guess there’s an SMTP connectivity issue between the 2010 and 2013 server. You might even see the mail queuing on the 2010 server with some error details that support that theory.
My suggestion would be to move the mailboxes back to 2010 until you have fixed that problem.
Hi Paul,
I think someone is using our Exchange Server to relay spam mails. How we can find and block whoever is using our mail server to relay the spam mails. It is generating more spam mails even we delete mails in the queue. How can we prevent this? Our email filtration provider Barracuda sent us a warning that if this will not stop, they will be force to block our outbound IP. Thanks for any help you can extend.
Good article
I read in an article by your fellow contribour here on Exchangeserverpro.com, Nuno Mota, that you should choose to use the front end transport or the transport service depending on the need for queuing, do you agree?
We have systems relaying that do not queue them self, should I choose the transport service instead of the front end transport?
As always, well-written. Not only do I get a solution to my problem, but come away understanding why I had the problem and why the solution worked.
Thanks Paul…
Hi Ultimate / Tiberius
Yes, the Java application generate a email with authentication. but it’s getting error …
Messaging Exception in sendPdfByEmail :: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated
Error in createPdfInvoice com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated
com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated
at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:1388)
at com.sun.mail.smtp.SMTPTransport.mailFrom(SMTPTransport.java:959)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:583)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:98)
at com.lmr.ems.client.pdf.PDFCreator.sendPdfByEmail(PDFCreator.java:174)
at com.lmr.ems.client.pdf.PDFCreator.createPdfInvoice(PDFCreator.java:72)
at com.test.GenerateMonthlyPDF.sendInvoiceAsMail(GenerateMonthlyPDF.java:91)
at com.test.GenerateMonthlyPDF.generatePDF(GenerateMonthlyPDF.java:60)
at com.test.GenerateMonthlyPDF.main(GenerateMonthlyPDF.java:27)
com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated.
Note: The Java programmer generating application from them client PC. so that’s the reason am avoiding the anonymous security setting.
Raaja,
When you say “the Java application generate a email with authentication” and you have a SMTP return error of “530 5.7.1 Client was not authenticated” it takes me to believe that there is a mismatch in the auth agreement between the App and the exchange, normally because Exchange is expecting one thing and the code sends another…
I am not a programmer/Coder so what I can say is that the default behavior for the SMTP TCP587 Receive Connector is authentication using Windows Integrated Auth (AUTH GSSAPI/NTLM) or Windows Basic Auth with TLS (STARTTLS+AUTH LOGIN) and this you can see in the Exchange side frontend receive connector logs.
If your code (whatever it maybe, and I see that you use 3rd party PDFCreator code) doesn’t comply with these rules you might need another form of SMTP delivery that do not use Auth (Like in Paul info).
Don’t let you coders fill your head with codding logs, the rules are simple, if you want to use SMTP auth for messaging delivery, so put them to work and force them to demonstrate you that they are using the right API/modules/arguments for the rules that you (MS Exchange) established.
Your log does not show us one line where the app sends/initiates windows auth, so for me this app is not using auth…
Nevertheless cross reference with the Exchange logs as I have stated.
Best Regards
Hi Tiberius,
Thanks for your information. let me check & update you.
Hi Paul,
Thanks for your informative message. I have an issue with in my exchange environment. (i.e) when I test the mail sending via telnet, I am getting following error. Please guide me. If it’s possible to resolve with out anonymous users security setting enable. because for secure reason, I don’t want to enable anonymous user settings.
220 xxx.xxx Microsoft ESMTP MAIL Service ready at Thu, 24 Apr
2014 08:44:50 +0300
helo
250 xxx.xxx Hello [123.123.123.37]
mail from: xyz@xxx.xxx
530 5.7.1 Client was not authenticated
Hi Raaja,
Has stated in your telnet test message, your connector is configured for auth (and that is what you want).
So depending on your connector auth configuration you need to use SMTP verbs for authentihcation testing via telnet (AUTH, STARTTLS, etc…)
If this is too complex for you I advise you to use an SMTP client like outlook to do the auth SMTP test.
Best Regards
Hi Tiberius,
Thanks for your reply. we have a java team, they are generating mails via java. but they are getting error “class javax.mail.MessagingException: 530 5.7.1 Client was not authenticated”.
My concern is avoid the anonymous users authentication. Is there any other ways!!!
Hi Raaja,
Can the Java appication gen a email with authentication info? If not , create a received connector, allow anonymous but grant only ip of java application server
I think that is the only solution for your case!
Raaja,
Like Ultimate said, your JAVA team has to code the windows auth process inside their SMTP alerts coding (using Windows Integrated Auth or Windows Basic Auth in this last case with STARTTLS first).
If auth could not be coded (and for me that is a bad excuse from a programmer), this BLOG has the right information on how to create a receive SMTP connector WITHOUT auth and filtering their use on the originating IP of the sending mailer.
Normally I use a Externaly secured+Partner configuration so it bypasses some exchange malware filtering, but the Paul info is usable for your needs.
Best Regards
Hi Paul,
How to configure received connector to accept Outgoing server SMTP 25 and no Encryption for Outlook IMAP Client? Although I check My Outgoing Server Requires Authentication (Use same settings as my incoming mail server), Outlook IMAP Clients is still not able to send , always show pop up to input username and password?
Thank you
I use exchange 2013 with SP1
Ultimate,
That is not a secure configuration and not a best practice at all!!! Just think how do you will differentiate between an SMTP client (used by IMAP users for example) and a Mail Spammer if you do not use AUTH????
Just have this in mind IMAP protocol ha nothing to do with the SMTP protocol, the first is for users access to their messages and the last is for mail flow.
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
The best way to NOT mismatch these configurations is separating the TCP ports (and thus the SMTP connectors), and that’s why SMTP-TCP587 appeared (the so called CLIENT SMTP receive connectors). This way you can configure a dedicated CLIENT SMTP receive connector without having overlapped/mismatched configuration with the default MTA receive connector.
I advise you to configure your SMTP clients (for example used by IMAP/POP3 users) to connect to the TCP port 587 that exchange has already has configured for exchange user auth
Best Regards
Tiberius,
I just wanted to test all case 😀 And in my case, clients still using authenticate info to connect to SMTP server ( as using Outgoing server require authenticate option) , only problem here how to use port 25 with no Ssl or TLS.
After try several times to configure Receive Connector I found a solution to resolve my case: just delete Default Frondend (sever name) connector and re-create it! i donot know what Microsoft pre-configure in this connector, but after re-create it everything work like a charm! 🙂
Ultimate,
Normally that kind of action just breaks what the software house decided to be the best practice, and in your case doesn’t seam to be a needed post-install configuration.
I advise you to check http://technet.microsoft.com/en-us/library/aa996395(v=exchg.150).aspx
The info is all there.
The default receive connector that listens on TCP25 is not advised to receive client connections as a best practice, you should always use the TCP587 one.
As it is said:
Default FrontEnd Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization..
Typically this default SMTP connector only permits the following identities to connect:
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers
So the only authenticated objects allowed are the Exchange servers (not the users)… Once more BEST PRACTICE.
Best Regards
Tiberius,
Yes, of course I know it’s not best practice. I just want to know why can not use this port by default and how can use it. This is lab environment, not in production.
Thanks for your information and advice.
Best regards
Hi Paul,
Good article.
I have a challenge for you 🙂
I use a lot the Client Connector, because for me is safer to filter who can relay on a per user base instead of per IP base, and it give advantages like passing thru some anti-malware schemes.of Exchange.
Until Exchange 2010 never had a problem and has a best practice I always used UPN for user auth.
Now I have a an Exchange 2013 that I designed the same way and strange enough I can only auth with domainuser a not with UPN anymore.
I can see in the frontend protocol log that the user Auth Login (with starttls) {SMTPsvc.userx@upn-a.com authenticated } but then on the next line I see that the Frontend just cant handout the auth to the backend {Setting up client proxy session failed with error: FindMiniRecipientBySmtpProxyAddress(SMTPsvc.userx@upn-a.com) returned null} and returns a {451 4.7.0 Temporary server error. Please try again later. CPRX2 Remote(SocketError)}
In the eventvwr I can see ONE audit failure 4625 (I think that is just because the domain part of the UPN is not the FQDN for the ADDS, but one of several UPN domains created for this ADDS):
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SMTPsvc.userx
Account Domain: UPN-A.com
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Network Information:
Workstation Name: MyPC
Source Network Address: –
Source Port: –
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: –
Package Name (NTLM only): –
Key Length: 0
And then I see several successful logon audit with the correct user and domain (NETBIOS)
Account Whose Credentials Were Used:
Account Name: SMTPsvc.userx
Account Domain: DOMAIN
Logon GUID: {4e457923-2116-3cb3-6578-d8d3f22e5a91}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1b50
Process Name: E:Program FilesMicrosoft Exchange ServerV15BinMSExchangeFrontendTransport.exe
This SMTPsvc.userx account is not a mailbox user but rather a ADDS user with ad.adpermission so it can use the connector:
Identity User Deny IsInherited ExtendedRights
——– —- —- ———– ————–
SRV1Client Frontend SRV1 DOMAINSMTPsvc.userx False False {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
SRV1Client Frontend SRV1 DOMAINSMTPsvc.userx False False {ms-Exch-SMTP-Submit}
SRV1Client Frontend SRV1 DOMAINSMTPsvc.userx False False {ms-Exch-Bypass-Anti-Spam}
SRV1Client Frontend SRV1 DOMAINSMTPsvc.userx False False {ms-Exch-SMTP-Accept-Any-Recipient}
SRV1Client Frontend SRV1 DOMAINSMTPsvc.userx False False {ms-Exch-SMTP-Accept-Any-Sender}
As I said it always worked in previous versions of Exchange, only in 2013 with a stateless CAs that this problem aroused.
Can you shed any light on US?
BEst Regards 😉
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Does it work if the UPN matches the FQDN of the AD domain?
Paul,
Yes it works with the ADDS fqdn (ex: SMTPsvc.userX@DOMAIN.acme.com) I have just changed the UPN for the user (on the ADDS user object and on the MUA app) and now I see in the SMTP receive log:
,,334 ,
,>,334 ,
,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe,Set Session Permissions
,*,DOMAINSMTPsvc.userX,authenticated
,*,,Proxy session was successfully set up. Outbound session will now be proxied
,>,235 2.7.0 Authentication successful,
The normal UPN for 99% of the Exchange/ADDS users is not the FQDN for the ADDS domain, and its used for everything like OWA/mobileDevices/ADFS, etc… (use your email for auth is the rule here 🙂 ):
> get-user SMTPsvc.userX@UPN-A.com | fl *auth*,*principal*,*upn*
IsSecurityPrincipal : True
UserPrincipalName : SMTPsvc.userX@UPN-A.com
Paul,
Any more thoughts?
Thanks
Hi Paul,
Thanks for this article, this really helped me fine creating the smtp connector.
i now have a new problem. A few customers are receiving the internal code of pdf attachments instead of the attachment itself.
Those quite strange events are really annoying.
Do you think it can come from parameters of the smtp reciever itself ?
Regards,
Vincent
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I’d be more inclined to think the sending application/system is the problem. I can’t think of anything in a receive connector config that would cause this.
Thanks for reply,
My dev team is having a look on the app.
I’ll try to test with another smtp relay to the same Customer.
Vincent
Hi Paul, great article – I tried adding my own internal SMTP connector before but screwed it up, so disabled it. Your article helped with creating it from scratch and actually get it working this time, so thanks. My router has the .1 address (which is the exception), then I configure all network devices with .210-255 addresses so following your instructions saves a lot of time enabling things like NAS, network cameras etc. to be able to send SMTP without worrying about further authentication.
Just one question though: you mention setting up a DNS alias e.g. smtp.example.com – that’s fine. In your example, your server is clearly shown to be 192.168.0.181 but your image that shows the DNS alias is 192.168.0.187 – yet when you telnet to it, it’s showing .181 again. Is that a typo in the image or have I missed something? I didn’t see you refer to adding an additional IP address to the adaptor or anything you see…
Thanks again,
Jeremy
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
.181 is the IP address I’m connecting *from* when I do those telnet tests.
I have done all the above and I still can not relay…. anyone got any suggestions….
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I’d suggest sharing with us more details, like any error messages you get when you test the relay.
This article was very helpful but still very confused on what the difference is on creating a receive/relay connector on CAS vs. creating on Mailbox. Can you help clarify a few things?
If you wanted to relay and send mail to external recipients for device/application notifications, I would imagine you would want to create the connector like this article describes (Front-End Transport role on CAS), correct? Would relaying external also work if connector was created on Mailbox? What’s the difference??? I’ve read something about mail not being able to be “queued” if created on Mailbox…
I’ve also read that if you specify the “Hub Transport” role for the connector and the server is multi-role (CAS and Mailbox), the services will fight over which is using port 25. Therefore I’d imagine you would again have to use Front-End Transport role, correct?
Lastly, what if the applications needing to relay external use different ports other than port 25? Does it matter where it gets created or same procedure?
Thanks much!
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes using the front end role will cause a port conflict.
Yes you should even create alternative port connectors on the hub transport role.
I guess I’m still confused. Which server is best practice to use (cas or hub)? When to use one over the other.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Use hub.
Thanks very much. Exactly the help I needed.
Never mind – I set the accepted domains to internal relay on the new server and it resolved the issue.
Hello,
I have a 2003 server and a 2013 server. I need to put 1 user only on the new server right away. I can send emails from the old 2003 server to external and internal – including the person on the new server. let’s say the email domain is acme.com on both.
On the 2013 server, I can send externally but I cannot send emails to people on the old 2013 server –
Delivery has failed to these recipients or groups:
I can send to test@acme.com (on 2003) from the outside but when I try to send from the new server
test@acme.com (test@acme.com)
The email address you entered couldn’t be found. Please check the recipient’s email address and try to resend the message. If the problem continues, please contact your helpdesk.
Diagnostic information for administrators:
Generating server: acm-EXCH.acm.lan
test@acme.com
#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
Original message headers:
Received: from acm-EXCH.acm.lan (10.200.1.44) by acm-EXCH.acm.lan
(10.200.1.44) with Microsoft SMTP Server (TLS) id 15.0.516.32; Tue, 18 Mar
2014 22:34:00 -0700
Received: from acm-EXCH.acm.lan ([::1]) by acm-EXCH.acm.lan ([::1]) with mapi
id 15.00.0516.029; Tue, 18 Mar 2014 22:34:00 -0700
Content-Type: application/ms-tnef; name=”winmail.dat”
Content-Transfer-Encoding: binary
From: boe dillard
To: “test@acme.com”
Subject: test1
Thread-Topic: test1
Thread-Index: AQHPQzTSx8BW8ZljpUaMmirC7LYAmw==
Date: Tue, 18 Mar 2014 22:34:00 -0700
Message-ID:
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
MIME-Version: 1.0
X-Originating-IP: [10.200.1.44]
Return-Path: bdillard@acme.com
X-Brightmail-Tracker:
H4sIAAAAAAAAC+NgFrrHqsTGxcJ1glFH10NHM9jgw1Ixi/cbe9kdGAMYolgz85LyKxJYM169amMr+Cxd8eT2XPYGxiXSXYxcHEICSxglVp5oZIFwmhgl/jxfytjFyMnBLGAqceUrSALEVpS4cK8BzGYT0JFY9W8TK4gtIqApceraEjBbWIBP4v7WK8wQcWGJS1PWMUHYehLH508H62URUJWYvPYXmM0rYC/xe99msF5GATGJ76fWMEHsEpe49WQ+mC0hICCxZM95ZghbSaL39juouKfEsb3NjBBzBCVOznzCAhE3k9j7YAlUja7Eke
Based on your article, can I do like this?
1. Allowing Internal relay via Transport Services. How to configure?same as trick done in Exchange 2010/2007 allow anonymous relay.
2. Allowing External SMTP Relay via the Frontend Transport Service
Hi Paul
I appreciate that good explanation and I have only one question: this configuration might work to send the email to a spam scanner? I am new to exchange, and try to generate a laboratory with exchange 2013 and spam analyzer.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
This article is about providing an SMTP service to applications and devices that need the ability to send email to internal or external recipients.
Hi Paul,
Ive been following your work and i have only to thanks the good job you have be doing. But i have a question for you too.
I have a private domain xxxxx.local and sometime ago i installed exchange 2013 server on it and everything seems to work just fine. Now my boss wants to be able to send mails to external services like gmail, yahoo mail and all others, but my difficulty its to configure the MX records. Do i have to have them configured in my service provider or in my domain definitions? I have a domain that i bought and its working, but it end in xxx.com, so my question again is, How can i have my internal mails from xxxx.local be translated to xxxx.com when they arrive in public servers.
Thank you
I am routing outbound mail thought our cas servers. The security on the “Outbound Proxy Frontend” receive connector for permission groups is set to Anonymous (This is default, I think). I think this is allowing external relay of our scanner. I want to restrict the scanner to internal only. Am I correct in my assessment? Is it OK to remove Anonymous users from the “Outbound Proxy Frontend” receive connector?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The “Outbound Proxy Frontend SERVERNAME” connector exists so that the back end server (Mailbox server role) can send mail via a front-end proxy (CAS) when the send connector(s) for outbound internet email are configured for proxying.
It listens on port TCP 717, not 25, so unless you’ve specifically configured your scanners to connect to port 717 I doubt that is the cause of your issue. You should not modify that receive connector at all.
Your scanners, if they are making anonymous/unauthenticated SMTP connections to your CAS, should be getting handled by the “Default FrontEnd SERVERNAME” receive connector. Anonymous connections are only able to deliver email to internal recipients in the organization.
If you’re finding that your scanners are in fact able to relay externally via the CAS, it is more likely that they are being handled by a relay connector that has remote IP addresses or ranges that include the IP addresses of your scanners and has been configured to allow anonymous external relay (eg following the steps in the article above).
Ultimately if you want to troubleshoot which receive connector is handling the connections from the scanners I recommend you turn on protocol logging for the connectors, then analyse the resulting log files.
There’s more info here on protocol logging:
https://www.practical365.com/exchange-server-protocol-logging/
(the screenshots are Exchange 2010 but the info is relevant to Exchange 2013 as well)
When I execute the Exchange Management Shell command in the final step to grant anonymous users the ability to send to external recipients (for alerts from a backup system at a client), I get the following error, even though I’m sure my syntax is right;
“User or Group “NT AUTHORITYAnonymous Login” wasn’t found. Make sure you typed it correctly”
Do I need to add the user “Anonymous Login” into AD? Sorry if this is a naive question.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Try “Anonymous Logon” instead of “Anonymous Login”.
I’m exhausted, I didn’t notice the spelling mistake, even though I read through it several times! I got the receive connector to work exactly as I needed, thank you so much for a terrific article!
Hello,
I have a question regarding this topic, I was wondering if it’s possible to find out which domain names are accepted on a smtp server remotly.
Thank you.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
None that I’m aware of.
Hi Paul,
Thanks for an informative article.
Out of the box Exchange 2010 did not send app emails via relay to internal clients like Exchange 2003 used to do.
So I set up a receive connector on my Exchange 2010 box for the Payrol app as Anonymous and TLS on Port 25.
I can get the app to send email to internal recipients correctly but external email like gmail does not work.
So I changed the port number to 587 for ’emial submissions’but still no joy….
Any ideas please?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
My article on Exchange 2010 relay connectors is here:
https://www.practical365.com/how-to-configure-a-relay-connector-for-exchange-server-2010/
For anonymous relay to internal recipients all you need to do for Exchange 2010 is tick the box for Anonymous Users on the Default Receive Connector. Basically the same as if you had the Hub Transport server as your internet-facing/inbound SMTP server.
Hi Paul,
Followed your steps, however after about an hour, the clients could not receive email from external sources any idea what would cause that? I had to remove the Conenctor to have it work again.
Never mind, I have resolved the issue.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
What was the solution in your case?
I was being stupid, and thought the 255.255.255.255 was a subnet mask but on further looking at it, it was encompassing ip addresses. So ya stupid me. Great article though it worked perfectly. Thanks!!! Will follow you more.
Thank you very much Paul . I find your articles very helpful and easy to follow.
Hi Paul , I have a quick question . I have 2 exchange 2013 servers(CU3) in a Dag . I added the connector for relaying by following your instruction except I created one for each server . As soon as I doo SQL reporting services and other internal application start working but after a couple of minutes both servers stop receiving all email. if I delete the connectors and restart the transport services ( not even sure that the restart is necessary) then email starts flowing again. any idea what I could be dong wrong ?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
I suspect that when you created the connector you configured it for the Hub Transport role. The correct option is Frontend Transport (shown in the screenshot in the article above).
Thanks ! Should I be creating it for each member of the dag or only one member ? Also is it best to specify the internal IP of the host that need to relay or just the address range of the subnet they are in ?
Paul ,
I just have 1 more question , in your article you state “This means that the only additional (and optional) step for making internal SMTP relay available to your applications and devices is to provide a DNS name for them to connect to. You can just use the name of an Exchange 2013 server that is installed with the Client Access server role, or you can set up a more generic host record in DNS for them to use (which I recommend, as this makes it easier to migrate the service in future).”
that’s all I really need , so do I even need to create a new connecter since I just need it for internal clients? if so how does it know which server to go to since I have 2 servers in a Dag and they both have all roles installed? thank you and I apologize for so many questions !
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
A connector is bound to a server. If you create two for HA purposes you’d need to use some form of load balancing to handle that.
Using IP ranges may seem easier at a glance, but is less secure, and also problematic if the IP range also includes Exchange Server IP addreses (which causes serious problems). I tend to use specific IP addresses only, or very small ranges if absolutely necessary.
If all you need is internal relay a new connector is not required.
“How does it know which server to go to…” – you control that with DNS. If you point your other apps/servers at an SMTP server of “smtp.domain.com”, and that resolves to your Exchange server’s IP address, then that is where they will connect.
Hey Paul,
Just followed this article, and successfully created the internal relay receive connector.
However, I have also enabled the anti-spam agents on the Exchange 2013 environment and internal mails are now being rejected by the content filter agent.
Any hints on how to fix this?
550 5.7.1 Message rejected as spam by Content Filtering.
Cheers.
Arjan
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You can set an exception for that sender to bypass content filtering.
http://technet.microsoft.com/en-us/library/aa995953(v=exchg.150).aspx
Thanks Paul!
Added my local domain to bypass, which worked for me.
Cheers
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
That may be overkill. Consider that bypassing your entire domain may mean a spammer spoofing an address in your domain is able to bypass filtering. If it were me I would only add a bypass for the specific sender addresses that are relaying.
Do you have a guide to configure an Exchange 2013 server to accept emails from applications that are not local? For example a UPS at a client site that wants to use an smtp server (my server) to send emails.
My thought would be to configure Exchange with a receive connector on a port that is open. Use the public ip or resolved name of my exchange server. Set the connector to work with exchange users and make sure I use a valid user. When I do this though I do not get a connection.
Do you have guide for this type of connection?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
There’s no special configuration required. Your server already accepts emails from other senders that are addressed to recipients in your organization without any authentication required. So this could be as simple as configuring the UPS to use one of your MX records as the SMTP server it is connecting to.
I have now tried it with my domain account and used my MX record or the A record of my exchange server. I am using my domain account at a public site to email to an email account on my domain. I keep getting invalid username or password.
I thought it might be send as permission but no luck. I am using MX Logic as a mail filtering service.
Thanks Daniel
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You’re pointing your MX records at something other than Exchange? That is a different situation then.
I assume your MX provider doesn’t require auth for incoming email to your domains, so trying to authenticate is probably the problem there.
Pingback: How to Configure Unified Messaging in Exchange 2013 Step by Step | Blog by Raihan Al-Beruni
Hi Paul,
Regarding SMTP Internal Relay open by dafault for unauthenticated source send emails to internal user, can we disable this feature? I donot want to enable this feature because it will be the point that virus can use to spam mail to all internal users.
Thank you.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
That is how email from external domains/servers is able to be received by your organization. So if you disable it, you won’t receive external email.
If you’re worried about viruses and spam use an email security product.
Ok, i got it. Thank you very much.
I’ve been trying to setup a new internal connector to use with a major software makers fax software. I make a new connector using EMC or Powershell. Setting the scope up to the ip of the exchange box, as the fax software is install on the ex box, etc… however this then seems to stop the default connector working externally. Telnet gets a ‘Service not available’.
Any ideas, ex2013 – cu3
Same here. My receive connectors are setup correctly, but I get that error on local 25.
Solved. Seems like my “Default Frontend” receive connector was in fact misconfigured . I just created a new Internet FrontEndTransport Receive connector and works.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
The configuration of the default connectors shouldn’t be modified.
Pual,
My client are receiving duplicate emails from my exchange server. Can you please help me.
Regards,
Shakeel Shahid
Hi,
Q1: I have an Exchange 2007 environment with 2 Hub/Cas, 2 Mailbox, 2 Edge, now I have deployed Exchange 2013 environment in a new AD Site with 4 Frontend, 4 Backend, 2 Exchange 2010 Edge. I can send and receive email from my Exchange 2013 mailbox, but when I check the message header in my internet mailbox, I find that the message is routed from my Exchange 2013 Backend, then to Exchange 2007 Hub, then to Exchange 2007 Edge, then to my internet mailbox. I have made the edgescription on my Exchange 2013 Backend to Exchange 2010 Edge successfully. Why not the message send from my Exchange 2013 Backend to my Exchange 2010 Edge, then to the internet? How can I make that happen? Or it only happens after I uninstall Exchange server2007?
Q2: After configuration, now I can configure outlook to use POP3 mode, but I need to set the FE server as my POP3 server and the BE server as my smtp server. I ever thought I need to set the FE server as my SMTP server, but it doesn’t work after that, so I am confused for the SMTP server, if the FE server should work as the SMTP server, how can I configure it?
Thank you!
Hi is it possible to force send connector to send mail without using IPv6 address, only by using IPv4 without removing IP v6 protocol from server.
Thank you
Aljosa
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Not as far as I know.
Hi,
would you please explain why it is better for such purposes to go with Frontend transport instead of Hub transport ? Somewhere in your older post I could read that it should be better for this use HUB transport as it is the only one with queue … Thanks a lot for clarification ..
Peter
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Yes, that post was speculation based on the Preview build and little documentation available at the time. We now know it is correct to use front end transport for a connector of this type.
Hi Paul –
As always, great article! 🙂 Your ongoing care and feeding of the comments has been invaluable as well.
With regard to Peter’s question about front end versus hub transport receive connectors and queuing, you stated that you now know that it’s correct to use front end transport for smtp relay receive connectors. A question remains in my mind, and that is: will emails using front end receive connectors be queued if need be?
Thanks in advance.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Frontend Transport will proxy to an available Transport service. If none are available the SMTP connection will fail and the email will queue at the sender’s end and retry later.
Very nice article. I do have a question though. If you have a specific application that has the ability to send mail authenticated from a server (For instance a Citrix Host), and you do not want to add the IP for this server to the Relay Connector, is it possible to send to external addresses? I don’t want to add Authenticated users to the Default connector. I’ve tried to set it to port 587, so that it uses the Client Frontend Connector, because Authenticated Users is added there, but it doesn’t work…
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You may find that the Client connector is requiring TLS/SSL for Basic auth and perhaps your sending server/app is either not supporting that or not configured to use it.
You could check the sending server/app or turn of the TLS/SSL requirement for Basic auth (which carries risks of course).
This is my case:Using VM workstation 9.
I have setup 2 domain controllers each running exchange 2010.one has IP 192.168.1.1 and the other 192.168.2.1.MSExchange 2010 is running fine and the users in the respective domains can email each thru outlook.but the problem is; how do I route the 2 networks to have users email across the domains.I tried to configure 2 servers as routers but am stuck..
Now I wana try pfsense to use a virtual router.But I am stranded in the middle. I have issues with setting new virtual network adapters to connect the two networks.
And since these are Two Separate Host-Only Networks for testing purposes with no real internet connection to outside world, I cant send emails to the other domain users, I setup send connectors and added trusted domains in the exchange 2010 management console.I also setup the mx and dns and ns records..still no luck:-(…This my school project.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Can they ping each other? If so then all you need is Send Connectors for each other’s domain that point to each other as the smart host for that Send Connector.
Isolated VMs like that won’t need public DNS/MX records.
If they can’t ping each other you need to work out your VM networking.
Thanks Paul,
I will try to fix my send connectors, though I had already configured them.And yes the Domain controllers can ping each other.I just setup one server running win server 2008R2, It has 2 NIC, VMnet1(domain 1 network adapter)&VMnet2(domain 2 network adapter). These 2 NICs are bridged together.And I enabled routing and remote access on this server which acts as my router.But still the clients in domain one cant ping other clients in the domain 2.And still they cant email across domains.I guess its something to do with my gateways..I will try to figure it out.Maybe I need secondary dns…I don’t know what the issue is:-(
I cant see your email anywhere, I would send you the network layout of my test network
Now, all clients can ping each other.
but still no luck with cross domain emailing:-(
Can they ping each other? If so then all you need is Send Connectors for each other’s domain that point to each other as the smart host for that Send Connector.
you said Isolated VMs like that won’t need public DNS/MX records. maybe they need local dns/mx records to handle local dns requests from the domain controllers which house exchange server as well
Thanks Paul for the”smart host for that Send Connector”configuration method. I finally have my separate Exchange domains able to email each other.I setup a windows server as my router which enabled me to route the traffic btn these networks, i had to added persistent static routes on the router and the DCs and client s
Hi Paul,
Your articles have been invaluable to me as I have been installing and configuring our new EX2013 environment. My current frustration is with anonymous relay between my exchange 2010 and 2013 servers. I have many anonymous relays, both internal and external that were configured in a receive connector on my Exchange 2010 server. I do not want to change those replays to point to my Exchange 2013 server quite yet. The relay still works as it should for mailboxes on the 2010 server but messages destined for mailboxes on the 2013 server hang up in the 2010 server queue under “hub version 15”. I know it is a simple configuration fix, but I am stuck. Any help would be greatly appreciated.
Keep up the great articles!
Just needed to add EX2010 ip to the frontend default receiver connector. Thank you again for the articles! My mail would not be flowing without you!!
hi there,
i have just installed new Exchange 2013 , my previous exchange 2010 is primary to receive and send email inbound and outbound.
I have to decommission my 2010 once all users mailboxes are transferred to 2013 until then i want 2010 to be used for all email routing incoming /outgoing for itself and users on 2013 (who will be transferred).
the problem is that users on 2013 database are unable to send emails inbound and outbound although they are recieving emails from 2010 users and outside . due to this issue i cant start this user movement.
Please help me with this issue.
PS. i have messed up with the default connectors
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
A common issue is having a receive connector on one of the servers that includes the IP address of the other server(s) in its remote IP range. This will break server-to-server mail flow.
https://www.practical365.com/exchange-server/no-need-create-connectors-internal-exchange-server-mail-flow/
Many Thanks , im able to route emails between 2010 and 2013 exchange and now i have started transferring Mailbox from 2010 to 2013.
I have few question related to this migration :
1) There are few mailboxes that are system generated do i have to move them to on 2013 exchange like :
a) discoverySearchMailbox
b) System Mailbox Microsoft Exchange
c) FederatedEmail Mailbox
d)Exchanage Approval Assistant
e) MSMEODUser
2) (VERY IMP )As i am migrating users from 2010 to 2013 the Database folder is creating very heavy logs , it has already reached to 247 GB and counting , i know the logs are truncated when backup is done , but i dont have my vaeem backup in place right now and im running out of space.
Please suggest any backup mechanism which can truncate these logs so i would be able to continue this migration .
can i use Windows Server backup for this , is it okay to use it for this job?
or i just try to delete those log files?
Please Answer these asap, you are really helping me to complete this migration.
P.S I am using Windows 2012 Datacenter /64 bit with 64 Gb RAM
Kamran
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
1) Yes. In fact you’re supposed to move them first. That is documented in the migration guidance from Microsoft, which hopefully you are following.
2) You’re migrating to a server that isn’t being backed up yet? That sounds very unwise to me. If it were me, I would get backups working first before doing any migrations.
Okay , Should I start the backup through Windows Server Backup while the replication is in progress.
does it effect the mailbox migration/replication?
can you refer the migration guide from Microsoft.
I am migrating from Windows 2010 to 2013.
Kamran
Hello Paul.
I have migrated all the user to Exchange 2013 ,
Now i have to decommision Exch-2010 and make 2013 responsible to send/recieve email directly.
Please guide any steps ; or refer any doc?
And Also ;
Q1)do i have to make any changes in SPF records? MX records
as i have given 2013 mail priority of 30 – and 2010 has 10 in my public DNS records,
Q2)any changes in send and recieve connectors?
Kamran
Hi Paul,
great article
could you please make a guide about receive connectors in Exchange 2013?
A good explanation about those different receive connectors that is configure by default.
I still have some problem to get a good overview of which connectors is used for what.
Keep up the good work Paul!
Hello Paul,
i have a question regarding the receive connectors. I’ve set all SMTP-Banners on the mailservers receive connectors. When connect to it via telnet on port 25 from an internal subnet everythings fine, it shows the configured banner.
But when i connect via telnet on port 25 from an external server it only shows the following:
220 ****************************************************************************************
Do you have an idea what this could cause?
BR
Christian
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
A Cisco firewall with SMTP protocol inspection turned on would cause that.
Hi Paul,
In Exchange 2013, send email from Exchange 2013 to external users (ex: gmail.com), we create Receive Connector to do that. What the purpose of Send Connector ? Send Connector can do this ? If not, why ?
Thanks,
Kevin.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Outbound email (eg gmail.com) is controlled by send connectors.
https://www.practical365.com/configuring-outbound-mail-flow-in-exchange-server-2013/
Hi Paul,
Yes, Exchange is quite new to me. So, I think:
– Receive Connector: used for receiving mail from external mail (external Exchange domain) and internal mail (internal Exchange domain)
– Send Connector: used for sending mail to external mail (external Exchange domain) and internal mail (internal Exchange domain).
Thus, from your comments, using Receive Connector to replay mail, others word: send mail to external Exchange domain — this is new feature ? does it make sense ?
THanks,
Hung.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
It isn’t a new feature. This is basically how it has been done since Exchange 2007.
A *receive* connector is used to receive email. The server then processes that email and delivers it wherever it needs to go.
This article describes a type of *receive* connector that would allow an application or server to relay email to external recipients, because of its specific configuration and security settings.
Hi Paul,
I am trying to send and receive email using exchange 2010 setup on my home lab. I am using no-ip since i don’t have public ip and i have created wild card send connector, mx record pointing to my internal server on my home Windows DNS, I have created host in no-ip and added that host name into my godaddy dns.
No ip app is running. But my emails are not working what am i missing?
thanks
nick
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Your situation really has nothing to do with this article. But my suggestion is to go to the exrca.com website and do the inbound SMTP test.
Hi Paul
I think you have a little mistake in this line:
“The Client Access server role hosts the Frontend Transport service, which provides filtering of email traffic (eg antispam agents), ”
anti spam on exchange 2013 can only be installed on the mailbox role.
Salute hai mera tjhy!
Nice article , I would add two things , explain that all mails sent will be handled by transport before being sent , many ppl might believe it will go directly through the frontend service. 2nd many customers would like to dedicate certain servers to handle relay mails, i.e dedicate certain mailbox servers to handle only relay mails without harming internal mail flow (just like we used to do bu putting certains hub servers in a seperate ad site or execlude through set-mailboxserver)
Isn’t it still best practice to lock down anonymous access by IP address? Any ExRAP will flag an internal open relay as Bad. I have over 3000 unique IPs hitting my internal 2007 relay and I would like to lock it down on the 2013 one before cutover. There are entirely too many Devs sending mail to my relay from their workstation.
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
Are you referring to internal relay or external relay?
Internal relay (ability to send to internal recipients) is going to be available to anybody who connects to the Default Frontend connector on the CAS.
External relay (ability to send to external recipients) is certainly worth locking down by IP, which is demonstrated above.
I’m refering to both. My Default FrontEnd connector is locked down to only accept mail from Exchange Servers and EOP. I want my application relay to be able to send to internal recipients and external customers but locked by source IP address. I know you said if the IP is listed in the connector then it will use that connector, it is the IPs not in the connector I’m worried about. By adding a DNS name and assigning it my VIP address, as long as one connector on port 25 is open to 0.0.0.0-255.255.255.255 then I have an nice big hole in my environment for explotation.
Was this ever addressed?
Of course I am still the own idiot on the planet cuz’ I type get commands and get not recognized as internal or external command. Need to move to a different product as this is getting to be a very large problem lately.
Really wish someone had a solution after all theses years.
Why do all your solutions never work!!!?
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
You probably won’t see this reply since you provided a fake email address, and even though the fake email address throws a few insults at me, I’m going to help you out anyway. Everyone is a beginner at some stage and asking for help politely isn’t difficult.
If you’re trying the commands in the article above and getting an error that they aren’t “recognized as an internal or external command”, then it’s likely that you’re trying to run them in a command prompt. The commands used in this article are PowerShell commands, specifically Exchange management shell commands. To follow the steps in this article you’ll need to use the Exchange management shell, which is installed on Exchange servers or separately on admin workstations.
Hope that helps. Enjoy the rest of your day.