Using Exchange Server for Anonymous Mail Relay

From Exchange 2013 onwards, Exchange (by default) has been configured to accept email from any source. And this is true…as long as the recipient of said email is a user who resides in the Exchange Organisation. Should the recipient of the email be an external party, then Exchange will reject the email with the below SMTP Error code message:

550 5.7.54, Unable to relay recipient in non-accepted domain

This is typically found when there is an internal application that sends email to external parties. But I have also stumbled across this in an Exchange Hybrid environment where there was a requirement to route email to a specific domain back on-premises and out through Exchange to another SMTP service.

There are two options available. Authenticated mail relay or anonymous mail relay. For this blog post, we will focus on anonymous relay.

Exchange 2013 and later comes with several Receive Connectors by default. However, these connectors are configured to accept traffic from any location. For an anonymous relay, we want to be specific on what sources we accept anonymous SMTP traffic from.

Firstly, create a new Receive Connector within the Exchange Admin Centre. Give the connector a suitable name (Mail Relay in this example) and ensure the Role is set to Frontend Transport and the Type is Custom. The network adapter bindings can be left as default. It’s the remote network settings we want to be careful on. Remove the default IP range and include only ranges or IP addresses of sources that you want to accept anonymous SMTP traffic from to relay.

Once the connector is created, we jump in to the Exchange Management Shell to complete the configuration by running the two below commands:

Set-ReceieveConnector "SERVER\Mail Relay" -PermissionGroups AnonymousUsers

Get-ReceiveConnector "SERVER\Mail Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

Once the above commands are run Exchange will accept email from the sources defined in the receive connector and will relay them on to external recipients.

It’s important to note that Receive Connectors are local to each Exchange Server. If you have multiple servers that will receive email from the source, then the receive connector will need to be created on each server.


About the author