Allow a Server to “Relay” Through Microsoft Exchange

KB ID 0000542

Problem

Back in the early days of email, just about all mail servers let you relay mail through them. That was fine until someone worked out that you could get someone else's server to send out your spam, and they would look like the guilty party. Even today people misconfigure their Exchange servers and turn them into an open relay.

But what if you have a particular server or machine that you want to let use your Exchange server as a relay, e.g. a Linux server that sends mail, or a SQL server running SQLMail? Then you need to allow relaying from either that IP address or the network it's on. Allow only the hosts that actually need it: a whole subnet is only appropriate when every machine on it is trusted, because anything that can reach the relay connector can send as anyone to anyone.

Allow Relay from an IP with Office 365 (Exchange Online)

Allow Relay from an IP with Exchange 2016 & 2013

Allow Relay from an IP with Exchange 2010

Allow Relay from an IP with Exchange 2007

Allow Relay from an IP with Exchange 2003

Allow Relay from an IP with Exchange 2000

Solution

Allow Relay from an IP with Exchange 2010 and 2007

1. From the Exchange Management Console > Server Configuration > Hub Transport > New Receive Connector.

2. Give the connector a name and select Custom > Next.

3. Next.

4. Add > Add in the IP address(es) or network you want to allow relay from > OK.

5. Select the 0.0.0.0-255.255.255.255 entry (the wizard adds it by default) and delete it.

Warning: Leaving this entry in will make your Exchange Server an open relay. (Note: this does NOT mean that your default receive connector is an open relay. The default connector accepts anonymous mail only for your own accepted domains and requires authentication before it will relay to anywhere else.)

6. Next.

7. New.

8. Finish.

9. Select your new connector then right click > Properties.

10. On the Permission Groups tab ensure "Exchange Servers" is ticked. (Exchange will not let you select "Externally Secured" on the next tab until this group is granted.)

11. On the Authentication tab > tick "Externally Secured (for example, with IPsec)" > Apply > OK. Externally Secured tells Exchange to treat every connection from the listed IP ranges as a fully trusted server: it can relay to any recipient and it bypasses anti-spam checks, so keep the remote IP list to the hosts that genuinely need it.

Allow Relay from an IP with PowerShell

The following PowerShell does the same as above (run it from the Exchange Management Shell; the connector name, server name and IP address are examples):

[box]New-ReceiveConnector -Name "Server2 Allow Relay" -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges 172.16.254.207 -Server DC2A -PermissionGroups ExchangeServers -AuthMechanism 'TLS, ExternalAuthoritative'[/box]
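The following is an added example (not from the original KB) that does the same job for several hosts at once and then checks the result: that the connector does not still contain the catch-all range, that the relay right has been granted the way Externally Secured is supposed to grant it, and that no other connector on the server hands anonymous senders the relay right. The connector name, server name and IP ranges are assumptions; run it from the Exchange Management Shell on an Exchange 2010/2007 Hub Transport server.

```powershell
# Added example, not from the original KB. Assumed values below; change them to suit.
$Name       = "Server2 Allow Relay"                      # assumed connector name
$Server     = "DC2A"                                     # assumed Hub Transport server
$RelayHosts = @("172.16.254.207", "10.10.20.0/24")       # assumed hosts/networks allowed to relay

New-ReceiveConnector -Name $Name -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $RelayHosts `
    -PermissionGroups ExchangeServers `
    -AuthMechanism "TLS, ExternalAuthoritative"

# Check 1: the connector must not contain the catch-all range the wizard adds by default.
# Exchange picks the connector with the most specific RemoteIPRanges match, so a
# catch-all range here would turn this connector into an open relay.
$rc = Get-ReceiveConnector -Identity "$Server\$Name"
$catchAll = $rc.RemoteIPRanges | Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" }
if ($catchAll) {
    Write-Warning "'$Name' accepts connections from any IP: this is an open relay"
}

# Check 2: show who holds the relay right (ms-Exch-SMTP-Accept-Any-Recipient) on this
# connector. With Externally Secured it should be the Exchange Servers group, not Anonymous.
Get-ADPermission -Identity "$Server\$Name" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Select-Object User, ExtendedRights, Deny

# Check 3: no connector on this server should grant anonymous senders the relay right.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $anonRelay = Get-ADPermission -Identity $_.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny }
    if ($anonRelay) {
        Write-Warning "Connector '$($_.Name)' grants anonymous relay"
    }
}
```

Check 2 and check 3 are worth running after any later change too: the common way an Exchange server quietly becomes an open relay is someone granting ms-Exch-SMTP-Accept-Any-Recipient to Anonymous Logon on a connector whose remote IP range is wider than intended.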

Allow Relay from an IP with Exchange 2003 and 2000

1. Launch Exchange System Manager > Administrative Groups > Administrative group Name > Servers > Servername > SMTP > Right click Default SMTP Virtual Server > Properties.

Note: If you can't see Administrative Groups, right click the top level (in this case "First Organization (Exchange)") and tick the box to show administrative groups.

2. Access Tab > Authentication > Ensure “Anonymous Access” is enabled.

3. Click Relay > Ensure the default of "Only the list below" is selected > Add. (Do not select "All except the list below"; that makes the server an open relay.)

4. Add in the IP address(es), networks or domains you want to allow relaying from > OK.

5. OK > Apply > OK.
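Whichever version you configured, the useful check is the one the next machine along will perform: connect to port 25 and see whether the server accepts a recipient outside your own domains. The following is an added example (not part of the original KB) that does that by hand over a raw socket, so it works against Exchange 2003 as well as 2010/2007. The server name, sender and recipient addresses are assumptions; run it once from the host you added to the relay list and once from any other machine.

```powershell
# Added example, not from the original KB. Talks plain SMTP to the server and reports
# what it says at RCPT TO, which is where relay is allowed or refused.
function Invoke-SmtpRelayTest {
    param(
        [string]$Server   = "exchange.example.local",       # assumed Exchange server name
        [int]   $Port     = 25,
        [string]$From     = "relaytest@example.local",      # assumed sender in an accepted domain
        [string]$To       = "someone@external-example.com", # assumed recipient outside the org
        [string]$HeloName = $env:COMPUTERNAME
    )

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # Read one SMTP reply. "250-..." lines are continuations; "250 ..." ends the reply.
        $readReply = {
            do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
            $line
        }
        $send = { param($cmd) $writer.WriteLine($cmd); & $readReply }

        $banner = & $readReply
        $ehlo   = & $send "EHLO $HeloName"
        $mail   = & $send "MAIL FROM:<$From>"
        $rcpt   = & $send "RCPT TO:<$To>"     # the reply that tells you whether relay is allowed
        & $send "QUIT" | Out-Null

        [pscustomobject]@{
            Server       = $Server
            Banner       = $banner
            MailFrom     = $mail
            RcptTo       = $rcpt
            RelayAllowed = ($rcpt -like "250*")
        }
    }
    finally {
        $client.Close()
    }
}

# Usage: from a host on the relay list RelayAllowed should be True; from anywhere else
# it should be False, with a reply such as "550 5.7.1 Unable to relay".
Invoke-SmtpRelayTest -Server "exchange.example.local" -To "someone@external-example.com" | Format-List
```

If a host that is not on the list gets a 250 at RCPT TO for an external recipient, the server is relaying for it: go back and look for a connector (or, on 2003, a relay list entry) that is wider than you meant it to be.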


Related Articles, References, Credits, or External Links

Exchange – Are you an Open Relay?

Exchange – 4.5.1. 4.4.0 Primary Target 4.2.1 unable to connect to alternative host

KB ID 0000790 

Problem

My colleague Allen was doing an Exchange 2003 to 2010 migration today, and things were not going well: mail refused to flow from the Exchange 2003 server to the Exchange 2010 server (it flowed from 2010 to 2003 without error). During migrations that's not unusual, and removing and recreating the routing group connectors usually fixes it, but he had done that. Mail was sitting in the Exchange 2003 server's outbound queues, on the queue that matched the routing group connector, but refused to move with the above error.

Solution

For about 45 minutes I was also scratching my head, but then I had a brainwave: if Exchange 2003 has a 'Smart Host' configured on the 'Default SMTP Virtual Server', it attempts to send traffic down the routing group connector via the smart host (which will obviously fail). Remove any entry from the smart host section.

When done, restart the SMTP service and the Microsoft Exchange Routing Engine service, and the queues should start to clear.

Related Articles, References, Credits, or External Links

NA