Allow a Server to “Relay” Through Microsoft Exchange

KB ID 0000542

Problem

Back in the early days of email, just about all mail servers let you relay mail through them. That was fine until someone worked out you could then get someone else to send out your “spam”, and they would look like the guilty party. Even today people misconfigure their Exchange servers and make them an open relay.

But what happens if you have a particular server or machine that you want to let use your Exchange server as a relay, e.g. a Linux server that sends mail, or a SQL server running SQLMail? Then you need to allow relaying from either that IP address or the network it’s on.

Allow Relay from an IP with Office 365 (Exchange Online)

Allow Relay from an IP with Exchange 2016 & 2013

Allow Relay from an IP with Exchange 2010

Allow Relay from an IP with Exchange 2007

Allow Relay from an IP with Exchange 2003

Allow Relay from an IP with Exchange 2000

Solution

Allow Relay from an IP with Exchange 2010 and 2007

1. From the Exchange Management Console > Server Configuration > Hub Transport > New Receive Connector.

2. Give the connector a name and select Custom > Next.

3. Next.

4. Add > Add in the IP address(es) or network you want to allow relay from > OK.

5. Select the 0.0.0.0 255.255.255.255 entry and click DELETE.

Warning: Leaving this entry in will make your Exchange Server an Open Relay. (Note: This does NOT mean that your default connector is an “Open Relay”, as that one uses “authentication”.)

6. Next.

7. New.

8. Finish.

9. Select your new connector then right click > Properties.

10. On the Permission Groups tab ensure “Exchange Servers” is selected.

11. On the Authentication Tab > Tick “Externally Secured (for example with IPSEC).” > Apply > OK.

Allow Relay from an IP with PowerShell

The following PowerShell does the same as above:

[box]New-ReceiveConnector -Name "Server2 Allow Relay" -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges 172.16.254.207 -Server DC2A -PermissionGroups ExchangeServers -AuthMechanism 'TLS, ExternalAuthoritative'[/box]

Allow Relay from an IP with Exchange 2003 and 2000

1. Launch Exchange System Manager > Administrative Groups > Administrative group Name > Servers > Servername > SMTP > Right click Default SMTP Virtual Server > Properties.

Note: If you can’t see administrative groups, right click the top level (in this case “First Organization (Exchange)”) and tick the box to show administrative groups.

2. Access Tab > Authentication > Ensure “Anonymous Access” is enabled.

3. Click Relay > Ensure the default of “Only the list below” is selected > Add.

4. Add in the IP address(es), networks or domains you want to allow ‘relaying’ from > OK.

5. OK > Apply > OK.


Related Articles, References, Credits, or External Links

Exchange – Are you an Open Relay?

Exchange – Are you an Open Relay?

KB ID 0000087 

Problem

When email was a new medium, pretty much all mail servers were open relays, and nobody really cared; after all, if someone in Nigeria wanted to relay mail through a college server in Manchester, then why shouldn’t they? Sadly, with the explosion of email and internet use this is no longer an option, because all those annoying emails you get for Viagra or insider stock tips have probably been sent to you through an open relay. That’s to say, by someone like you with a mail server that’s happily sending out someone else’s mail.

Now you may be the sort of person who does not care. If that’s true then “be warned”: major ISPs and email handlers are routinely blocking “suspect” mail servers. You might not even know you had a problem, and the first thing you know about it is that you can’t send mail to a particular domain because you are on a blacklist, or worse, your ISP cuts off your internet access, or you get an early knock on the door from some nice men in suits wanting to know why 400GB of “dodgy photos” was sent from your IP address this morning.

Solution

Test your Mail Server with Telnet


1. OK – the first thing we need to do is get on a PC that isn’t logged into the domain (Exchange can be set to relay mail from a client that’s authenticated to the domain regardless), so take that out of the equation by not being in the domain. Now open a good old fashioned command window: Click Start > Run > CMD {enter}
Alert! – To put “Run” on your start menu > Right click your task bar > Properties > Start Menu tab > Customise > Tick “Run Command” > OK > OK.

2. You now need to connect to your mail server using a telnet command. To do this you need to know either the name or the IP address of the server. The command is:
telnet <IP Address or Server Name> 25 {enter}

‘Telnet’ is not recognized as an internal or external command

3. The server should respond with a “Banner”; this lets you know you have connected successfully. NOTE: some anti-virus programs block this (McAfee for example); you need to go to its access protection settings and untick “Prevent mass mailing worms from sending mail”. Don’t forget to turn it back on again later 🙂

4. You are going to send an email from the command line. The first thing you need to do is say hello to the server; as this is an Exchange server the command is:
ehlo {enter}
What we want to see are 250 messages; in our example we got:
250-server1.petenetlive.com Hello [10.254.254.60]

5. Type the following:
mail from:test@test.com{enter}
Again we want to see a 250 message; if you didn’t get one you made a spelling mistake, so start again 🙁
In our example we got:
250 2.1.0 test@test.com....Sender OK

6. Now we are going to attempt to relay mail for a different domain; this will tell us if the server is an open relay or not. Type the following:
rcpt to:badperson@nastyspammer.com{enter}
Note: if the server gives you a message like
550 5.7.1 Unable to relay for badperson@nastyspammer.com
THIS MEANS YOU ARE NOT AN OPEN RELAY.


NOTE: if the server responds with
250 2.1.5 badperson@nastyspammer.com
then either you ignored me in step 1 and you’re in the domain – or YOU ARE AN OPEN RELAY.
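The same EHLO / MAIL FROM / RCPT TO dialogue, as an added PowerShell example for testing your own server (not part of the original article); the server name and the test addresses are placeholders, and as in step 1 it is only meaningful when run from a machine that is not joined to the domain:

```powershell
# Added example, not from the original article: performs the article's telnet dialogue
# against your OWN mail server and reports whether a foreign recipient was accepted
# (open relay) or refused with 550 5.7.1. $Server, $From and $To are placeholders.
function Test-OpenRelay {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port = 25,
        [string] $From = 'test@test.com',               # external sender used in step 5
        [string] $To   = 'badperson@nastyspammer.com'   # external recipient used in step 6
    )
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, $Port
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader -ArgumentList $stream
    $writer = New-Object System.IO.StreamWriter -ArgumentList $stream
    $writer.NewLine   = "`r`n"   # SMTP lines end in CRLF
    $writer.AutoFlush = $true

    # An SMTP reply may span several lines: "250-..." continues, "250 ..." (space) ends it.
    function Read-SmtpReply {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        return $line
    }

    try {
        $banner = Read-SmtpReply                                                 # step 3: banner
        $writer.WriteLine('EHLO relaytest.example'); $null      = Read-SmtpReply # step 4
        $writer.WriteLine("MAIL FROM:<$From>");      $mailReply = Read-SmtpReply # step 5
        $writer.WriteLine("RCPT TO:<$To>");          $rcptReply = Read-SmtpReply # step 6
        $writer.WriteLine('QUIT')
    }
    finally { $client.Close() }

    [pscustomobject]@{
        Server      = $Server
        Banner      = $banner
        SenderReply = $mailReply
        RcptReply   = $rcptReply
        # 250 on RCPT TO for a foreign domain = open relay; 550 5.7.1 "Unable to relay" = good.
        OpenRelay   = [bool]($rcptReply -like '250*')
    }
}

# Example call (placeholder server name):
# Test-OpenRelay -Server mail.example.local
```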

Officially there are three things that, if set wrong, can leave you as an open relay:

1. Your Default SMTP Virtual Server.

2. Your SMTP Connector.

3. You have ISA Server installed and set incorrectly.

Step 1 – Check the SMTP Virtual Server

1. On the Exchange Server Click Start > All Programs > Microsoft Exchange > System Manager.

2. Expand Administrative Groups > First Administrative group > Servers > {your server name} > Protocols > SMTP > Right Click “Default SMTP Virtual Server” > Properties.

3. On the properties window select the Access tab > Click the “Relay” Button.

4. On the “Relay Restrictions” window check that “Only the list below” is selected. It’s not unusual (in fact it’s the default) for the list to be empty; you may see the Exchange server IP addresses in here, or in some cases other hosts on your network that have been set up to relay mail (backup software that emails you, or SQL servers that email events, for example). Ensure the box at the bottom that says “Allow all computers that successfully authenticate to relay, regardless of the list above” IS TICKED.

Step 2 – Check the SMTP Connector

NOTE: You might not have an Exchange connector; don’t panic if it’s not there 🙂

1. On the exchange Server Click Start > All Programs > Microsoft Exchange > System Manager.


2. Expand Administrative Groups > First Administrative group > Routing Groups > First Routing Group > Connectors > {your connector name}
NOTE – you may have many different routing groups, and the path in your Exchange System Manager might be under Servers > {your server name} > Connectors.

3. Right click your connector and select Properties.

4. Select the “Address Space” tab > You should see the following > Address Type = SMTP > Address = * > Cost = 1 > Connector Scope = “Entire Organisation” > “Allow Messages to be relayed to these domains” IS NOT TICKED.

Step 3 – Check ISA

ISA Server 2000 had a problem where, if you had a mail publishing rule for SMTP, it set an open relay – check! Also make sure 127.0.0.1 is NOT in the list of IP addresses that are allowed to relay in the properties section of the Default SMTP Virtual Server.

Related Articles, References, Credits, or External Links

NA

Exchange 2019, 2016, 2013 – Allowing a Host/IP to Relay Mail

KB ID 0000891 

Problem

There are a few more hoops to jump through to allow a host to relay through Exchange 2013. For earlier versions of Exchange see the links below.

Allow Relay from an IP With Office 365 (Exchange Online)

Allow Relay from an IP with Exchange 2010

Allow Relay from an IP with Exchange 2007

Allow Relay from an IP with Exchange 2003

Allow Relay from an IP with Exchange 2000

Solution

How to create a ‘Relay’ Receive Connector


1. Connect to the Exchange admin center > Mail flow > receive connectors > Add.

2. Give the connector a name (take note of it, you will need it in a minute) > Select ‘Frontend Transport’ > Custom > Next.

3. Accept the default of TCP Port 25 (SMTP) > Next.

4. REMOVE the 0.0.0.0-255.255.255.255 range. (WARNING: If you do not do this you will become an open relay).

5. Add in the IP address of the host (from which you want to allow relaying) > Save.

6. Open the properties of the connector you just created > Security > Under Authentication select ‘Externally Secured (for example with IPSEC)’ > Under Permission groups, select ‘Exchange servers’ and ‘Anonymous users’ > Save.

7. At this point, you may find that when you test from the host you get the following error:

421 4.4.1 Connection timed out

I would suggest you change some parameters of the receive connector. Execute the following PowerShell command:

[box]

Get-ReceiveConnector -Identity "Relay-Connector-Name" | Set-ReceiveConnector -TarpitInterval 00:00:00 -ConnectionTimeout 00:30:00 -ConnectionInactivityTimeout 00:20:00 -MaxAcknowledgementDelay 00:00:00 -MaxInboundConnection 10000 -MaxInboundConnectionPercentagePerSource 100 -MaxInboundConnectionPerSource unlimited

[/box]

8. Restart the Microsoft Exchange Transport Service on the Exchange server.

[box]Restart-Service MSExchangeTransport[/box]
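Steps 1 to 6 as one PowerShell command, followed by an audit that flags any receive connector showing the combination step 4 warns about (an “Externally Secured” connector whose remote range still covers every IPv4 address). This is an added example, not the article’s own code; the server name ‘EX01’, the connector name and 172.16.254.207 are placeholders, and the audit applies equally to the Exchange 2010/2007 connector created earlier on this page:

```powershell
# Added example, not from the original article: create the relay connector from steps 1-6,
# then audit every receive connector for the open-relay combination warned about in step 4.
# Assumptions: 'EX01', 'Relay-Connector-Name' and 172.16.254.207 are placeholders; run this
# in the Exchange Management Shell on an Exchange 2013 or later server.
$server    = 'EX01'
$relayHost = '172.16.254.207'   # host allowed to relay; a subnet such as 172.16.254.0/24 also works

New-ReceiveConnector -Name 'Relay-Connector-Name' -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayHost `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers, AnonymousUsers

function Get-OpenRelayRisk {
    # One row per receive connector. RiskyOpenRelay is $true when the connector trusts every
    # connecting host (ExternalAuthoritative) AND accepts connections from all of IPv4, i.e.
    # the 0.0.0.0-255.255.255.255 range was left in place.
    Get-ReceiveConnector | ForEach-Object {
        $ranges  = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $allIPv4 = $ranges -contains '0.0.0.0-255.255.255.255'
        $extAuth = "$($_.AuthMechanism)" -match 'ExternalAuthoritative'
        [pscustomobject]@{
            Connector      = $_.Identity.ToString()
            Role           = $_.TransportRole
            RemoteIPRanges = ($ranges -join ', ')
            AuthMechanism  = "$($_.AuthMechanism)"
            RiskyOpenRelay = ($allIPv4 -and $extAuth)
        }
    }
}

# Show only connectors that need fixing; an empty result is what you want.
Get-OpenRelayRisk | Where-Object { $_.RiskyOpenRelay } | Format-Table -AutoSize
```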

Exchange 2013 – Test Email Relaying from your ‘Allowed IP’

1. Go to the machine you have allowed relaying from, and attempt to ‘relay’ mail. In the example below I’m attempting to send an email to test@relay.com. In the first example we cannot relay, so something has been misconfigured.

2. However this time we CAN relay so our connector is configured properly.


Related Articles, References, Credits, or External Links

NA