Tuesday, July 20, 2010

Anonymous Relay with Exchange 2007/2010

I have seen this situation/question come up over and over again, so I decided to write a blog post on it.  The question: “How do I configure Exchange to receive email from the Internet or from an MFP scanner?”  You might think this is pretty straightforward, but I have seen it misconfigured over and over.

Exchange 2007/2010 comes with two default receive connectors installed per HUB Transport server: “Default Servername” and “Client Servername”.  The “Default Servername” connector is used for all connections from other HUB or Edge Transport servers in the organization.  The “Client Servername” connector is used for all SMTP connections from all non-MAPI clients, such as POP or IMAP.  This is the default view for every HUB Transport server.

[Screenshot: Anonymous-Default-markup]

Most likely a connection from the Internet or from an MFP scanner will need to reach Exchange via SMTP as an anonymous user or with basic authentication.  Let’s discuss anonymous connections.  I have seen other posts instruct administrators to allow anonymous connectivity through the “Default Servername” receive connector.  My advice: leave the two default receive connectors alone and add a new receive connector to handle all anonymous connectivity and all other non-default connectivity.  Allowing anonymous relay is a security risk and should be tightly controlled where it is needed.  By creating a separate receive connector I get a warm fuzzy because I have segmented off all non-default traffic to its own connector and I can create a whitelist of IP addresses that are allowed to use it.

So, let’s get started… In EMC, navigate to the Server Configuration –> Hub Transport node and select New Receive Connector in the Action pane.  This will open the New Receive Connector wizard.  Let’s name the connector “Anonymous Relay” and select Custom from the drop-down.

[Screenshot: Anonymous-Wiz1]

On the Remote Network Settings page, delete the default all-inclusive IP range and add only the IP addresses you want the connector to accept connections from.  We will add our MFP scanner and our hosted spam/hygiene service.  Note that you can also add IP ranges and whole subnets.

[Screenshot: Anonymous-Wiz2]

Complete the wizard.  Once the connector is created it will show alongside the default receive connectors.

[Screenshot: Anonymous-Connector-markup]

Now, to enable anonymous connectivity, right-click the connector and select Properties.  Select the Permission Groups tab and check the Anonymous Users check box.

[Screenshot: anonymous-Connector-prop-anonymous]

We are almost done.  Before the last step, note that we could have created the exact same connector by running the following command in EMS.

New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings '0.0.0.0:25' -RemoteIpRanges '10.1.1.250','10.2.2.2-10.2.2.100','74.2.2.2'

[Screenshot: Anonymous-EMS-create-crop]

Now the last step: allow anonymous relay through the connector.  Yes, this is the step that most people forget.  Anonymous relay is not enabled by default.  The Anonymous Users setting from the previous step only granted permission to connect.  To allow anonymous relay, run the following command from EMS.

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

All done: we now have a specific receive connector for anonymous relay and can control which devices are allowed to use it.
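As an added verification step (example code, not part of the original post), the audit below runs in EMS (PowerShell 2.0 or later assumed) and reports, for every receive connector, whether Anonymous Users is a permission group, whether ANONYMOUS LOGON actually holds Ms-Exch-SMTP-Accept-Any-Recipient (the relay right granted above), and flags any connector that grants relay while its remote IP ranges still contain the wizard's all-inclusive default range. The function name Get-AnonymousRelayReport is hypothetical.

```powershell
# Added audit script, not from the original post. Run in the Exchange Management Shell.
# The range the New Receive Connector wizard pre-fills and the post says to delete:
$OpenRange = '0.0.0.0-255.255.255.255'

function Get-AnonymousRelayReport {
    foreach ($rc in Get-ReceiveConnector) {
        # Explicit (non-inherited, non-deny) ACEs held by the anonymous principal
        $anonAces = $rc | Get-ADPermission |
            Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and -not $_.IsInherited -and -not $_.Deny }

        # Relay is only possible once Ms-Exch-SMTP-Accept-Any-Recipient was granted,
        # i.e. the Add-ADPermission step described in the post.
        $relayRight = [bool]($anonAces | Where-Object {
            $_.ExtendedRights -like '*Ms-Exch-SMTP-Accept-Any-Recipient*' })

        # Stringify each IPRange so it can be compared against $OpenRange
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { "$_" })

        New-Object PSObject -Property @{
            Connector      = $rc.Identity
            AnonymousUsers = ($rc.PermissionGroups -match 'AnonymousUsers')
            AnonymousRelay = $relayRight
            RemoteIPRanges = ($ranges -join ', ')
            # Relay right granted on a connector that accepts from any source = open relay
            OpenRelayRisk  = ($relayRight -and ($ranges -contains $OpenRange))
        }
    }
}

Get-AnonymousRelayReport |
    Select-Object Connector, AnonymousUsers, AnonymousRelay, RemoteIPRanges, OpenRelayRisk |
    Sort-Object OpenRelayRisk -Descending |
    Format-Table -AutoSize
```

A correctly built "Anonymous Relay" connector shows AnonymousRelay True with only the whitelisted addresses in RemoteIPRanges, while the two default connectors should show AnonymousRelay False; any row with OpenRelayRisk True is the misconfiguration the post warns about.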
