Written: 06 Jun 2008 | Last Updated: 31 Oct 2008 | Author: Nitin Gupta
How to Allow Application Servers to Relay via Exchange 2007 Server
Almost every organization that deploys a messaging server such as Exchange 2007
needs to use that server as an SMTP server for sending alerts, mails and notifications from
application servers such as helpdesk management, CRM, financial application and project management servers.
Out of the box, Exchange (all versions) allows authenticated relaying. If your internal
servers are able to authenticate, they should be able to relay without any modifications.
If the server or device is unable to authenticate and tries to relay, it gets the SMTP error message "550 5.7.1 Unable to relay".
Business scenario [A]:
Grant the minimum required permissions for relay to a printer (or any server)
that cannot authenticate but needs to relay.
- Domain: nitingupta.in
- Exchange Server (Hub/Edge) IP: 192.168.1.2
- Printer IP: 192.168.1.33
- Receive Connector Name: AllowPrinterRelay
How to go about it:
- Verify that the necessary permissions are in place to perform the activity
-   Exchange Server Administrator
-   Membership in the local Administrators group for Hub/Edge server
- Create a new Receive connector and add the AnonymousUsers permission group
New-ReceiveConnector -Name "AllowPrinterRelay" -usage Custom -Bindings '192.168.1.2:25' -RemoteIPRanges 192.168.1.33 -permissiongroups AnonymousUsers
- Grant the relay permission to Anonymous Logon on the connector
Get-ReceiveConnector "AllowPrinterRelay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Business scenario [B]:
Configure an externally secured Receive connector to allow a web server to relay via Exchange and have its messages treated as authenticated, so as to
-   Bypass anti-spam checks
-   Avoid Message size limit checks
-   Resolve anonymous senders
- Domain: nitingupta.in
- Exchange Server (Hub/Edge) IP: 192.168.1.2
- Webserver IP: 10.0.0.2
- Receive Connector Name: AllowWebServerToRelay
How to go about it:
- Verify that the necessary permissions are in place to perform the activity
-   Exchange Server Administrator
-   Membership in the local Administrators group for Hub/Edge server
- Create a new Receive connector, add the ExchangeServers permission group and
assign ExternalAuthoritative to the connector
New-ReceiveConnector -Name "AllowWebServerToRelay" -Usage Custom -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers -Bindings 192.168.1.2:25 -RemoteIpRanges 10.0.0.2
Note: I would always avoid Option B, and always follow option A
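A follow-up check for both scenarios, added here as an example and not part of the original article: it lists every relay-capable Receive connector whose RemoteIPRanges reaches beyond the single hosts that were approved. The function name Get-RelayFinding, the AnonymousRelay property, the approved list, the extra host 10.0.0.7 and the connector "Constructed-WideRelay" are assumptions made for the illustration.

```powershell
# Added example (not from the article). Assumes PowerShell 2.0 or later.
# Get-RelayFinding and the AnonymousRelay property are hypothetical names.
function Get-RelayFinding {
    param([object[]]$Connector, [string[]]$ApprovedSource)
    foreach ($c in $Connector) {
        # Scenario B connectors treat every message as authenticated.
        $external = "$($c.AuthMechanism)" -match 'ExternalAuthoritative'
        if (-not ($c.AnonymousRelay -or $external)) { continue }  # cannot relay
        foreach ($range in $c.RemoteIPRanges) {
            $source = "$range"
            if ($source -match '[-/]') { $reason = 'range or subnet instead of a single host' }
            elseif ($ApprovedSource -notcontains $source) { $reason = 'host is not on the approved list' }
            else { continue }
            New-Object PSObject -Property @{
                Connector = $c.Name; Source = $source
                Reason = $reason; TreatedAsAuthenticated = $external
            }
        }
    }
}

# In the Exchange Management Shell, build the input from the live connectors:
# $connectors = Get-ReceiveConnector | ForEach-Object {
#     $ace = Get-ADPermission $_.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
#         Where-Object { -not $_.Deny -and
#             ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }
#     $_ | Add-Member NoteProperty AnonymousRelay ([bool]$ace) -PassThru
# }

# Constructed sample input: the article's two connectors (one with an extra,
# unapproved host) plus one made-up connector left on the catch-all range.
function New-SampleConnector($Name, $Ranges, $Auth, $Anonymous) {
    New-Object PSObject -Property @{ Name = $Name; RemoteIPRanges = $Ranges
        AuthMechanism = $Auth; AnonymousRelay = $Anonymous }
}
$connectors = @(
    New-SampleConnector 'AllowPrinterRelay' @('192.168.1.33') 'Tls' $true
    New-SampleConnector 'AllowWebServerToRelay' @('10.0.0.2', '10.0.0.7') 'ExternalAuthoritative' $false
    New-SampleConnector 'Constructed-WideRelay' @('0.0.0.0-255.255.255.255') 'Tls' $true
)

Get-RelayFinding -Connector $connectors -ApprovedSource '192.168.1.33', '10.0.0.2' |
    Format-Table Connector, Source, Reason, TreatedAsAuthenticated -AutoSize
```

An empty result means every relay-capable connector is scoped to approved single hosts; any row with TreatedAsAuthenticated set to True deserves attention first, because mail from that source also bypasses anti-spam and size-limit checks.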