A common need that often an Exchange administrator has to satisfy is the creation of a relay connector to allow applications or hardware appliances to send emails, usually this can be broken into two main scenarios
- Internal Delivery Relay Connector – In this scenario you have an application, like backup software, that needs to send emails to recipients that are internal to the Exchange organization
- External Delivery Relay Connector – In this scenario the application needs to be able to send emails to recipients which are external to the Exchange organization like for example when using an application to send newsletter to your customers
In the post I will show you how to configure the Exchange 2013 Relay Connector to cover both the scenarios, to fully understand the components and services involved I suggest you to read the Exchange 2013 Transport Architecture article.
It does not matter if you have deployed a multi role Exchange 2013 server or you have deployed multiple servers to split the roles when configuring a mail relay connector there will be multiple services involved for the delivery of the message, the involved services can easily be enumerated with the following commands
Get-Service | Where-Object DisplayName -like "*Transport*" |Select DisplayName DisplayName ----------- Microsoft Exchange Mailbox Transport Delivery Microsoft Exchange Frontend Transport Microsoft Exchange Mailbox Transport Submission Microsoft Exchange Transport Microsoft Exchange Transport Log Search
It has to be noted that the Exchange Frontend Transport is displayed as the machine where I’ve run the command is multi role server hosting the CAS role independently of this it is very important to know that the Frontend Transport service is the only one listening on SMTP port 25 so the one that is relevant to us.
Internal Delivery Relay Connector
When the Client Access Role is installed the server is configured with a Received Connector named Default Frontend listening on Port 25 allowing anonymous connections as you can easily verify via a telnet connection
220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 17:33:35 +0200 helo relay.com 250 SZHV-EXM01.mcse.lab Hello [::1] mail from:<firstname.lastname@example.org> 250 2.1.0 Sender OK rcpt to:<email@example.com> 250 2.1.5 Recipient OK data 354 Start mail input; end with . subject:Test Relay Just testing anonymous relay . 250 2.6.0 <firstname.lastname@example.org> [InternalId=64424509441, Hostname=SZHV-EXM01.mcse.lab] Queued mail for delivery quit 221 2.0.0 Service closing transmission channel
As the Frontend Trasnsport Service is the entry point for any external SMTP connection it is logical that it allows relay of messages to internal recipients so the only thing that optionally you need to take care of is creating necessary DNS records so that devices and applications can connect to the Exchange relay connector via a name rather than an IP.
External Delivery Relay Connector
Although Frontend Trasnport Service allows relay for internal recipients it will now allow relay to external recipients again you can use telnet to verify this
220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 17:42:27 +0200 helo mcse.lab 250 SZHV-EXM01.mcse.lab Hello [::1] mail from:<email@example.com> 501 5.1.7 Invalid address mail from:<firstname.lastname@example.org> 250 2.1.0 Sender OK rcpt to:<email@example.com> 550 5.7.1 Unable to relay
As you can see Exchange refused to deliver my message to the external recipient with the Unable to relay error message to configure the relay connector to allow external delivery you need to configure a new Receive Connector which can be done either via the GUI or using Exchange Management shell.
Open Exchange 2013 Administration Center and go to Mail Flow → Receive Connectors click the + sign
In the New Receive Connector window give the new connector a descriptive name and, like in the example below, you are using a multi role server, select Front End Transport under Role and Custom under Type
If the server has a single network interface the default binding will do just fine otherwise select the network adapter binding accordingly
By default all IP addresses will be allowed to relay through the newly created relay connector most of the times this is not the desired configuration so you will need to specify the IP address or IP range that will be allowed to send email through the relay connector
Once the allowed IP Addresses have been specified the new receive connector will appear in the Receive Connectors list
To allow relay of message outside the Exchange organization you have to specify the Permissions group, in this scenario anonymous users, and grant anonymous users permissions to use the connector highlight it, select the pencil icon, select the Security tab and tick the Anonymous Users check box
Finally to grant necessary permissions open a Management Shell session and issue the following command
Get-ReceiveConnector "External Relay Connector" | Add-ADPermission -User 'NT AUTHORITYAnonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient Identity User Deny Inherited -------- ---- ---- --------- SZHV-EXM01Extern... NT AUTHORITYANON... False False
[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: When you enable Anonymous Users checkbox the following permissions are added to the connector
As you can see MS-Exch-SMTP-Accept-Any-Recipient is not among these so it is necessary to add it manually via Exchange Management Shell [/su_note]
The configuration can be easily validated again using telnet
220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 20:17:19 +0200 helo mcse.lab 250 SZHV-EXM01.mcse.lab Hello [192.168.1.20] mail from:firstname.lastname@example.org 250 2.1.0 Sender OK rcpt to:email@example.com 250 2.1.5 Recipient OK
As you can see above the server accepted the message and queued it up for delivery.
What matters is being specific
Once of the questions I receive more often is “How does Exchange knows which connector to use if both the Default Connector and the newly created one are listening on all IP addresses?” the answer to the question lies in how specific you are with the configuration.
The Default Front End connector has the following configuration under Remote Network which can be translated to anything Where the connector we created has more specific Remote Network settings in my lab
If the server accepts two connections one from IP 192.168.1.10 and the other from IP 192.168.1.20 it will know to handle the latter via the External Relay connector that we created.