How to Configure a Relay Connector in Exchange 2013

A common need that often an Exchange administrator has to satisfy is the creation of a relay connector to allow applications or hardware appliances to send emails, usually this can be broken into two main scenarios

  • Internal Delivery Relay Connector – In this scenario you have an application, like backup software, that needs to send emails to recipients that are internal to the Exchange organization
  • External Delivery Relay Connector – In this scenario the application needs to be able to send emails to recipients which are external to the Exchange organization like for example when using an application to send newsletter to your customers

In the post I will show you how to configure the Exchange 2013 Relay Connector to cover both the scenarios, to fully understand the components and services involved I suggest you to read the Exchange 2013 Transport Architecture article.

It does not matter if you have deployed a multi role Exchange 2013 server or you have deployed multiple servers to split the roles when configuring a mail relay connector there will be multiple services involved for the delivery of the message, the involved services can easily be enumerated with the following commands

Get-Service | Where-Object DisplayName -like "*Transport*" |Select DisplayName

Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Frontend Transport
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search

It has to be noted that the Exchange Frontend Transport is displayed as the machine where I’ve run the command is multi role server hosting the CAS role independently of this it is very important to know that the Frontend Transport service is the only one listening on SMTP port 25 so the one that is relevant to us.

Internal Delivery Relay Connector

When the Client Access Role is installed the server is configured with a Received Connector named Default Frontend listening on Port 25 allowing anonymous connections as you can easily verify via a telnet connection

220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 17:33:35 +0200
250 SZHV-EXM01.mcse.lab Hello [::1]
mail from:<>
250 2.1.0 Sender OK
rcpt to:<lethe@mcse.lab>
250 2.1.5 Recipient OK
354 Start mail input; end with .
subject:Test Relay
Just testing anonymous relay
250 2.6.0 <bac81545e9344c97b27ebea4629735cc@szhv-exm01.mcse.lab> [InternalId=64424509441, Hostname=SZHV-EXM01.mcse.lab]
Queued mail for delivery
221 2.0.0 Service closing transmission channel

As the Frontend Trasnsport Service is the entry point for any external SMTP connection it is logical that it allows relay of messages to internal recipients so the only thing that optionally you need to take care of is creating  necessary DNS records so that devices and applications can connect to the Exchange relay connector via a name rather than an IP.

External Delivery Relay Connector

Although Frontend Trasnport Service allows relay for internal recipients it will now allow relay to external recipients again you can use telnet to verify this

220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 17:42:27 +0200
helo mcse.lab
250 SZHV-EXM01.mcse.lab Hello [::1]
mail from:<lethe@mcse.lab>
501 5.1.7 Invalid address
mail from:<lethe@mcse.lab>
250 2.1.0 Sender OK
rcpt to:<>
550 5.7.1 Unable to relay

As you can see Exchange refused to deliver my message to the external recipient with the Unable to relay error message to configure the relay connector to allow external delivery you need to configure a new Receive Connector which can be done either via the GUI or using Exchange Management shell.

Open Exchange 2013 Administration Center and go to Mail Flow → Receive Connectors click the sign

Relay Connector - GUI External

In the New Receive Connector window give the new connector a descriptive name and, like in the example below, you are using a multi role server, select Front End Transport under Role and Custom under Type

Relay Connector - New Connector

If the server has a single network interface the default binding will do just fine otherwise select the network adapter binding accordingly

Relay Connector - Binding

By default all IP addresses will be allowed to relay through the newly created relay connector most of the times this is not the desired configuration so you will need to specify the IP address or IP range that will be allowed to send email through the relay connector

Relay Connector - Remote Network


Once the allowed IP Addresses have been specified the new receive connector will appear in the Receive Connectors list

Relay Connector - Summary

To allow relay of message outside the Exchange organization you have to specify the Permissions group, in this scenario anonymous users, and grant anonymous users permissions to use the connector highlight it, select the pencil icon, select the Security tab and tick the Anonymous Users check box

Relay Connector - Anonymus Users


Finally to grant necessary permissions open a Management Shell session and issue the following command

Get-ReceiveConnector "External Relay Connector" | Add-ADPermission -User 'NT AUTHORITYAnonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
SZHV-EXM01Extern... NT AUTHORITYANON... False False

[su_note note_color=”#ffff96″ text_color=”#000000″ radius=”5″]Note: When you enable Anonymous Users checkbox the following permissions are added to the connector 

  • Ms-Exch-SMTP-Submit
  • Ms-Exch-SMTP-Accept-Any-Sender
  • Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
  • Ms-Exch-Accept-Headers-Routing

As you can see MS-Exch-SMTP-Accept-Any-Recipient  is not among these so it is necessary to add it manually via Exchange Management Shell [/su_note]

The configuration can be easily validated again using telnet

220 SZHV-EXM01.mcse.lab Microsoft ESMTP MAIL Service ready at Fri, 12 Jun 2015 20:17:19 +0200
helo mcse.lab
250 SZHV-EXM01.mcse.lab Hello []
mail from:lethe@mcse.lab
250 2.1.0 Sender OK
250 2.1.5 Recipient OK

As you can see above the server accepted the message and queued it up for delivery.

What matters is being specific

Once of the questions I receive more often is “How does Exchange knows which connector to use if both the Default Connector and the newly created one are listening on all IP addresses?” the answer to the question lies in how specific you are with the configuration.

The Default Front End connector has the following configuration under Remote Network which can be translated to anything Relay Connector - Remote Network DefaultWhere the connector we created has more specific Remote Network settings in my lab

Relay Connector - Custom Settings

If the server accepts two connections one from IP and the other from IP it will know to handle the latter via the External Relay connector that we created.



One thought on “How to Configure a Relay Connector in Exchange 2013

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s