How to Configure a Relay Connector in Exchange Server 2013

A very common scenario for Exchange Server 2013 administrators is the need to allow applications and devices on the network to use the Exchange server as an SMTP service.

There are generally two specific business requirements:

  • Internal SMTP relay – the ability to make an SMTP connection to an Exchange 2013 server and send email to recipients that are internal to the organization (for example, a “scan to email” feature on a multi-function print device)
  • External SMTP relay – the ability to make an SMTP connection to an Exchange 2013 server and send email to recipients that are outside the organization (for example, applications or hardware that sends automated reports or alerts to external vendors or consultants)

In this article I will demonstrate how to meet both of those requirements in Exchange Server 2013.

But first, let’s cover some of the fundamental Exchange 2013 concepts that apply here.

Frontend Transport vs Transport vs Mailbox Transport

Looking at the Exchange 2013 transport architecture there are multiple services involved.

The Client Access server role hosts the Frontend Transport service, which provides filtering of email traffic (e.g. anti-spam agents) and routing of email between the internal Exchange servers and the outside world.

The Mailbox server role hosts two additional services:

  • Transport service – performs email routing within the organization, and between the Front End transport service and the Mailbox Transport service
  • Mailbox Transport service – passes email messages between the Transport service and the mailbox database. This is actually two separate services, Mailbox Transport Submission and Mailbox Transport Delivery.

On a multi-role server this adds up to four services (Transport Log Search is not relevant to mail flow):

PS C:\> Get-Service | Where DisplayName -like "*Transport*" | Select DisplayName

DisplayName
-----------
Microsoft Exchange Frontend Transport
Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search

On a Client Access server there is only one service.

PS C:\> Get-Service | Where DisplayName -like "*Transport*" | Select DisplayName

DisplayName
-----------
Microsoft Exchange Frontend Transport

No matter whether the server is multi-role or only installed with the Client Access server role, the Frontend Transport service is the only service already listening on TCP port 25 (SMTP). The other services listen on a variety of other ports (for example TCP 2525 for the Transport service).

For both internal and external SMTP relay scenarios the Frontend Transport service will be handling the connections, so whether you’ve deployed multi-role or CAS-only servers, we’ll only be referring to the Client Access server role from now on.

Allowing Internal SMTP Relay via the Frontend Transport Service

The Client Access server role is configured with a receive connector called “Default Frontend SERVERNAME” that is intended to be the internet-facing receive connector, so is already set up to receive SMTP connections from unauthenticated sources and allow them to send email to internal recipients.

220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Mon, 7 Oct 2013 23:49:54 +1000
helo
250 E15MB1.exchange2013demo.com Hello [192.168.0.181]
mail from: test@hotmail.com
250 2.1.0 Sender OK
rcpt to: administrator@exchange2013demo.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
.
250 2.6.0 <df2bd0b4-08be-4b48-be83-c52e63721a4c@E15MB1.exchange2013demo.com> [InternalId=19911468384257] Queued mail for delivery

This means that the only additional (and optional) step for making internal SMTP relay available to your applications and devices is to provide a DNS name for them to connect to. You can just use the name of an Exchange 2013 server that is installed with the Client Access server role, or you can set up a more generic host record in DNS for them to use (which I recommend, as this makes it easier to migrate the service in future).

Adding a DNS alias for Exchange 2013 SMTP relay

Allowing External SMTP Relay via the Frontend Transport Service

Although the default Frontend Transport receive connector allows internal SMTP relay, it will not allow external SMTP relay. Here is an example of what happens if I use Telnet to try to send an email to an address that is external to the organization.

220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Tue, 8 Oct 2013 00:05:04 +1000
helo
250 E15MB1.exchange2013demo.com Hello [192.168.0.181]
mail from: administrator@exchange2013demo.com
250 2.1.0 Sender OK
rcpt to: exchangeserverpro@gmail.com
550 5.7.1 Unable to relay

To permit specific applications and devices to relay to external recipients we need to configure a new receive connector.

In the Exchange Admin Center navigate to Mail Flow -> Receive Connectors. Select the server that you wish to create the receive connector on. Remember, the server should be either a multi-role server or a Client Access server.

Click the + icon to create a new receive connector.

Give the new connector a name. Exchange names the various default connectors using a standard of “Purpose SERVERNAME”, for example “Client Frontend E15MB1”. So I tend to stick with that convention.

If the server you chose is multi-role you’ll need to select the Frontend Transport role. If the server is CAS-only then Frontend Transport will already be selected.

Leave the Type set to Custom, and then click Next.

For servers with a single network adapter the default binding will usually be fine.

For the remote network settings, click the - icon to remove the default IP address range. Then click the + icon and add at least one IP address of an application server or device that requires external SMTP relay access.

Click Finish to create the new receive connector.

Next we need to configure some additional settings for the receive connector. Highlight the connector and click the “pencil” icon to edit its settings. Select Security and tick the Anonymous Users box.

Click Save to apply the settings.

The final step involves granting anonymous users (such as the unauthenticated SMTP connections coming from applications and devices on your network) the ability to send to external recipients.

In the Exchange Management Shell run the following command, substituting the name of your receive connector.

[PS] C:\>Get-ReceiveConnector "Relay E15MB1" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
E15MB1\Relay E15MB1  NT AUTHORITY\ANON... False False
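The same configuration can be done end to end from the Exchange Management Shell instead of the Exchange Admin Center. The script below is an added example, not a script from the article: the server name E15MB1 and the connector name follow the article’s convention, while the two device IP addresses are constructed placeholders for whatever application servers need external relay.

```powershell
# Added example: creates the relay connector from the Exchange Management Shell.
# Server and connector names follow the article; the device addresses are constructed.
$server   = 'E15MB1'
$name     = "Relay $server"
$relayIps = @('192.168.0.181', '192.168.0.182')   # one entry per application server or device

# 1. Create the connector on the Frontend Transport service (the service already listening on TCP 25),
#    bound to all IPv4 addresses on port 25 and scoped to the listed remote addresses only.
New-ReceiveConnector -Name $name -Server $server -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $relayIps

# 2. The equivalent of ticking "Anonymous users" on the connector's Security page.
Set-ReceiveConnector -Identity "$server\$name" -PermissionGroups AnonymousUsers

# 3. Grant anonymous sessions the right to submit to recipients outside the organization.
#    Without this step the connector still answers "550 5.7.1 Unable to relay" for external recipients.
Get-ReceiveConnector -Identity "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 4. Verify: role, binding and remote ranges first, then the permission entry itself.
Get-ReceiveConnector -Identity "$server\$name" |
    Format-List Name, TransportRole, Bindings, RemoteIPRanges, PermissionGroups

Get-ReceiveConnector -Identity "$server\$name" |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { "$($_.ExtendedRights)" -like '*Accept-Any-Recipient*' } |
    Format-Table Identity, User, ExtendedRights, Deny -AutoSize
```

Keep the remote ranges to individual hosts: the connector’s remote ranges are the only thing standing between an unauthenticated session and external relay, and a range that happens to include the Exchange servers’ own addresses will break mail flow between them.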

As with the internal relay example I recommend creating a DNS record for a generic name for SMTP. For most environments there is no need to create separate DNS names for internal vs external SMTP.

Where previously the server responded with “550 5.7.1 Unable to relay”, now an SMTP connection from the IP address 192.168.0.181 is allowed to relay successfully.

220 E15MB1.exchange2013demo.com Microsoft ESMTP MAIL Service ready at Tue, 8 Oct 2013 21:11:04 +1000
helo
250 E15MB1.exchange2013demo.com Hello [192.168.0.181]
mail from: administrator@exchange2013demo.com
250 2.1.0 Sender OK
rcpt to: exchangeserverpro@gmail.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
.
250 2.6.0 <3fe0353b-1e2a-4a6d-9e08-f7744621a0e1@E15MB1.exchange2013demo.com> [InternalId=20005957664769] Queued mail for delivery
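The Telnet sessions above can be turned into a repeatable check. The function below is an added example, not part of the article: it performs the same HELO, MAIL FROM and RCPT TO exchange, records the server’s reply to the recipient, and then sends QUIT without ever issuing DATA, so no message is queued. Run it from a host whose address is in the relay connector’s remote ranges and you should see a 250 reply; run it from any other host and you should still see “550 5.7.1 Unable to relay”, which confirms the Default Frontend connector has not been opened up. The host name and addresses in the usage line are constructed.

```powershell
# Added example: the article's telnet relay test as a function (plain SMTP on port 25, no DATA is sent).
function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # SMTP replies may span several lines; continuation lines carry '-' in the fourth column ("250-...").
    do { $line = $Reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000                      # do not hang forever on a silent server
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"                       # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $writer.WriteLine('HELO relaytest.example')  # hypothetical client host name
        $helo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$From>")
        $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$To>")
        $rcpt = Read-SmtpReply $reader               # 250 = relay allowed, 550 5.7.1 = refused
        $writer.WriteLine('QUIT')                    # no DATA command, so nothing is submitted
        $null = Read-SmtpReply $reader
    }
    finally {
        $client.Close()
    }
    [pscustomobject]@{
        Server       = $Server
        Banner       = $banner
        HeloReply    = $helo
        MailReply    = $mail
        RcptReply    = $rcpt
        RelayAllowed = ($rcpt -like '250*')
    }
}

# Usage (constructed values): an external recipient exercises external relay,
# an internal recipient exercises the internal relay that Default Frontend already permits.
Test-SmtpRelay -Server 'smtp.exchange2013demo.com' -From 'administrator@exchange2013demo.com' -To 'someone@example.com'
```

Because the connector is chosen by the source address, the result depends entirely on which host you run this from; a 250 from a host you never listed means some connector’s remote range is wider than you think.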

How Does Exchange 2013 Know Which Receive Connector to Use?

You may be wondering how the server knows which receive connector should handle the incoming SMTP connection, considering that both the “Default Frontend E15MB1” and “Relay E15MB1” connectors are listening on all IP addresses and on the same port (TCP 25).

Simply put, receive connector selection is on a “most specific match wins” basis. The connector with remote network settings that most closely match the IP of the connecting server/device will be the one that handles the connection.

The “Default Frontend” receive connector has remote network settings equivalent to “anything”.

The “Relay” connector we just created has remote network settings that list specific IP addresses.

So, if two SMTP connections are inbound, one from 192.168.0.180 and the other from 192.168.0.181, the server knows to handle 192.168.0.181 with the “Relay” connector as it is the more specific match, and handle the other connection with the “Default Frontend” connector.
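The “most specific match wins” rule can be written down as a small function, which is useful when several connectors with overlapping ranges exist on one server and you want to predict which one a given device will land on. This is an added example, not code from the article or from Exchange: it handles IPv4 only (IPv6 entries are skipped), takes remote ranges as the strings shown in the remote network settings (a single address, a start-end pair, or CIDR), and the connector list is constructed to mirror the article’s two connectors. On a live server the same shape can be obtained from Get-ReceiveConnector -Server E15MB1 | Select-Object Name, RemoteIPRanges, converting each range to a string with ToString(), which is assumed here to give one of those three forms.

```powershell
# Added example: "most specific match wins" receive connector selection, IPv4 only.

function ConvertTo-IpNumber([string]$Ip) {
    # Returns an IPv4 address as a 64-bit integer, or $null for anything that is not IPv4.
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    [long]$n = 0
    foreach ($b in $addr.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function ConvertFrom-RemoteIpRange([string]$Range) {
    # Accepts the three forms shown in the remote network settings: a single address,
    # a start-end pair, or CIDR notation. Returns Start/End/Size, or $null if not IPv4.
    if ($Range -match '^(?<a>[^-/]+)-(?<b>[^-/]+)$') {
        $start = ConvertTo-IpNumber $Matches.a
        $end   = ConvertTo-IpNumber $Matches.b
    }
    elseif ($Range -match '^(?<a>[^/]+)/(?<p>\d+)$') {
        $base = ConvertTo-IpNumber $Matches.a
        if ($null -eq $base) { return $null }
        $size  = [long][math]::Pow(2, 32 - [int]$Matches.p)
        $start = $base - ($base % $size)
        $end   = $start + $size - 1
    }
    else {
        $start = ConvertTo-IpNumber $Range
        $end   = $start
    }
    if ($null -eq $start -or $null -eq $end) { return $null }
    [pscustomobject]@{ Start = $start; End = $end; Size = ($end - $start + 1) }
}

function Select-ReceiveConnector {
    param([object[]]$Connectors, [string]$ClientIp)
    # Among all connectors whose remote ranges contain the client address, the smallest range wins.
    $ip = ConvertTo-IpNumber $ClientIp
    if ($null -eq $ip) { throw "This example only evaluates IPv4 client addresses." }
    $best = $null
    foreach ($c in $Connectors) {
        foreach ($entry in $c.RemoteIPRanges) {
            $r = ConvertFrom-RemoteIpRange $entry
            if ($null -eq $r -or $ip -lt $r.Start -or $ip -gt $r.End) { continue }
            if ($null -eq $best -or $r.Size -lt $best.Size) {
                $best = [pscustomobject]@{ Connector = $c.Name; MatchedRange = $entry; Size = $r.Size }
            }
        }
    }
    return $best
}

# Constructed connector definitions matching the article: Default Frontend accepts "anything",
# the relay connector lists two specific hosts.
$connectors = @(
    [pscustomobject]@{ Name = 'Default Frontend E15MB1'
                       RemoteIPRanges = @('0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff') }
    [pscustomobject]@{ Name = 'Relay E15MB1'
                       RemoteIPRanges = @('192.168.0.181', '192.168.0.182') }
)

Select-ReceiveConnector -Connectors $connectors -ClientIp '192.168.0.181'
Select-ReceiveConnector -Connectors $connectors -ClientIp '192.168.0.180'
```

With those definitions the first call resolves to “Relay E15MB1” (a single-address range of size 1 beats the catch-all range) and the second to “Default Frontend E15MB1”, which is exactly the behaviour described above. The same function also makes the risk of wide ranges visible: a relay connector scoped to a whole /24 would win for every host in that subnet, including ones you never intended to allow.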

With the relay connector in place the ongoing management is simple.

  • If an application or device needs internal SMTP relay, simply configure it to use the DNS record you configured (eg smtp.exchange2013demo.com) and port 25.
  • If an application or device needs external SMTP relay, simply add the IP address of the application server or device to the remote network settings of the relay connector, and then configure the application or device to use the DNS record you configured.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Find Paul on Twitter, LinkedIn or Google+, or get in touch for consulting/support engagements.

Comments

  1. Mike DiVergilio says:

    Isn’t it still best practice to lock down anonymous access by IP address? Any ExRAP will flag an internal open relay as Bad. I have over 3000 unique IPs hitting my internal 2007 relay and I would like to lock it down on the 2013 one before cutover. There are entirely too many Devs sending mail to my relay from their workstation.

    • Are you referring to internal relay or external relay?

      Internal relay (ability to send to internal recipients) is going to be available to anybody who connects to the Default Frontend connector on the CAS.

      External relay (ability to send to external recipients) is certainly worth locking down by IP, which is demonstrated above.

      • Mike DiVergilio says:

        I’m referring to both. My Default FrontEnd connector is locked down to only accept mail from Exchange Servers and EOP. I want my application relay to be able to send to internal recipients and external customers but locked by source IP address. I know you said if the IP is listed in the connector then it will use that connector; it is the IPs not in the connector I’m worried about. By adding a DNS name and assigning it my VIP address, as long as one connector on port 25 is open to 0.0.0.0-255.255.255.255 then I have a nice big hole in my environment for exploitation.

  2. Itworkedinthelab says:

    Hi Paul
    I think you have a little mistake in this line:
    “The Client Access server role hosts the Frontend Transport service, which provides filtering of email traffic (eg antispam agents), ”

    Anti-spam on Exchange 2013 can only be installed on the Mailbox role.

  3. Hi Paul,

    I am trying to send and receive email using an Exchange 2010 setup on my home lab. I am using No-IP since I don’t have a public IP, and I have created a wildcard send connector and an MX record pointing to my internal server on my home Windows DNS. I have created a host in No-IP and added that host name into my GoDaddy DNS.

    The No-IP app is running, but my emails are not working. What am I missing?

    thanks
    nick

  4. Hi Paul,

    In Exchange 2013, to send email from Exchange 2013 to external users (e.g. gmail.com), we create a Receive Connector to do that. What is the purpose of a Send Connector? Can a Send Connector do this? If not, why?

    Thanks,
    Kevin.

    • Outbound email (eg gmail.com) is controlled by send connectors.

      http://exchangeserverpro.com/configuring-outbound-mail-flow-in-exchange-server-2013/

      • Hi Paul,

        Yes, Exchange is quite new to me. So, I think:
        - Receive Connector: used for receiving mail from external mail (external Exchange domain) and internal mail (internal Exchange domain)

        - Send Connector: used for sending mail to external mail (external Exchange domain) and internal mail (internal Exchange domain).

        Thus, from your comments, using a Receive Connector to relay mail, in other words to send mail to an external Exchange domain — is this a new feature? Does it make sense?

        Thanks,
        Hung.

        • It isn’t a new feature. This is basically how it has been done since Exchange 2007.

          A *receive* connector is used to receive email. The server then processes that email and delivers it wherever it needs to go.

          This article describes a type of *receive* connector that would allow an application or server to relay email to external recipients, because of its specific configuration and security settings.

  5. Hello Paul,

    I have a question regarding the receive connectors. I’ve set all SMTP banners on the mail servers’ receive connectors. When I connect to it via telnet on port 25 from an internal subnet everything’s fine, it shows the configured banner.

    But when I connect via telnet on port 25 from an external server it only shows the following:

    220 ****************************************************************************************

    Do you have an idea what could cause this?

    BR
    Christian

  6. Hi Paul,

    Great article!
    Could you please make a guide about receive connectors in Exchange 2013?
    A good explanation of the different receive connectors that are configured by default.
    I still have some trouble getting a good overview of which connectors are used for what.

    Keep up the good work Paul!

  7. Hi Paul,

    Your articles have been invaluable to me as I have been installing and configuring our new EX2013 environment. My current frustration is with anonymous relay between my Exchange 2010 and 2013 servers. I have many anonymous relays, both internal and external, that were configured in a receive connector on my Exchange 2010 server. I do not want to change those relays to point to my Exchange 2013 server quite yet. The relay still works as it should for mailboxes on the 2010 server but messages destined for mailboxes on the 2013 server hang up in the 2010 server queue under “hub version 15”. I know it is a simple configuration fix, but I am stuck. Any help would be greatly appreciated.

    Keep up the great articles!

    • Just needed to add the EX2010 IP to the default Frontend receive connector. Thank you again for the articles! My mail would not be flowing without you!!

  8. This is my case: using VMware Workstation 9.
    I have set up 2 domain controllers each running Exchange 2010. One has IP 192.168.1.1 and the other 192.168.2.1. MS Exchange 2010 is running fine and the users in the respective domains can email each other through Outlook. But the problem is: how do I route the 2 networks to have users email across the domains? I tried to configure 2 servers as routers but am stuck.
    Now I wanna try pfSense to use a virtual router. But I am stranded in the middle. I have issues with setting new virtual network adapters to connect the two networks.
    And since these are two separate host-only networks for testing purposes with no real internet connection to the outside world, I can’t send emails to the other domain users. I set up send connectors and added trusted domains in the Exchange 2010 management console. I also set up the MX and DNS and NS records... still no luck :-( ... This is my school project.

    • Can they ping each other? If so then all you need is Send Connectors for each other’s domain that point to each other as the smart host for that Send Connector.

      Isolated VMs like that won’t need public DNS/MX records.

      If they can’t ping each other you need to work out your VM networking.

      • Thanks Paul,
        I will try to fix my send connectors, though I had already configured them. And yes, the domain controllers can ping each other. I just set up one server running Windows Server 2008 R2. It has 2 NICs, VMnet1 (domain 1 network adapter) & VMnet2 (domain 2 network adapter). These 2 NICs are bridged together. And I enabled Routing and Remote Access on this server, which acts as my router. But still the clients in domain one can’t ping other clients in domain 2. And still they can’t email across domains. I guess it’s something to do with my gateways... I will try to figure it out. Maybe I need a secondary DNS... I don’t know what the issue is :-(
        I can’t see your email anywhere; I would send you the network layout of my test network.

      • Thanks Paul for the “smart host for that Send Connector” configuration method. I finally have my separate Exchange domains able to email each other. I set up a Windows server as my router, which enabled me to route the traffic between these networks; I had to add persistent static routes on the router and the DCs and clients.

  9. Rob de Haan says:

    Very nice article. I do have a question though. If you have a specific application that has the ability to send mail authenticated from a server (For instance a Citrix Host), and you do not want to add the IP for this server to the Relay Connector, is it possible to send to external addresses? I don’t want to add Authenticated users to the Default connector. I’ve tried to set it to port 587, so that it uses the Client Frontend Connector, because Authenticated Users is added there, but it doesn’t work…

    • You may find that the Client connector is requiring TLS/SSL for Basic auth and perhaps your sending server/app is either not supporting that or not configured to use it.

      You could check the sending server/app or turn off the TLS/SSL requirement for Basic auth (which carries risks of course).

  10. Hi,
    would you please explain why it is better for such purposes to go with Frontend Transport instead of Hub Transport? Somewhere in your older post I could read that it should be better for this to use Hub Transport as it is the only one with a queue... Thanks a lot for the clarification.
    Peter

    • Yes, that post was speculation based on the Preview build and little documentation available at the time. We now know it is correct to use front end transport for a connector of this type.

  11. Aljoša Agoli says:

    Hi, is it possible to force a send connector to send mail without using an IPv6 address, only by using IPv4, without removing the IPv6 protocol from the server?

    Thank you

    Aljosa

  12. Paul,

    My clients are receiving duplicate emails from my Exchange server. Can you please help me?

    Regards,

    Shakeel Shahid

  13. Neil Forrest says:

    I’ve been trying to set up a new internal connector to use with a major software maker’s fax software. I make a new connector using EMC or PowerShell, setting the scope up to the IP of the Exchange box, as the fax software is installed on the Exchange box, etc... however this then seems to stop the default connector working externally. Telnet gets a ‘Service not available’.

    Any ideas? Exchange 2013 CU3.

  14. Hi Paul,

    Regarding SMTP internal relay being open by default for unauthenticated sources to send emails to internal users, can we disable this feature? I do not want to enable this feature because it will be the point that a virus can use to spam mail to all internal users.

    Thank you.

  15. Do you have a guide to configure an Exchange 2013 server to accept emails from applications that are not local? For example a UPS at a client site that wants to use an smtp server (my server) to send emails.

    My thought would be to configure Exchange with a receive connector on a port that is open. Use the public ip or resolved name of my exchange server. Set the connector to work with exchange users and make sure I use a valid user. When I do this though I do not get a connection.

    Do you have guide for this type of connection?

    • There’s no special configuration required. Your server already accepts emails from other senders that are addressed to recipients in your organization without any authentication required. So this could be as simple as configuring the UPS to use one of your MX records as the SMTP server it is connecting to.

      • I have now tried it with my domain account and used my MX record or the A record of my exchange server. I am using my domain account at a public site to email to an email account on my domain. I keep getting invalid username or password.

        I thought it might be send as permission but no luck. I am using MX Logic as a mail filtering service.

        Thanks Daniel

        • You’re pointing your MX records at something other than Exchange? That is a different situation then.

          I assume your MX provider doesn’t require auth for incoming email to your domains, so trying to authenticate is probably the problem there.

  16. Hey Paul,

    Just followed this article, and successfully created the internal relay receive connector.
    However, I have also enabled the anti-spam agents on the Exchange 2013 environment and internal mails are now being rejected by the content filter agent.
    Any hints on how to fix this?

    550 5.7.1 Message rejected as spam by Content Filtering.

    Cheers.

    Arjan

  17. Hi Paul, I have a quick question. I have 2 Exchange 2013 servers (CU3) in a DAG. I added the connector for relaying by following your instructions, except I created one for each server. As soon as I do, SQL Reporting Services and other internal applications start working, but after a couple of minutes both servers stop receiving all email. If I delete the connectors and restart the transport services (not even sure that the restart is necessary) then email starts flowing again. Any idea what I could be doing wrong?

    • I suspect that when you created the connector you configured it for the Hub Transport role. The correct option is Frontend Transport (shown in the screenshot in the article above).

      • Thanks! Should I be creating it for each member of the DAG or only one member? Also is it best to specify the internal IP of the host that needs to relay or just the address range of the subnet they are in?

        • Paul ,

          I just have 1 more question , in your article you state “This means that the only additional (and optional) step for making internal SMTP relay available to your applications and devices is to provide a DNS name for them to connect to. You can just use the name of an Exchange 2013 server that is installed with the Client Access server role, or you can set up a more generic host record in DNS for them to use (which I recommend, as this makes it easier to migrate the service in future).”

          that’s all I really need, so do I even need to create a new connector since I just need it for internal clients? If so, how does it know which server to go to, since I have 2 servers in a DAG and they both have all roles installed? Thank you, and I apologize for so many questions!

        • A connector is bound to a server. If you create two for HA purposes you’d need to use some form of load balancing to handle that.

          Using IP ranges may seem easier at a glance, but is less secure, and also problematic if the IP range also includes Exchange Server IP addresses (which causes serious problems). I tend to use specific IP addresses only, or very small ranges if absolutely necessary.

          If all you need is internal relay a new connector is not required.

          “How does it know which server to go to…” – you control that with DNS. If you point your other apps/servers at an SMTP server of “smtp.domain.com”, and that resolves to your Exchange server’s IP address, then that is where they will connect.

  18. Thank you very much Paul . I find your articles very helpful and easy to follow.

  19. Hi Paul,

    Followed your steps, however after about an hour the clients could not receive email from external sources. Any idea what would cause that? I had to remove the connector to have it work again.

  20. David Buck says:

    Hi Paul,
    Thanks for an informative article.
    Out of the box, Exchange 2010 did not send app emails via relay to internal clients like Exchange 2003 used to do.
    So I set up a receive connector on my Exchange 2010 box for the Payroll app as Anonymous and TLS on port 25.
    I can get the app to send email to internal recipients correctly but external email like Gmail does not work.
    So I changed the port number to 587 for ‘email submissions’ but still no joy....
    Any ideas please?

  21. michael randall says:

    Hello,

    I have a question regarding this topic. I was wondering if it’s possible to find out which domain names are accepted on an SMTP server remotely.

    Thank you.

  22. When I execute the Exchange Management Shell command in the final step to grant anonymous users the ability to send to external recipients (for alerts from a backup system at a client), I get the following error, even though I’m sure my syntax is right;

    “User or Group “NT AUTHORITY\Anonymous Login” wasn’t found. Make sure you typed it correctly”

    Do I need to add the user “Anonymous Login” into AD? Sorry if this is a naive question.

  23. I am routing outbound mail through our CAS servers. The security on the “Outbound Proxy Frontend” receive connector for permission groups is set to Anonymous (this is default, I think). I think this is allowing external relay of our scanner. I want to restrict the scanner to internal only. Am I correct in my assessment? Is it OK to remove Anonymous users from the “Outbound Proxy Frontend” receive connector?

    • The “Outbound Proxy Frontend SERVERNAME” connector exists so that the back end server (Mailbox server role) can send mail via a front-end proxy (CAS) when the send connector(s) for outbound internet email are configured for proxying.

      It listens on port TCP 717, not 25, so unless you’ve specifically configured your scanners to connect to port 717 I doubt that is the cause of your issue. You should not modify that receive connector at all.

      Your scanners, if they are making anonymous/unauthenticated SMTP connections to your CAS, should be getting handled by the “Default FrontEnd SERVERNAME” receive connector. Anonymous connections are only able to deliver email to internal recipients in the organization.

      If you’re finding that your scanners are in fact able to relay externally via the CAS, it is more likely that they are being handled by a relay connector that has remote IP addresses or ranges that include the IP addresses of your scanners and has been configured to allow anonymous external relay (eg following the steps in the article above).

      Ultimately if you want to troubleshoot which receive connector is handling the connections from the scanners I recommend you turn on protocol logging for the connectors, then analyse the resulting log files.

      There’s more info here on protocol logging:
      http://exchangeserverpro.com/exchange-server-protocol-logging/

      (the screenshots are Exchange 2010 but the info is relevant to Exchange 2013 as well)
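Protocol logs are the authoritative record of which connector handled a session, so a short parser is worth having. The script below is an added example, not part of the article or its comments: it reads the SMTP receive protocol log’s #Fields header to name the CSV columns, groups rows by session, and reports the connector, the remote address, whether the session was granted the SMTPAcceptAnyRecipient permission and any 5xx replies it received. The sample log is constructed in the layout Exchange writes (the header lines, the nine comma-separated fields and the “Set Session Permissions” information event are assumed to follow the real format; every value in it is invented, including the server address 192.168.0.10).

```powershell
# Added example: which receive connector handled each session, from the SMTP receive protocol log.
# Enable logging on the connectors first, e.g.
#   Set-ReceiveConnector -Identity 'E15MB1\Relay E15MB1' -ProtocolLoggingLevel Verbose
# Front End receive logs are written under the path shown by
#   Get-FrontendTransportService -Identity E15MB1 | Select-Object ReceiveProtocolLogPath

function Get-SmtpReceiveSessions {
    param([string[]]$Lines)
    # The '#Fields:' header names the CSV columns; every other '#' line is metadata.
    $header = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $fields = $header -split ','
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    # One session is one TCP connection; its first row already names the connector and the remote endpoint.
    $rows | Group-Object -Property 'session-id' | ForEach-Object {
        $first   = $_.Group[0]
        $rejects = @($_.Group | Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d ' })
        $granted = @($_.Group | Where-Object {
            $_.event -eq '*' -and $_.context -eq 'Set Session Permissions' -and $_.data -match 'SMTPAcceptAnyRecipient'
        })
        $lastReject = if ($rejects.Count -gt 0) { $rejects[-1].data } else { '' }
        [pscustomobject]@{
            Start        = $first.'date-time'
            SessionId    = $_.Name
            Connector    = $first.'connector-id'
            RemoteIp     = ($first.'remote-endpoint' -replace ':\d+$', '')
            RelayGranted = ($granted.Count -gt 0)
            Rejections   = $rejects.Count
            LastReject   = $lastReject
        }
    }
}

# Constructed sample in the layout Exchange writes (all values invented, not a real log).
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2013-10-08T11:11:04.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-10-08T11:11:04.010Z,E15MB1\Relay E15MB1,08D08F1A2B3C4D01,0,192.168.0.10:25,192.168.0.181:51122,+,,
2013-10-08T11:11:04.012Z,E15MB1\Relay E15MB1,08D08F1A2B3C4D01,1,192.168.0.10:25,192.168.0.181:51122,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender SMTPAcceptAnyRecipient,Set Session Permissions
2013-10-08T11:11:05.301Z,E15MB1\Relay E15MB1,08D08F1A2B3C4D01,6,192.168.0.10:25,192.168.0.181:51122,<,RCPT TO:<exchangeserverpro@gmail.com>,
2013-10-08T11:11:05.302Z,E15MB1\Relay E15MB1,08D08F1A2B3C4D01,7,192.168.0.10:25,192.168.0.181:51122,>,250 2.1.5 Recipient OK,
2013-10-08T11:11:09.000Z,E15MB1\Default Frontend E15MB1,08D08F1A2B3C4D02,0,192.168.0.10:25,192.168.0.180:40011,+,,
2013-10-08T11:11:09.002Z,E15MB1\Default Frontend E15MB1,08D08F1A2B3C4D02,1,192.168.0.10:25,192.168.0.180:40011,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender,Set Session Permissions
2013-10-08T11:11:10.500Z,E15MB1\Default Frontend E15MB1,08D08F1A2B3C4D02,6,192.168.0.10:25,192.168.0.180:40011,<,RCPT TO:<exchangeserverpro@gmail.com>,
2013-10-08T11:11:10.501Z,E15MB1\Default Frontend E15MB1,08D08F1A2B3C4D02,7,192.168.0.10:25,192.168.0.180:40011,>,550 5.7.1 Unable to relay,
'@

$sessions = Get-SmtpReceiveSessions -Lines ($sampleLog -split "`r?`n")
$sessions | Format-Table -AutoSize

# Against real files (placeholder path): Get-SmtpReceiveSessions -Lines (Get-Content 'C:\Path\To\SmtpReceive\RECV*.LOG')
```

In the sample the session from 192.168.0.181 lands on the Relay connector with RelayGranted set, while the one from 192.168.0.180 lands on Default Frontend and collects a 550. On a real server the rows to look at are the ones where RelayGranted is true for an address you did not list, or where a scanner’s address appears under a connector you did not expect.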

  24. Malik Ferdinand says:

    Hi Paul,

    I’ve been following your work and I have only to thank you for the good job you have been doing. But I have a question for you too.

    I have a private domain xxxxx.local and some time ago I installed Exchange 2013 server on it, and everything seems to work just fine. Now my boss wants to be able to send mails to external services like Gmail, Yahoo Mail and all others, but my difficulty is configuring the MX records. Do I have to have them configured at my service provider or in my domain definitions? I have a domain that I bought and it’s working, but it ends in xxx.com, so my question again is: how can I have my internal mails from xxxx.local be translated to xxxx.com when they arrive at public servers?

    Thank you

  25. Hi Paul

    I appreciate that good explanation and I have only one question: might this configuration work to send the email to a spam scanner? I am new to Exchange, and am trying to build a lab with Exchange 2013 and a spam analyzer.

  26. Based on your article, can I do like this?

    1. Allowing internal relay via the Transport service. How to configure? The same as the trick done in Exchange 2010/2007 to allow anonymous relay.

    2. Allowing External SMTP Relay via the Frontend Transport Service

  27. Hello,

    I have a 2003 server and a 2013 server. I need to put 1 user only on the new server right away. I can send emails from the old 2003 server to external and internal – including the person on the new server. let’s say the email domain is acme.com on both.

    On the 2013 server, I can send externally but I cannot send emails to people on the old 2013 server –
    Delivery has failed to these recipients or groups:

    I can send to test@acme.com (on 2003) from the outside but when I try to send from the new server

    test@acme.com (test@acme.com)
    The email address you entered couldn’t be found. Please check the recipient’s email address and try to resend the message. If the problem continues, please contact your helpdesk.

    Diagnostic information for administrators:

    Generating server: acm-EXCH.acm.lan

    test@acme.com
    #550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

    Original message headers:

    Received: from acm-EXCH.acm.lan (10.200.1.44) by acm-EXCH.acm.lan
    (10.200.1.44) with Microsoft SMTP Server (TLS) id 15.0.516.32; Tue, 18 Mar
    2014 22:34:00 -0700
    Received: from acm-EXCH.acm.lan ([::1]) by acm-EXCH.acm.lan ([::1]) with mapi
    id 15.00.0516.029; Tue, 18 Mar 2014 22:34:00 -0700
    Content-Type: application/ms-tnef; name=”winmail.dat”
    Content-Transfer-Encoding: binary
    From: boe dillard
    To: “test@acme.com”
    Subject: test1
    Thread-Topic: test1
    Thread-Index: AQHPQzTSx8BW8ZljpUaMmirC7LYAmw==
    Date: Tue, 18 Mar 2014 22:34:00 -0700
    Message-ID:
    Accept-Language: en-US
    Content-Language: en-US
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    MIME-Version: 1.0
    X-Originating-IP: [10.200.1.44]
    Return-Path: bdillard@acme.com
    X-Brightmail-Tracker:
    H4sIAAAAAAAAC+NgFrrHqsTGxcJ1glFH10NHM9jgw1Ixi/cbe9kdGAMYolgz85LyKxJYM169amMr+Cxd8eT2XPYGxiXSXYxcHEICSxglVp5oZIFwmhgl/jxfytjFyMnBLGAqceUrSALEVpS4cK8BzGYT0JFY9W8TK4gtIqApceraEjBbWIBP4v7WK8wQcWGJS1PWMUHYehLH508H62URUJWYvPYXmM0rYC/xe99msF5GATGJ76fWMEHsEpe49WQ+mC0hICCxZM95ZghbSaL39juouKfEsb3NjBBzBCVOznzCAhE3k9j7YAlUja7Eke

  28. Never mind – I set the accepted domains to internal relay on the new server and it resolved the issue.

  29. William Dickinson says:

    Thanks very much. Exactly the help I needed.

  30. This article was very helpful but still very confused on what the difference is on creating a receive/relay connector on CAS vs. creating on Mailbox. Can you help clarify a few things?

    If you wanted to relay and send mail to external recipients for device/application notifications, I would imagine you would want to create the connector like this article describes (Front-End Transport role on CAS), correct? Would relaying external also work if connector was created on Mailbox? What’s the difference??? I’ve read something about mail not being able to be “queued” if created on Mailbox…

    I’ve also read that if you specify the “Hub Transport” role for the connector and the server is multi-role (CAS and Mailbox), the services will fight over which is using port 25. Therefore I’d imagine you would again have to use Front-End Transport role, correct?

    Lastly, what if the applications needing to relay external use different ports other than port 25? Does it matter where it gets created or same procedure?

    Thanks much!

  31. NATHANBOSTIC says:

    I have done all the above and I still cannot relay…. anyone got any suggestions….

  32. Jeremy Skyrme says:

    Hi Paul, great article – I tried adding my own internal SMTP connector before but screwed it up, so disabled it. Your article helped with creating it from scratch and actually get it working this time, so thanks. My router has the .1 address (which is the exception), then I configure all network devices with .210-255 addresses so following your instructions saves a lot of time enabling things like NAS, network cameras etc. to be able to send SMTP without worrying about further authentication.

    Just one question though: you mention setting up a DNS alias e.g. smtp.example.com – that’s fine. In your example, your server is clearly shown to be 192.168.0.181 but your image that shows the DNS alias is 192.168.0.187 – yet when you telnet to it, it’s showing .181 again. Is that a typo in the image or have I missed something? I didn’t see you refer to adding an additional IP address to the adaptor or anything you see…

    Thanks again,
    Jeremy

  33. Vincent says:

    Hi Paul,
    Thanks for this article, this really helped me with creating the SMTP connector.

    I now have a new problem. A few customers are receiving the internal code of PDF attachments instead of the attachment itself.
    Those quite strange events are really annoying.

    Do you think it can come from parameters of the SMTP receiver itself?

    Regards,

    Vincent

    • I’d be more inclined to think the sending application/system is the problem. I can’t think of anything in a receive connector config that would cause this.

      • Vincent says:

        Thanks for reply,

        My dev team is having a look at the app.
        I’ll try to test with another smtp relay to the same Customer.

        Vincent

  34. Tiberius says:

    Hi Paul,
    Good article.
    I have a challenge for you :)
    I use the Client Connector a lot, because for me it is safer to filter who can relay on a per-user basis instead of a per-IP basis, and it gives advantages like passing through some anti-malware schemes of Exchange.
    Until Exchange 2010 I never had a problem, and as a best practice I always used UPN for user auth.
    Now I have an Exchange 2013 that I designed the same way and, strangely enough, I can only auth with domain\user and not with UPN anymore.
    I can see in the frontend protocol log that the user Auth Login (with starttls) {SMTPsvc.userx@upn-a.com authenticated } but then on the next line I see that the Frontend just can't hand out the auth to the backend {Setting up client proxy session failed with error: FindMiniRecipientBySmtpProxyAddress(SMTPsvc.userx@upn-a.com) returned null} and returns a {451 4.7.0 Temporary server error. Please try again later. CPRX2 Remote(SocketError)}
    In the eventvwr I can see ONE audit failure 4625 (I think that is just because the domain part of the UPN is not the FQDN for the ADDS, but one of several UPN domains created for this ADDS):
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: SMTPsvc.userx
    Account Domain: UPN-A.com
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064
    Network Information:
    Workstation Name: MyPC
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    And then I see several successful logon audits with the correct user and domain (NETBIOS):
    Account Whose Credentials Were Used:
    Account Name: SMTPsvc.userx
    Account Domain: DOMAIN
    Logon GUID: {4e457923-2116-3cb3-6578-d8d3f22e5a91}
    Target Server:
    Target Server Name: localhost
    Additional Information: localhost
    Process Information:
    Process ID: 0x1b50
    Process Name: E:\Program Files\Microsoft Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe

    This SMTPsvc.userx account is not a mailbox user but rather an ADDS user granted rights with Add-ADPermission so it can use the connector:
    Identity User Deny IsInherited ExtendedRights
    ——– —- —- ———– ————–
    SRV1\Client Frontend SRV1 DOMAIN\SMTPsvc.userx False False {ms-Exch-SMTP-Accept-Authoritative-Domain-Sender}
    SRV1\Client Frontend SRV1 DOMAIN\SMTPsvc.userx False False {ms-Exch-SMTP-Submit}
    SRV1\Client Frontend SRV1 DOMAIN\SMTPsvc.userx False False {ms-Exch-Bypass-Anti-Spam}
    SRV1\Client Frontend SRV1 DOMAIN\SMTPsvc.userx False False {ms-Exch-SMTP-Accept-Any-Recipient}
    SRV1\Client Frontend SRV1 DOMAIN\SMTPsvc.userx False False {ms-Exch-SMTP-Accept-Any-Sender}

    As I said, it always worked in previous versions of Exchange; only in 2013 with a stateless CAS has this problem arisen.
    Can you shed any light on this for us?
    Best Regards ;)

    • Does it work if the UPN matches the FQDN of the AD domain?

      • Paul,
        Yes it works with the ADDS fqdn (ex: SMTPsvc.userX@DOMAIN.acme.com) I have just changed the UPN for the user (on the ADDS user object and on the MUA app) and now I see in the SMTP receive log:
        ,,334 ,
        ,>,334 ,
        ,*,SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SMTPSendXShadow SMTPAcceptXShadow SMTPAcceptXProxyFrom SMTPAcceptXSessionParams SMTPAcceptXMessageContextADRecipientCache SMTPAcceptXMessageContextExtendedProperties SMTPAcceptXMessageContextFastIndex SMTPAcceptXAttr SMTPAcceptXSysProbe,Set Session Permissions
        ,*,DOMAIN\SMTPsvc.userX,authenticated
        ,*,,Proxy session was successfully set up. Outbound session will now be proxied
        ,>,235 2.7.0 Authentication successful,

        The normal UPN for 99% of the Exchange/ADDS users is not the FQDN for the ADDS domain, and it's used for everything like OWA/mobile devices/ADFS, etc… (use your email for auth is the rule here :) ):
        > get-user SMTPsvc.userX@UPN-A.com | fl *auth*,*principal*,*upn*
        IsSecurityPrincipal : True
        UserPrincipalName : SMTPsvc.userX@UPN-A.com

  35. ultimate says:

    Hi Paul,

    How do I configure a receive connector to accept outgoing server SMTP on port 25 with no encryption for Outlook IMAP clients? Although I check "My Outgoing Server Requires Authentication (Use same settings as my incoming mail server)", Outlook IMAP clients are still not able to send; they always show a pop-up to input username and password.
    Thank you

    • ultimate says:

      I use exchange 2013 with SP1

      • Tiberius says:

        Ultimate,
        That is not a secure configuration and not a best practice at all!!! Just think how you will differentiate between an SMTP client (used by IMAP users for example) and a mail spammer if you do not use AUTH????
        Just keep this in mind: the IMAP protocol has nothing to do with the SMTP protocol; the first is for users' access to their messages and the last is for mail flow.
        http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
        http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

        The best way to NOT mismatch these configurations is separating the TCP ports (and thus the SMTP connectors), and that’s why SMTP-TCP587 appeared (the so called CLIENT SMTP receive connectors). This way you can configure a dedicated CLIENT SMTP receive connector without having overlapped/mismatched configuration with the default MTA receive connector.

        I advise you to configure your SMTP clients (for example those used by IMAP/POP3 users) to connect to TCP port 587, which Exchange has already configured for Exchange user auth.

        Best Regards

        • Ultimate says:

          Tiberius,

          I just wanted to test all cases :D And in my case, clients are still using authentication info to connect to the SMTP server (as the "Outgoing server requires authentication" option is used); the only problem here is how to use port 25 with no SSL or TLS.
          After trying several times to configure the Receive Connector I found a solution to resolve my case: just delete the Default Frontend (server name) connector and re-create it! I do not know what Microsoft pre-configures in this connector, but after re-creating it everything works like a charm! :)

        • Tiberius says:

          Ultimate,
          Normally that kind of action just breaks what the software house decided to be the best practice, and in your case it doesn't seem to be a needed post-install configuration.
          I advise you to check http://technet.microsoft.com/en-us/library/aa996395(v=exchg.150).aspx
          The info is all there.

          The default receive connector that listens on TCP25 is not advised to receive client connections as a best practice, you should always use the TCP587 one.

          As it is said:
          Default FrontEnd: Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.

          Typically this default SMTP connector only permits the following identities to connect:
          PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers

          So the only authenticated objects allowed are the Exchange servers (not the users)… Once more BEST PRACTICE.

          Best Regards

        • Ultimate says:

          Tiberius,

          Yes, of course I know it's not best practice. I just want to know why this port can't be used by default and how it can be used. This is a lab environment, not production.
          Thanks for your information and advice.

          Best regards

  36. Hi Paul,

    Thanks for your informative message. I have an issue in my Exchange environment: when I test mail sending via telnet, I get the following error. Please guide me. If possible I'd like to resolve it without enabling the anonymous users security setting, because for security reasons I don't want to enable anonymous user settings.

    220 xxx.xxx Microsoft ESMTP MAIL Service ready at Thu, 24 Apr
    2014 08:44:50 +0300
    helo
    250 xxx.xxx Hello [123.123.123.37]
    mail from: xyz@xxx.xxx
    530 5.7.1 Client was not authenticated

    • Tiberius says:

      Hi Raaja,
      As stated in your telnet test message, your connector is configured for auth (and that is what you want).
      So depending on your connector auth configuration you need to use SMTP verbs for authentication testing via telnet (AUTH, STARTTLS, etc…)
      If this is too complex for you I advise you to use an SMTP client like outlook to do the auth SMTP test.
      Best Regards

      • Hi Tiberius,

        Thanks for your reply. We have a Java team; they are generating mails via Java, but they are getting the error "class javax.mail.MessagingException: 530 5.7.1 Client was not authenticated".
        My concern is to avoid the anonymous users authentication. Is there any other way!!!

        • Ultimate says:

          Hi Raaja,

          Can the Java application generate an email with authentication info? If not, create a receive connector, allow anonymous but grant only the IP of the Java application server.
          I think that is the only solution for your case!

        • Tiberius says:

          Raaja,
          Like Ultimate said, your JAVA team has to code the windows auth process inside their SMTP alerts coding (using Windows Integrated Auth or Windows Basic Auth in this last case with STARTTLS first).
          If auth could not be coded (and for me that is a bad excuse from a programmer), this BLOG has the right information on how to create a receive SMTP connector WITHOUT auth and filtering their use on the originating IP of the sending mailer.

          Normally I use an Externally secured + Partner configuration so it bypasses some Exchange malware filtering, but Paul's info is usable for your needs.

          Best Regards

  37. Hi Ultimate / Tiberius

    Yes, the Java application generates an email with authentication, but it's getting an error …

    Messaging Exception in sendPdfByEmail :: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated

    Error in createPdfInvoice com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated

    com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated

    at com.sun.mail.smtp.SMTPTransport.issueSendCommand(SMTPTransport.java:1388)
    at com.sun.mail.smtp.SMTPTransport.mailFrom(SMTPTransport.java:959)
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:583)
    at javax.mail.Transport.send0(Transport.java:169)
    at javax.mail.Transport.send(Transport.java:98)
    at com.lmr.ems.client.pdf.PDFCreator.sendPdfByEmail(PDFCreator.java:174)
    at com.lmr.ems.client.pdf.PDFCreator.createPdfInvoice(PDFCreator.java:72)
    at com.test.GenerateMonthlyPDF.sendInvoiceAsMail(GenerateMonthlyPDF.java:91)
    at com.test.GenerateMonthlyPDF.generatePDF(GenerateMonthlyPDF.java:60)
    at com.test.GenerateMonthlyPDF.main(GenerateMonthlyPDF.java:27)
    com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.1 Client was not authenticated.

    Note: The Java programmer is generating the application from their client PC, so that's the reason I am avoiding the anonymous security setting.

    • Tiberius says:

      Raaja,
      When you say "the Java application generates an email with authentication" and you have an SMTP return error of "530 5.7.1 Client was not authenticated", it leads me to believe that there is a mismatch in the auth agreement between the app and Exchange, normally because Exchange is expecting one thing and the code sends another…
      I am not a programmer/coder, so what I can say is that the default behavior for the SMTP TCP587 Receive Connector is authentication using Windows Integrated Auth (AUTH GSSAPI/NTLM) or Windows Basic Auth with TLS (STARTTLS+AUTH LOGIN), and this you can see in the Exchange side frontend receive connector logs.

      If your code (whatever it may be, and I see that you use 3rd party PDFCreator code) doesn't comply with these rules you might need another form of SMTP delivery that does not use auth (like in Paul's info).

      Don't let your coders fill your head with coding logs; the rules are simple: if you want to use SMTP auth for message delivery, put them to work and make them demonstrate to you that they are using the right API/modules/arguments for the rules that you (MS Exchange) established.

      Your log does not show us one line where the app sends/initiates Windows auth, so for me this app is not using auth…

      Nevertheless cross reference with the Exchange logs as I have stated.

      Best Regards
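The check Tiberius describes above, looking in the Frontend receive protocol log for an AUTH verb before the 530, can be scripted. The following is an added example, not code from the article or from anyone in this thread; it assumes the nine-column field order Exchange writes in the log's "#Fields:" header, and the log lines, session ids, hostnames and addresses are constructed sample data.

```python
import csv
from dataclasses import dataclass
from typing import Dict, Optional

# Column order of an Exchange 2013 SMTP receive protocol log (its "#Fields:" header).
FIELDS = ("date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context")

# Constructed sample log (hostnames, session ids and addresses are made up).
# Session ...01 sends MAIL FROM without ever issuing AUTH and gets the 530.
# Session ...02 does STARTTLS and AUTH LOGIN; the credential lines are omitted.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-04-24T05:44:50.001Z,SRV1\Client Frontend SRV1,08D1AA0000000001,0,192.168.0.181:587,192.168.0.44:51234,+,,
2014-04-24T05:44:50.002Z,SRV1\Client Frontend SRV1,08D1AA0000000001,1,192.168.0.181:587,192.168.0.44:51234,<,EHLO app.acme.lan,
2014-04-24T05:44:50.003Z,SRV1\Client Frontend SRV1,08D1AA0000000001,2,192.168.0.181:587,192.168.0.44:51234,<,MAIL FROM:<xyz@acme.com>,
2014-04-24T05:44:50.004Z,SRV1\Client Frontend SRV1,08D1AA0000000001,3,192.168.0.181:587,192.168.0.44:51234,>,530 5.7.1 Client was not authenticated,
2014-04-24T05:44:50.005Z,SRV1\Client Frontend SRV1,08D1AA0000000001,4,192.168.0.181:587,192.168.0.44:51234,-,,Local
2014-04-24T05:45:10.001Z,SRV1\Client Frontend SRV1,08D1AA0000000002,0,192.168.0.181:587,192.168.0.45:51240,+,,
2014-04-24T05:45:10.002Z,SRV1\Client Frontend SRV1,08D1AA0000000002,1,192.168.0.181:587,192.168.0.45:51240,<,EHLO app2.acme.lan,
2014-04-24T05:45:10.003Z,SRV1\Client Frontend SRV1,08D1AA0000000002,2,192.168.0.181:587,192.168.0.45:51240,<,STARTTLS,
2014-04-24T05:45:10.004Z,SRV1\Client Frontend SRV1,08D1AA0000000002,3,192.168.0.181:587,192.168.0.45:51240,<,AUTH LOGIN,
2014-04-24T05:45:10.005Z,SRV1\Client Frontend SRV1,08D1AA0000000002,4,192.168.0.181:587,192.168.0.45:51240,*,DOMAIN\SMTPsvc.userX,authenticated
2014-04-24T05:45:10.006Z,SRV1\Client Frontend SRV1,08D1AA0000000002,5,192.168.0.181:587,192.168.0.45:51240,>,235 2.7.0 Authentication successful,
2014-04-24T05:45:10.007Z,SRV1\Client Frontend SRV1,08D1AA0000000002,6,192.168.0.181:587,192.168.0.45:51240,<,MAIL FROM:<app2@acme.com>,
2014-04-24T05:45:10.008Z,SRV1\Client Frontend SRV1,08D1AA0000000002,7,192.168.0.181:587,192.168.0.45:51240,>,250 2.1.0 Sender OK,
"""

@dataclass
class Session:
    session_id: str
    remote_ip: str
    starttls: bool = False
    auth_attempted: bool = False
    authenticated_as: Optional[str] = None
    rejected_530: bool = False

def parse_receive_log(text: str) -> Dict[str, Session]:
    """Group protocol log rows by session-id and record the auth-related events."""
    rows = csv.reader(line for line in text.splitlines() if line and not line.startswith("#"))
    sessions: Dict[str, Session] = {}
    for row in rows:
        if len(row) < len(FIELDS):
            continue  # truncated line: skip rather than guess at missing columns
        rec = dict(zip(FIELDS, row))
        remote_ip = rec["remote-endpoint"].rsplit(":", 1)[0]
        s = sessions.setdefault(rec["session-id"], Session(rec["session-id"], remote_ip))
        event, data, ctx = rec["event"], rec["data"], rec["context"]
        if event == "<":                                     # client -> server
            verb = data.split(" ", 1)[0].upper()
            if verb == "AUTH":
                s.auth_attempted = True
            elif verb == "STARTTLS":
                s.starttls = True
        elif event == ">" and data.startswith("530 5.7.1"):  # server -> client
            s.rejected_530 = True
        elif event == "*" and ctx == "authenticated":        # information line
            s.authenticated_as = data
    return sessions

def diagnose(s: Session) -> str:
    """One-line verdict per session, in the terms used in the thread above."""
    if s.authenticated_as:
        tls = "" if s.starttls else " (without STARTTLS: credentials were sent in the clear)"
        return f"authenticated as {s.authenticated_as}{tls}"
    if s.rejected_530 and not s.auth_attempted:
        return "client never sent AUTH; fix the client, not the connector"
    if s.rejected_530:
        return "AUTH attempted but not accepted; check mechanism and credentials"
    return "no authentication activity"
```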

  38. As always, well-written. Not only do I get a solution to my problem, but come away understanding why I had the problem and why the solution worked.
    Thanks Paul…

  39. Good article

    I read in an article by your fellow contributor here on Exchangeserverpro.com, Nuno Mota, that you should choose to use the Front End Transport or the Transport service depending on the need for queuing. Do you agree?

    We have systems relaying that do not queue themselves; should I choose the Transport service instead of the Front End Transport?

  40. Hello, first I would like to say I often visit your various articles and find them very informative, thank you! This is my First post.

    I have a new install of Exchange 2013 enterprise on premise and started moving a few users from 2010 at a time because I am finding various new issues with each. My newest issue has me perplexed how to continue.

    I have a Sharp network scanner, copier, printer that we use to scan documents to email. I have a HUB Transport Relay connector setup for this on exchange 2010. The copier has an AD username (authenticates) and sends to each individual user from an address book on the Sharp copier. I moved two users from 2010 to 2013 and they no longer are able to get those scans from the copier. I recalled the issue moving from Exchange 2003 to 2010 and it was that I didn't have a connector. But if I change the copier to send to the new Exchange 2013 all the users on 2010 won't get their scans, correct? I am stuck here. How or why doesn't 2010 know those users moved to 2013 and forward the messages? Wouldn't it be the same as any user still on my Exchange 2010 that emails me – now on 2013 server? What am I forgetting?

    I get the feeling I know the answer and the light bulb just hasn’t gone on yet, any help getting there would be appreciated!

    Thank you,
    Mike

    • Well I would guess there’s an SMTP connectivity issue between the 2010 and 2013 server. You might even see the mail queuing on the 2010 server with some error details that support that theory.

      My suggestion would be to move the mailboxes back to 2010 until you have fixed that problem.

  41. Hello

    I have created the connector for NAV2013 to relay emails through our Exchange 2013 and everything is working fine.

    The problem is that now I am able to relay or send emails through PowerShell using a 3rd party Exchange, which is not good for security reasons.

    Please suggest how I can stop it.

    Regards

    • What do you mean exactly when you say you can “relay or send emails through PowerShell using 3rd party exchange”?

      If you think you’ve created an open relay that is accessible from the internet you should roll back the changes you made immediately.

      Do you need NAV2013 to be able to relay to external recipients?

      • Hello Paul,

        Yes, I want NAV 2013 to relay email through our Exchange 2013 and it is working fine.

        I connect through PS to office 365 and run the CMDLET “Send-MailMessage -To user@externaldomain.com
        -From user@otherexternaldomain.com -SmtpServer myexchange.internal.com” and the CMDLET works and the recipient receives email.
        Just to test, I disabled this relay connector, and then if I run the above CMDLET it gives an error "5.7 1 unable relay".

        How can I set relay only from NAV2013 and no other?

        Regards

        • Sounds to me like you’ve set the IP addresses incorrectly on the “Remote network settings” of your relay connector.

          But is that Office 365 tenant a completely separate tenant or are you running a hybrid configuration?

          Note you can also do open relay tests with online tools like mxtoolbox.com and exrca.com.

        • Hello Paul,

          This is only on-premise with Exchange 2013. I have used the Windows Azure PS to test sending emails only.

          There is no connection between on-premise and O365 and just used O365 for test email from PS.
          I used mxtoolbox.com and EXRCA and both show success, which means it is an open relay; how can I stop it?
          With regards to IP for remote network i have added 192.168.1 90/24 which is our NAV2013 machine and removed the 0.0.0.0 255.255.255.255.

          On the security page under Authentication I have checked Transport Layer Security (TLS) only and under Permission I have selected Anonymous.
          Then I have run the CMDLET Get-ReceiveConnector "Relay E15MB1" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient

          Please let me know if I have set it right?

          Regards

        • You don’t need the /24 on the end of a single IP address like that.

          Also you don’t need to modify the TLS settings.

          I’m not saying either of those are the problem, but they are things you’ve done differently than the tutorial above.

        • I’ve done some more thinking about this – the only other thing I can think of is that your network edge device (router, firewall, etc) is proxying the SMTP connections instead of routing them, which may make them appear to Exchange 2013 as though they are coming from a 192.168.1.x IP address on your internal network, rather than from an internet IP.

          If that is the case then the /24 may well be the cause of the issue, and you should remove it and only add the specific IP address in to the relay connector.
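An offline check for the RemoteIPRanges mistakes discussed in this thread: a /24 left on a single host address, the default 0.0.0.0-255.255.255.255 range still present, or a non-private range on a connector that grants anonymous senders ms-Exch-SMTP-Accept-Any-Recipient. This is an added example, not the article's or the commenters' code; it takes the RemoteIPRanges values as strings in the spellings Get-ReceiveConnector displays, and every address below is constructed.

```python
import ipaddress
from typing import List, Tuple

IPAddr = ipaddress.IPv4Address
# Exchange's default RemoteIPRanges on a new receive connector: every IPv4 address.
ALL_V4 = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))

def expand_entry(entry: str) -> Tuple[IPAddr, IPAddr, bool]:
    """Return (first, last, host_bits_set) for one RemoteIPRanges value.

    Handles the three spellings Exchange displays: a single address, CIDR
    notation, and a low-high range. host_bits_set is True for something like
    192.168.1.90/24, where an operator typed a host address but the prefix makes
    Exchange accept the whole subnet.
    """
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"inverted range: {entry}")
        return lo, hi, False
    net = ipaddress.ip_network(entry, strict=False)  # strict=False: accept host bits as the GUI does
    typed = ipaddress.ip_address(entry.split("/", 1)[0])
    return net.network_address, net.broadcast_address, typed != net.network_address

def covered_addresses(entries: List[str]) -> int:
    """Total number of source addresses the connector will accept relay from."""
    return sum(int(hi) - int(lo) + 1 for lo, hi, _ in map(expand_entry, entries))

def audit_relay_connector(remote_ip_ranges: List[str], permission_groups: List[str],
                          anonymous_any_recipient: bool) -> List[str]:
    """Flag the RemoteIPRanges problems that turn a relay connector into an open relay.

    anonymous_any_recipient is True when ms-Exch-SMTP-Accept-Any-Recipient has been
    granted to NT AUTHORITY\\Anonymous Logon (the Add-ADPermission step in the article).
    """
    findings: List[str] = []
    if "AnonymousUsers" in permission_groups and anonymous_any_recipient:
        findings.append("anonymous relay to any recipient: RemoteIPRanges is the only control")
    for entry in remote_ip_ranges:
        lo, hi, host_bits = expand_entry(entry)
        n = int(hi) - int(lo) + 1
        if (lo, hi) == ALL_V4:
            findings.append(f"{entry}: default all-addresses range still present (open relay)")
        elif host_bits:
            findings.append(f"{entry}: prefix widens one host to {n} addresses ({lo}-{hi}); remove the /prefix")
        elif not (lo.is_private and hi.is_private):
            findings.append(f"{entry}: covers non-RFC1918 addresses")
        elif n > 1:
            findings.append(f"{entry}: {n} addresses may relay; confirm the range is intended")
    return findings
```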

  42. Hi Paul, thanks for this article, it’s very helpful.

    I do have a question regarding the external relay scenario. I understand the configuration of the additional Receive Connector on the Frontend Transport role – However, I'm just curious how email is then routed to the Internet. It is my understanding that the FET would proxy a connection from an internal device using this newly created connector, to a MB server in the relevant Delivery Group – this MB server's Transport service would then deal with the email (queuing, rules, categorization etc) then the relevant Send connector would be responsible for the message getting out to the Internet. If I'm correct, can I ask which Receive Connector would be used on the MB server that receives the mail from the FET – would it just use the "Default" receive connector on port 25 (2525 if multi-roled)? – would there ever be a need to create a Receive Connector on the MB server role in addition to one created on the FET, that you can think of – perhaps if you configured an FET Rec. connector to listen on a non-default port?

    Thanks very much
    Barry

  43. Pieter Pienaar says:

    Good day,

    I have a strange issue. Been struggling for days now to fix. But no success.

    I have an Exchange server 2010 which I am busy upgrading to Exchange 2013. I have already loaded the new server and migrated a test account from the 2010 server over to the 2013 server.

    The issue that I have is the following: I cannot send anything from the old 2010 to the 2013 boxes. I just get an error saying it's been delayed.

    I can send via telnet if I do it manually. Then it works. From 2013 I can send to 2010 and to and from internet. I just struggle with my 2010 sending to 2013.

    Can you please send me in a direction to search for the issue.

    Thank you in advance.

    • Use Get-Queue | Get-Message | fl to see all the details of messages stuck in the queue. Usually there is some info there that will give you a hint.

      Check the receive connectors on Exchange 2013, especially if you’ve created a custom one.

  44. Paul Primac says:

    Paul,

    I am needing to do what you described for internal email from a Toshiba multi-function printer on my network so that scans from the MFP device are only allowed to relay email to internal recipients of the domain and block attempts to send out to the recipients on the internet which is currently happening. We are running Exchange 2010 on a single server so all roles are on the one server. Would this work the same way you have described for a 2010 Exchange server or was this not possible to configure for only internal delivery in Exchange 2010? Do you know? Thanks.

  45. Luis Fernando Rodriguez Garcia says:

    friend you saved me from a lot of headaches, thanks
