How to Configure a Relay Connector for Exchange Server 2010

In most Exchange Server 2010 environments there will be the need to allow relaying for certain hosts, devices or applications to send email via the Exchange server.  This is common with multi-function devices such as network attached printer/scanners, or applications such as backup software that send email reports.

SMTP communication is handled by the Hub Transport server in an Exchange organization. The transport service listens for SMTP connections on its default Receive Connector. However, this connector is secured by default to not allow anonymous connections (i.e. the type of connection most non-Exchange systems will be making).

You can see this in effect if you telnet to the server on port 25 and try to initiate unauthenticated SMTP communications.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 19:42:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
530 5.7.1 Client was not authenticated

On Hub Transport servers that are internet-facing, anonymous connections may already be enabled on the default Receive Connector. In those cases relay is still denied, but the rejection happens at a different point in the conversation than in the first example: the MAIL FROM is accepted and the RCPT TO is refused.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:01:44 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: somebody@gmail.com
550 5.7.1 Unable to relay

You’ll note that relay is denied if I try to send from an @hotmail.com address to an @gmail.com address, because neither is an accepted domain of the Exchange organization. But with Anonymous Users enabled on the Receive Connector I can send from an @hotmail.com address to a valid local recipient, which is exactly what inbound internet mail needs.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:05:54 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: alan.reid@exchangeserverpro.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
test
.
250 2.6.0  [InternalId=2] Queued mail for delivery

However if I try to relay out to an external recipient, the Exchange server does not allow it.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:11:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay

To permit a non-Exchange server to relay mail we can create a new Receive Connector on the Hub Transport server. Launch the Exchange Management Console and navigate to Server Configuration, and then Hub Transport. Select the Hub Transport server you wish to create the new Receive Connector on, and from the Actions pane of the console choose New Receive Connector.

Give the new connector a name such as “Relay” and click Next to continue.

You can leave the local network settings as is, or optionally you can use a dedicated IP address for this connector if one has already been allocated to the server. Using dedicated IP addresses for each connector is sometimes required if you need to create connectors with different authentication settings, but for a general relay connector it is not necessary to change it.

Highlight the default IP range (0.0.0.0-255.255.255.255) in the remote network settings and click the red X to delete it. If that range is left in place, every host that reaches this connector will be able to relay once the permissions below are applied.

Now click the Add button and enter the IP address of the server you want to allow to relay through the Exchange server. Use the exact address of the host rather than a subnet wherever you can. Click OK to add it and then Next to continue.

Click the New button to complete the wizard.

The Receive Connector has now been created but is not yet ready to allow the server to relay through it.  Go back to the Exchange Management Console, right-click the newly created Receive Connector and choose properties.

Select the Permission Groups tab and tick the Exchange Servers box (Exchange Servers, not Exchange Users).

Select the Authentication tab and tick the Externally Secured box. Do this after the Permission Groups step: if Exchange Servers is not already ticked, Exchange refuses Externally Secured with an error saying that the PermissionGroups parameter must be ExchangeServers when AuthMechanism is ExternalAuthoritative.

Apply the changes and the Receive Connector is now ready for the server to relay through.
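The same connector can be created in one step from the Exchange Management Shell. This is an added example and not the article’s own commands; it assumes the server name EX3, the connector name Relay and the single permitted host 192.168.0.9 used in the telnet tests above, and uses the 0.0.0.0:25 binding that the wizard leaves as its default.

```powershell
# Added example (not from the original article): create the relay connector
# from the Exchange Management Shell instead of the console wizard.
# Assumptions: Hub Transport server EX3, connector name "Relay", and a single
# permitted host 192.168.0.9 as in the article's telnet tests. Adjust for your
# environment.
$server     = 'EX3'
$name       = 'Relay'
$relayHosts = @('192.168.0.9')      # one entry per permitted host; keep these exact

# -Usage Custom starts with no permission groups, so only what we set applies.
# -Bindings 0.0.0.0:25 matches the wizard's default local network settings;
# use '<dedicated IP>:25' instead if one has been allocated to the server.
# Setting PermissionGroups and AuthMechanism together avoids the ordering
# error the console produces when Externally Secured is ticked first.
New-ReceiveConnector -Server $server -Name $name -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $relayHosts `
    -PermissionGroups ExchangeServers `
    -AuthMechanism ExternalAuthoritative

# Verify the settings that matter for relay.
Get-ReceiveConnector -Identity "$server\$name" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# Confirm the relay right itself: ExchangeServers + ExternalAuthoritative grants
# ms-Exch-SMTP-Accept-Any-Recipient, which is what turns "Unable to relay" into
# "Recipient OK" for the listed hosts.
Get-ADPermission -Identity "$server\$name" |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table User, ExtendedRights -AutoSize
```

The last command is the check worth keeping: if the ms-Exch-SMTP-Accept-Any-Recipient right is not listed for the connector, the relaying host will still see 550 5.7.1 Unable to relay regardless of what the console tabs appear to show.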

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:31:00 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
test
.
250 2.6.0 <924bab1e-0f07-4054-8700-d121577993b4@EX3.exchangeserverpro.local> [InternalId=3] Queued mail for delivery

Because the remote IP range on the connector contains only that single IP address, any other host still cannot relay through the Exchange server: from any address not included in the remote IP range of the Receive Connector, relay is denied. Bear in mind what Externally Secured means, though. Exchange treats every connection that matches the connector as fully trusted, so it accepts whatever sender address the host presents (including addresses in your own accepted domains) and skips anti-spam checks for it. The remote IP range is the only control on this connector, so keep it to exact addresses and treat those hosts as part of the mail system’s trust boundary.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:46:06 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.2]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay
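The telnet sessions above are the right test, but they are tedious to repeat from every host that should, and should not, be able to relay. The following is an added example, not part of the original article, that scripts the same SMTP dialogue from PowerShell and classifies the reply the way the sessions above do. It stops after RCPT TO and sends QUIT, so no message is ever queued. The server, sender and recipient are the article’s sample values and the HELO name “relaytest” is an arbitrary choice; replace them for your environment.

```powershell
# Added example (not from the original article): script the telnet relay test
# so it can be run from every host that should, and should not, be able to
# relay. It stops after RCPT TO and sends QUIT, so no message is queued.
# Assumptions: server, sender and recipient below are the article's sample
# values and "relaytest" is an arbitrary HELO name; replace them as needed.
function Read-SmtpReply ([System.IO.StreamReader]$Reader) {
    # Skip continuation lines ("250-...") and return the final line ("250 ...").
    do { $line = $Reader.ReadLine() } while ($line -ne $null -and $line -match '^\d{3}-')
    return $line
}

function Test-SmtpRelay {
    param([string]$Server, [string]$From, [string]$To, [int]$Port = 25)

    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    $transcript = @()
    try {
        $transcript += Read-SmtpReply $reader                     # 220 banner
        foreach ($cmd in @('HELO relaytest', "MAIL FROM:<$From>", "RCPT TO:<$To>")) {
            $writer.WriteLine($cmd)
            $reply = Read-SmtpReply $reader
            $transcript += "$cmd -> $reply"
            if ($reply -notmatch '^2\d\d') { break }              # first refusal ends the test
        }
        try { $writer.WriteLine('QUIT') } catch { }
    } finally {
        $client.Close()
    }

    # Classify from the last reply, mirroring the sessions in the article.
    $last = $transcript[-1]
    $verdict = switch -Regex ($last) {
        '530 5\.7\.1'      { 'No anonymous access: the session hit a connector without Anonymous or Externally Secured'; break }
        '550 5\.7\.1'      { 'Relay denied: the matching connector grants no relay permission to this source IP'; break }
        'RCPT TO.* -> 250' { 'RELAY ALLOWED from this source IP'; break }
        default            { 'Unexpected reply, inspect the transcript' }
    }
    New-Object PSObject -Property @{
        Server = $Server; From = $From; To = $To
        Verdict = $verdict; Transcript = ($transcript -join "`n")
    }
}

# Expected: RELAY ALLOWED when run from 192.168.0.9, relay denied from anywhere else.
Test-SmtpRelay -Server 'EX3.exchangeserverpro.local' `
               -From 'backups@exchangeserverpro.net' `
               -To 'alerts@managedserviceprovider.com' |
    Format-List Server, Verdict, Transcript
```

Run it once from the permitted host and once from a host that is not in the remote IP range; the second run is the one that proves the connector has not turned the server into an open relay. A RELAY ALLOWED verdict from an unexpected address means some connector (often a forgotten test connector with a broad range) is matching that source IP.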

You can later add more IP addresses, IP ranges or subnets to the Receive Connector, or add many addresses at once with a script if necessary.
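When the list of relaying hosts grows, it is worth maintaining it from a script and checking that no other connector on the same server also matches those hosts. This is an added example and not the article’s own script. It assumes the connector EX3\Relay created above, uses constructed sample addresses (replace them, or load a list with Get-Content), relies on the LowerBound and UpperBound properties of the IPRange objects Exchange returns, and skips IPv6 entries in the overlap check.

```powershell
# Added example (not from the original article): maintain the relay connector's
# remote IP list from a script, and check that no other connector on the server
# also matches those hosts. Assumptions: the connector is EX3\Relay and the
# hosts below are constructed sample values (replace them, or load a list with
# Get-Content). IPv6 entries are skipped by the overlap check.
$identity = 'EX3\Relay'
$newHosts = @('192.168.0.20', '192.168.0.21', '10.10.5.0/24')

$rc = Get-ReceiveConnector -Identity $identity

# -RemoteIPRanges replaces the whole list, so merge with what is already there
# rather than overwriting it, and skip entries that are already present.
$existing = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
$merged   = $existing + @($newHosts | Where-Object { $existing -notcontains $_ })
Set-ReceiveConnector -Identity $identity -RemoteIPRanges $merged

# Overlap audit. Exchange hands a connection to the connector whose remote range
# matches the source IP most specifically, so a single host entry on the relay
# connector wins over a broad range elsewhere, but an equally specific entry on
# another connector (a forgotten test connector, for instance) can take the
# session and produce "Unable to relay" even though the relay connector is right.
function ConvertTo-IPv4Number ([string]$ip) {
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

$relayHosts = @()
foreach ($range in (Get-ReceiveConnector -Identity $identity).RemoteIPRanges) {
    $lo = $range.LowerBound.ToString(); $hi = $range.UpperBound.ToString()
    if ($lo -eq $hi -and $lo -notmatch ':') { $relayHosts += $lo }   # single IPv4 hosts only
}

$server   = $identity.Split('\')[0]
$findings = @()
foreach ($conn in (Get-ReceiveConnector -Server $server | Where-Object { $_.Name -ne $rc.Name })) {
    if (-not ($conn.Bindings | Where-Object { $_.Port -eq 25 })) { continue }
    foreach ($range in $conn.RemoteIPRanges) {
        if ($range.LowerBound.ToString() -match ':') { continue }
        $lo = ConvertTo-IPv4Number $range.LowerBound.ToString()
        $hi = ConvertTo-IPv4Number $range.UpperBound.ToString()
        foreach ($ip in $relayHosts) {
            $n = ConvertTo-IPv4Number $ip
            if ($n -ge $lo -and $n -le $hi) {
                $findings += New-Object PSObject -Property @{
                    Connector = $conn.Name; Range = $range.ToString()
                    RelayHost = $ip;        Conflict = ($lo -eq $hi)   # same specificity = real conflict
                }
            }
        }
    }
}
$findings | Select-Object Connector, Range, RelayHost, Conflict | Format-Table -AutoSize
```

The default connector’s 0.0.0.0-255.255.255.255 range will always appear in the findings with Conflict set to False; that is the expected “most specific wins” situation. A row with Conflict set to True is the one to act on, because two connectors with equally specific entries leave the outcome to whichever one Exchange picks.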

About Paul Cunningham

Paul is a Microsoft Exchange Server specialist for one of Australia's largest companies, and is the Publisher of ExchangeServerPro.com. He is also an MCP, MCSA, MCSE, MCTS, and an MCITP for Exchange Server 2007/2010. Connect with Paul on Twitter, LinkedIn and Google+.

Comments

  1. Allen White says:

    Thanks, we set this up to allow the backup server to relay mail. We also reference it here if anyone needs it.

    http://www.techieshelp.com/allow-a-server-to-relay-email-exchange-2007-2010/

  2. Jeff says:

    Many thanks. We have an RS6000 that had to send mail internally to employees and externally to customers. Your instructions were right on the money.

  3. Greg says:

    Excellent! We have a backup server that sends notifications for successful and failed jobs. Also needed to allow a Cisco voice router to send through it so users can have their voicemail sent to them in an attachment. Great post.

  4. Robert Anderton says:

    Paul

    We are having the relay issue with a program that sends messages to our clients, but we are on Small Business Server 2011. If I followed the above advice and added the IP address of the server into this connector, would this work for us?
    Would this then also mean that our server is pretty much open to relay from any source?

    • Hi Robert, is the app running on the SBS server itself or on another server/pc somewhere?

      • Robert Anderton says:

        It’s running on the same SBS server. It’s a VBScript that sends an SMTP request to the Exchange server. I have tried the above and added a new Receive Connector, but still get the same message ’550 5.7.1 Unable to relay’. Any thoughts?

      • Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine. But just to be sure what you can do after you set it up is do the relay test at http://www.abuse.net/relay.html

  5. Robert Anderton says:

    Hi Paul,

    This seems to have sorted it.
    Regards
    Robert

  6. Tim Pillay says:

    We needed a 3rd party app that worked fine with relay on Exchange 2003 but Exchange 2010 kept giving us 5.7.1, and this solved it in 5 minutes! Thanks … quality guide/FAQ!

  7. brian says:

    Sounds like what we need, but I tried this and am still getting 5.7.1 from some systems. One is using IIS SMTP, another a proprietary SMTP DLL, another a vendor system, who knows.
    So do I need to restart the Transport service for this to take effect?

    • Hi Brian, don’t normally need a restart but I’ve seen a few heavily loaded Transport servers in the wild not pick up the new config until the service was restarted.

      One thing you can also try is enabling protocol logging (set to Verbose) on the Receive Connector and then look at the log file it generates to see why the messages are getting rejected.

      • brian says:

        No go. I still get “5.7.1 Unable to relay for user@externaldomain.com”. I have done the settings above for connectors on both Edge and Hub Transport (just in case). I am assuming I am still missing a step? Other forums are inconsistent when referring to using Anon vs Exch Servers in the Permission Groups tab.

      • Anonymous is required for systems that need to send external email into your Exchange org without authenticating first (eg an @gmail user sending an email to somebody on your network).

        Exchange Servers is required for relay (eg an app or device relaying mail to an external domain via your server).

        It is possible that the wrong Receive Connector is accepting the connections. This can happen if the Remote Network Settings have overlapping IPs or IP ranges (Exchange has a rule of “most specific wins” in this case).

        Have you tried turning on protocol logging? If you do that for all the Receive Connectors on the server it all gets logged into one file, but the log file entries tell you which Receive Connector accepted the connection.

      • brian says:

        I got it working just after my post, yes it was adding Anon along with Exch Servers. It seemed I had tested this config before, however I did find a test connector on the Edge that must have conflicted.
        Thanks.
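The protocol-logging approach suggested in the replies above can be scripted. The following is an added example, not part of the original post or its replies: it turns on verbose logging for every receive connector on a server and then reads the receive protocol log to show which connector took each session and where it was refused. It assumes the server EX3; the log lines embedded in it are constructed to mirror the article’s “Unable to relay” test and are not real output from that server.

```powershell
# Added example (not part of the original post or replies): enable verbose
# protocol logging and read the receive log to see which connector accepted a
# session and which reply refused it. Assumptions: server EX3; the sample log
# below is constructed in the real log's format and is not real output.
Get-ReceiveConnector -Server EX3 | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
$logDir = (Get-TransportServer -Identity EX3).ReceiveProtocolLogPath

function ConvertFrom-ReceiveProtocolLog ([string[]]$Lines) {
    # The log is CSV with '#' header lines; '#Fields:' carries the column names.
    $fields = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $Lines | Where-Object { $_ -notlike '#*' -and $_.Trim() -ne '' } | ConvertFrom-Csv -Header ($fields -split ',')
}

function Get-RelayRefusals ($Entries) {
    # One row per session: the connector that took it, the remote endpoint and
    # the first 5xx the server sent. 530 at MAIL FROM = connector without
    # Anonymous/Externally Secured; 550 at RCPT TO = connector without relay rights.
    $Entries | Group-Object 'session-id' | ForEach-Object {
        $s = $_.Group
        $refusal = $s | Where-Object { $_.event -eq '>' -and $_.data -match '^5\d\d' } | Select-Object -First 1
        if ($refusal) {
            New-Object PSObject -Property @{
                Session   = $_.Name
                Connector = $s[0].'connector-id'
                Remote    = $s[0].'remote-endpoint'
                Refusal   = $refusal.data
            }
        }
    }
}

# Constructed sample (not real EX3 output): a session from 192.168.0.2 that
# lands on the default connector and is refused at RCPT TO.
$sample = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2010-08-18T10:46:06.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-08-18T10:46:06.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,0,192.168.0.3:25,192.168.0.2:52344,+,,
2010-08-18T10:46:06.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,1,192.168.0.3:25,192.168.0.2:52344,>,"220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready",
2010-08-18T10:46:10.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,2,192.168.0.3:25,192.168.0.2:52344,<,helo,
2010-08-18T10:46:10.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,3,192.168.0.3:25,192.168.0.2:52344,>,250 EX3.exchangeserverpro.local Hello [192.168.0.2],
2010-08-18T10:46:20.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,4,192.168.0.3:25,192.168.0.2:52344,<,mail from: backups@exchangeserverpro.net,
2010-08-18T10:46:20.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,5,192.168.0.3:25,192.168.0.2:52344,>,250 2.1.0 Sender OK,
2010-08-18T10:46:30.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,6,192.168.0.3:25,192.168.0.2:52344,<,rcpt to: alerts@managedserviceprovider.com,
2010-08-18T10:46:30.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,7,192.168.0.3:25,192.168.0.2:52344,>,550 5.7.1 Unable to relay,
2010-08-18T10:46:35.000Z,EX3\Default EX3,08CD0C1A2B3C4D5E,8,192.168.0.3:25,192.168.0.2:52344,-,,Remote
'@

# Run against the constructed sample...
ConvertFrom-ReceiveProtocolLog ($sample -split "`r?`n") | Get-RelayRefusals |
    Select-Object Session, Connector, Remote, Refusal | Format-Table -AutoSize

# ...and against the real logs on the server.
Get-ChildItem -Path $logDir -Filter *.log | ForEach-Object {
    ConvertFrom-ReceiveProtocolLog (Get-Content $_.FullName)
} | Get-RelayRefusals | Select-Object Session, Connector, Remote, Refusal | Format-Table -AutoSize
```

The Connector column answers the question raised in this thread: if a session from a host you added to the relay connector shows up under a different connector, the remote IP ranges overlap and the other connector is winning the match.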

  8. Lucas says:

    Thanks for the Tutorial, Paul.

    So, basically, we’re fooling the Exchange Server into believing that external security exists on the Receive Connector, which then makes the server allow untrusted connections. That is a nice “trick” that solves the problem, but maybe it’s a security risk to do that.

    Is there a more secure way to configure this kind of relay ?

    • The only remote hosts allowed to relay through the connector are those you explicitly allow. There is naturally a risk if those remote hosts were compromised in some way, but other than that this is how it is done.

  9. JuanRivera says:

    Greatly helpful, everything works fine, amazing!!!!

  10. Joonyoung Park says:

    Dear Paul,

    First of all, thank you so much for posting this article. I couldn’t figure out how to relay email from our SQL Reporting Server through our main SBS 2011 server until I saw your article. It took me more than a month of research to find the solution. Finally, thanks to your article, our Reporting Server can send emails to external users through our main Exchange 2010 server!! Your instructions were very helpful, and I set up the relay setting within 2~3 minutes.

    Cheers!!!

    Joon

  11. Larry says:

    THANK YOU THANK YOU THANK YOU….This helped us out GREATLY!!

  12. JK says:

    Hi,

    I have tried to follow your simple steps but encounter the following error when I tick Externally Secured (…) in the Authentication tab:

    “You must set the value for the PermissionGroups parameter to ExchangeServers when you set the AuthMechanism parameter to a value of ExternalAuthoritative”

    A red exclamation mark appears beside ‘Enable Domain Security (Mutual Auth TLS)’.

    Any idea why? Thank you.

    • Hi JK, you’ve got to do the steps in the right order or you’ll run into that error. So first you’ve got to do the Permission Groups settings, then after that you can do the Authentication settings.

  13. Greg says:

    Make sure you have Exchange Servers checked, not Exchange users.

  14. Peter Andersen says:

    I did this, but it would work for a while and quit. Ended up putting in the IP address of the extra inside connector instead of the name of the mail server. Started working right away.

  15. Jeff Waska says:

    Paul, this works great for us, but I have been asked to add a second redundant Hub server to the list of relaying servers. Is there a way to do this without having to have lists of IPs to maintain on each Hub server? We have four.

    Thanks,
    Jeff

  16. sean says:

    Thanks! I’ve been messing with this for the better part of the day. Your instructions were the clearest as to setting it up.

  17. Daren Fredrickson says:

    Thank you for this post. Very helpful in simplifying the process of setting this up.
    As others above, SSRS was what we are using the relay for and now it works great!

  18. Jon S says:

    We are currently trying to merge our local account and our external accounts. The only catch is not everyone has external accounts, so we want to make sure that nothing local is routed outside the system. If possible, we’d like to eliminate the need for having to select which account we are sending from, and if at all possible, be able to send to both an internal or external contact simultaneously. Are these instructions on the right track? Is there anything else we may need to do?
    Thanks.

  19. Warren says:

    Thanks – saved me hours!

  20. David says:

    With SP1 it works fine but when I changed to SP2 I found this problem.

    Thanks for save my time.

  21. Duane says:

    How can I tell which of applications are currently using the Open Mail Relay, so that when I restrict it, I know which apps will be affected?

    Thanks!

  22. SeanC says:

    Hi Paul

    Great article and your solution was just what I was after. One quick question though. The program being used is a mail merge client which has Sender Name, Sender’s Email Address and Reply Email Address fields. When relaying through the new connector to external recipients the Sender Name field is displayed properly, however when emails are sent internally the Sender’s Name is not displayed, only the email address.

    For instance the Sender’s Name might be MyCo Mail Out and the reply address bla@bla.com. External receivers see the display name as MyCo Mail Out with an email address of bla@bla.com; internal users however only see the display name as bla@bla.com.

    Any ideas on how to get internal users seeing the same Display Name and not the reply email address

    Many Thanks

  23. Tom Greendyk says:

    I just wanted to post a thank you for this great, easy-to-follow article. It saved my butt when I couldn’t get two scanners to scan to email. After fighting it for three days, I found this and voila! Away we go.

    Thanks again. Good stuff!

    Tom

  24. Adonis says:

    Great article. Is there a way to set up a connector using a host name such as test.myserver.com instead of an IP address? Just wondering, I have a web app that relays from Azure but the IP address could change at any time.

    • No, remote systems/networks are identified by IP only, not name.

      You could look at using SMTP authentication instead, so that the Azure app makes an authenticated connection to a receive connector regardless of which source IP it is coming from.

  25. Dev says:

    This works for me, thanks. I needed it for my email scanner and Linux server to send via my Exchange 2010 server, so I added both IP addresses on the same connector.

  26. Peter says:

    Very handy and useful. Just solved my issue of sending emails out externally from a helpdesk software install on one of our servers.

    Thanks

  27. Kevin says:

    Thanks for this, although I am unable to get Exchange to relay in my particular situation. Basically, I’ve got an application on a machine that simply can’t relay through the Exchange box. The only difference that I can see is that the problematic server is on a separate subnet, and it also isn’t in the AD domain of the Exchange box. I don’t see why that matters but it seems to as I can relay from other servers that are on the same subnet and domain as Exchange. Any ideas?

    • Domain membership shouldn’t matter. You should start from the basics and verify that you can ping the Exchange server from the application server, telnet to the Exchange server on port 25 from the app server, and do some tests with protocol logging turned on for your receive connectors so you can inspect the logs if you need to (the telnet window will also give you some clues).

  28. vadim says:

    Two quick questions: in the example above, is it necessary to check ‘Exchange Servers’ under Permission Groups for a connector used to relay from, say, scanners? They are not Exchange servers.

    Also, how would Exchange figure out which connector to use when, say, the default connector and the new ‘Relay’ connector are using the same local IP to receive? Or is it necessary to add an additional IP on the NIC for each new receive connector? Won’t the shared IP screw up the whole receiving process?

    • Yes. The “Exchange Servers” permission is what allows the IP addresses you specify in the remote IP range to relay email to recipients outside of the organization. So instead of thinking of them as “Exchange Servers” think of it as a group of permissions that allows another host to do certain things.

      Sharing IP’s works but is not best practice. It works because the receive connectors that share an IP work out which one should handle the incoming connection based on a “most specific match wins” approach – eg a connector with the exact IP of the connecting server will handle the request instead of one that only matches the IP by a broader range of IPs.

      You can run into problems if you start allowing entire IP subnets and they overlap with the IP addresses for Exchange servers within the org. If possible use a dedicated network interface with its own IP that is *not* registered in DNS for the relay connector.

  29. Janis says:

    Thanks. You saved me. This article helped me to set up mail routing from linux box.

  30. vadim says:

    Ok, makes sense. Though it’s not a very pretty picture if one needs to build several receive connectors. Definitely not as smooth as it was in the 2003 version, which can be said though about 2010 as a whole (with the exception of DAG). I wonder if there are restrictions to at least assigning multiple IPs to the same NIC instead of sticking multiple NICs into every Hub server.

    And thanks for informative and prompt responses. That helps.

  31. Chris says:

    Paul or anyone else.
    Is there a way for me to make Exchange 2010 work like 2003 does in this sense:
    2003 destination: Telnet Exch2003Server 25
    helo
    mail from: Paul <<< at this point it adds the valid @Domain.com and accepts the mail
    2010 destination: Telnet Exch2010Server 25
    helo
    mail from: Paul <<< It fails with a 501 5.1.7 Invalid address error
