In most Exchange Server 2010 environments there will be the need to allow relaying for certain hosts, devices or applications to send email via the Exchange server. This is common with multi-function devices such as network attached printer/scanners, or applications such as backup software that send email reports.
SMTP communication is handled by the Hub Transport server in an Exchange organization. The transport service listens for SMTP connections on it’s default Receive Connector. However, this connector is secured by default to not allow anonymous connections (ie, the type of connection most non-Exchange systems will be making).
You can see this in effect if you telnet to the server on port 25 and try to initiate unauthenticated SMTP communications.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 19:42:27 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.9] mail from: somebody@hotmail.com 530 5.7.1 Client was not authenticated
For some Hub Transport servers that are internet-facing, anonymous connections may already be enabled. In those cases relay would still be denied but will behave differently than the first example.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 20:01:44 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.9] mail from: somebody@hotmail.com 250 2.1.0 Sender OK rcpt to: somebody@gmail.com 550 5.7.1 Unable to relay
You’ll note that relay is denied if I try to send from an @hotmail.com address to an @gmail.com address, because neither is a valid domain for the Exchange organization. But with Anonymous Users enabled on the Receive Connector I can send from an @hotmail.com address to a valid local address.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 20:05:54 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.9] mail from: somebody@hotmail.com 250 2.1.0 Sender OK rcpt to: alan.reid@exchangeserverpro.local 250 2.1.5 Recipient OK data 354 Start mail input; end with . test . 250 2.6.0 [In ternalId=2] Queued mail for delivery
However if I try to relay out to an external recipient, the Exchange server does not allow it.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 20:11:27 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.9] mail from: backups@exchangeserverpro.net 250 2.1.0 Sender OK rcpt to: alerts@managedserviceprovider.com 550 5.7.1 Unable to relay
To permit a non-Exchange server to relay mail we can create a new Receive Connector on the Hub Transport server. Launch the Exchange Management Console and navigate to Server Management, and then Hub Transport. Select the Hub Transport server you wish to create the new Receive Connector on, and from the Actions pane of the console choose New Receive Connector.
Give the new connector a name such as “Relay ” and click Next to continue.
You can leave the local network settings as is, or optionally you can use a dedicated IP address for this connector if one has already been allocated to the server. Using dedicated IP addresses for each connector is sometimes required if you need to create connectors with different authentication settings, but for a general relay connector it is not necessary to change it.
Highlight the default IP range in the remote network settings and click the red X to delete it.
Now click the Add button and enter the IP address of the server you want to allow to relay through the Exchange server. Click OK to add it and then Next to continue.
Click the New button to complete the wizard.
The Receive Connector has now been created but is not yet ready to allow the server to relay through it. Go back to the Exchange Management Console, right-click the newly created Receive Connector and choose properties.
Select the Permission Groups tab and tick the Exchange Servers box.
Select the Authentication Tab and tick the Externally Secured box.
Apply the changes and the Receive Connector is now ready for the server to relay through.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 20:31:00 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.9] mail from: backups@exchangeserverpro.net 250 2.1.0 Sender OK rcpt to: alerts@managedserviceprovider.com 250 2.1.5 Recipient OK data 354 Start mail input; end with . test . 250 2.6.0 <924bab1e-0f07-4054-8700-d121577993b4@EX3.exchangeserverpro.local> [In ternalId=3] Queued mail for delivery
Because the remote IP range has been secured to that single IP address, any other servers on different IP addresses still won’t be able to relay through the Exchange Server. From any other IP address not included in the remote IP range on the Receive Connector relay will be denied.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au g 2010 20:46:06 +1000 helo 250 EX3.exchangeserverpro.local Hello [192.168.0.2] mail from: backups@exchangeserverpro.net 250 2.1.0 Sender OK rcpt to: alerts@managedserviceprovider.com 550 5.7.1 Unable to relay
You can later add more IP addresses, IP ranges, subnets, or even add multiple IP addresses to the Receive Connector using a script if necessary.
About Paul Cunningham
thanks, we set this up to allow the backup server to relay mail. we also reference here if anyone needs it.
http://www.techieshelp.com/allow-a-server-to-relay-email-exchange-2007-2010/
Many thanks. We have and RS6000 that had to send mail internally to employees and externally to customers. Your instructinos were right on the money.
Excellent! We have a backup server that sends notifications for successfull and failed jobs. Also needed to allow a Cisco voice router to send through it so users can have their voicemail sent to them in an attachment. Great post.
Paul
We are having the relay issue on a program that send messages to our clients, but we are on a small business server 2011, if I followed the above advice and add the IP address of the server into this connector would this work for us?
Would this then also mean that our server is pretty much open to relay from any source?
Hi Robert, is the app running on the SBS server itself or on another server/pc somewhere?
Its running on the same SBS server? its a VBscript that sends a smtp request to the exchange server, I have tried the above and added a new Receive Connector, but still get the same message ’550 5.7.1 unable to relay’? any thoughts?
Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine. But just to be sure what you can do after you set it up is do the relay test at http://www.abuse.net/relay.html
Hi Paul,
This seems to have sorted it.
regard
Robert
we needed a 3rd party app that worked fine with relay on ex2003 but ex2010 kept giving us 5.7.1 and this was solved it in 5 minutes ! thanks ….quality guide/faq !
Sounds like what we need, but tried this and still getting 5.7.1. from some systems. one is using IIS smtp, another proprietary smtp dll, another vendor system- who knows.
So I need to restart Transport svc for this to take effect/
Hi Brian, don’t normally need a restart but I’ve seen a few heavily loaded Transport servers in the wild not pick up the new config until the service was restarted.
One thing you can also try is enabling protocol logging (set to Verbose) on the Receive Connector and then look at the log file it generates to see why the messages are getting rejected.
no go. still get “5.7.1 Unable to relay for user@externaldomain.com“. i have done the settings above for connectors on both Edge and Hub transports (just in case). I am assuming I am still missing a step? Other forums are inconsistent when referring to using Anon vs Exch Servers in the Perms Group tab.
Anonymous is required for systems that need to send external email into your Exchange org without authenticating first (eg an @gmail user sending an email to somebody on your network).
Exchange Servers is required for relay (eg an app or device relaying mail to an external domain via your server).
It is possible that the wrong Receive Connector is accepting the connections. This can happen if the Remote Network Settings has overlapping IP’s or IP ranges (Exchange has a rule of “most specific wins” if this case).
Have you tried turning on protocol logging? If you do that for all the Receive Connectors on the server it all gets logged into one file, but the log file entries tell you which Receive Connector accepted the connection.
I got it working just after my post, yes it was adding Anon along with Exch Servers.Seemed I had tested this config before, however I did find a test connector on the Edge that must have conflicted.
Thanks.
Thanks for the Tutorial, Paul.
So, basically, we’re fooling the Exchange Server to believe that an External Security exists in the Receive Connector, which then makes the server to allow untrusted connections. That is a nice “trick” that solve the problem, but maybe it’s a security risk to do that.
Is there a more secure way to configure this kind of relay ?
The only remote hosts allowed to relay through the connector are those you explicitly allow. There is naturally a risk if those remote hosts were compromised in some way, but other than that this is how it is done.
Great helpful, everything works fine, amazing !!!!
Dear Paul,
First of all, thank you so much to post this article. I couldn’t figure it out how to relay email from our SQL Reporting Server to send emails through our main SBS 2011 server until I saw your article. It took me more than a month to research to find out the solution. Finally, thanks to your article, our Reporting Server can send emails to external users through our main Exchange 2010 server!! Your instruction was very helpful, and I setup the relay setting within 2~3 minutes.
Cheers!!!
Joon
THANK YOU THANK YOU THANK YOU….This helped us out GREATLY!!
Hi,
I have tried to follow your simple steps but encounter the following error when I tick Externally Secure (…) in Authentication tab
“you must set the value for the permissiongroups parameter to exchangeservers when you set the authmechnism paramater to a value of Externalauthoritative”
A red exclamation mark appears beside ‘Enable Domain Security (Mutual Auth TLS).
Any idea why? Thank you.
Hi JK, you’ve got to do the steps in the right order or you’ll run into that error. So first you’ve got to do the Permission Groups settings, then after that you can do the Authentication settings.
Make sure you have Exchange Servers checked, not Exchange users.
I did this, but it would work for a while and quit. Ended up putting in the ipaddress of the extra inside connector instead of the name of the mail server. Started working right away.
Hi Peter, putting the relay connector on a dedicated IP is a good way to resolve issues where the wrong connector responds to SMTP connections on a shared IP.
Paul, This works great for us, but I have been asked to add a second redundant HUB server for the list of relaying servers. Is there a way to do this without having to have lists of IPs to maintain on each HUB server, we have four.
Thanks,
Jeff
Hi Jeff,
Firstly, you can clone the remote IP range from the existing connector to the new one you create by adapting this procedure:
http://exchangeserverpro.com/migrate-relay-connector-exchange-server-2007-2010
Now you’ve got two HT’s with relay connectors with the same remote IP range. Then, any time you want to update them, you can modify this procedure to apply the change to both:
http://exchangeserverpro.com/how-to-add-remote-ip-addresses-to-existing-receive-connectors
Just scale that process out to as many HT’s as you plan to configure with relay connectors.
Hope that helps!
thanks!. I’ve been messing with this for the better part of the day. Your instructions were the most clear as to setting up
Thank you for this post. Very helpful in simplifying the process of setting this up.
As others above, SSRS was what we are using the relay for and now it works great!
We are currently trying to merge our local account and our external accounts. The only catch is not everyone has external accounts, so we want to make sure that nothing local is routed outside the system. If possible, we’d like to eliminate the need for having to select which account we are sending from, and if at all possible, be able to send to both an internal or external contact simultaneously. Are these instructions on the right track? Is there anything else we may need to do?
Thanks.
Thanks – saved me hours!
With SP1 it works fine but when i change to SP2 i found this problem.
Thanks for save my time.
How can I tell which of applications are currently using the Open Mail Relay, so that when I restrict it, I know which apps will be affected?
Thanks!
Hi Duane, you can turn on Protocol Logging and use the resulting log file to identify what is using the receive connector.
Hi Paul
Great Article and your solution was just what i was after. One quick question though. The program being used is a mail merge client which has Sender name, Senders email address and reply email address fields. When relaying though the new connector to external recipients the Sender name field is displayed properly, however when emails are sent internally the Senders Name is not displayed, only the email address.
For Instance the Senders Name might have MyCo Mail out and the reply address of bla@bla.com. External receivers see the display name as being MyCo Mail with an email address of bla@bla.com, Internal users however only see the display name as bla@bla.com.
Any ideas on how to get internal users seeing the same Display Name and not the reply email address
Many Thanks
Hi Sean, you may find this article helpful:
http://exchangeserverpro.com/resolving-anonymous-mail-gal-exchange-server-2010
I just wanted to post a thank you for this great, easy-to-follow article. It saved my butt when I couldn’t get two scanners to scan to email. After fighting it for three days, I found this and voila! Away we go.
Thanks again. Good stuff!
Tom
You’re welcome Tom.