How to Configure a Relay Connector for Exchange Server 2010

In most Exchange Server 2010 environments there will be the need to allow relaying for certain hosts, devices or applications to send email via the Exchange server.  This is common with multi-function devices such as network attached printer/scanners, or applications such as backup software that send email reports.

SMTP communication is handled by the Hub Transport server in an Exchange organization.  The transport service listens for SMTP connections on it’s default Receive Connector. However, this connector is secured by default to not allow anonymous connections (ie, the type of connection most non-Exchange systems will be making).

You can see this in effect if you telnet to the server on port 25 and try to initiate unauthenticated SMTP communications.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 19:42:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
530 5.7.1 Client was not authenticated

For some Hub Transport servers that are internet-facing, anonymous connections may already be enabled.  In those cases relay would still be denied but will behave differently than the first example.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:01:44 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: somebody@gmail.com
550 5.7.1 Unable to relay

You’ll note that relay is denied if I try to send from an @hotmail.com address to an @gmail.com address, because neither is a valid domain for the Exchange organization. But with Anonymous Users enabled on the Receive Connector I can send from an @hotmail.com address to a valid local address.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:05:54 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: alan.reid@exchangeserverpro.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
test
.
250 2.6.0  [In
ternalId=2] Queued mail for delivery

However if I try to relay out to an external recipient, the Exchange server does not allow it.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:11:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay

To permit a non-Exchange server to relay mail we can create a new Receive Connector on the Hub Transport server. Launch the Exchange Management Console and navigate to Server Management, and then Hub Transport. Select the Hub Transport server you wish to create the new Receive Connector on, and from the Actions pane of the console choose New Receive Connector.

Give the new connector a name such as “Relay ” and click Next to continue.

You can leave the local network settings as is, or optionally you can use a dedicated IP address for this connector if one has already been allocated to the server. Using dedicated IP addresses for each connector is sometimes required if you need to create connectors with different authentication settings, but for a general relay connector it is not necessary to change it.

Highlight the default IP range in the remote network settings and click the red X to delete it.

Now click the Add button and enter the IP address of the server you want to allow to relay through the Exchange server. Click OK to add it and then Next to continue.

Click the New button to complete the wizard.

The Receive Connector has now been created but is not yet ready to allow the server to relay through it.  Go back to the Exchange Management Console, right-click the newly created Receive Connector and choose properties.

Select the Permission Groups tab and tick the Exchange Servers box.

Select the Authentication Tab and tick the Externally Secured box.

Apply the changes and the Receive Connector is now ready for the server to relay through.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:31:00 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
test
.
250 2.6.0 <924bab1e-0f07-4054-8700-d121577993b4@EX3.exchangeserverpro.local> [In
ternalId=3] Queued mail for delivery

Because the remote IP range has been secured to that single IP address, any other servers on different IP addresses still won’t be able to relay through the Exchange Server. From any other IP address not included in the remote IP range on the Receive Connector relay will be denied.

220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Au
g 2010 20:46:06 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.2]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay

You can later add more IP addresses, IP ranges, subnets, or even add multiple IP addresses to the Receive Connector using a script if necessary.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. thanks, we set this up to allow the backup server to relay mail. we also reference here if anyone needs it.

    http://www.techieshelp.com/allow-a-server-to-relay-email-exchange-2007-2010/

  2. Many thanks. We have and RS6000 that had to send mail internally to employees and externally to customers. Your instructinos were right on the money.

  3. Excellent! We have a backup server that sends notifications for successfull and failed jobs. Also needed to allow a Cisco voice router to send through it so users can have their voicemail sent to them in an attachment. Great post.

  4. Robert Anderton says:

    Paul

    We are having the relay issue on a program that send messages to our clients, but we are on a small business server 2011, if I followed the above advice and add the IP address of the server into this connector would this work for us?
    Would this then also mean that our server is pretty much open to relay from any source?

  5. Robert Anderton says:

    Hi Paul,

    This seems to have sorted it.
    regard
    Robert

  6. Tim Pillay says:

    we needed a 3rd party app that worked fine with relay on ex2003 but ex2010 kept giving us 5.7.1 and this was solved it in 5 minutes ! thanks ….quality guide/faq !

  7. Sounds like what we need, but tried this and still getting 5.7.1. from some systems. one is using IIS smtp, another proprietary smtp dll, another vendor system- who knows.
    So I need to restart Transport svc for this to take effect/

    • Hi Brian, don’t normally need a restart but I’ve seen a few heavily loaded Transport servers in the wild not pick up the new config until the service was restarted.

      One thing you can also try is enabling protocol logging (set to Verbose) on the Receive Connector and then look at the log file it generates to see why the messages are getting rejected.

      • no go. still get “5.7.1 Unable to relay for user@externaldomain.com“. i have done the settings above for connectors on both Edge and Hub transports (just in case). I am assuming I am still missing a step? Other forums are inconsistent when referring to using Anon vs Exch Servers in the Perms Group tab.

      • Anonymous is required for systems that need to send external email into your Exchange org without authenticating first (eg an @gmail user sending an email to somebody on your network).

        Exchange Servers is required for relay (eg an app or device relaying mail to an external domain via your server).

        It is possible that the wrong Receive Connector is accepting the connections. This can happen if the Remote Network Settings has overlapping IP’s or IP ranges (Exchange has a rule of “most specific wins” if this case).

        Have you tried turning on protocol logging? If you do that for all the Receive Connectors on the server it all gets logged into one file, but the log file entries tell you which Receive Connector accepted the connection.

      • I got it working just after my post, yes it was adding Anon along with Exch Servers.Seemed I had tested this config before, however I did find a test connector on the Edge that must have conflicted.
        Thanks.

  8. Thanks for the Tutorial, Paul.

    So, basically, we’re fooling the Exchange Server to believe that an External Security exists in the Receive Connector, which then makes the server to allow untrusted connections. That is a nice “trick” that solve the problem, but maybe it’s a security risk to do that.

    Is there a more secure way to configure this kind of relay ?

    • The only remote hosts allowed to relay through the connector are those you explicitly allow. There is naturally a risk if those remote hosts were compromised in some way, but other than that this is how it is done.

  9. JuanRivera says:

    Great helpful, everything works fine, amazing !!!!

  10. Joonyoung Park says:

    Dear Paul,

    First of all, thank you so much to post this article. I couldn’t figure it out how to relay email from our SQL Reporting Server to send emails through our main SBS 2011 server until I saw your article. It took me more than a month to research to find out the solution. Finally, thanks to your article, our Reporting Server can send emails to external users through our main Exchange 2010 server!! Your instruction was very helpful, and I setup the relay setting within 2~3 minutes.

    Cheers!!!

    Joon

  11. THANK YOU THANK YOU THANK YOU….This helped us out GREATLY!!

  12. Hi,

    I have tried to follow your simple steps but encounter the following error when I tick Externally Secure (…) in Authentication tab

    “you must set the value for the permissiongroups parameter to exchangeservers when you set the authmechnism paramater to a value of Externalauthoritative”

    A red exclamation mark appears beside ‘Enable Domain Security (Mutual Auth TLS).

    Any idea why? Thank you.

    • Hi JK, you’ve got to do the steps in the right order or you’ll run into that error. So first you’ve got to do the Permission Groups settings, then after that you can do the Authentication settings.

  13. Make sure you have Exchange Servers checked, not Exchange users.

  14. Peter Andersen says:

    I did this, but it would work for a while and quit. Ended up putting in the ipaddress of the extra inside connector instead of the name of the mail server. Started working right away.

  15. Jeff Waska says:

    Paul, This works great for us, but I have been asked to add a second redundant HUB server for the list of relaying servers. Is there a way to do this without having to have lists of IPs to maintain on each HUB server, we have four.

    Thanks,
    Jeff

  16. thanks!. I’ve been messing with this for the better part of the day. Your instructions were the most clear as to setting up

  17. Daren Fredrickson says:

    Thank you for this post. Very helpful in simplifying the process of setting this up.
    As others above, SSRS was what we are using the relay for and now it works great!

  18. We are currently trying to merge our local account and our external accounts. The only catch is not everyone has external accounts, so we want to make sure that nothing local is routed outside the system. If possible, we’d like to eliminate the need for having to select which account we are sending from, and if at all possible, be able to send to both an internal or external contact simultaneously. Are these instructions on the right track? Is there anything else we may need to do?
    Thanks.

  19. Thanks – saved me hours!

  20. With SP1 it works fine but when i change to SP2 i found this problem.

    Thanks for save my time.

  21. How can I tell which of applications are currently using the Open Mail Relay, so that when I restrict it, I know which apps will be affected?

    Thanks!

  22. Hi Paul

    Great Article and your solution was just what i was after. One quick question though. The program being used is a mail merge client which has Sender name, Senders email address and reply email address fields. When relaying though the new connector to external recipients the Sender name field is displayed properly, however when emails are sent internally the Senders Name is not displayed, only the email address.

    For Instance the Senders Name might have MyCo Mail out and the reply address of bla@bla.com. External receivers see the display name as being MyCo Mail with an email address of bla@bla.com, Internal users however only see the display name as bla@bla.com.

    Any ideas on how to get internal users seeing the same Display Name and not the reply email address

    Many Thanks

  23. Tom Greendyk says:

    I just wanted to post a thank you for this great, easy-to-follow article. It saved my butt when I couldn’t get two scanners to scan to email. After fighting it for three days, I found this and voila! Away we go.

    Thanks again. Good stuff!

    Tom

  24. Great article , is there a way to setup a connector using an host name such as test.myserver.com instead of an IP address ? Just wondering I have a web app that relays from azure but the ip address could change at anytime

    • No, remote systems/networks are identified by IP only, not name.

      You could look at using SMTP authentication instead, so that the Azure app makes an authenticated connection to a receive connector regardless of which source IP it is coming from.

  25. This works for me thanks it needed doe my email scanner and linux server to send via my exchanger 2010 server so i added both IP address on the same connector..

  26. Very handy and useful. Just sold my issue of sending emails out externally from a helpdesk software install on one of our servers.

    Thanks

  27. Thanks for this, although I am unable to get Exchange to relay in my particular situation. Basically, I’ve got an application on a machine that simply can’t relay through the Exchange box. The only difference that I can see is that the problematic server is on a separate subnet, and it also isn’t in the AD domain of the Exchange box. I don’t see why that matters but it seems to as I can relay from other servers that are on the same subnet and domain as Exchange. Any ideas?

    • Domain membership shouldn’t matter. You should start from the basics and verify that you can ping the Exchange server from the application server, telnet to the Exchange server on port 25 from the app server, and do some tests with protocol logging turned on for your receive connectors so you can inspect the logs if you need to (the telnet window will also give you some clues).

  28. Two quick questions – in the example above is it necessary to check ‘Exchange Servers’ under Permissions Group for connector used to relay from, say, scanners? They are not Exchange servers..

    Also, how would Exchange figure out which connector to use when, say, default connector and new ‘Relay’ connector are using the same local IP to receive? Or is it necessary to add additional IP on Nic for each new receive connector? Wont the shared IP screw up the whole receiving process?

    • Yes. The “Exchange Servers” permission is what allows the IP addresses you specify in the remote IP range to relay email to recipients outside of the organization. So instead of thinking of them as “Exchange Servers” think of it as a group of permissions that allows another host to do certain things.

      Sharing IP’s works but is not best practice. It works because the receive connectors that share an IP work out which one should handle the incoming connection based on a “most specific match wins” approach – eg a connector with the exact IP of the connecting server will handle the request instead of one that only matches the IP by a broader range of IPs.

      You can run into problems if you start allowing entire IP subnets and they overlap with the IP addresses for Exchange servers within the org. If possible use a dedicated network interface with its own IP that is *not* registered in DNS for the relay connector.

      • Hi Paul,
        Thanks for the article. You say “Sharing IP’s works but is not best pratice”. Is this not what your steps are using as you “share” the same Remote Network Settings on both connectors. Confused.com!!

        The connector works using Telnet SMTP tests (helo) and intermitant when the appliance tries to send external emails. We have two CAS servers and have identicle settings so the intermitancy is not caused by that.

        Thanks

        W.

        • You can share the listening/local IP address and it will work, but you need to be careful not to cause unexpected behaviours by misconfiguring the remote IP settings (eg accidentally adding the same remote IP to two connectors, or specifying IP ranges that overlap or cause issues with Exchange Hub -> Hub traffic).

          Using dedicated IPs basically avoids a variety of potential problems.

          In your case if you’re getting intermittent results I recommend you turn on protocol logging on the receive connectors on that server, and then analyse the logs to see whether the correct receive connector is handling the incoming connections from that appliance. The protocol logs would also reveal another other SMTP “conversation” errors that may be occurring.

  29. Thanks. You saved me. This article helped me to set up mail routing from linux box.

  30. Ok, makes sense. Though its not a very pretty picture if one needs to build several receive connectors. Definitely not as smooth as it was in 2003 version. Which can be said though about 2010 as a whole (with exception of DAG). I wonder if there are restrictions to at least assign multiple IPs to the same NIC instead of sticking multiple NICs into every HUB server.

    And thanks for informative and prompt responses. That helps.

  31. Paul or anyone else.
    Is there a way for me to make Exchange 2010 work like 2003 is working in this sense:
    2003 destination: Telnet Exch2003Server 25
    helo
    mail from: Paul <<< at this point it adds the valid @Domain.com and accepts the mail
    2010 destination: Telenet Exch2010Server 25
    helo
    mail from: Paul <<< It fails with a 501 5.1.7. Invalid address error

  32. Thank you soo much it was really helpfull.. Thanks A LOTTTTT

  33. Javi Somo says:

    Hi Paul

    Great article.
    My send connector works without problems sending emails to an external server for certain domain using TLS. But I only can get it working when sending through exchange.
    If i try using telnet or vbscript (CDO.message) connecting to the CAS server it doesnt work.

    I’ve seen the following in the send connector logs…
    When doing through Outlook, the CAS connects to the external server sending this mail from line:
    MAIL FROM: SIZE=4147
    250 Sender OK

    Using telnet or vbscript:
    MAIL FROM: SIZE=1480 AUTH=
    501 Usage: MAIL FROM: [SIZE=message_size],

    ¿Any idea to avoid the AUTH=?

    Thanks!

  34. Jamon Mason says:

    Hi Paul,

    We have an app that is running on an SBS 2011 server and we are trying to setup our system similar to what Robert Anderton did where the app can send emails to external recipients. I have setup the new connector according to the settings and I also did the following:

    “Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine.”

    At this time we are still are not able to send from that app. In the Local IP address should that be the IP address of the server or leaving it at All Available IPv4 (only one IP address assigned to the NIC) and should the remote server only have the ip address of the server. Any help would be greatly appreciated!! Keep up the good work!!

    Thanks!!

  35. Hi Paul (and others),
    Dumb question: when configuring the “remote sending device” (in my case its an in-house Linux server that emails our customer bills), should the SMTP settings for the billing system be configured with Exchange/AD username & password? I followed this great post and seem to still be having issues not being able to send from our SBS2011 Exchange 2010 box. The two servers are on the same LAN. THANKS!!

    • I should also note that that the bills get sent two an internal Domain user as well as external client emails (if that adds any complexity).

  36. Hi Paul,

    I have unticked Offer Basic Authentication below Basic Authentication checkbox and a third party email marketing tool can successfully login using its connectivity test, however upon testing sending email from it, email never came through either to my company’s address or internal address. Would you advise where I should start looking at.

    Thank’s

    • I suggest turning on Protocol Logging on each of your Receive Connectors, then look in the protocol logs which should show the connections being made by your third party tool and the resulting success/error codes.

  37. Muhammad Hasan says:

    Your help me to get my job done under huge pressure. thanks alot. May God Bless u for all your help.

  38. Hi, Paul. I need to configure Exchange to accept email from our currently running mail server (Linux box, i will use linuxdomain.com as the domain we are using), the idea is to have Linux accept mail from outside our organization and then route it to the Exchange mailboxes I will create. I have been testing with one account, but emails are not making it. I did add an “Accepted domain” for my linuxdomain.com . I created a receive connector for the Linux server, but I am not sure if I configured it right. I followed your instructions but it is not working. Any input for my setup?
    I appreciate your help

    • Step 1 is doing the Accepted Domain, so that’s good.

      Step 2 is configuring a connector. In your case a relay connector is probably not the right one. What I recommend instead is creating a connector with the all the same settings as your Default Receive Connector, except specifiy the Linux box IP as the only remote IP address, and also tick Anonymous Users on the permission tab.

      That should do the trick, but let me know if it does not.

  39. Nice Article and very helpful
    thank you The Author! =)

  40. I’m running a store selling arts and crafts created by prisoners on a SBS 2011 machine located in my home. The store’s software is Zen Cart 1.5 and it sends SMTP notifications to buyers. Problem is, it only sends mail internally. I get the error message ” SMTP Error: The following recipients failed: customer@theirdomain.com.” I followed your great article on creating a new receive connector, and when it did not work I lessened the security levels, which also failed. The Exchange Server and Zen Cart are on the same machine so they share the same NAT IP address (the public IP address is stored at the router). Any ideas?

    • An application running on the server itself will be connecting to the Receive Connector *from* either the server’s IP (not the public IP, its real IP) or the loopback address (127.0.0.1). I’ve seen apps behave both ways so you may need to test both scenarios.

  41. Muhammad Usama says:

    Hi Paul,

    How are you? When I remove anonymous check from the receive connector to stop the open relay then I am unable to receive emails from hotmail, yahoo or any external domains. I just want to close an open relay but also want to receive emails from external domains to my managed domains. Kindly suggest. Thanks.

    • To receive email from external sources such as Hotmail and Yahoo on a Hub Transport server you need to have that Anonymous tickbox ticked.

      Are you saying that your server was an open relay? How had you tested that?

  42. Hi Paul,
    Many thanks for your article it was very clear and concise. I have a situation where an Excel Macro is supposed to be emailing out to a bunch of external addresses. This excel application is used by a bunch of people not just located on one server or IP. I’m not a developer just an admin but from what I can see from the Macro code the excel application is trying to use the CDO commands to do this and can provide either basic or NTLM authentication from I have researched. Neither seem to work on the default receive connector. All credentials specified in the macro are correct and valid.
    Any ideas how I would go about finding out what information is being passed to the receive connector? I assume if it the exchange server gets sent a correct username and password from the macro then it should allow the mail out? I have enabled verbose logging on the connector and it seems to just shows the unable to relay but not why, e.g. wrong username or password.
    Any ideas?

    • In the situation where you have an authenticated connection coming from multiple unpredictable IPs you have to create a separate Receive Connector, on its own dedicated IP address, and set the Authentication settings to Basic/Integrated (depending on which you want) instead of using the “externally secured” option.

      The remote network settings need to specify an IP range that will encompass the PC’s that will be sending the emails (us DHCP reservations for the PC’s if you want to narrow that down).

      You’ll also need to make sure the dedicated IP address for this connector is *not* registered in DNS for that server name, and that the Default Receive Connector (and an others) are reconfigured to use the server’s primary IP address instead of use any address, to prevent the connectors getting mixed up and not selecting the right one to handle the authenticated connection.

      Also be aware as you’re setting this up and tweaking/testing it can take several minutes for each change to kick in so give yourself a decent window of time (preferably out of hours) to implement and test it and be patient.

  43. Dave Altree says:

    Hi,

    We needed a relay solution to mailshot ‘customers’ from mixed IP machines. We achieved this using the article above, but also using an open relay server (vm running xp and a ‘free’ LAN602 suite pop3 app). This allows our LAN clients to use their application to send messages through our exchange easily.

    HTH

  44. Jason Hauck says:

    Thanks for the article.

    Our internal org (2 HUB/CASs and 4 MBX servers) do not talk directly to the internet and they get their mail from Cisco IronPorts on the perimeter.

    Would we still be better creating new interfaces and new receive connectors or modifying the default ones already there?

    Thanks -

    • Depends what mail you’re talking about. If its the incoming internet email (ie from external senders) then just modifying the default receive connectors to permit Anonymous Users would be fine.

      If you wanted to be more precise about it you could create a dedicated receive connector secured to just the IP address(es) of the Ironports and allow Anon Users on that one.

      • Jason Hauck says:

        I should have been more clear. We only want to allow anonymous relay for inside systems like app servers, scanners, etc.
        Our plan right now is to give each Hub an extra NIC and IP and create new listeners per this article – I just don’t know if that is the way to go or if we should just modify the default ones since we’re not directly internet-facing.

        Thanks -

        • Gotcha. Yes still do it the way this article suggests. Don’t modify the default one as internal Hub -> Hub traffic depends on it.

        • Jason Hauck says:

          Thanks Paul.

        • Greg H. says:

          We have the same scenerio as Jason. We simply enabled Anonomous on the default connector and specified the IronPort IP addresses to be able to connect. Seems to be working fine for us. For mail relayed out from internal apps we setup the additional connector as described in the article. No additional NIC or IP required here. Thanks for a great article!

  45. Twan van Eijk says:

    Two days search in Exchange, and this is the solution.
    Thanks a lot Paul

  46. Paul,

    I have followed all of your instructions to the best of my ability and am still getting a “550 5.7.1 Unable to relay” message back when performing a telnet test with the “rcpt to:” line. Are there any other settings I can verify or permissions that are not in the GUI to help troubleshoot this issue?

    Thank you,

    – Denis

  47. Hi Paul,

    We used this article to get our random SMTP-enabled devices routing mail to external recipients just fine in the past. Now we need to do it with our Toshiba copiers and it’s not working. I have a pair of hub servers in a hardware load balanced array, and each has a receive connector which includes the IP’s of the copiers, verbose protocol logging, using only the Exchange servers permission and only the Externally Secured authentication. The copier only tells us ‘mailbox unavailable’ in it’s log.

    I’m not even finding the transaction in any of the Exchange logs even though when I test using an internal e-mail address the logs show all the events just fine. I also tried adding the anonymous permission group but no change.

    Any suggestions would be appreciated!

    Jim

    • “Mailbox unavailable”… you sure the devices aren’t trying to logon to mailboxes instead of just using SMTP?

      • Figured it out. We use hardware load balancers for the hub & cas arrays. Thus the IP was the client IP of the farm and not the actual IP of the copier. After adding the correct IP’s and reverting to the original connector settings, it tests fine.As always, thanks for your followup, Paul!

  48. I have been searching for a couple of days for this, thank you so much.

    We have a new linux server providing database and other services for a new enterprise resource app and it needs to email from within our enterprise. Exchange 2010 (on sbs server 2011) did not allow it. I have been searching authentication and so on from a pretty much standing start. I had got as far as needing a recieve connector but no mix of settings worked, but these did.

    Thank you again,
    Phil

    • It still not working for me. Protocol logging turned on. this started out as a decommission of old 2003 exchange server. we migrated to 2010 exchange. Disable all exchange services on 2003 exch server and changed port forwards in cisco router. Mail flowing great except for this one application that cannot relay no matter what I try.
      Protocol logging shows that i am hitting the right receive connector but destination is show 127.0.0.1!!!
      i have tried everything list here, anymore ideas or suggestions.

  49. Another solid article dude.
    You are fast becoming my go-to-site for all things Exchange.

    Thanks!

  50. Hi Paul,

    Try to verify your domain username password is correct. Also may be right to check the log files for this particular application for more information.

  51. Chris Daykin says:

    Paul,

    I keep getting the error 421 4.3.2 Service not available when i run Test-SMTPconnector against my relay connector, but it appears to be relaying messages fine. What could be wrong?

  52. Paul Lemonidis says:

    Hi Paul

    Many thanks. This clearly works but I have on question. what happens if you have a mix of authenticated and non-authenticaed servers that need to relay. Will I need to setup multiple connectors based on the IP addresses? I had a server that autheictad using basic authentication. Changing to thse settings broke that but the thing is that turning off the authentication on the server does not stop the error.

    Many thanks in advance.

    Regards,

    Paul L

    • This article describes how to set up an unauthenticated relay connector.

      If you have servers/apps that can do basic auth then you can try configuring them to use the Client Receive Connector (runs on a different port) or configure a dedicated receive connector for basic auth (I’ve had to do this for customers in the past).

  53. Alex Robinson says:

    Hello Paul,

    I was going over our server settings and our receive connector’s permissions are set to allow anonymous users? We were getting ndr’s in our messages queue lately. Could this be the reason? Should I uncheck that?

    Thanks in advance,
    Alex

    • If you’re using a Hub Transport as the internet-facing server for receiving inbound email, then it needs that anonymous users box ticked.

      It depends on the NDRs you’re seeing. If a spammer sends an email to your network with a spoofed From address, and your server tries to send back an NDR but can’t because the domain or email address doesn’t exist, then that NDR will sit in your queue for a while until it expires. The best way to combat that would be better spam/connection filtering.

      Eg here is how to setup Spamhaus for an Exchange 2010 transport server (instructions are for Edge Transport but same steps apply to Hub Transport if you first install the anti-spam agents on the Hub Transport)

      http://exchangeserverpro.com/exchange-2010-edge-transport-server-configuring-ip-block-list-providers/

  54. Thank a million!

    Been struggling to get my CRM Exchange settings fixed for hours. These two screenshots did the trick!

  55. Consultant says:

    Hi Paul,

    I am not able to add single ip address in relay connector. If I add single ip address for e.g. 192.168.1.10/24 it takes full ip range 192.168.1.0/24. Please tell me what is the issue.

    Regards,

  56. Christopher Hughes says:

    Hello Mr. Cunningham,

    I swapped our exchange 2003 server to a new server running exchange 2010. Everything is working fine right now, but I have to keep the exchange 2003 server running for this to be the case. If I shut the 2003 server down or stop the SMTP service on it, then anyone getting mail from the exchange 2010 server will not receive mail from outside the domain, such as from Yahoo, Google, or Hotmail. I have done countless hours/days of research trying to figure out what’s wrong and have been unable to find a solution that has worked. The Exchange 2010 server is currently setup with 3 receive connectors. The first connector has all IPv6 and IPv4 and all IP addresses on Network, authen for TLS, Basic, and Integrated, and perm group for Exchange Users. The second connector has All IPv6 and IPv4 with all IP addresses, authen for TLS, Basic, Offer Basic, and Integrated, and perm group for Anon, Exchange users and servers, and Legacy. The third connector has all IPv4 with all IP addresses, authen TLS, and perm anon. To verify, SMTP is setup on the exchange 2010 server. Do you have any ideas how to get our system working with just the exchange 2010 server running/shutting down the exchange 2003 server? Please get back to me as soon as you’re able to.

    Overall issue: Can’t receive email from outside domain unless old server SMTP service is running.

    Thanks for any help you can provide.

    Have a nice day,

    • Incoming email connections hit your firewall on TCP port 25, and your firewall determines where that IP and port are NATed to. My assumption, based on your problem description, is that you haven’t changed your firewall rule to NAT the incoming TCP 25 connections to the Exchange 2010 server.

      Outgoing email from Exchange 2010 depends on a Send Connector. By the sounds of it you have not created a Send Connector to route outbound email from Exchange 2010, therefore it takes the only available route which is via the Exchange 2003 server.

      I will also mention that when you fix those problems and decide to decom your Exchange 2003 server, don’t just shut it down, you have to actually uninstall it properly or you’ll have problems in future with your Exchange org.

      • Christopher Hughes says:

        Thank you for the information Mr. Cunningham.

        I checked just now and TCP port 25 is being NATed/allowed into our Exchange 2010 server. Currently it seems to be setup to allow and direct things to both the Exchange 2003 and Exchange 2010 server. Would being setup in this way cause an issue?

        I’m sorry if I misworded this earlier, but outgoing e-mail is working as intended/correctly. The only issue is with incoming e-mail when the exchange 2003 server’s SMTP isn’t working. Thank you for the extra information though. I appreciate your time and help. If there is anything else you can think of that might fix this issue, please let me know.

        I was not aware that Exchange 2003 needed to be uninstalled. We were planning to just shut the server down when we were done. Thanks for mentioning this extra tip.

        • You’re saying that your firewall is NATing the same IP address on port 25 to two different internal hosts? I wouldn’t expect that to work.

        • Christopher Hughes says:

          Sorry about that. I checked with my boss to make sure. I misunderstood him the first time. He said port 25 is only being NATed to one IP address/our Exchange 2010 server’s external IP address.

        • Doesn’t make sense that taking down Ex2003 would impact inbound email flow then.

          I’d suggest double checking that your MX record points to the correct external address. Also go to http://www.testexchangeconnectivity.com and run the inbound email test. When the test emails arrive take the headers from them and use the header analyzer at MXtoolbox.com to see which server the emails actually came in through.

        • Christopher Hughes says:

          Thanks a ton. Having me do that check has shown us some very interesting information. We have several different emails and it seems some have the MX record/DNS setup correctly, but others do not. On the one that passed we got a warning with out Exchange 2010 server. I will paste the warning below. If you know what it means, please let me know.

          “Analyzing SMTP Capabilities for server trend4.trendservicesinc.com:25
          The test passed with some warnings encountered. Please expand the additional details.

          Additional Details
          Unabled to determine SMTP capabilities. Reason: Unexpected SMTP server response. Expected: 220, actual: 500, whole response: 500 5.3.3 Unrecognized command ”

          I appreciate everything you’re doing to help me with this.

        • Do you use Trend Micro’s cloud email security service? If so then I’d say that trend4.trendservices.inc is theirs.

        • Christopher Hughes says:

          I don’t believe we do. As for Trend4, it’s one of our servers. The expected 220, actual 500 part is what I don’t know/understand. Though, it doesn’t seem to stop e-mail from coming in/going out.

  57. Christopher Hughes says:

    Got it fixed. Everything seems to be working now. Thanks for all your help.

    P.S. For anyone who reads this later, the expected 220, actual 500 error was fixed by altering the authentication settings for the internet receive connector in exchange 2010. If you have this issue, try adding them until you get the one that fixes it for you.

  58. Sunit Kumar says:

    Sir,

    i am facing problem to send the mail only one particular domain. my mail stuck in Queue with the message 451 4.4.0 primary target ip address responded with “554 transaction failed” i don’t know what is the reason that mail is getting failure on this domain.

    thanks

    • Lucas Librandi says:

      Hello Sunit. Have you checked the logs on the server? Either on your Hub or Edge server,, it is usually here:
      C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
      This is usually related to DNS problems on your end. One workaround is to hard-code the IP address of the MX record for the domain being stuck in the hosts file on your sending server. Permanent solution is to have your DNS settings correctly configured.
      Thanks

  59. Jeremy Martin says:

    Hi Paul,

    I came across your article here and am wondering if you could help

    I’m having an issue properly configuring my receive connector in Exchange 2010.

    This weekend I changed our spam filtering service to McAfee SaaS Email Protection & Continuity, but they are not allowing me to use the outgoing service because they detect an open relay on my exchange server.

    As far as my firewall is concerned, everything is good. I have a Sonicwall NSA 240 and have the WAN > LAN incoming SMTP locked down to only the MxLogic IP addresses. I’ve confirmed this by doing about 3 open relay tests from websites which fail because they can’t access port 25.

    The problem is that because MxLogic has access to port 25 when they do a relay test it succeeds.

    All I really need to do is ensure that MxLogic can connect successfully but that no relaying is allowed.

    Any assistance would be greatly appreciated :)

    • Jeremy Martin says:

      Never mind. I actually found a couple snippets of command shell that helped me resolve the issue. Thanks.

  60. Thanks! Worked perfectly. So many of these articles are near impossible to follow. This was simple. Thanks for taking the time. Its people like you that make Microsoft bearable.

  61. Is there any limitation with No.of Non Exchange server IP address can be added in single Non-Auth SMTP relay connector (Exchange 2010).

  62. Thanks for your update Paul.

  63. Thanks, done the trick

  64. hi

    our everyday internet connection has gone down

    we have a separate server connected to a different connection using hmailer that i send mailshots from as not to clog the line

    would i be able to set this up for this purpose, our IT providers are arguing between themselves as whats best

  65. Andrew Ho says:

    HI Paul,

    Thanks for this topic. But in my scenario is not the same like yours. But I can’t search in any where.
    I have Edge Server is internet facing, user can’t relay mail to external domain by default. But the internal user can use Edge server to relay internal domain we have( like abc.com). they can send email to that domain for spam. How can I config on Receive Connector to restrict the internal anonimous smtp access? Because if I disable Anonymous option on Default receive connector on Edge server, I can’t receive emails that sent from internet

    Thanks you.

    • I don’t understand your scenario. Why are your users trying to relay mail directly through the Edge Transport server?

      The Edge Transport server should be set up with an Edge Subscription.

  66. Andrew Ho says:

    Thanks for reply, Paul,

    After searching several sites what I mean is “ms-exch-smtp-accept-authoritative-domain-sender”, To prevent anonymous senders from sending mail using my own domain in MAIL FROM, we need to remove the ms-exch-smtp-accept-authoritative-domain-senderpermission assigned to them.

    I apply it in recieve connector on Edger server:

    Get-ReceiveConnector “My Internet ReceiveConnector” | Get-ADPermission -user “NT AUTHORITY\Anonymous Logon” | where {$_.ExtendedRights -like “ms-exch-smtp-accept-authoritative-domain-sender”} | Remove-ADPermission

    Do you have any topic to solve this problem? I heard that we can apply SPF record on public DNS to let Edge server check this, but how about internal user, can we apply SPF for internal DNS or just use the command above?

    Thanks you again

    • Christopher Hughes says:

      Good morning,

      I actually have this issue too. Did you ever figure it out? If so, can you tell me what you did? Or send me a link to whatever helped you out. I did try running the command you have above, but it didn’t seem to work for me. Gave an error about pipes not being allowed to be used with that command. (I tried running it with “My Internet ReceiveConnector” and the actual name of our Receive Connector) I appreciate it.

      Thanks.

  67. Hey Paul,

    This may have been answered previously, but I was hoping you could clarify. I have a backup solution running on the two Mailbox Servers in my 2010 DAG. At the end of the Backup it tries to send a notification email but is currently failing (authentication required). I have seen issues in the past when custom receive connectors contain the IPs of the Exchange Servers. I have already created a Receive connector as you have described to allow other application servers to relay mail. However, I just want to clarify that it will be OK to add the two DAG members IPs to the Remote IP Ranges of the Relay connector you describe? i.e. It would still allow it to route normail client email?

    Thanks,
    Step.

    • Not sure. You don’t have another Hub Transport that isn’t also a DAG member? Or maybe send it via a load balancer?

      • Hi Paul, thanks for the reply. Our DAG members only have the Mailbox Server role installed. We have two HTs on seperate servers. However, I thought it may cause issues adding the Mailbox servers to the Custom Receive Connector? But you’re saying that this should be OK?

        Thanks again,

        Step.

        • That should be fine. The problems mainly arise with adding other Hub Transport IP’s to a custom connector.

          I think you’ll be fine but of course you should keep an eye on it after making the change just in case something else causes a problem.

        • Awesome! Thanks Paul. I’ll give it a shot and keep an eye on things.

  68. Misha Verhoeven says:

    Hey Paul,

    On our Exchange 2010 servers we have 2 nic’s configured, one for the client network and one for the replication network (DAG).

    On our NIC for the client network we have 3 IP addresses.configured : 1 for the clients 2 for different connectors.

    All 3 IP’s are registered in DNS.
    Must we use skipassource=true for the 2 additional ip addresses to prevent DNS registration of those addresses??

    Regards
    Misha

  69. Good job Paul,

    Quality article with details explanation!

  70. Excelente documento, me ayudo a aclarar mis dudas sobre este tema.

    Gracias.

  71. Hi,

    Does relaying cause email headers to contain the “on behalf of” text?
    if so how can this be avoided?

    some information about my current situation. We have an IBM iSeries machine sending SMTP traffic to our exchange server. the exchange server then sends this to the recipient.
    however the recipient can see the “on behalf of” string in the header.
    also when sending emails to external accounts the email-name is split up like this: “someone@ (live.com someone@live.com)”

    how can i correct this?

    Kind regards

  72. Christopher Hughes says:

    Hello Mr. Cunningham,

    Our Exchange 2010 server has been up and running for a while now, in huge part to this article and your help, but one thing we have not been able to do as of current is get rid of the old Exchange 2003. I tried to uninstall Exchange 2003, but it didn’t work completely. What I saw, it looked like it did a partial uninstall. I have tried using the disc uninstall tool to do this. The disc we have is 2003 SP2. I’ve read in other forums/websites you need the original non Service Pack 2003 disc to uninstall successfully, but we do not have it anymore and I cannot find it on the web to download. Is there another way to uninstall Exchange 2003 or to get the original 2003 disc?

    Some extra information:
    We have had the server with Exchange 2003 shut down for a few weeks to see what would happen. Overall, most things are working correctly, but on occasion something seems to go wrong. One thing I’ve noticed is that we seem to be having issues when trying to create users through Exchange 2010, while this server is down. I am not sure if that has something to do with not fully uninstalling Exchange 2003 though.

    Thanks for all your help,

    Christopher Hughes

    • This is not really related to the topic of this article. But in short, yes you need to cleanly uninstall the legacy Exchange servers or you will face all kinds of little problems in future, and yes that requires the media or files to be available. If you can’t find your own copy I suggest you start asking around your network of friends and colleagues, someone is bound to have a copy somewhere.

      • Christopher Hughes says:

        I’m sorry I put it in the wrong topic. Unfortunately I’ve checked with everyone and no one has it. I appreciate the info.

        Thanks,

  73. Hi Paul I just want to say thanks for this informative article, i am struggling to configure mobile devices of the user’s and they can’t able to send any emails from their iphone’s, just configured another receive connector as per as your instructions and voila all good :)

    Thanks heaps

  74. I followed your article to get this relay setup for a FSRM we have setup but I still keep getting these errors in the event log and no emails flowing:

    A File Server Resource Manager Service email action could not be run.

    Operation:
    Running email action.
    Quota threshold reached.
    Processing File Server Resource Manager event

    Context:
    Action type: Email Action
    Mail-from address: left blank to protect the innocent
    Mail-reply-to address: left blank to protect the innocent
    Mail-to address: left blank to protect the innocent
    Mail-CC address:
    Mail-BCC address:
    Mail subject: 90% quota threshold exceeded
    Mail message text: email message I wont bore you with.

    Thank you.
    Quota path: D:\
    Threshold percent: 90

    Error-specific details:
    Error: IMessage::Send – cdoAnonymous, 0x8004020f, The server rejected one or more recipient addresses. The server response was: 550 5.7.1 Unable to relay

    Error: IMessage::Send – cdoNTLM, 0×80040211, The message could not be sent to the SMTP server. The transport error code was 0x800ccc13. The server response was not available

    Any suggestions?

    • Never mind. Turns out, when M$ says to separate email addresses with a “;” they actually mean “; ” (note the space). :-/

  75. Hi Paul

    Followed your article, great work!

    In my environment, both the default receiver and custom relay connector has Anonymous user ticked, and email is working fine. As soon as I un-tick Anonymous user in the default receiver, incoming external email stopped with the error – 530 Validating Sender: 5.7.1 Client was not authenticated

    I must be missing something here. I thought since all external email go through our email appliance, and the appliance is added to the remote network setting, email should still come through the relay connector.

    The reason to un-tick Anonymous user is due to remote user connect to our Exchange Server and spam us.

    Any suggestions please?

  76. no no no… just because this works, its not the right way to do it… Please see: http://technet.microsoft.com/en-us/library/bb232021(v=exchg.141).aspx

    Make the change in the Exchange Shell to allow relay for anon user:
    Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

  77. Great Article! I have an Windows SBS 2011 server running Exchange 2010. I am running a backup program locally on the SBS 2011 server that needs to send email notifications both internally and externally. What is your recommendation on how to accomplish? Do I modify the main server Relay Connector or create a new Receive Connector using the procedure described above? My concern is modifying the existing connector by enabling Anonymous access may lead to Relay abuse however, I am also unsure if creating a new Receive Connector on the main Exchange server using the IP may also have unintended consequences. Please advise and let me know what your approach would be in this situation. Thank you in advance.

  78. Mahipati Desai says:

    Hi Paul, thanks for the excellent article. Really appreciate the great work :)

    I’ve a scenario wherein, there are more than 50+ applications that were using standard port 25 w/o any authentication and we used to use individual application names as the From Alias for auto-mailing. However with exchange 2010 and the new security concerns, we would like to achieve the following: Can you pl help me with the required configuration that we need to do? Thanks in advance.

    1. Across all 50+ applications we’d like to use one single ID for auth.
    2. However each of the application will need to use its own Alias Name and Alias Email ID (this email ID need not be physically present on my exchange server) as the outbound servers are informational only. No inbound mails are expected.
    3. We’d like to use port 587 instead of standard 25 – but the catch here is that exchange expects the auth ID to be used for sending out the mal and the mail output carries the Auth ID instead of application name (alias id).

    Pl let me know if there are any ways and means to achieve the end result. Thanks in advance.

    Cheers..Mahi

  79. John Clemmons says:

    Hi Paul, I want to know I could do something similar with SBS 2003? Customer has an off site fax machine that can convert a received fax to PDF and then email the PDF. Problem is the fax machine does not have the ability to use a port other than 25 and cannot do SSL.

  80. Paul,

    This post was helpful with a situation we experience this morning. A client was using a third party tool, TELNETTing to port 25 of our corporate server ,and trying to send an email to an outside recipient. He received a 5.7.1 unable to relay error. We asked him to try sending to someone local in our org, and he was successful sending with no errors. I typed the 5.7.1 error into Google and your site showed up with the correct answer on how to configure for relaying.

    Thanks for the solution. I am a subscriber in any event of your newsletters.

    Thanks
    Andrew

  81. Hi Paul,

    I am having exchange 2010 SP3 and I have configured the receive connector relay as well as give permission to relay outside but still I am getting the same error even if I enabled anonymous.

    any clue

    • Turn on protocol logging on the connectors. Then review the protocol logs to see which connector is actually handling the connections you’re interested in. If the wrong connector is handling the connections then you’ll likely need to review the IP addresses in the remote network settings of the connectors.

  82. Paul, Thank you very much for your input, this has been a great help for me.

  83. Hi Paul,

    I configured SharePoint server as SMTP to relay message to Exchange 2010 so that my workflow in SharePoint can send mail to users.

    When I tested the mail delivery on SharePoint server through telnet, the mail delivered.

    However, when I run the normal process in SharePoint, it did not return any email.

    This is really disturbing.

    Any help will be appreciated.

    Thanks,

    Bisi.

    • Hi Bisi,

      Please check whether you send an email to individual user or a group of users (DL). If you are send to a group of users, you need to set the Group type in AD from Distribution group to Security Group. Sharepoint only support Security group and not Distribution group. Give a try

  84. Hi EK,

    I am sending to user not Distribution list/Group. It is a user mailbox

    I thought once you test with telnet and the mail delivers, it automatically works with SharePoint workflow.

    So I am confused where the issue is coming from, is it Exchange 2010 or SharePoint? All my settings/configuration has been checked and reviewed times without number but still the mail that the workflow is supposed to trigger is not dropping.

    So I need help on how to troubleshoot properly where the problem is coming from. It is now strange to me that telneting drops email but it still will not work in sharepoint workflow.

    Thanks,

    Bisi.

    • Hi Bisi,

      Is the sender a valid user mailbox or a dummy email address only? If it is valid user mailbox, you need to include user authentication in your sharepoint workflow. If the sender address is a dummy account, you need to add your sharepoint server IP address in Exchange Receive Connector.

      In SharePoint, we encounter issue group email fail to receive email sent from Sharepoint. After few hours of troubleshooting, found out it was actually due to the Group Type in AD. We changed from Distribution to Security and got the issue resolved.

      Hope you can resolve your issue as well.

  85. I have two types of MFDs one works with NTLMv2 authentication the other doesn’t work because it doesn’t support it. I was thinking I could setup another receive connector and lesson the authentication and add the IP addresses of the MFPs to that connector but we don’t want it to be able to relay outside the domain just local email. How would I do this ?

    Thankse
    Jo

  86. Luke Brynycz says:

    Thanks a LOT for this. Just a heads up, if you still can’t get it working guys, make sure you only enable Exchange Servers in the auth box. If you tick them all, it still doesn’t work for some reason!

  87. In our Exchange 2007 environment this solution worked. Once we introduced 2013 and added 2013 servers mail stops flowing with:
    4.4.0 Primary target IP address responded with: “451 5.7.3 Cannot achieve Exchange Server authentication.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

    So I think we now need to select Exchange Server authentication as well

  88. Hi Paul
    You are right that if we remove the Exchange Servers mail flows normally.
    However, we need to add them in order to send the Powershell reports, and AV reports etc.
    Without them we see 5.7.1 errors
    Do you know another way?

    • A relay connector isn’t required if you’re only sending the mail reports to internal recipients. All that would be required is the default receive connector with anonymous users enabled.

      Or if you wanted to use a relay connector still, consider binding the relay connector to an additional IP address on the server, one that is not registered in DNS, and then use a DNS alias to reference it.

  89. Hi, Thanks paul for this great details. This is really helpful.
    I have one query that if any script send mail on port 25 to internal users. the connector will not stop them. how can we restrict those user also to not to run any script to even can’t send any mail to internal users?

    Thanks in advanced.

    • If you don’t want them connecting to port 25 you could firewall those client subnets so they can’t get through on that port.

      Or just restrict the distribution lists you’re worried about so that only some people can send to them.

  90. Thanks so much. you made my day…

  91. Mike Rochford says:

    Paul, we’re having an issue with SMTP relay after setting up a relay connector, but can’t figure out if it’s related. The crux of the issue is that a relayed message which includes multiple recipients fails for all recipients if one internal address is invalid. Previously, the message was delivered to the valid recipients with a NDR for the failures. Is there a setting which controls this that might have been changed as we did our work?

    • Turn on protocol logging and look at the logs for those connection attempts. In the past I’ve seen cases where the sending system/application itself was terminating the SMTP connection without sending the email after too many invalid recipient addresses were attempted.

  92. I’m having trouble understanding the following:
    2 2010 Edge servers in a DMZ
    2 SharePoint servers in a DMZ that send out emails to customers through the Edge servers via a specific receive connector.
    The mail often gets stuck in the spam filter of the customer because of the name that it has in the header:

    sending email adres sharepoint@ourcompany.nl
    receipient customer@customerdomain.nl

    and here it gets funny: helo= SR-XXXXX.ourcompany.dmz

    Where does the .dmz tld name come from and why doesn’t it say .nl?
    I don’t understand where this comes from, please advise.

  93. Hello Paul and thanks for yet another great article!

    I’m having an issue with one of my Windows 2008 R2 FSRM Server.
    I have 2 FSRM servers configured to use a new SMTP relay connector (configured as you suggested on this article).
    One of my files servers works great!

    However the second one isn’t. It’s giving me the : 5.7.1 Client does not have permissions to send as this sender error.
    I already added the IP of this second server to the allowed remote IP networks. This IP is on a different subnet by the way.
    When I telnet (on port 25) to the IP of the mail server connector, and do an EHLO command, it responds with the correct name but defaults to the NLB IP address. From this telnet session I’m able to send only within my organization.

    When I perform the same tests from the working server, it also responds with the name of the mail server connector but with the IP of this File Server (as opposed to the NLB IP). This mails fine from inside and outside the organization which is what we want…

    We have 3 other connectors on our Exchange Servers for other methods of relaying and they have the CAS’s IP addresses in them as well as the same FQDN name as the new connector created.

    Any insight is appreciated!
    Thanks!

    • Where does NLB come into this? Are you using NLB for your Exchange servers to load balance SMTP?

      • Hello,
        Correct. We’re using NLB to load balance our CAS servers (2 in this scenario).
        However, the SMTP Relay in question is configured only to use CAS1 only. so we’re using that specific CAS’s FQDN.

        Thanks!

        • Check the binding for the receive connector. If it is configured to allow it to bind to any IP address it might be grabbing the NLB IP. You may need to explicitly bind it to the server IP.

  94. I configured the binding as suggested and still nothing.
    However, I got it to work.
    It ended up being a routing issue.
    Thanks for the assistance Paul!

    Keep up the good work!

  95. Kyle Bunch says:

    This worked perfectly and really helped me out. Thanks for posting this info.

Leave a Comment

*

We are an Authorized DigiCert™ SSL Partner.