In most Exchange Server 2010 environments there will be the need to allow relaying for certain hosts, devices or applications to send email via the Exchange server. This is common with multi-function devices such as network attached printer/scanners, or applications such as backup software that send email reports.
SMTP communication is handled by the Hub Transport server in an Exchange organization. The transport service listens for SMTP connections on its default Receive Connector. However, this connector is secured by default to not allow anonymous connections (i.e. the type of connection most non-Exchange systems will be making).
You can see this in effect if you telnet to the server on port 25 and try to initiate unauthenticated SMTP communications.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 19:42:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
530 5.7.1 Client was not authenticated
For some Hub Transport servers that are internet-facing, anonymous connections may already be enabled. In those cases relay is still denied, but the server behaves differently from the first example.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:01:44 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: somebody@gmail.com
550 5.7.1 Unable to relay
You’ll note that relay is denied if I try to send from an @hotmail.com address to an @gmail.com address, because neither is a valid domain for the Exchange organization. But with Anonymous Users enabled on the Receive Connector I can send from an @hotmail.com address to a valid local address.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:05:54 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: somebody@hotmail.com
250 2.1.0 Sender OK
rcpt to: alan.reid@exchangeserverpro.local
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
test
.
250 2.6.0 [InternalId=2] Queued mail for delivery
However if I try to relay out to an external recipient, the Exchange server does not allow it.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:11:27 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay
To permit a non-Exchange server to relay mail we can create a new Receive Connector on the Hub Transport server. Launch the Exchange Management Console and navigate to Server Management, and then Hub Transport. Select the Hub Transport server you wish to create the new Receive Connector on, and from the Actions pane of the console choose New Receive Connector.

Give the new connector a name such as “Relay” and click Next to continue.

You can leave the local network settings as they are, or optionally use a dedicated IP address for this connector if one has already been allocated to the server. Using dedicated IP addresses for each connector is sometimes required if you need to create connectors with different authentication settings, but for a general relay connector it is not necessary to change it.

Highlight the default IP range in the remote network settings and click the red X to delete it.

Now click the Add button and enter the IP address of the server you want to allow to relay through the Exchange server. Click OK to add it and then Next to continue.

Click the New button to complete the wizard.
The Receive Connector has now been created but is not yet ready to allow the server to relay through it. Go back to the Exchange Management Console, right-click the newly created Receive Connector and choose Properties.
Select the Permission Groups tab and tick the Exchange Servers box.

Select the Authentication tab and tick the Externally Secured box.

Apply the changes and the Receive Connector is now ready for the server to relay through.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:31:00 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.9]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
test
.
250 2.6.0 <924bab1e-0f07-4054-8700-d121577993b4@EX3.exchangeserverpro.local> [InternalId=3] Queued mail for delivery
Because the remote IP range has been restricted to that single IP address, any other servers on different IP addresses still won’t be able to relay through the Exchange server. Relay is denied from any IP address not included in the remote IP range on the Receive Connector.
220 EX3.exchangeserverpro.local Microsoft ESMTP MAIL Service ready at Wed, 18 Aug 2010 20:46:06 +1000
helo
250 EX3.exchangeserverpro.local Hello [192.168.0.2]
mail from: backups@exchangeserverpro.net
250 2.1.0 Sender OK
rcpt to: alerts@managedserviceprovider.com
550 5.7.1 Unable to relay
You can later add more IP addresses, IP ranges, subnets, or even add multiple IP addresses to the Receive Connector using a script if necessary.
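The same connector built from the Exchange Management Shell instead of the console, including the "add more IPs later" step, as an added example that is not part of the original article. It assumes the Hub Transport server is EX3 and that 192.168.0.9 is the only host that needs to relay, matching the telnet sessions above; 192.168.0.20 is a constructed sample address.

```powershell
# Added example (not from the original article): create and verify the relay
# connector from the Exchange Management Shell instead of the console.
# Assumes the Hub Transport server is EX3 and that 192.168.0.9 is the only host
# that needs to relay, matching the values in the telnet sessions above.
$server   = "EX3"
$relayIPs = @("192.168.0.9")

# -Usage Custom starts from a blank connector. -RemoteIPRanges replaces the
# default 0.0.0.0-255.255.255.255 range, so only the listed hosts ever match
# this connector; every other source IP keeps hitting the Default connector.
# ExchangeServers + ExternalAuthoritative is the "Externally Secured" setting
# ticked in the console; it is what grants the relay permission to those hosts.
New-ReceiveConnector -Name "Relay" `
    -Server $server `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $relayIPs `
    -PermissionGroups ExchangeServers `
    -AuthMechanism ExternalAuthoritative

# Verbose protocol logging records which connector accepted each session and
# the response codes returned, which is the first place to look when a host
# still gets "550 5.7.1 Unable to relay".
Set-ReceiveConnector -Identity "$server\Relay" -ProtocolLoggingLevel Verbose

# Adding another host later: read the current list, append, and write it back,
# because -RemoteIPRanges replaces the whole value rather than appending to it.
$connector = Get-ReceiveConnector -Identity "$server\Relay"
$connector.RemoteIPRanges += "192.168.0.20"   # constructed sample IP
Set-ReceiveConnector -Identity "$server\Relay" -RemoteIPRanges $connector.RemoteIPRanges

# Confirm the effective settings.
Get-ReceiveConnector -Identity "$server\Relay" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism
```

Keep the remote IP list as narrow as the article shows; a subnet that overlaps other Hub Transport servers changes which connector handles Hub-to-Hub traffic.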




Thanks, we set this up to allow the backup server to relay mail. We also reference it here if anyone needs it.
http://www.techieshelp.com/allow-a-server-to-relay-email-exchange-2007-2010/
Many thanks. We have an RS6000 that had to send mail internally to employees and externally to customers. Your instructions were right on the money.
Excellent! We have a backup server that sends notifications for successful and failed jobs. Also needed to allow a Cisco voice router to send through it so users can have their voicemail sent to them in an attachment. Great post.
Paul
We are having the relay issue on a program that sends messages to our clients, but we are on a Small Business Server 2011. If I followed the above advice and added the IP address of the server into this connector, would this work for us?
Would this then also mean that our server is pretty much open to relay from any source?
Hi Robert, is the app running on the SBS server itself or on another server/pc somewhere?
It’s running on the same SBS server. It’s a VBScript that sends an SMTP request to the Exchange server. I have tried the above and added a new Receive Connector, but still get the same message ’550 5.7.1 unable to relay’. Any thoughts?
OK, so if you create a relay connector and set it so just the IP of the server can use it then you should be fine. But just to be sure, what you can do after you set it up is the relay test at http://www.abuse.net/relay.html
Hi Paul,
This seems to have sorted it.
Regards
Robert
We needed a 3rd party app that worked fine with relay on Ex2003, but Ex2010 kept giving us 5.7.1 and this solved it in 5 minutes! Thanks… quality guide/FAQ!
Sounds like what we need, but tried this and still getting 5.7.1 from some systems. One is using IIS SMTP, another a proprietary SMTP DLL, another a vendor system - who knows.
So do I need to restart the Transport svc for this to take effect?
Hi Brian, don’t normally need a restart but I’ve seen a few heavily loaded Transport servers in the wild not pick up the new config until the service was restarted.
One thing you can also try is enabling protocol logging (set to Verbose) on the Receive Connector and then look at the log file it generates to see why the messages are getting rejected.
No go. Still get “5.7.1 Unable to relay for user@externaldomain.com”. I have done the settings above for connectors on both Edge and Hub transports (just in case). I am assuming I am still missing a step? Other forums are inconsistent when referring to using Anon vs Exch Servers in the Perms Group tab.
Anonymous is required for systems that need to send external email into your Exchange org without authenticating first (eg an @gmail user sending an email to somebody on your network).
Exchange Servers is required for relay (eg an app or device relaying mail to an external domain via your server).
It is possible that the wrong Receive Connector is accepting the connections. This can happen if the Remote Network Settings has overlapping IP’s or IP ranges (Exchange has a rule of “most specific wins” in this case).
Have you tried turning on protocol logging? If you do that for all the Receive Connectors on the server it all gets logged into one file, but the log file entries tell you which Receive Connector accepted the connection.
I got it working just after my post, yes it was adding Anon along with Exch Servers. It seemed I had tested this config before, however I did find a test connector on the Edge that must have conflicted.
Thanks.
Thanks for the Tutorial, Paul.
So, basically, we’re fooling the Exchange Server to believe that an External Security exists in the Receive Connector, which then makes the server allow untrusted connections. That is a nice “trick” that solves the problem, but maybe it’s a security risk to do that.
Is there a more secure way to configure this kind of relay?
The only remote hosts allowed to relay through the connector are those you explicitly allow. There is naturally a risk if those remote hosts were compromised in some way, but other than that this is how it is done.
Great, helpful, everything works fine, amazing!!!!
Dear Paul,
First of all, thank you so much for posting this article. I couldn’t figure out how to relay email from our SQL Reporting Server to send emails through our main SBS 2011 server until I saw your article. It took me more than a month of research to find the solution. Finally, thanks to your article, our Reporting Server can send emails to external users through our main Exchange 2010 server!! Your instruction was very helpful, and I set up the relay setting within 2~3 minutes.
Cheers!!!
Joon
THANK YOU THANK YOU THANK YOU….This helped us out GREATLY!!
Hi,
I have tried to follow your simple steps but encounter the following error when I tick Externally Secure (…) in the Authentication tab:
“you must set the value for the permissiongroups parameter to exchangeservers when you set the authmechnism paramater to a value of Externalauthoritative”
A red exclamation mark appears beside ‘Enable Domain Security (Mutual Auth TLS)’.
Any idea why? Thank you.
Hi JK, you’ve got to do the steps in the right order or you’ll run into that error. So first you’ve got to do the Permission Groups settings, then after that you can do the Authentication settings.
Make sure you have Exchange Servers checked, not Exchange users.
I did this, but it would work for a while and quit. Ended up putting in the IP address of the extra inside connector instead of the name of the mail server. Started working right away.
Hi Peter, putting the relay connector on a dedicated IP is a good way to resolve issues where the wrong connector responds to SMTP connections on a shared IP.
Paul, this works great for us, but I have been asked to add a second redundant HUB server for the list of relaying servers. Is there a way to do this without having to have lists of IPs to maintain on each HUB server? We have four.
Thanks,
Jeff
Hi Jeff,
Firstly, you can clone the remote IP range from the existing connector to the new one you create by adapting this procedure:
http://exchangeserverpro.com/migrate-relay-connector-exchange-server-2007-2010
Now you’ve got two HT’s with relay connectors with the same remote IP range. Then, any time you want to update them, you can modify this procedure to apply the change to both:
http://exchangeserverpro.com/how-to-add-remote-ip-addresses-to-existing-receive-connectors
Just scale that process out to as many HT’s as you plan to configure with relay connectors.
Hope that helps!
Thanks! I’ve been messing with this for the better part of the day. Your instructions were the most clear as to setting up
Thank you for this post. Very helpful in simplifying the process of setting this up.
As others above, SSRS is what we are using the relay for and now it works great!
We are currently trying to merge our local account and our external accounts. The only catch is not everyone has external accounts, so we want to make sure that nothing local is routed outside the system. If possible, we’d like to eliminate the need for having to select which account we are sending from, and if at all possible, be able to send to both an internal or external contact simultaneously. Are these instructions on the right track? Is there anything else we may need to do?
Thanks.
Thanks – saved me hours!
With SP1 it works fine, but when I changed to SP2 I found this problem.
Thanks for saving my time.
How can I tell which of applications are currently using the Open Mail Relay, so that when I restrict it, I know which apps will be affected?
Thanks!
Hi Duane, you can turn on Protocol Logging and use the resulting log file to identify what is using the receive connector.
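The two answers above (which Receive Connector accepted a connection, and which hosts are using the relay) both come down to reading the SMTP receive protocol logs. This added example, not from the original article, summarises those logs per connector and remote host; it assumes Verbose protocol logging is already on, the default Exchange 2010 log path, and IPv4 remote endpoints.

```powershell
# Added example (not from the original article): summarise which hosts are
# using which Receive Connector from the SMTP receive protocol logs.
# Assumes Verbose protocol logging is enabled and the default Exchange 2010
# log location; change $logDir if the logs live elsewhere.
$logDir = "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive"

# Column names as written in the #Fields: header of each RECV*.LOG file.
$fields = "date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"

# Skip the '#' header lines and parse the CSV body with the fixed header set.
$rows = Get-ChildItem -Path $logDir -Filter "RECV*.LOG" |
    ForEach-Object {
        Get-Content $_.FullName |
            Where-Object { $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields
    }

# event "<" is a command received from the client, ">" a response we sent.
# One summary line per (connector, remote IP): MAIL FROM commands seen and
# 5xx responses returned, e.g. "550 5.7.1 Unable to relay".
$rows |
    Where-Object { $_.event -eq "<" -or $_.event -eq ">" } |
    ForEach-Object {
        # remote-endpoint is "ip:port" (IPv4 assumed); keep only the address.
        $ip = ($_.'remote-endpoint' -split ':')[0]
        $_ | Add-Member -MemberType NoteProperty -Name "remoteIP" -Value $ip -PassThru
    } |
    Group-Object "connector-id", "remoteIP" |
    ForEach-Object {
        $name = $_.Name -split ', '
        New-Object PSObject -Property @{
            Connector = $name[0]
            RemoteIP  = $name[1]
            MailFrom  = @($_.Group | Where-Object { $_.event -eq "<" -and $_.data -match '^MAIL FROM' }).Count
            Rejected  = @($_.Group | Where-Object { $_.event -eq ">" -and $_.data -match '^5\d\d ' }).Count
        }
    } |
    Sort-Object Connector, RemoteIP |
    Format-Table Connector, RemoteIP, MailFrom, Rejected -AutoSize
```

A host that appears under the Default connector rather than the Relay connector is the overlapping-IP-range symptom described above; a host with MailFrom counts but no rejections on the Relay connector is one that will be affected when you tighten the remote IP list.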
Hi Paul
Great article and your solution was just what I was after. One quick question though. The program being used is a mail merge client which has Sender name, Sender’s email address and reply email address fields. When relaying through the new connector to external recipients the Sender name field is displayed properly, however when emails are sent internally the Sender’s Name is not displayed, only the email address.
For instance the Sender’s Name might be MyCo Mail Out and the reply address bla@bla.com. External receivers see the display name as being MyCo Mail with an email address of bla@bla.com. Internal users however only see the display name as bla@bla.com.
Any ideas on how to get internal users seeing the same Display Name and not the reply email address?
Many Thanks
Hi Sean, you may find this article helpful:
http://exchangeserverpro.com/resolving-anonymous-mail-gal-exchange-server-2010
I just wanted to post a thank you for this great, easy-to-follow article. It saved my butt when I couldn’t get two scanners to scan to email. After fighting it for three days, I found this and voila! Away we go.
Thanks again. Good stuff!
Tom
You’re welcome Tom.
Great article. Is there a way to set up a connector using a host name such as test.myserver.com instead of an IP address? Just wondering, as I have a web app that relays from Azure but the IP address could change at any time.
No, remote systems/networks are identified by IP only, not name.
You could look at using SMTP authentication instead, so that the Azure app makes an authenticated connection to a receive connector regardless of which source IP it is coming from.
This works for me, thanks. I needed it for my email scanner and Linux server to send via my Exchange 2010 server, so I added both IP addresses on the same connector.
Very handy and useful. Just solved my issue of sending emails out externally from a helpdesk software install on one of our servers.
Thanks
Thanks for this, although I am unable to get Exchange to relay in my particular situation. Basically, I’ve got an application on a machine that simply can’t relay through the Exchange box. The only difference that I can see is that the problematic server is on a separate subnet, and it also isn’t in the AD domain of the Exchange box. I don’t see why that matters but it seems to as I can relay from other servers that are on the same subnet and domain as Exchange. Any ideas?
Domain membership shouldn’t matter. You should start from the basics and verify that you can ping the Exchange server from the application server, telnet to the Exchange server on port 25 from the app server, and do some tests with protocol logging turned on for your receive connectors so you can inspect the logs if you need to (the telnet window will also give you some clues).
Two quick questions - in the example above is it necessary to check ‘Exchange Servers’ under Permission Groups for a connector used to relay from, say, scanners? They are not Exchange servers.
Also, how would Exchange figure out which connector to use when, say, the default connector and the new ‘Relay’ connector are using the same local IP to receive? Or is it necessary to add an additional IP on the NIC for each new receive connector? Won’t the shared IP screw up the whole receiving process?
Yes. The “Exchange Servers” permission is what allows the IP addresses you specify in the remote IP range to relay email to recipients outside of the organization. So instead of thinking of them as “Exchange Servers” think of it as a group of permissions that allows another host to do certain things.
Sharing IP’s works but is not best practice. It works because the receive connectors that share an IP work out which one should handle the incoming connection based on a “most specific match wins” approach – eg a connector with the exact IP of the connecting server will handle the request instead of one that only matches the IP by a broader range of IPs.
You can run into problems if you start allowing entire IP subnets and they overlap with the IP addresses for Exchange servers within the org. If possible use a dedicated network interface with its own IP that is *not* registered in DNS for the relay connector.
Hi Paul,
Thanks for the article. You say “Sharing IP’s works but is not best practice”. Is this not what your steps are using, as you “share” the same Remote Network Settings on both connectors? Confused.com!!
The connector works using Telnet SMTP tests (helo) and is intermittent when the appliance tries to send external emails. We have two CAS servers with identical settings so the intermittency is not caused by that.
Thanks
W.
You can share the listening/local IP address and it will work, but you need to be careful not to cause unexpected behaviours by misconfiguring the remote IP settings (eg accidentally adding the same remote IP to two connectors, or specifying IP ranges that overlap or cause issues with Exchange Hub -> Hub traffic).
Using dedicated IPs basically avoids a variety of potential problems.
In your case if you’re getting intermittent results I recommend you turn on protocol logging on the receive connectors on that server, and then analyse the logs to see whether the correct receive connector is handling the incoming connections from that appliance. The protocol logs would also reveal any other SMTP “conversation” errors that may be occurring.
Thanks. You saved me. This article helped me to set up mail routing from a Linux box.
Ok, makes sense. Though it’s not a very pretty picture if one needs to build several receive connectors. Definitely not as smooth as it was in the 2003 version. Which can be said though about 2010 as a whole (with the exception of DAG). I wonder if there are restrictions to at least assign multiple IPs to the same NIC instead of sticking multiple NICs into every HUB server.
And thanks for informative and prompt responses. That helps.
Paul or anyone else.
Is there a way for me to make Exchange 2010 work like 2003 is working in this sense:
2003 destination: Telnet Exch2003Server 25
helo
mail from: Paul <<< at this point it adds the valid @Domain.com and accepts the mail
2010 destination: Telnet Exch2010Server 25
helo
mail from: Paul <<< It fails with a 501 5.1.7. Invalid address error
Why not just supply a valid address? Do you have a specific need for it to work the other way?
Thank you so much, it was really helpful.. Thanks A LOTTTTT
Hi Paul
Great article.
My send connector works without problems sending emails to an external server for a certain domain using TLS. But I can only get it working when sending through Exchange.
If I try using telnet or VBScript (CDO.Message) connecting to the CAS server it doesn’t work.
I’ve seen the following in the send connector logs…
When doing through Outlook, the CAS connects to the external server sending this mail from line:
MAIL FROM: SIZE=4147
250 Sender OK
Using telnet or vbscript:
MAIL FROM: SIZE=1480 AUTH=
501 Usage: MAIL FROM: [SIZE=message_size],
Any idea how to avoid the AUTH=?
Thanks!
I mean But I only can get it working when sending through OUTLOOK
Hi Paul,
We have an app that is running on an SBS 2011 server and we are trying to set up our system similar to what Robert Anderton did, where the app can send emails to external recipients. I have set up the new connector according to the settings and I also did the following:
“Ok so if you create a relay connector and set it so just the IP of the server can use it then you should be fine.”
At this time we are still not able to send from that app. For the Local IP address, should that be the IP address of the server, or leave it at All Available IPv4 (only one IP address assigned to the NIC), and should the remote server only have the IP address of the server? Any help would be greatly appreciated!! Keep up the good work!!
Thanks!!
Hi Paul (and others),
Dumb question: when configuring the “remote sending device” (in my case it’s an in-house Linux server that emails our customer bills), should the SMTP settings for the billing system be configured with an Exchange/AD username & password? I followed this great post and seem to still be having issues not being able to send from our SBS2011 Exchange 2010 box. The two servers are on the same LAN. THANKS!!
I should also note that the bills get sent to an internal Domain user as well as external client emails (if that adds any complexity).
Hi Paul,
I have unticked Offer Basic Authentication below the Basic Authentication checkbox and a third party email marketing tool can successfully log in using its connectivity test, however upon testing sending email from it, the email never came through either to my company’s address or an internal address. Would you advise where I should start looking?
Thanks
I suggest turning on Protocol Logging on each of your Receive Connectors, then look in the protocol logs which should show the connections being made by your third party tool and the resulting success/error codes.
Your help got my job done under huge pressure. Thanks a lot. May God bless you for all your help.
Hi, Paul. I need to configure Exchange to accept email from our currently running mail server (Linux box, I will use linuxdomain.com as the domain we are using). The idea is to have Linux accept mail from outside our organization and then route it to the Exchange mailboxes I will create. I have been testing with one account, but emails are not making it. I did add an “Accepted domain” for my linuxdomain.com. I created a receive connector for the Linux server, but I am not sure if I configured it right. I followed your instructions but it is not working. Any input for my setup?
I appreciate your help
Step 1 is doing the Accepted Domain, so that’s good.
Step 2 is configuring a connector. In your case a relay connector is probably not the right one. What I recommend instead is creating a connector with all the same settings as your Default Receive Connector, except specify the Linux box IP as the only remote IP address, and also tick Anonymous Users on the permission tab.
That should do the trick, but let me know if it does not.
Thanks for the tip Paul, checking the anonymous users box did the job.
Nice Article and very helpful
thank you The Author! =)
I’m running a store selling arts and crafts created by prisoners on a SBS 2011 machine located in my home. The store’s software is Zen Cart 1.5 and it sends SMTP notifications to buyers. Problem is, it only sends mail internally. I get the error message ” SMTP Error: The following recipients failed: customer@theirdomain.com.” I followed your great article on creating a new receive connector, and when it did not work I lessened the security levels, which also failed. The Exchange Server and Zen Cart are on the same machine so they share the same NAT IP address (the public IP address is stored at the router). Any ideas?
An application running on the server itself will be connecting to the Receive Connector *from* either the server’s IP (not the public IP, its real IP) or the loopback address (127.0.0.1). I’ve seen apps behave both ways so you may need to test both scenarios.
That fixed it. Thanks for getting back to me on this. Above and beyond.
Hi Paul,
How are you? When I remove anonymous check from the receive connector to stop the open relay then I am unable to receive emails from hotmail, yahoo or any external domains. I just want to close an open relay but also want to receive emails from external domains to my managed domains. Kindly suggest. Thanks.
To receive email from external sources such as Hotmail and Yahoo on a Hub Transport server you need to have that Anonymous tickbox ticked.
Are you saying that your server was an open relay? How had you tested that?
Hi Paul,
Many thanks for your article, it was very clear and concise. I have a situation where an Excel Macro is supposed to be emailing out to a bunch of external addresses. This Excel application is used by a bunch of people, not just located on one server or IP. I’m not a developer, just an admin, but from what I can see from the Macro code the Excel application is trying to use the CDO commands to do this and can provide either basic or NTLM authentication from what I have researched. Neither seems to work on the default receive connector. All credentials specified in the macro are correct and valid.
Any ideas how I would go about finding out what information is being passed to the receive connector? I assume if the Exchange server gets sent a correct username and password from the macro then it should allow the mail out? I have enabled verbose logging on the connector and it seems to just show the unable to relay but not why, e.g. wrong username or password.
Any ideas?
In the situation where you have an authenticated connection coming from multiple unpredictable IPs you have to create a separate Receive Connector, on its own dedicated IP address, and set the Authentication settings to Basic/Integrated (depending on which you want) instead of using the “externally secured” option.
The remote network settings need to specify an IP range that will encompass the PC’s that will be sending the emails (use DHCP reservations for the PC’s if you want to narrow that down).
You’ll also need to make sure the dedicated IP address for this connector is *not* registered in DNS for that server name, and that the Default Receive Connector (and any others) are reconfigured to use the server’s primary IP address instead of any address, to prevent the connectors getting mixed up and not selecting the right one to handle the authenticated connection.
Also be aware as you’re setting this up and tweaking/testing it can take several minutes for each change to kick in so give yourself a decent window of time (preferably out of hours) to implement and test it and be patient.
Hi,
We needed a relay solution to mailshot ‘customers’ from mixed IP machines. We achieved this using the article above, but also using an open relay server (vm running xp and a ‘free’ LAN602 suite pop3 app). This allows our LAN clients to use their application to send messages through our exchange easily.
HTH
Thanks for the article.
Our internal org (2 HUB/CASs and 4 MBX servers) do not talk directly to the internet and they get their mail from Cisco IronPorts on the perimeter.
Would we still be better creating new interfaces and new receive connectors or modifying the default ones already there?
Thanks -
Depends what mail you’re talking about. If it’s the incoming internet email (ie from external senders) then just modifying the default receive connectors to permit Anonymous Users would be fine.
If you wanted to be more precise about it you could create a dedicated receive connector secured to just the IP address(es) of the Ironports and allow Anon Users on that one.
I should have been more clear. We only want to allow anonymous relay for inside systems like app servers, scanners, etc.
Our plan right now is to give each Hub an extra NIC and IP and create new listeners per this article – I just don’t know if that is the way to go or if we should just modify the default ones since we’re not directly internet-facing.
Thanks -
Gotcha. Yes still do it the way this article suggests. Don’t modify the default one as internal Hub -> Hub traffic depends on it.
Thanks Paul.
We have the same scenario as Jason. We simply enabled Anonymous on the default connector and specified the IronPort IP addresses to be able to connect. Seems to be working fine for us. For mail relayed out from internal apps we set up the additional connector as described in the article. No additional NIC or IP required here. Thanks for a great article!
Two days’ search in Exchange, and this is the solution.
Thanks a lot Paul
Paul,
I have followed all of your instructions to the best of my ability and am still getting a “550 5.7.1 Unable to relay” message back when performing a telnet test with the “rcpt to:” line. Are there any other settings I can verify or permissions that are not in the GUI to help troubleshoot this issue?
Thank you,
– Denis
Hi Paul,
We used this article to get our random SMTP-enabled devices routing mail to external recipients just fine in the past. Now we need to do it with our Toshiba copiers and it’s not working. I have a pair of hub servers in a hardware load balanced array, and each has a receive connector which includes the IP’s of the copiers, verbose protocol logging, using only the Exchange servers permission and only the Externally Secured authentication. The copier only tells us ‘mailbox unavailable’ in its log.
I’m not even finding the transaction in any of the Exchange logs even though when I test using an internal e-mail address the logs show all the events just fine. I also tried adding the anonymous permission group but no change.
Any suggestions would be appreciated!
Jim
“Mailbox unavailable”… you sure the devices aren’t trying to logon to mailboxes instead of just using SMTP?
Figured it out. We use hardware load balancers for the hub & cas arrays. Thus the IP was the client IP of the farm and not the actual IP of the copier. After adding the correct IP’s and reverting to the original connector settings, it tests fine. As always, thanks for your followup, Paul!
I have been searching for a couple of days for this, thank you so much.
We have a new Linux server providing database and other services for a new enterprise resource app and it needs to email from within our enterprise. Exchange 2010 (on SBS server 2011) did not allow it. I have been searching authentication and so on from a pretty much standing start. I had got as far as needing a receive connector but no mix of settings worked, but these did.
Thank you again,
Phil
It’s still not working for me. Protocol logging turned on. This started out as a decommission of an old 2003 Exchange server. We migrated to 2010 Exchange, disabled all Exchange services on the 2003 Exch server and changed port forwards in the Cisco router. Mail flowing great except for this one application that cannot relay no matter what I try.
Protocol logging shows that I am hitting the right receive connector but the destination is shown as 127.0.0.1!!!
I have tried everything listed here, any more ideas or suggestions?
Is the application running on the Exchange server itself? If so then 127.0.0.1 may need to be added to the remote IP range on the relay connector.
Another solid article dude.
You are fast becoming my go-to-site for all things Exchange.
Thanks!
Hi Paul,
Try to verify your domain username password is correct. Also may be right to check the log files for this particular application for more information.
Paul,
I keep getting the error 421 4.3.2 Service not available when I run Test-SMTPconnector against my relay connector, but it appears to be relaying messages fine. What could be wrong?
Hi Paul
Many thanks. This clearly works but I have one question. What happens if you have a mix of authenticated and non-authenticated servers that need to relay? Will I need to set up multiple connectors based on the IP addresses? I had a server that authenticated using basic authentication. Changing to these settings broke that, but the thing is that turning off the authentication on the server does not stop the error.
Many thanks in advance.
Regards,
Paul L
This article describes how to set up an unauthenticated relay connector.
If you have servers/apps that can do basic auth then you can try configuring them to use the Client Receive Connector (runs on a different port) or configure a dedicated receive connector for basic auth (I’ve had to do this for customers in the past).
Hello Paul,
I was going over our server settings and our receive connector's permissions are set to allow anonymous users. We were getting NDRs in our message queue lately. Could this be the reason? Should I uncheck that?
Thanks in advance,
Alex
If you’re using a Hub Transport as the internet-facing server for receiving inbound email, then it needs that anonymous users box ticked.
It depends on the NDRs you’re seeing. If a spammer sends an email to your network with a spoofed From address, and your server tries to send back an NDR but can’t because the domain or email address doesn’t exist, then that NDR will sit in your queue for a while until it expires. The best way to combat that would be better spam/connection filtering.
E.g. here is how to set up Spamhaus for an Exchange 2010 transport server (instructions are for Edge Transport but the same steps apply to Hub Transport if you first install the anti-spam agents on the Hub Transport):
http://exchangeserverpro.com/exchange-2010-edge-transport-server-configuring-ip-block-list-providers/
Thanks for the info. I set this up on our servers this morning. Could I still implement this even though we use Postini as a smarthost?
Thanks again,
Alex
I don’t see any issue with it.
Thank a million!
Been struggling to get my CRM Exchange settings fixed for hours. These two screenshots did the trick!
Hi Paul,
I am not able to add a single IP address in the relay connector. If I add a single IP address, e.g. 192.168.1.10/24, it takes the full IP range 192.168.1.0/24. Please tell me what the issue is.
Regards,
Just put the IP in without the /24.
Thanks Paul
Hello Mr. Cunningham,
I swapped our Exchange 2003 server to a new server running Exchange 2010. Everything is working fine right now, but I have to keep the Exchange 2003 server running for this to be the case. If I shut the 2003 server down or stop the SMTP service on it, then anyone getting mail from the Exchange 2010 server will not receive mail from outside the domain, such as from Yahoo, Google, or Hotmail. I have done countless hours/days of research trying to figure out what's wrong and have been unable to find a solution that has worked. The Exchange 2010 server is currently set up with 3 receive connectors. The first connector has all IPv6 and IPv4 and all IP addresses on the network, authentication for TLS, Basic, and Integrated, and permission group for Exchange Users. The second connector has all IPv6 and IPv4 with all IP addresses, authentication for TLS, Basic, Offer Basic, and Integrated, and permission groups for Anonymous, Exchange Users and Servers, and Legacy. The third connector has all IPv4 with all IP addresses, authentication TLS, and permission Anonymous. To verify, SMTP is set up on the Exchange 2010 server. Do you have any ideas how to get our system working with just the Exchange 2010 server running/shutting down the Exchange 2003 server? Please get back to me as soon as you're able to.
Overall issue: Can’t receive email from outside domain unless old server SMTP service is running.
Thanks for any help you can provide.
Have a nice day,
Incoming email connections hit your firewall on TCP port 25, and your firewall determines where that IP and port are NATed to. My assumption, based on your problem description, is that you haven’t changed your firewall rule to NAT the incoming TCP 25 connections to the Exchange 2010 server.
Outgoing email from Exchange 2010 depends on a Send Connector. By the sounds of it you have not created a Send Connector to route outbound email from Exchange 2010, therefore it takes the only available route which is via the Exchange 2003 server.
I will also mention that when you fix those problems and decide to decom your Exchange 2003 server, don’t just shut it down, you have to actually uninstall it properly or you’ll have problems in future with your Exchange org.
Thank you for the information Mr. Cunningham.
I checked just now and TCP port 25 is being NATed/allowed into our Exchange 2010 server. Currently it seems to be set up to allow and direct things to both the Exchange 2003 and Exchange 2010 server. Would being set up in this way cause an issue?
I’m sorry if I misworded this earlier, but outgoing e-mail is working as intended/correctly. The only issue is with incoming e-mail when the exchange 2003 server’s SMTP isn’t working. Thank you for the extra information though. I appreciate your time and help. If there is anything else you can think of that might fix this issue, please let me know.
I was not aware that Exchange 2003 needed to be uninstalled. We were planning to just shut the server down when we were done. Thanks for mentioning this extra tip.
You’re saying that your firewall is NATing the same IP address on port 25 to two different internal hosts? I wouldn’t expect that to work.
Sorry about that. I checked with my boss to make sure. I misunderstood him the first time. He said port 25 is only being NATed to one IP address/our Exchange 2010 server’s external IP address.
Doesn’t make sense that taking down Ex2003 would impact inbound email flow then.
I’d suggest double checking that your MX record points to the correct external address. Also go to http://www.testexchangeconnectivity.com and run the inbound email test. When the test emails arrive take the headers from them and use the header analyzer at MXtoolbox.com to see which server the emails actually came in through.
Thanks a ton. Having me do that check has shown us some very interesting information. We have several different emails and it seems some have the MX record/DNS setup correctly, but others do not. On the one that passed we got a warning with out Exchange 2010 server. I will paste the warning below. If you know what it means, please let me know.
“Analyzing SMTP Capabilities for server trend4.trendservicesinc.com:25
The test passed with some warnings encountered. Please expand the additional details.
Additional Details
Unabled to determine SMTP capabilities. Reason: Unexpected SMTP server response. Expected: 220, actual: 500, whole response: 500 5.3.3 Unrecognized command ”
I appreciate everything you’re doing to help me with this.
Do you use Trend Micro’s cloud email security service? If so then I’d say that trend4.trendservices.inc is theirs.
I don’t believe we do. As for Trend4, it’s one of our servers. The expected 220, actual 500 part is what I don’t know/understand. Though, it doesn’t seem to stop e-mail from coming in/going out.
Got it fixed. Everything seems to be working now. Thanks for all your help.
P.S. For anyone who reads this later, the expected 220, actual 500 error was fixed by altering the authentication settings for the internet receive connector in Exchange 2010. If you have this issue, try adding them until you get the one that fixes it for you.
Yes, the internet-facing receive connector (which is just the default receive connector for a lot of people) needs to have Anonymous Users ticked.
Sir,
I am facing a problem sending mail to only one particular domain. My mail is stuck in the queue with the message 451 4.4.0 primary target IP address responded with "554 transaction failed". I don't know what the reason is that mail is failing on this domain.
thanks
Hello Sunit. Have you checked the logs on the server? Either on your Hub or Edge server, it is usually here:
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend
This is usually related to DNS problems on your end. One workaround is to hard-code the IP address of the MX record for the domain being stuck in the hosts file on your sending server. Permanent solution is to have your DNS settings correctly configured.
Thanks
Hi Paul,
I came across your article here and am wondering if you could help
I’m having an issue properly configuring my receive connector in Exchange 2010.
This weekend I changed our spam filtering service to McAfee SaaS Email Protection & Continuity, but they are not allowing me to use the outgoing service because they detect an open relay on my exchange server.
As far as my firewall is concerned, everything is good. I have a Sonicwall NSA 240 and have the WAN > LAN incoming SMTP locked down to only the MxLogic IP addresses. I’ve confirmed this by doing about 3 open relay tests from websites which fail because they can’t access port 25.
The problem is that because MxLogic has access to port 25 when they do a relay test it succeeds.
All I really need to do is ensure that MxLogic can connect successfully but that no relaying is allowed.
Any assistance would be greatly appreciated
Never mind. I actually found a couple snippets of command shell that helped me resolve the issue. Thanks.
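The situation above (a filtering service reports an open relay even though the firewall only admits its addresses) is exactly what the relay connector settings from the article can produce if the connector's remote IP range is too broad. The following Exchange Management Shell script is an added audit example, not code from the article or from any commenter; it lists every receive connector that grants anonymous connections the ms-Exch-SMTP-Accept-Any-Recipient right and flags those whose remote IP ranges cover every address. The "all addresses" range strings and the use of PowerShell 2.0 syntax are assumptions made for Exchange 2010.

```powershell
# Added example: audit Exchange 2010 receive connectors for anonymous relay.
# Anonymous relay requires both the "Anonymous Users" permission group and the
# ms-Exch-SMTP-Accept-Any-Recipient right granted to ANONYMOUS LOGON, which is
# how the article's relay connector is configured. Run from the Exchange
# Management Shell (PowerShell 2.0 compatible syntax, an assumption).

$anonUser = 'NT AUTHORITY\ANONYMOUS LOGON'
# Assumed string forms of the default "every address" remote IP ranges.
$allAddressesPattern = '^0\.0\.0\.0-255\.255\.255\.255$|^::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff$'

foreach ($rc in Get-ReceiveConnector) {
    # Does the connector accept anonymous connections at all?
    $allowsAnon = [bool]($rc.PermissionGroups -match 'AnonymousUsers')

    # Has ANONYMOUS LOGON been granted (not denied) the relay right?
    $relayGrant = Get-ADPermission -Identity $rc.Identity -User $anonUser -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') -and (-not $_.Deny)
        }
    $anonRelay = $allowsAnon -and ($relayGrant -ne $null)

    # A relay connector reachable from every address is an open relay to anyone
    # who can reach port 25 (here, the filtering service's own addresses).
    $broadRange = $rc.RemoteIPRanges | Where-Object { $_.ToString() -match $allAddressesPattern }

    New-Object PSObject -Property @{
        Connector      = $rc.Identity.ToString()
        Bindings       = ($rc.Bindings -join ', ')
        RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
        AnonymousUsers = $allowsAnon
        AnonymousRelay = $anonRelay
        OpenToAllIPs   = ($anonRelay -and ($broadRange -ne $null))
    }
}
```

Any connector reported with OpenToAllIPs set to True should have its RemoteIPRanges narrowed to the specific hosts that need to relay, as the article describes.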