skip to Main Content

Configure anonymous SMTP relay in Exchange Server

Most of the time, you get asked if it’s possible to send an email to external recipients from an application or server in the organization. Well, it is possible if we configure a dedicated anonymous SMTP relay Exchange receive connector. Now how do we set it up? In this article, we will create an anonymous Exchange SMTP relay connector.

Internal SMTP relay

To relay email internal, you don’t have to configure an SMTP receive connector. It’s already set up with the default Exchange Server configuration. For example, let’s say you have an application and want to send an email to internal mailboxes. You set up a email address, and it will send the email successfully to the internal mailbox users.

Create new receive connector

We have to create a dedicated receive connector for SMTP relay in Exchange Server. We can create the receive connector in:

  • Exchange Admin Center
  • Exchange Management Shell (PowerShell)

Note: Create the same receive connector on all Exchange Servers.

Create receive connector in Exchange Admin Center

Sign in to Exchange Admin Center. Click in the feature pane on mail flow and follow with receive connectors in the tabs. Select the Exchange Server if you have multiple Exchange Servers. Click on + in the toolbar to create a new receive connector.

Configure anonymous SMTP relay in Exchange Server add receive connector

Fill in a name for the receive connector. For example, SMTP relay. Select the role Frontend Transport and type Custom. Click Next.

Configure anonymous SMTP relay in Exchange Server new receive connector step 1

Keep the network adapter bindings as default and click Next.

Configure anonymous SMTP relay in Exchange Server new receive connector step 2

Add the server or servers that will use the SMTP relay in the Remote network settings. You can make use of IP addresses and IP ranges. In our example, IP address is an application server that sends emails to internal and external recipients. Click Finish.

Important: Remove the default IP range

Note: Do not add the Exchange Servers in the SMTP relay receive connector. It will cause issues with communication between Exchange Servers, and mail flow will not work correctly. Read more in the article Exchange 2016 internal mail flow not working.

The SMTP relay receive connector is successfully created.

Configure anonymous SMTP relay in Exchange Server smtp relay receive connector created

Create receive connector with PowerShell

Do you want to create an SMTP relay receive connector with PowerShell? Run Exchange Management Shell as administrator. Make use of the New-ReceiveConnector cmdlet.

[PS] C:\>New-ReceiveConnector -Server "EX01-2016" -Name "SMTP relay" -TransportRole FrontendTransport -Custom -Bindings -RemoteIpRanges

Identity             Bindings     Enabled
--------             --------     -------
EX01-2016\SMTP relay {} True

Configure anonymous permissions

Run both the commands to grant the minimum required permissions to allow anonymous relay.

[PS] C:\>Set-ReceiveConnector "EX01-2016\SMTP relay" -PermissionGroups AnonymousUsers

[PS] C:\>Get-ReceiveConnector "EX01-2016\SMTP relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
EX01-2016\SMTP relay NT AUTHORITY\ANON... False False

Create SMTP relay DNS record

In the internal DNS, create an A record and point it to the load balancer or the Exchange Server(s). In my example, the load balancer.

Note: Point internal devices or applications to a DNS record instead of an IP address. It’s quicker to change one entry in DNS than to change an IP on every device and application.

Ping the FQDN, and it needs to resolve to the IP address. If it doesn’t, run ipconfig /flushdns and try again. If that doesn’t work, give it some time or troubleshoot further.


Pinging [] with 32 bytes of data:
Reply from bytes=32 time<1ms TTL=64
Reply from bytes=32 time<1ms TTL=64
Reply from bytes=32 time<1ms TTL=64
Reply from bytes=32 time<1ms TTL=64

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Test anonymous SMTP relay

Test that the anonymous SMTP relay is set up correctly and that email relays through Exchange Server successfully. An excellent way to test Exchange anonymous SMTP relay is with the Send-Email.ps1 PowerShell script.

Run PowerShell as administrator. Copy the below script or download the Send-Email.ps1 PowerShell script. Before you run the script change the fields:

  • To
  • From
  • SmtpServer
$EmailMessage = @{
    To         = ""
    From       = ""
    Subject    = "Test email"
    Body       = "Test email sent using Exchange SMTP relay"
    SmtpServer = ""
    Port       = "25"

Send-MailMessage @EmailMessage

The output should not give you an error, and the email will arrive in the inbox you added in the To field.

Important: Do not run the Send-Email.ps1 PowerShell script on the Exchange Server as it will result in an error.

Running the Send-Email.ps1 PowerShell script on the Exchange Server will result in the below error. Run the script only on the systems that are added to the SMTP relay receive connector.

Send-MailMessage : Mailbox unavailable. The server response was: 5.7.54 SMTP; Unable to relay recipient in non-accepted domain
At line:10 char:1
+ Send-MailMessage @EmailMessage
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpFailedRecipientException
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

Other articles that you may be interested in:


In this article, you learned how to configure anonymous SMTP relay in Exchange Server. Create a dedicated receive connector and add the IP addresses or IP ranges that need to relay through the Exchange Server.

Did you enjoy this article? You may also like Send Out of Office reply every day with PowerShell. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 9 Comments

    1. Glad you like the article, Chato.

      There are two different methods that you can use to configure permissions that are required for anonymyous relay on a Receive connector.

      I showed the one that I always use in organizations. The one you mention is the other method. Both are fine.

      Note that only one method should be used and not both at the same time.

  1. Internal SMTP – we are in a hybrid environment. I can see the SMTP role is not configured. Just go with the defaults?

    Thanks, this is a great resource.

  2. Hi Ali,

    Does an anonymous SMTP relay have to have a MAIL FROM: address (valid or not) for the email to be sent?

    We are trying to send without a sender address using the “null address” (i.e. “) and the email is not delivered?


  3. Can this process be used to keep a coexisting email environment in the same domain? For example if Lotus Notes is still in use but Exchange is being setup…can this allow Exchange to go live in production while letting users who haven’t migrated yet to send and receive email via Lotus Notes still?

  4. Hi Ali,

    You should also note that you need to go back into the SMTP Relay receive connector that you just created and configure the security settings by turning off authentication and also allowing the anonymous users permission group.

    Thanks for your guide, Great work.


  5. Do you know how to force the use of
    to set the mail header equal to:
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    via connector.

Leave a Reply

Your email address will not be published. Required fields are marked *