
Configure anonymous SMTP relay in Exchange Server

Applications and servers in the organization often need to send email to external recipients. That is possible with a dedicated anonymous SMTP relay receive connector in Exchange Server. In this article, we will create an anonymous Exchange SMTP relay connector.

Internal SMTP relay

To relay email internally, you don’t have to configure an SMTP receive connector. It’s already set up with the default Exchange Server configuration. For example, let’s say you have an application and want to send an email to internal mailboxes. You set up a noreply@company.com email address, and it will send the email successfully to the internal mailbox users.

Create new receive connector

We have to create a dedicated receive connector for SMTP relay in Exchange Server. We can create the receive connector in:

  • Exchange Admin Center
  • Exchange Management Shell (PowerShell)

Note: Create the same receive connector on all Exchange Servers.

Create receive connector in Exchange Admin Center

Sign in to Exchange Admin Center. In the feature pane, click mail flow, then click the receive connectors tab. Select the Exchange Server if you have multiple Exchange Servers. Click on + in the toolbar to create a new receive connector.


Fill in a name for the receive connector. For example, SMTP relay. Select the role Frontend Transport and type Custom. Click Next.


Keep the network adapter bindings as default and click Next.


Add the server or servers that will use the SMTP relay in the Remote network settings. You can make use of IP addresses and IP ranges. In our example, IP address 192.168.1.60 is an application server that sends emails to internal and external recipients. Click Finish.

Important: Remove the default IP range 0.0.0.0-255.255.255.255.

Note: Do not add the Exchange Servers in the SMTP relay receive connector. It will cause issues with communication between Exchange Servers, and mail flow will not work correctly. Read more in the article Exchange Server internal mail flow not working.

The SMTP relay receive connector is successfully created.


Create receive connector with PowerShell

Do you want to create an SMTP relay receive connector with PowerShell? Run Exchange Management Shell as administrator. Make use of the New-ReceiveConnector cmdlet.

[PS] C:\>New-ReceiveConnector -Server "EX01-2016" -Name "SMTP relay" -TransportRole FrontendTransport -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.1.60

Identity             Bindings     Enabled
--------             --------     -------
EX01-2016\SMTP relay {0.0.0.0:25} True

Configure anonymous permissions

Run both commands to grant the minimum required permissions to allow anonymous relay.

[PS] C:\>Set-ReceiveConnector "EX01-2016\SMTP relay" -PermissionGroups AnonymousUsers


[PS] C:\>Get-ReceiveConnector "EX01-2016\SMTP relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited
--------             ----                 ----  ---------
EX01-2016\SMTP relay NT AUTHORITY\ANON... False False
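
Once anonymous relay is granted, the remote IP ranges are the only thing limiting who can relay. The following audit is an added example, not part of the original article: it flags connectors that allow AnonymousUsers while accepting a broad IPv4 range or a range that contains an Exchange Server. The function names, the 256-address threshold, the sample connectors, and the Exchange Server IP 192.168.1.51 are assumptions, and it assumes each RemoteIPRanges entry renders as a single IP, a start-end range, or CIDR.

```powershell
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-Ipv4RangeBounds ([string]$Range) {
    # Accepts "a.b.c.d", "a.b.c.d-e.f.g.h" and "a.b.c.d/prefix"
    if ($Range -match '^(?<s>[\d.]+)-(?<e>[\d.]+)$') {
        [uint64]$start = ConvertTo-UInt32 $Matches.s
        [uint64]$end   = ConvertTo-UInt32 $Matches.e
    } elseif ($Range -match '^(?<s>[\d.]+)/(?<p>\d+)$') {
        [uint64]$size  = [uint64]1 -shl (32 - [int]$Matches.p)
        [uint64]$start = ConvertTo-UInt32 $Matches.s
        $start = $start - ($start % $size)   # align to the network address
        [uint64]$end = $start + $size - 1
    } else {
        [uint64]$start = ConvertTo-UInt32 $Range; [uint64]$end = $start
    }
    [pscustomobject]@{ Start = $start; End = $end }
}

function Test-RelayConnectorScope {
    param(
        [Parameter(ValueFromPipeline = $true)] $Connector,
        [string[]] $ExchangeServerIp = @(),   # must never fall inside a relay range
        [uint64]   $MaxAddresses = 256        # assumed review threshold
    )
    process {
        if ("$($Connector.PermissionGroups)" -notmatch 'AnonymousUsers') { return }
        foreach ($entry in $Connector.RemoteIPRanges) {
            $text = "$entry"
            if ($text -match ':') { continue }   # IPv6 ranges are not evaluated here
            $b    = Get-Ipv4RangeBounds $text
            $size = $b.End - $b.Start + 1
            $hits = @($ExchangeServerIp | Where-Object {
                $n = ConvertTo-UInt32 $_; $n -ge $b.Start -and $n -le $b.End })
            if ($size -gt $MaxAddresses -or $hits.Count -gt 0) {
                [pscustomobject]@{ Connector = $Connector.Identity; Range = $text; Addresses = $size; ExchangeIps = $hits -join ',' }
            }
        }
    }
}

# Constructed sample objects; on a live server pipe Get-ReceiveConnector instead.
$sample = [pscustomobject]@{ Identity = 'EX01-2016\SMTP relay'; PermissionGroups = 'AnonymousUsers'; RemoteIPRanges = @('192.168.1.60') },
          [pscustomobject]@{ Identity = 'EX01-2016\Relay wide'; PermissionGroups = 'AnonymousUsers'; RemoteIPRanges = @('0.0.0.0-255.255.255.255') },
          [pscustomobject]@{ Identity = 'EX01-2016\Relay subnet'; PermissionGroups = 'AnonymousUsers'; RemoteIPRanges = @('192.168.1.0/24') }
$sample | Test-RelayConnectorScope -ExchangeServerIp '192.168.1.51'   # constructed Exchange Server IP
```

With the sample data, the single-host connector passes, while the default range and the /24 that contains the Exchange Server are reported.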

Create SMTP relay DNS record

In the internal DNS, create an A record and point it to the load balancer or the Exchange Server(s). In my example, the load balancer.

Note: Point internal devices or applications to a DNS record instead of an IP address. It’s quicker to change one entry in DNS than to change an IP on every device and application.

Ping the FQDN and confirm that it resolves to the IP address. If it doesn’t, run ipconfig /flushdns and try again. If that doesn’t work, give it some time or troubleshoot further.

C:\>ping relay.exoip.com

Pinging relay.exoip.com [192.168.1.54] with 32 bytes of data:
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64
Reply from 192.168.1.54: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.54:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Test anonymous SMTP relay

Test that the anonymous SMTP relay is set up correctly and that email relays through Exchange Server successfully. An excellent way to test Exchange anonymous SMTP relay is with the Send-Email.ps1 PowerShell script.

Run PowerShell as administrator. Copy the script below or download the Send-Email.ps1 PowerShell script. Before you run the script, change the fields:

  • To
  • From
  • SmtpServer

$EmailMessage = @{
    To         = "info@alitajran.com"
    From       = "application@exoip.com"
    Subject    = "Test email"
    Body       = "Test email sent using Exchange SMTP relay"
    SmtpServer = "relay.exoip.com"
    Port       = "25"
}

Send-MailMessage @EmailMessage

The output should not give you an error, and the email will arrive in the inbox you added in the To field.

Important: Do not run the Send-Email.ps1 PowerShell script on the Exchange Server, as it will result in an error.

Running the Send-Email.ps1 PowerShell script on the Exchange Server will result in the below error. Run the script only on the systems that are added to the SMTP relay receive connector.

Send-MailMessage : Mailbox unavailable. The server response was: 5.7.54 SMTP; Unable to relay recipient in non-accepted domain
At line:10 char:1
+ Send-MailMessage @EmailMessage
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpFailedRecipientException
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage


Conclusion

You learned how to configure an anonymous SMTP relay in Exchange Server. Create a dedicated receive connector and add the IP addresses or IP ranges that need to relay through the Exchange Server.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 14 Comments

  1. Hi all, tried everything, but not working, after:

    Get-ReceiveConnector relay_name | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

    get this error:

    server_name\realy_name wasn’t found. Please make sure you’ve typed it correctly.

    Working on Exchange 2019, on Exchange 2016 not.

  2. Hello
    Have you encountered any situation where extended permissions were added or removed by a Windows update or any unrelated task?
    I had a situation where a bunch of extended permissions went missing.

  3. Hello, I have Exchange 2019 and I use Symantec Messages Gateway for mail. In our office we need to send 2000 mails in one day with a server, but SMG blocks it and sends a rejected message by MTA. What should I do?

  4. Dear Ali,

    Thank you for the guides on Exchange installation. I followed them and all is perfect, but I have one issue, and I hope you can help me resolve it. I followed your guide to install and configure Exchange and all is OK. I can receive emails from outside of the organization, I can receive internally from another mailbox, but when I try to send email outside of the organization I can’t. The error which I receive is:
    SMTP rejected your message to the following email addresses:
    Your message couldn’t be delivered and there was no valid enhanced status code being issued by the remote mail system to determine the exact cause, status: ‘550 Relay not permitted’.

    I tried a lot of things but still can’t fix it. What did I miss?
    Thank you in advance for your help.

    BR,

    1. Dear Ali,
      Could you remind me what I missed in my configuration?

      Thank you in advance for your help.

    1. Glad you like the article, Chato.

      There are two different methods that you can use to configure permissions that are required for anonymous relay on a Receive connector.

      I showed the one that I always use in organizations. The one you mention is the other method. Both are fine.

      Note that only one method should be used and not both at the same time.

  5. Internal SMTP – we are in a hybrid environment. I can see the SMTP role is not configured. Just go with the defaults?

    Thanks, this is a great resource.

  6. Hi Ali,

    Does an anonymous SMTP relay have to have a MAIL FROM: address (valid or not) for the email to be sent?

    We are trying to send without a sender address using the “null address” (i.e. “) and the email is not delivered?

    Thanks

  7. Can this process be used to keep a coexisting email environment in the same domain? For example if Lotus Notes is still in use but Exchange is being setup…can this allow Exchange to go live in production while letting users who haven’t migrated yet to send and receive email via Lotus Notes still?

  8. Hi Ali,

    You should also note that you need to go back into the SMTP Relay receive connector that you just created and configure the security settings by turning off authentication and also allowing the anonymous users permission group.

    Thanks for your guide, Great work.

    Regards,
    Brett

  9. Do you know how to force the use of
    Ms-Exch-Bypass-Anti-Spam
    to set the mail header equal to:
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    via connector.
