Find IP addresses using Exchange SMTP relay

You want to find on-premises IP addresses that use Exchange SMTP relay for sending mail. Why do you want to have that information? Most commonly, that’s when you want to decommission an Exchange Server, and you like to confirm that there is no mail flow running over the SMTP relay. If everything is set up, you can disable the SMTP relay receive connector. In this article, you will learn how to automate the search and find the IP addresses that use the SMTP relay.

Introduction

Before we start, it’s good to know why we want to know which IP addresses use the Exchange SMTP relay. A couple of reasons are when you:

• Move to new Exchange Server with SMTP relay
• Move to Office 365 SMTP relay
• Auditing which IP addresses you can remove

We recommend the following order:

• Get IP addresses using Exchange SMTP relay (this article)
• Disable SMTP relay receive connector
• Shutdown Exchange Server for a week or longer
• Decommission Exchange Server

Check SMTP relay logs

To be able to search for IP addresses in the logs, you need to enable logging on the connector. Run Exchange Management Shell as administrator. Run Get-ReceiveConnector cmdlet and check if protocol logging is enabled on the SMTP relay receive connector.

In our example, ProtocolLoggingLevel shows Verbose for the Identity SMTP Relay. It means that logging is enabled.

[PS] C:\>Get-ReceiveConnector -Server "EX01-2016" | ft Identity,Enabled,TransportRole,Protocol*,Bindings

Identity                                    Enabled     TransportRole ProtocolLoggingLevel Bindings
--------                                    -------     ------------- -------------------- --------
EX01-2016\Default EX01-2016                    True      HubTransport              Verbose {0.0.0.0:2525, [::]:2525}
EX01-2016\Client Proxy EX01-2016               True      HubTransport              Verbose {[::]:465, 0.0.0.0:465}
EX01-2016\Default Frontend EX01-2016           True FrontendTransport              Verbose {[::]:25, 0.0.0.0:25}
EX01-2016\Outbound Proxy Frontend EX01-2016    True FrontendTransport              Verbose {[::]:717, 0.0.0.0:717}
EX01-2016\Client Frontend EX01-2016            True FrontendTransport              Verbose {[::]:587, 0.0.0.0:587}
EX01-2016\SMTP relay                           True FrontendTransport              Verbose {0.0.0.0:25}

You can check the SMTP logging status in Exchange admin center. Go to mail flow > receive connectors. Select the Exchange Server that you want to check. Select the SMTP relay receive connector and check in the details pane if it shows Logging – On.

If SMTP logging is enabled, skip the next step. If not, enable logging on the SMTP relay receive connector in the next step. It’s most likely the transport role FrontendTransport.

Enable SMTP relay logs

[PS] C:\>Get-ReceiveConnector -Identity "EX01-2016\SMTP relay" | Set-ReceiveConnector -ProtocolLogging Verbose

Do you want to enable SMTP relay logging in Exchange admin center? Click in the details pane on the On link to enable SMTP logging. Do the same on the other Exchange Servers.

If you enabled SMTP relay receive connector logging right now, you have to wait a couple of days or weeks before logs are generated. That depends on the use.

Find SMTP relay logs

It’s not possible to find Exchange SMTP logs path in Exchange admin center. We can use Exchange Management Shell and find where the SMTP logs are placed.

[PS] C:\>Get-FrontendTransportService -Identity "EX01-2016" | fl Name,Identity,Receive*


Name                               : EX01-2016
Identity                           : Frontend
ReceiveProtocolLogMaxAge           : 30.00:00:00
ReceiveProtocolLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ReceiveProtocolLogMaxFileSize      : 10 MB (10,485,760 bytes)
ReceiveProtocolLogPath             : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Copy ReceiveProtocolLogPath and paste it in Windows Explorer.

In the next step, we will prepare the PowerShell script to scan all the logs and filter out the IP addresses.

Read more: Exchange receive connector logging »

Prepare SMTP-Review PowerShell script

Download SMTP-Review.ps1 PowerShell script from here (direct) or here (GitHub). Place the script in C:\scripts folder on the Exchange Server. If you don’t have a scripts folder, create one.

In Line 80, change the path to the receive protocol log path that you searched for in the previous step. In our example, this is how it looks:

$LogFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"

Run SMTP-Review PowerShell script

Run PowerShell as administrator and run the SMTP-Review.ps1 PowerShell script.

PS C:\> cd C:\scripts
PS C:\scripts> .\SMTP-Review.ps1

The script will go through all the files, and after it finishes, you will see which IP addresses use the SMTP relay as output. Also, it will generate an Output.txt file with the IP addresses in the same path where you have the script placed.

Make a note of the IP addresses and adjust the SMTP field in the printers, applications, and servers to the new SMTP relay record.

Other articles that may interest you:

• Export remote IP addresses to Exchange receive connector
• Import remote IP addresses to Exchange receive connector
• Copy receive connector to another Exchange Server

Conclusion

In this article, you learned how to find IP addresses using Exchange SMTP relay. Enable logging on the SMTP relay receive connector and copy the log path before you start. Run the SMTP-Review.ps1 PowerShell script and let it run through the SMTP receive logs. Don’t forget to run the script on all the Exchange Servers that you have an SMTP relay receive connector configured on.

When the script finishes, adjust the SMTP records on the mentioned IP addresses. Another excellent way to use the script is to know which IP addresses are obsolete and delete them from the receive connector IP addresses list.

Did you enjoy this article? You may also like Microsoft Exchange Server vulnerability check. Don’t forget to follow us and share this article.