It's June 16, 2020 and Microsoft released Cumulative Update 17 for Exchange Server 2016 (KB4556414).…
Find IP addresses using Exchange SMTP relay
You want to find on-premises IP addresses that use Exchange SMTP relay for sending mail. Why do you want to have that information? Most commonly, that’s when you want to decommission an Exchange Server, and you like to confirm that there is no mail flow running over the SMTP relay. If everything is set up, you can disable the SMTP relay receive connector. In this article, you will learn how to automate the search and find the IP addresses that use the SMTP relay.
Table of contents
Introduction
Before we start, it’s good to know why we want to know which IP addresses use the Exchange SMTP relay. A couple of reasons are when you:
- Move to new Exchange Server with SMTP relay
- Move to Office 365 SMTP relay
- Auditing which IP addresses you can remove
Note: Please don’t remove the SMTP relay receive connector immediately, and don’t decommission the Exchange Server immediately. That’s a big mistake.
We recommend the following order:
- Get IP addresses using Exchange SMTP relay (this article)
- Disable SMTP relay receive connector
- Shutdown Exchange Server for a week or longer
- Decommission Exchange Server
Check SMTP relay logs
To be able to search for IP addresses in the logs, you need to enable logging on the connector. Run Exchange Management Shell as administrator. Run Get-ReceiveConnector cmdlet and check if protocol logging is enabled on the SMTP relay receive connector.
In our example, ProtocolLoggingLevel shows Verbose for the Identity SMTP Relay. It means that logging is enabled.
[PS] C:\>Get-ReceiveConnector -Server "EX01-2016" | ft Identity,Enabled,TransportRole,Protocol*,Bindings
Identity Enabled TransportRole ProtocolLoggingLevel Bindings
-------- ------- ------------- -------------------- --------
EX01-2016\Default EX01-2016 True HubTransport Verbose {0.0.0.0:2525, [::]:2525}
EX01-2016\Client Proxy EX01-2016 True HubTransport Verbose {[::]:465, 0.0.0.0:465}
EX01-2016\Default Frontend EX01-2016 True FrontendTransport Verbose {[::]:25, 0.0.0.0:25}
EX01-2016\Outbound Proxy Frontend EX01-2016 True FrontendTransport Verbose {[::]:717, 0.0.0.0:717}
EX01-2016\Client Frontend EX01-2016 True FrontendTransport Verbose {[::]:587, 0.0.0.0:587}
EX01-2016\SMTP relay True FrontendTransport Verbose {0.0.0.0:25}
You can check the SMTP logging status in Exchange admin center. Go to mail flow > receive connectors. Select the Exchange Server that you want to check. Select the SMTP relay receive connector and check in the details pane if it shows Logging – On.
Note: If you have more than one Exchange Server in the organization, you most likely have an SMTP relay receive connectors configured on more than one Exchange Server for high availability. Check that SMTP relay receive connector logging is enabled on all Exchange Servers.
If SMTP logging is enabled, skip the next step. If not, enable logging on the SMTP relay receive connector in the next step. It’s most likely the transport role FrontendTransport.
Enable SMTP relay logs
[PS] C:\>Get-ReceiveConnector -Identity "EX01-2016\SMTP relay" | Set-ReceiveConnector -ProtocolLogging Verbose
Do you want to enable SMTP relay logging in Exchange admin center? Click in the details pane on the On link to enable SMTP logging. Do the same on the other Exchange Servers.
If you enabled SMTP relay receive connector logging right now, you have to wait a couple of days or weeks before logs are generated. That depends on the use.
Find SMTP relay logs
It’s not possible to find Exchange SMTP logs path in Exchange admin center. We can use Exchange Management Shell and find where the SMTP logs are placed.
[PS] C:\>Get-FrontendTransportService -Identity "EX01-2016" | fl Name,Identity,Receive*
Name : EX01-2016
Identity : Frontend
ReceiveProtocolLogMaxAge : 30.00:00:00
ReceiveProtocolLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ReceiveProtocolLogMaxFileSize : 10 MB (10,485,760 bytes)
ReceiveProtocolLogPath : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
Copy ReceiveProtocolLogPath and paste it in Windows Explorer.
In the next step, we will prepare the PowerShell script to scan all the logs and filter out the IP addresses.
Read more: Exchange receive connector logging »
Prepare SMTP-Review PowerShell script
Download SMTP-Review.ps1 PowerShell script from here (direct) or here (GitHub). Place the script in C:\scripts folder on the Exchange Server. If you don’t have a scripts folder, create one.
In Line 80, change the path to the receive protocol log path that you searched for in the previous step. In our example, this is how it looks:
$LogFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"
Run SMTP-Review PowerShell script
Run PowerShell as administrator and run the SMTP-Review.ps1 PowerShell script.
Note: Run the script on all Exchange Servers if you have an SMTP relay configured on it. For example, Exchange Server EX01-2016 and EX02-2016.
PS C:\> cd C:\scripts
PS C:\scripts> .\SMTP-Review.ps1
The script will go through all the files, and after it finishes, you will see which IP addresses use the SMTP relay as output. Also, it will generate an Output.txt file with the IP addresses in the same path where you have the script placed.
Make a note of the IP addresses and adjust the SMTP field in the printers, applications, and servers to the new SMTP relay record.
Other articles that may interest you:
- Export remote IP addresses to Exchange receive connector
- Import remote IP addresses to Exchange receive connector
- Copy receive connector to another Exchange Server
Conclusion
In this article, you learned how to find IP addresses using Exchange SMTP relay. Enable logging on the SMTP relay receive connector and copy the log path before you start. Run the SMTP-Review.ps1 PowerShell script and let it run through the SMTP receive logs. Don’t forget to run the script on all the Exchange Servers that you have an SMTP relay receive connector configured on.
When the script finishes, adjust the SMTP records on the mentioned IP addresses. Another excellent way to use the script is to know which IP addresses are obsolete and delete them from the receive connector IP addresses list.
Did you enjoy this article? You may also like Microsoft Exchange Server vulnerability check. Don’t forget to follow us and share this article.
Hello Ali,
thank you very much for your courses, they are awesome 🙂
After running the script on my Ex2016, I saw the IP address of my Exchange Server’s second NIC what planned for DAG in the list. The problem is that DAG cannot be used actively.
The situation in the organization is like this
1 Ex2016 > DAG configured but is not aktiv, also exist only one Ex2016
2 New Ex2019 > DAG configured and used aktively
After copying the receive connector (anonymous relay) from the previous issues directly from the old server, the anonymous relay connector did not work on the new Ex2019 servers.
What would you suggest me ?
Thank you in advance for your answers
Emre
Hi Emre,
Glad that you like the courses.
Follow the article Copy receive connector to another Exchange Server.
At the end of the article, you will see that you have to grant MS-Exch-SMTP-Accept-Any-Recipient permissions to the Anonymous Logon Account on the receive connector for anonymous SMTP relay to work.
Thanks for the great writeup. I made a slight change to your script to parse the log files faster (which you may want to include.). By removing the nesting of the for loops, the script went from over an hour to run, to just a few minutes.
For loop 1 – get the content of all the files
For loop 2 – parse for unique IP addresses
Any chance you can post those edits? Some of my queries last a few days – so this should be helpful. I took at a look at the script and aren’t clear how you modified it.
This is so perfect fast solution. Thanks for this !