Find IP addresses using Exchange SMTP relay
You want to find the on-premises IP addresses that use Exchange SMTP relay for sending mail. Why do you want that information? Most commonly, it's because you want to decommission an Exchange Server and need to confirm that no mail flow is still running over the SMTP relay. If everything is set up, you can disable the SMTP relay receive connector. In this article, you will learn how to automate the search and find the IP addresses that use the SMTP relay.
Introduction
Before we start, it’s good to know why we want to know which IP addresses use the Exchange SMTP relay. A couple of reasons are when you:
- Move to a new Exchange Server with SMTP relay
- Move to Office 365 SMTP relay
- Audit which IP addresses you can remove
Note: Please don’t remove the SMTP relay receive connector immediately, and don’t decommission the Exchange Server immediately. That’s a big mistake.
We recommend the following order:
- Get IP addresses using Exchange SMTP relay (this article)
- Disable SMTP relay receive connector
- Shut down Exchange Server for a week or longer
- Decommission Exchange Server
Check SMTP relay logs
To search for IP addresses in the logs, you need to enable logging on the connector. Run Exchange Management Shell as administrator. Run the Get-ReceiveConnector cmdlet and check whether protocol logging is enabled on the SMTP relay receive connector.
In our example, ProtocolLoggingLevel shows Verbose for the Identity SMTP Relay. It means that logging is enabled.
[PS] C:\>Get-ReceiveConnector -Server "EX01-2016" | ft Identity,Enabled,TransportRole,Protocol*,Bindings

Identity                                     Enabled TransportRole     ProtocolLoggingLevel Bindings
--------                                     ------- -------------     -------------------- --------
EX01-2016\Default EX01-2016                  True    HubTransport      Verbose              {0.0.0.0:2525, [::]:2525}
EX01-2016\Client Proxy EX01-2016             True    HubTransport      Verbose              {[::]:465, 0.0.0.0:465}
EX01-2016\Default Frontend EX01-2016         True    FrontendTransport Verbose              {[::]:25, 0.0.0.0:25}
EX01-2016\Outbound Proxy Frontend EX01-2016  True    FrontendTransport Verbose              {[::]:717, 0.0.0.0:717}
EX01-2016\Client Frontend EX01-2016          True    FrontendTransport Verbose              {[::]:587, 0.0.0.0:587}
EX01-2016\SMTP relay                         True    FrontendTransport Verbose              {0.0.0.0:25}
You can also check the SMTP logging status in Exchange admin center. Go to mail flow > receive connectors. Select the Exchange Server that you want to check. Select the SMTP relay receive connector and check whether the details pane shows Logging – On.
Note: If you have more than one Exchange Server in the organization, you most likely have an SMTP relay receive connector configured on more than one Exchange Server for high availability. Check that SMTP relay receive connector logging is enabled on all Exchange Servers.
If SMTP logging is enabled, skip the next step. If not, enable logging on the SMTP relay receive connector in the next step. The connector most likely has the transport role FrontendTransport.
Enable SMTP relay logs
[PS] C:\>Get-ReceiveConnector -Identity "EX01-2016\SMTP relay" | Set-ReceiveConnector -ProtocolLogging Verbose
Do you want to enable SMTP relay logging in Exchange admin center? Click in the details pane on the On link to enable SMTP logging. Do the same on the other Exchange Servers.
If you enabled SMTP relay receive connector logging right now, you have to wait a couple of days or weeks before logs are generated. That depends on the use.
Find SMTP relay logs
Exchange admin center does not show the path of the Exchange SMTP logs. Use Exchange Management Shell to find where the SMTP logs are stored.
[PS] C:\>Get-FrontendTransportService -Identity "EX01-2016" | fl Name,Identity,Receive*
Name : EX01-2016
Identity : Frontend
ReceiveProtocolLogMaxAge : 30.00:00:00
ReceiveProtocolLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ReceiveProtocolLogMaxFileSize : 10 MB (10,485,760 bytes)
ReceiveProtocolLogPath : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive
Copy ReceiveProtocolLogPath and paste it into Windows Explorer.
In the next step, we will prepare the PowerShell script to scan all the logs and filter out the IP addresses.
Read more: Exchange receive connector logging »
Prepare SMTP-Review PowerShell script
Create two folders on the Exchange Server (C:) drive:
- Temp
- Scripts
Download SMTP-Review.ps1 PowerShell script and place it in C:\scripts folder. The script will export the text file to the C:\temp folder.
Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.
Another option is to copy and paste the below code into Notepad. Give it the name SMTP-Review.ps1 and place it in the C:\scripts folder.
<#
.SYNOPSIS
SMTP-Review.ps1
.DESCRIPTION
Script is intended to help determine servers that are using an Exchange server to connect and send email.
This is especially pertinent in a decommission scenario, where the logs are to be checked to ensure that
all SMTP traffic has been moved to the correct endpoint.
.LINK
www.alitajran.com/find-ip-addresses-using-exchange-smtp-relay
.NOTES
Written by: ALI TAJRAN
Website: www.alitajran.com
LinkedIn: linkedin.com/in/alitajran
.CHANGELOG
V1.00, 04/05/2021 - Initial version
V2.00, 03/28/2023 - Rewrite script to retrieve results faster
#>
# Clears the host console to make it easier to read output
Clear-Host

# Sets the path to the directory containing the log files to be processed
$logFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"

# Sets the path to the output file that will contain the unique IP addresses
$Output = "C:\temp\IPAddresses.txt"

# Gets a list of the log files in the specified directory (always as an array, even for a single file)
$logFiles = @(Get-ChildItem $logFilePath)

# Gets the number of log files to be processed
$count = $logFiles.Count

# Collects the remote IP address of every log line into $ips
$ips = foreach ($log in $logFiles) {
    # Displays progress information
    $percentComplete = [int](($logFiles.IndexOf($log) + 1) / $count * 100)
    $status = "Processing $($log.FullName) - $percentComplete% complete ($($logFiles.IndexOf($log)+1) of $count)"
    Write-Progress -Activity "Collecting Log details" -Status $status -PercentComplete $percentComplete

    # Displays the name of the log file being processed
    Write-Host "Processing Log File $($log.FullName)" -ForegroundColor Magenta

    # Reads the content of the log file, skipping the first five lines
    $fileContent = Get-Content $log.FullName | Select-Object -Skip 5

    # Loops through each line in the log file
    foreach ($line in $fileContent) {
        # Skips blank or truncated lines that have no socket field
        $fields = $line.Split(',')
        if ($fields.Count -lt 6) { continue }

        # Extracts the IP address from the socket information in the log line
        $socket = $fields[5]
        $ip = $socket.Split(':')[0]

        # Emits the IP address so that it is collected in $ips
        $ip
    }
}

# Displays progress information
Write-Progress -Activity "Processing IP Addresses" -Status "This can take time"

# Removes duplicate IP addresses from the $ips array and sorts them alphabetically
$uniqueIps = $ips | Select-Object -Unique | Sort-Object

# Displays the list of unique IP addresses on the console
Write-Host "List of IP addresses:" -ForegroundColor Cyan
$uniqueIps

# Writes the list of unique IP addresses to the output file
$uniqueIps | Out-File $Output
This is how it looks in File Explorer.
In line 27, where $logFilePath is set, change the path to the receive protocol log path you found in the previous step.
In our example, this is how it looks:
$LogFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"
Run SMTP-Review PowerShell script
Run PowerShell as administrator and run the SMTP-Review.ps1 PowerShell script.
Note: Run the script on all Exchange Servers if you have an SMTP relay configured on it. For example, Exchange Server EX01-2016 and EX02-2016.
C:\scripts\.\SMTP-Review.ps1
The script will go through all the files, and after it finishes, you will see which IP addresses use the SMTP relay in the console output. Also, it will generate an IPAddresses.txt file with the IP addresses in the C:\temp folder.
Make a note of the IP addresses and adjust the SMTP field in the printers, applications, and servers to the new SMTP relay record.
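An added example, not part of the original SMTP-Review.ps1: every line in the SMTP receive protocol log also carries the connector name, a timestamp and an event code, so the clients can be narrowed to one receive connector and listed with a session count and the last time they connected. The function name Get-RelayClientSummary and the sample log lines are constructed for illustration; the example assumes PowerShell 3.0 or later.

```powershell
function Get-RelayClientSummary {
    param(
        [string[]]$Line,       # raw protocol log lines
        [string]$ConnectorId   # connector to report on, e.g. 'EX01-2016\SMTP relay'
    )
    # Field order as listed in the "#Fields:" header of the log files
    $header = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $Line |
        Where-Object { $_ -and -not $_.StartsWith('#') } |    # drop header and blank lines
        ConvertFrom-Csv -Header $header |                     # handles quoted data fields
        # '+' is the connect event: one such line per SMTP session
        Where-Object { $_.'connector-id' -eq $ConnectorId -and $_.event -eq '+' } |
        ForEach-Object {
            [pscustomobject]@{
                # Strips the trailing port, then the brackets around an IPv6 address
                IP   = $_.'remote-endpoint' -replace ':\d+$' -replace '^\[|\]$'
                Time = [datetime]$_.'date-time'
            }
        } |
        Group-Object IP |
        ForEach-Object {
            [pscustomobject]@{
                IP       = $_.Name
                Sessions = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } |
        Sort-Object LastSeen -Descending
}

# Constructed sample lines (not taken from a real server)
$sample = @(
    '#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    '2021-04-05T08:00:01.000Z,EX01-2016\SMTP relay,08D8F7A000000001,0,192.168.1.50:25,192.168.1.21:50123,+,,'
    '2021-04-05T08:00:01.100Z,EX01-2016\SMTP relay,08D8F7A000000001,1,192.168.1.50:25,192.168.1.21:50123,>,"220 EX01-2016 Microsoft ESMTP MAIL Service ready",'
    '2021-04-06T09:30:00.000Z,EX01-2016\SMTP relay,08D8F7A000000002,0,192.168.1.50:25,192.168.1.21:50999,+,,'
    '2021-04-06T10:00:00.000Z,EX01-2016\Default Frontend EX01-2016,08D8F7A000000003,0,192.168.1.50:25,10.0.0.8:40111,+,,'
    '2021-04-07T11:00:00.000Z,EX01-2016\SMTP relay,08D8F7A000000004,0,[2001:db8::50]:25,[2001:db8::10]:50400,+,,'
)

Get-RelayClientSummary -Line $sample -ConnectorId 'EX01-2016\SMTP relay'

# Against real logs, pass the file contents instead of $sample:
# Get-RelayClientSummary -Line (Get-Content "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log") -ConnectorId 'EX01-2016\SMTP relay'
```

An address whose LastSeen is weeks old is a candidate for removal from the connector's remote IP list, while a recent one still has to be repointed before the connector is disabled.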
Conclusion
You learned how to find IP addresses using Exchange SMTP relay. Enable logging on the SMTP relay receive connector and copy the log path before you start. Run the SMTP-Review.ps1 PowerShell script and let it run through the SMTP receive logs. Don’t forget to run the script on all the Exchange Servers with an SMTP relay receive connector configured.
When the script finishes, adjust the SMTP records on the mentioned IP addresses. Another excellent way to use the script is to know which IP addresses are obsolete and delete them from the receive connector IP addresses list.
Is this script safe to run? No impact to the Exchange server?
Yes, it’s safe. The script only collects the information, and no changes will be applied.
Thanks for the script! Very helpful
Thanks for the script. Is there also a way to find out which application or server is still sending mail via the SMTP relay?
That’s exactly what the script outputs – a list of the IP addresses using the SMTP relay.
Awesome script, much appreciated.
Great Solution. Thank You
Thank you for the script! In the case of having multiple receive connectors, how would you modify it to show results from a particular one?
I don't think you can scope to a particular connector. The only way I can see would be to change the location of the logs for the particular connector you want to scope, then run the script against that log location (instead of the generic location where all logs are kept).
Thank you Ali.
Works perfectly on Exchange 2010.
Can you tell me what we need to do to make this script work with Exchange 2016?
The SMTP-Review.ps1 PowerShell script works on these Exchange Server versions:
– Exchange Server 2010
– Exchange Server 2013
– Exchange Server 2016
– Exchange Server 2019
Hello Ali,
thank you very much for your courses, they are awesome 🙂
After running the script on my Ex2016, I saw the IP address of my Exchange Server’s second NIC, which was planned for DAG, in the list. The problem is that DAG cannot be used actively.
The situation in the organization is like this:
1 Ex2016 > DAG configured but not active, also only one Ex2016 exists
2 New Ex2019 > DAG configured and used actively
After copying the receive connector (anonymous relay) from the previous issues directly from the old server, the anonymous relay connector did not work on the new Ex2019 servers.
What would you suggest?
Thank you in advance for your answers
Emre
Hi Emre,
Glad that you like the courses.
Follow the article Copy receive connector to another Exchange Server.
At the end of the article, you will see that you have to grant MS-Exch-SMTP-Accept-Any-Recipient permissions to the Anonymous Logon Account on the receive connector for anonymous SMTP relay to work.
Thanks for the great writeup.
This is such a perfect, fast solution. Thanks for this!