Find IP addresses using Exchange SMTP relay

You want to find on-premises IP addresses that use Exchange SMTP relay for sending mail. Why do you want to have that information? Most commonly, that’s when you want to decommission an Exchange Server, and you like to confirm that there is no mail flow running over the SMTP relay. If everything is set up, you can disable the SMTP relay receive connector. In this article, you will learn how to automate the search and find the IP addresses that use the SMTP relay.

Table of contents

Introduction

Before we start, it’s good to know why we want to know which IP addresses use the Exchange SMTP relay. A couple of reasons are when you:

Note: Please don’t remove the SMTP relay receive connector immediately, and don’t decommission the Exchange Server immediately. That’s a big mistake.

We recommend the following order:

  • Get IP addresses using Exchange SMTP relay (this article)
  • Disable SMTP relay receive connector
  • Shutdown Exchange Server for a week or longer
  • Decommission Exchange Server

Check SMTP relay logs

To search for IP addresses in the logs, you need to enable logging on the connector. Run Exchange Management Shell as administrator. Run Get-ReceiveConnector cmdlet and check if protocol logging is enabled on the SMTP relay receive connector.

In our example, ProtocolLoggingLevel shows Verbose for the Identity SMTP Relay. It means that logging is enabled.

[PS] C:\>Get-ReceiveConnector -Server "EX01-2016" | ft Identity,Enabled,TransportRole,Protocol*,Bindings

Identity                                    Enabled     TransportRole ProtocolLoggingLevel Bindings
--------                                    -------     ------------- -------------------- --------
EX01-2016\Default EX01-2016                    True      HubTransport              Verbose {0.0.0.0:2525, [::]:2525}
EX01-2016\Client Proxy EX01-2016               True      HubTransport              Verbose {[::]:465, 0.0.0.0:465}
EX01-2016\Default Frontend EX01-2016           True FrontendTransport              Verbose {[::]:25, 0.0.0.0:25}
EX01-2016\Outbound Proxy Frontend EX01-2016    True FrontendTransport              Verbose {[::]:717, 0.0.0.0:717}
EX01-2016\Client Frontend EX01-2016            True FrontendTransport              Verbose {[::]:587, 0.0.0.0:587}
EX01-2016\SMTP relay                           True FrontendTransport              Verbose {0.0.0.0:25}

You can check the SMTP logging status in Exchange admin center. Go to mail flow > receive connectors. Select the Exchange Server that you want to check. Select the SMTP relay receive connector and check the details pane if it shows Logging – On.

Note: If you have more than one Exchange Server in the organization, you most likely have an SMTP relay receive connectors configured on more than one Exchange Server for high availability. Check that SMTP relay receive connector logging is enabled on all Exchange Servers.

Find IP addresses using Exchange SMTP relay enable

If SMTP logging is enabled, skip the next step. If not, enable logging on the SMTP relay receive connector in the next step. It’s most likely the transport role FrontendTransport.

Enable SMTP relay logs

[PS] C:\>Get-ReceiveConnector -Identity "EX01-2016\SMTP relay" | Set-ReceiveConnector -ProtocolLogging Verbose

Do you want to enable SMTP relay logging in Exchange admin center? Click in the details pane on the On link to enable SMTP logging. Do the same on the other Exchange Servers.

Find IP addresses using Exchange SMTP relay turn on

If you enabled SMTP relay receive connector logging right now, you have to wait a couple of days or weeks before logs are generated. That depends on the use.

Find SMTP relay logs

It’s impossible to find Exchange SMTP logs path in Exchange admin center. We need to use Exchange Management Shell and find where the SMTP logs are placed.

[PS] C:\>Get-FrontendTransportService -Identity "EX01-2016" | fl Name,Identity,Receive*


Name                               : EX01-2016
Identity                           : Frontend
ReceiveProtocolLogMaxAge           : 30.00:00:00
ReceiveProtocolLogMaxDirectorySize : 250 MB (262,144,000 bytes)
ReceiveProtocolLogMaxFileSize      : 10 MB (10,485,760 bytes)
ReceiveProtocolLogPath             : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

Copy ReceiveProtocolLogPath and paste it into Windows Explorer.

Find IP addresses using Exchange SMTP relay log path

In the next step, we will prepare the PowerShell script to scan all the logs and filter out the IP addresses.

Read more: Exchange receive connector logging »

Prepare SMTP-Review PowerShell script

Create two folders on the Exchange Server (C:) drive:

  • Temp
  • Scripts

Download SMTP-Review.ps1 PowerShell script and place it in C:\scripts folder. The script will export the text file to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Another option is to copy and paste the below code into Notepad. Give it the name SMTP-Review.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    SMTP-Review.ps1

    .DESCRIPTION
    Script is intended to help determine servers that are using an Exchange server to connect and send email.
    This is especially pertinent in a decommission scenario, where the logs are to be checked to ensure that
    all SMTP traffic has been moved to the correct endpoint.

    .LINK
    www.alitajran.com/find-ip-addresses-using-exchange-smtp-relay

    .NOTES
    Written by: ALI TAJRAN
    Website:    www.alitajran.com
    LinkedIn:   linkedin.com/in/alitajran

    .CHANGELOG
    V1.00, 04/05/2021 - Initial version
    V2.00, 03/28/2023 - Rewrite script to retrieve results faster
#>

# Clears the host console to make it easier to read output
Clear-Host

# Sets the path to the directory containing the log files to be processed
$logFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"

# Sets the path to the output file that will contain the unique IP addresses
$Output = "C:\temp\IPAddresses.txt"

# Gets a list of the log files in the specified directory
$logFiles = Get-ChildItem $logFilePath

# Gets the number of log files to be processed
$count = $logFiles.Count

# Initializes an array to store the unique IP addresses
$ips = foreach ($log in $logFiles) {

    # Displays progress information
    $percentComplete = [int](($logFiles.IndexOf($log) + 1) / $count * 100)
    $status = "Processing $($log.FullName) - $percentComplete% complete ($($logFiles.IndexOf($log)+1) of $count)"
    Write-Progress -Activity "Collecting Log details" -Status $status -PercentComplete $percentComplete

    # Displays the name of the log file being processed
    Write-Host "Processing Log File $($log.FullName)" -ForegroundColor Magenta

    # Reads the content of the log file, skipping the first five lines
    $fileContent = Get-Content $log | Select-Object -Skip 5

    # Loops through each line in the log file
    foreach ($line in $fileContent) {

        # Extracts the IP address from the socket information in the log line
        $socket = $line.Split(',')[5]
        $ip = $socket.Split(':')[0]

        # Adds the IP address to the $ips array
        $ip
    }
}

# Displays progress information
Write-Progress -Activity "Processing IP Addresses" -Status "This can take time"

# Removes duplicate IP addresses from the $ips array and sorts them alphabetically
$uniqueIps = $ips | Select-Object -Unique | Sort-Object

# Displays the list of unique IP addresses on the console
Write-Host "List of IP addresses:" -ForegroundColor Cyan
$uniqueIps

# Writes the list of unique IP addresses to the output file
$uniqueIps | Out-File $Output

This is how it looks in File Explorer.

Find IP addresses using Exchange SMTP relay script

In Line 27, change the path to the receive protocol log path you searched for in the previous step.

In our example, this is how it looks:

$LogFilePath = "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"

Run SMTP-Review PowerShell script

Run PowerShell as administrator and run the SMTP-Review.ps1 PowerShell script.

Note: Run the script on all Exchange Servers if you have an SMTP relay configured on it. For example, Exchange Server EX01-2016 and EX02-2016.

C:\scripts\.\SMTP-Review.ps1

The script will go through all the files, and after it finishes, you will see which IP addresses use the SMTP relay in the console output. Also, it will generate an IPAddresses.txt file with the IP addresses in the C:\temp folder.

Find IP addresses using Exchange SMTP relay script running

Make a note of the IP addresses and adjust the SMTP field in the printers, applications, and servers to the new SMTP relay record.

Other articles that may interest you:

Conclusion

You learned how to find IP addresses using Exchange SMTP relay. Enable logging on the SMTP relay receive connector and copy the log path before you start. Run the SMTP-Review.ps1 PowerShell script and let it run through the SMTP receive logs. Don’t forget to run the script on all the Exchange Servers with an SMTP relay receive connector configured.

When the script finishes, adjust the SMTP records on the mentioned IP addresses. Another excellent way to use the script is to know which IP addresses are obsolete and delete them from the receive connector IP addresses list.

Did you enjoy this article? You may also like Microsoft Exchange Server vulnerability check. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

X TwitterLinkedIn

What Others Are Reading

This Post Has 15 Comments

  3. Thanks for the script, is there also a way how you can find out which application or server is still sending mail via the SMTP relay.

    Reply

  6. Thank you for the script! In the case of having multiple receive connectors how would you modify it to show results from a particular one?

    Reply

    1. I dont think you can scope to a particular connector. Only way i can see it would be to change the location of the logs for the particular connector you want to scope, then run the script against that log location (instead of the generic location where all logs are kept).

      Reply

  7. Thank you Ali ..
    Works perfectly on Exchange 2010 ..
    Can you tell me what we need to do to make this Script work with Exchange 2016 ?

    Reply

    1. The SMTP-Review.ps1 PowerShell script works on these Exchange Server versions:

      – Exchange Server 2010
      – Exchange Server 2013
      – Exchange Server 2016
      – Exchange Server 2019

      Reply

  8. Hello Ali,

    thank you very much for your courses, they are awesome 🙂
    After running the script on my Ex2016, I saw the IP address of my Exchange Server’s second NIC what planned for DAG in the list. The problem is that DAG cannot be used actively.
    The situation in the organization is like this
    1 Ex2016 > DAG configured but is not aktiv, also exist only one Ex2016
    2 New Ex2019 > DAG configured and used aktively
    After copying the receive connector (anonymous relay) from the previous issues directly from the old server, the anonymous relay connector did not work on the new Ex2019 servers.
    What would you suggest me ?

    Thank you in advance for your answers

    Emre

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *