Harun’s Microsoft Blog

How to allow the internal application servers to relay SMTP Messages thru Exchange Server 2010 and 2007

by on Oct.06, 2009, under EXCHANGE 2007, EXCHANGE 2010

if you are getting the SMTP error message “550 5.7.1 Unable to relay” when you try to relay smtp messages thru your exchange server, you have to configure a new receive connector by following the steps below

SMTP applications that can authenticate to relay messages does not have this problem so this configuration is strictly for those applications that cannot authenticate with Exchange 2010..

First step is to create a new custom receive connector to be able to scope remote IP Addresses of the application servers that we will allow.

Start your Exchange Management Console -> Expand the Server Configuration and click on Hub Transport-> Click on the “New Receive Connector”

 

Enter an approtiate name and  Click NEXT

In the “Remote Network settings” window, remove the existing range that is already suggested in the window,

Click “Add” to enter the IP Adresses/ranges of the application servers that will be allowed to relay SMTP messages, Click OK and Next
Click New and Finish

Check Properties of the new connector 

Click on the Authentication Tab, clear all the check boxes and choose the Exchange server authentication check box 

Click on the Permissions Group Tab and check the Anonymous users box 

The next step is to create the connector, and open the properties. Now you have two options, which I will present. The first option will probably be the most common.

Option 1: Make your new scoped connector an Externally Secured connector

This option is the most common option, and preferred in most situations where the application that is submitting will be submitting email to your internal users as well as relaying to the outside world.

Before you can perform this step, it is required that you enable the Exchange Servers permission group. Once in the properties, go to the Permissions Groups tab and select Exchange servers.

Next, continue to the authentication mechanisms page and add the “Externally secured” mechanism. What this means is that you have complete trust that the previously designated IP addresses will be trusted by your organization.

How to Grant the relay permission to Anonymous users on the new connector?

Check the “Anonymous users” box

This will grant permissions for the anonymous account, but not the permission to relay. This should be done thru the Exchange shell:

Get-ReceiveConnector “Haruns Application Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

That’s it :)


Leave a Reply

You must be logged in to post a comment.

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Blogroll

A few highly recommended websites...