The following are the two steps required to enable an internal anonymous relay in Exchange 2013/2016/20*.
Step 1: Create the Receive Connector
New-ReceiveConnector -Name MFP-APP-AnonRelay -Usage Custom -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.25.1-192.168.25.10,192.168.25.225-192.168.25.254 -Comment "Allows anonymous relay" -TransportRole FrontEndTransport -AuthMechanism None -PermissionGroups AnonymousUsers
Variables:
- -Name: Change this if needed, but it must match in both steps
- -RemoteIPRanges: Only put trusted device IP addresses in this section
Once the receive connector is set up it can be managed via EAC.
Step 2: Allow Anonymous Rights
Get-ReceiveConnector "MFP-APP-AnonRelay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Variable:
- The Receive Connector name must match the one set in Step 1
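Because an anonymous relay connector is only as safe as its IP allow list, it is worth auditing the result of the two steps above rather than trusting that they ran cleanly. The script below is an added example, not part of the original post; it assumes it is run in the Exchange Management Shell on Exchange 2013 or later, and that $ConnectorName matches the -Name used in Step 1. It looks up every connector of that name (there may be one per server), flags any RemoteIPRanges entry that is not an RFC 1918 address or is a catch-all range, confirms the settings Step 1 should have produced, and verifies that the Step 2 grant to ANONYMOUS LOGON is actually present.

```powershell
# Added audit script (not from the original post). Assumes the Exchange
# Management Shell is loaded and that the connector name matches Step 1.
$ConnectorName = "MFP-APP-AnonRelay"

function Test-PrivateIPv4 {
    param([string]$Address)
    # IPv4 RFC 1918 ranges only; IPv6 and any public address is flagged for review.
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-RangeEndpoints {
    param([string]$RangeText)
    # RemoteIPRanges entries render as "a.b.c.d", "a.b.c.d-e.f.g.h" or "a.b.c.d/nn".
    if ($RangeText -match '^(?<low>[^-/]+)-(?<high>.+)$') { return @($Matches.low, $Matches.high) }
    if ($RangeText -match '^(?<net>[^/]+)/\d+$')          { return @($Matches.net) }
    return @($RangeText)
}

$connectors = Get-ReceiveConnector | Where-Object { $_.Name -eq $ConnectorName }
if (-not $connectors) { Write-Warning "No receive connector named '$ConnectorName' found."; return }

foreach ($rc in $connectors) {
    $problems = @()

    # 1. Every allowed range must be private; an Internet address here is a mistake.
    foreach ($range in $rc.RemoteIPRanges) {
        foreach ($endpoint in (Get-RangeEndpoints $range.ToString())) {
            if (-not (Test-PrivateIPv4 $endpoint)) { $problems += "Non-private address in RemoteIPRanges: $range" }
        }
    }
    # 2. A catch-all range turns the connector into an open relay for the whole network.
    if ($rc.RemoteIPRanges | Where-Object { $_.ToString() -in @('0.0.0.0-255.255.255.255', '0.0.0.0/0') }) {
        $problems += "RemoteIPRanges contains a catch-all range"
    }
    # 3. The settings Step 1 is meant to produce.
    if ($rc.TransportRole -ne 'FrontEndTransport') { $problems += "TransportRole is $($rc.TransportRole), expected FrontEndTransport" }
    if (-not ($rc.PermissionGroups -match 'AnonymousUsers')) { $problems += "PermissionGroups lacks AnonymousUsers" }
    # 4. The Step 2 grant: ANONYMOUS LOGON must hold Ms-Exch-SMTP-Accept-Any-Recipient (allow, not deny).
    $grant = $rc | Get-ADPermission | Where-Object {
        $_.User -like '*ANONYMOUS LOGON' -and
        $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' -and
        -not $_.Deny
    }
    if (-not $grant) { $problems += "ANONYMOUS LOGON is missing the Ms-Exch-SMTP-Accept-Any-Recipient grant" }

    if ($problems.Count -eq 0) {
        Write-Output "$($rc.Identity): OK ($($rc.RemoteIPRanges.Count) trusted ranges)"
    } else {
        Write-Output "$($rc.Identity): REVIEW"
        $problems | ForEach-Object { Write-Output "  - $_" }
    }
}
```

Run it once after completing Step 2 and again whenever a device is added to the allow list; a "REVIEW" line with a non-private address or a missing grant means one of the two steps did not take effect on that server.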
Conclusion
Once the above steps are set up there is no need to set a username and password on any device that has an allowed IP.
For obvious reasons one should never put an Internet IP address in this rule! But, that being said, one always restricts inbound SMTP 25/587 traffic to a third-party sanitation provider's subnets, right? (We use ExchangeDefender for our own and our clients' needs.)
Also, this setup is for on-premises Exchange.
Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book