This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 57.00000000000001%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDW%3C/text%3E%3C/svg%3E)
I am using an old Exchange 2016 Server as an internal SMTP relay for things on-prem that don't play well with O365.
I am trying to configure a connector so that it requires authentication but acts like an anonymous relay.
Example, upon connecting from anywhere, you do the usual SMTP auth but at the point where you enter the from email address you can put anything.
At the moment it requires the from address to be the one that is listed on the authenticated users AD account.
I have already tried adding the ms-Exch-SMTP-Accept-Any-Sender permission manually to the connector but still no joy.
Can anyone suggest anything?
You can't have an anonymous relay and require auth on the same connector. Those are two opposing concepts.
Ok, so given the following...
We have an application that needs to send emails from a fairly large Citrix farm.
Our security team will not allow us to add the IP's of the servers to a connector as that would allow anyone or any application to be able to relay from up to 40 servers with nearly 1000 concurrent users.
The application uses the email address of the user running the application as the from address when it sends the email (basically trying to impersonate the user).
All of our users have mailboxes in O365.
We figured SMTP Auth would be the right track however as you've said you can't do that and have it act like an anonymous relay.
I'm open to suggestions on how to achieve a working system?
and the application has a mailbox and can auth to the Exchange Servers?
If so, if you gave it SEND AS rights to all the mailboxes, and have it use the standard client receive connector on port 587, that should work,
If it can't auth to the Exchange Servers, you are in a bit of bind and really have other choice but to allow it to relay and scoped to the IPs of the servers.
I guess the other question is , can you security trim it on the Citrix server side and only allow the app to send email ( i.e. no one can open a telnet window and send on port 25 or use powershell to send a mail message etc..)
The application mail user has no mailbox but can authenticate against the Exchange Server.
It is authenticating as a Mail User to the on-prem Exchange Server but all of the recipients will be external, either truly external or in O365.
I know it's a rubbish situation. The only other avenue I have is to go to the application developers (who are kind of in-house) and use the security team to help beat them into submission to use a pre-defined from address instead of the logged in users email address.
If you could focus on the sender or message header ( The app may generate a message ID or something similar that has the same partial data in each message),
then you could create a transport rule and allow anonymous relay - Dropping messages from that Citrix Farm Sever IPs unless it matches those patterns
Example
or
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 22%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Hi @David W ,
I agree with what Andy said.
You could follow what Andy said above to restrict senders by creating a transport rule. Mail sent by users other than the specified sender will be deleted. Regarding the restriction by message id, according to my test, usually the message id of the mail is a string of random GUID plus the format of @yourdomain.com. If you choose to use this method for restriction, please send a test mail in advance and check the message header. Screenshot below is how to create a transport rule to restriction by message id. Please pay attention to the "-" in the format of message id.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @David W ,
Do suggestions above help? If the issue has been resolved, please click “Accept as answer” to mark helpful reply as an answer, this will make answer searching in the forum easier and be beneficial to other community members as well.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @David W ,
I am writing here to confirm with you how thing going now? If the above suggestion helps, please click “Accept as answer” to mark helpful reply as an answer.Your action would be helpful to other users who encounter the same issue and read this thread.
Thanks for your understanding.
----------
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.