Exchange 2016: Default Frontend Connector - "Ms-Exch-SMTP-Accept-Any-Recipient"

Azy1412 211 Reputation points

We've recently patched our Exchange servers; after the patch, we received complaints that some of our applications were unable to send to external recipients. (The patch might not be the cause, but it is the only recent change that was made on Exchange.)

I've used telnet to check the sending to external recipients and received the following error:

550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain 451 4.7.0 Timeout waiting for client input

The application mail flow is: APP/User -> Exchange Load Balancer IP -> Exchange Auto Mapped IP -> Exchange IP -> Mail Gateway

I've escalated the issue to our support, who modified the default frontend connector with the command below.

Get-ReceiveConnector "Default Frontend" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

After that, emails were sent with no issue, but this seems to me like a security concern, as the default frontend connector is acting as an open relay. (I know I shouldn't have modified the default receive connector, but there were so many calls accompanied by verbal abuse to solve the issue as soon as possible.)

After some googling, I read that you shouldn't remove Ms-Exch-SMTP-Accept-Any-Recipient, as it will not accept any emails coming from the internet.

Here are the connector settings:

AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25,}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : False
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : LON-EX01.Constoso.local
ServiceDiscoveryFqdn :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 5
MaxLogonFailures : 3
MaxMessageSize : 36 MB (37,748,736 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers, ExchangeServers, ExchangeLegacyServers, Custom
PipeliningEnabled : True
ProtocolLoggingLevel : None
RemoteIPRanges : {::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff,}
RequireEHLODomain : False
RequireTLS : False
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
Server : LON-EX01
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
AcceptConsumerMail : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AuthTarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend LON-EX01
OriginatingServer : LON-DC01
IsValid : True
ObjectState : Unchanged

I need your guidance, as I don't know where to go from here.

Thank you and I apologize for the lengthy question. ^_^'


Accepted answer
Kael Yao-MSFT 37,676 Reputation points Microsoft Vendor

Hi, @Azy1412

To my understanding, you would like to use your Exchange server as an SMTP relay for applications.
Did you set up some custom receive connectors used for SMTP relay on your Exchange server before?

Please note that it is never suggested to modify the default receive connectors.

You get the "550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain" error because the "Default Frontend <servername>" receive connector only accepts messages sent to your default mail domain and other accepted domains.
This is the default setting.

If the "ms-Exch-SMTP-Accept-Any-Recipient" permission is added to the "Default Frontend <servername>" receive connector, your Exchange server may be at risk of becoming an open relay, because it will no longer reject emails sent to external domains outside the scope of your accepted domains.

The recommended method for your issue should be creating a dedicated custom receive connector and setting it to receive from specific IP addresses (which are used by the applications).
Here is a Microsoft document introducing the detailed steps for your reference: Allow anonymous relay on Exchange servers

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
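The remediation the answer describes, written out as an added Exchange Management Shell example (not code from the thread or from the Microsoft document): revoke the relay right on the default frontend connector, create an IP-scoped custom connector for the applications, grant the right there only, and verify. The server name LON-EX01 comes from the question; the connector name and the application addresses 10.0.0.21/10.0.0.22 are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumed: server LON-EX01 (from the question); application source addresses
# 10.0.0.21 and 10.0.0.22 are placeholders - substitute your own app hosts.

$server   = "LON-EX01"
$appHosts = "10.0.0.21", "10.0.0.22"   # hosts allowed to relay anonymously

# 1. Undo the change on the default frontend connector so anonymous senders
#    can no longer relay to domains outside the accepted domains.
Get-ReceiveConnector "$server\Default Frontend $server" |
    Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" -Confirm:$false

# 2. Create a custom frontend connector on port 25 that only answers for the
#    application source IPs. Its more specific RemoteIPRanges makes Exchange
#    prefer it over the Default Frontend connector for those hosts only.
New-ReceiveConnector -Name "App Relay $server" -Server $server `
    -TransportRole FrontendTransport -Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges $appHosts

# 3. Allow anonymous submission on the scoped connector and grant the relay
#    right there, and nowhere else.
Set-ReceiveConnector "$server\App Relay $server" -PermissionGroups AnonymousUsers
Get-ReceiveConnector "$server\App Relay $server" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verify: list every receive connector on this server that still lets
#    anonymous senders relay to any recipient. Only "App Relay" should appear.
Get-ReceiveConnector -Server $server |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Select-Object Identity, ExtendedRights
```

RemoteIPRanges is matched against the source address Exchange actually sees; if the load balancer in the question's mail flow rewrites the source address, the scoped connector would match only the load balancer's address, and the scope would need to be reconsidered rather than widened to that address.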
