How to Configure Application Servers to Relay Through Exchange 2007

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Applies to: Exchange Server 2007 SP3

In some environments, you may have to allow an application server to relay e-mail messages through a Microsoft Exchange server. You may have to do this if you have a SharePoint server, a CRM application such as Dynamics, or a Web site that sends e-mail messages to your employees or customers.

Configuring your applications to successfully relay through an Exchange server prevents the "550 5.7.1 Unable to relay" error message from occurring.

You can use one of the following methods to let an application server relay through Exchange 2007.

  • Allow all computers that can authenticate Exchange 2007 users to relay messages.

  • Create a custom Receive connector for computers that cannot authenticate Exchange 2007 users.

How to Allow Computers That Can Automatically Authenticate Exchange Users to Relay Messages

By default, Exchange 2007 is configured to accept and relay e-mail only from hosts that can authenticate Exchange users. Both the "Default" and "Client" Receive connectors are configured in this manner. Authenticating is the simplest method to allow users to submit messages, and it is preferred in many cases.

The "ExchangeUsers" group lets authenticated users submit and relay messages. The permissions that are granted with the ExchangeUsers group are as follows:

  • NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}

  • NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}

  • NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}

  • NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

The specific system access control list (SACL) that controls relaying is ms-Exch-SMTP-Accept-Any-Recipient.

How to Create a Custom Receive Connector for Computers that Cannot Authenticate Exchange Users

For computers that cannot authenticate Exchange 2007 users, you must create a new custom Receive connector. A Receive connector is essentially a protocol listener, and a custom one lets you control which remote hosts may use it and how they are authenticated. The most common example of this is an application server that must relay messages through Exchange. You must create a new Receive connector because you will want to restrict it to the remote IP addresses that you want to allow.

To create a custom Receive connector

  1. Open the Exchange Management Console. Perform one of the following steps:

    • On a computer that has the Edge Transport server role installed, select Edge Transport, and then click the Receive Connectors tab.

    • To create a Receive connector on a Hub Transport server, expand Server Configuration in the console tree, and then select Hub Transport. In the results pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.

  2. In the action pane, click New Receive Connector. The New SMTP Receive Connector Wizard starts.

  3. On the Introduction page, type a meaningful name for this connector in the Name field. This name is used to identify the connector.

  4. In the Select the intended use for this connector field, select Custom to create a customized connector that will be used to connect with systems that are not running Exchange server.

  5. Click Next.

  6. On the Remote network settings page, enter the IP address or IP address range of the remote servers from which the connector will accept incoming connections. To add the remote IP address or remote IP address range, use one of the following methods:

    • To enter an IP address or subnet without a subnet mask, or to specify the subnet mask by using Classless Interdomain Routing (CIDR) notation, click Add or the arrow located next to Add, and then select IP Address.

    • In the Add IP address(es) of Remote Servers dialog box, enter the IP address by using one of the following methods:

      Enter an IP address without a subnet mask. For example, enter 192.168.1.0. If you do not specify a subnet mask by using CIDR notation, the classful default subnet mask is assumed.

      Enter an IP address by using CIDR notation. For example, enter 192.168.1.0/24.

    • To enter an IP address or subnet together with a subnet mask in dotted decimal notation, click the arrow located next to Add, and then select IP and Mask. In the Add Remote Servers - IP and Mask dialog box, enter the IP address and the subnet mask by using the following syntax:

      IP Address: For example, enter 192.168.1.0.

      Subnet Mask: For example, enter 255.255.255.0.

    • To specify an IP address range by using the first IP address and the last IP address in the range, click the arrow located next to Add, and then select IP Range. In the Add Remote Servers - IP Range dialog box, enter the first and last addresses of the range by using the following syntax:

      Start Address: For example, enter 192.168.1.1.

      End Address: For example, enter 192.168.255.255.

      Because you cannot specify a subnet mask, the classful default subnet mask is assumed.

  7. When you are finished, click OK, and then click Next.

  8. On the New Connector page, review the configuration summary for the connector. If you want to change the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.

  9. On the Completion page, click Finish.
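The same custom Receive connector created from the Exchange Management Shell rather than the wizard, as an added example that is not part of the original article. The server name HUB01, the connector name "CRM Application" and the two remote ranges are assumed values.

```powershell
# Added example, not from the original article: create the custom Receive
# connector from the Exchange Management Shell instead of the wizard.
# Assumed values: Hub Transport server HUB01, connector name "CRM Application",
# and two constructed application-server ranges.

# Listen on TCP 25 on every IPv4 address of HUB01, but only accept sessions
# from the listed remote ranges. Both wizard formats are shown: CIDR and a
# first-last address range (a dotted mask such as 255.255.255.0 is the same
# as /24). With -Usage Custom, both -Bindings and -RemoteIPRanges are required.
New-ReceiveConnector -Name "CRM Application" `
    -Server "HUB01" `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges "192.168.1.0/24", "10.0.5.10-10.0.5.12"

# The Default connector on the same port already accepts 0.0.0.0-255.255.255.255.
# That overlap is allowed because Exchange hands a session to the connector
# whose RemoteIPRanges match the client most specifically. Keep the ranges
# here narrow: every host in them inherits whatever relay rights you grant next.
Get-ReceiveConnector -Server "HUB01" |
    Format-Table Name, Enabled, Bindings, RemoteIPRanges -AutoSize
```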

Create an Externally Secured Connector for the Custom Receive Connector

Creating an externally secured connector for the new Receive connector is preferred in most situations where an application will be submitting e-mail messages to internal users and relaying e-mail messages to the Internet.

Before you can create this connector, you must enable the Exchange Servers permission group.

Note

You must perform the following steps in the order in which they are presented.

To create an externally secured connector for the custom Receive connector

  1. Right-click the new connector, click Properties, click the Permissions Groups tab, and then select Exchange servers.

  2. Click the Authentication tab, and then select the Externally secured check box.

When you configure this setting, you grant several rights, including the right to "send on behalf of users" in your organization and the right to ResolveP2 (that is, messages appear to have been sent from within the organization rather than anonymously). This setting also lets the submitting hosts bypass anti-spam filtering and message size limits. The default Externally Secured permissions are as follows:

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}

  • MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}

  • MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}

  • MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}

  • MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}
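The externally secured configuration applied from the Exchange Management Shell, as an added example that is not part of the original article; it assumes the connector identity "HUB01\CRM Application" from the earlier steps. The second part lists what the connector's remote hosts actually receive.

```powershell
# Added example, not from the original article: make the custom connector
# externally secured from the Exchange Management Shell.
# Assumed connector identity: "HUB01\CRM Application".
$conn = "HUB01\CRM Application"

# Order matters, as the note above says: Set-ReceiveConnector refuses
# ExternalAuthoritative unless the Exchange Servers permission group is
# already on the connector (the two can also be combined in one call).
Set-ReceiveConnector -Identity $conn -PermissionGroups ExchangeServers
Set-ReceiveConnector -Identity $conn -AuthMechanism ExternalAuthoritative

# Review what every host in RemoteIPRanges now gets. The rights are held by
# the "Externally Secured Servers" group, not by a named account, so the
# connector's remote IP ranges are the only control on who receives them.
Get-ADPermission -Identity $conn |
    Where-Object { $_.User.ToString() -like "*Externally Secured Servers" -and -not $_.Deny } |
    Select-Object User, ExtendedRights
```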

How to Grant Anonymous Permissions to the Custom Receive Connector

This option grants the submitting application only the minimum set of permissions it requires. With the custom Receive connector that you created earlier, you can grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account.

To grant anonymous permissions to the custom Receive connector

  1. Right-click the new connector, click Properties, click the Permissions Groups tab, and then select Anonymous users.

    This grants the most common permissions to the anonymous account, but it does not grant the relay permission. The relay permission must be granted through the Exchange Management Shell.

  2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and then click Exchange Management Shell.

  3. At the command prompt, type the following, and then press ENTER:

    Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
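Once relay has been granted this way, an administrator wants to know which connectors in the organization allow unauthenticated relay and from where. The following audit script is an added example, not part of the original article; the all-addresses pattern it flags is a constructed heuristic based on how the Default connector's range is displayed.

```powershell
# Added example, not from the original article: audit every Receive connector
# for unauthenticated relay, either ANONYMOUS LOGON holding
# ms-Exch-SMTP-Accept-Any-Recipient (granted as in the step above) or the
# connector being externally secured, and report the remote ranges that can
# reach it. A hit whose range is the whole address space is an open relay.
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"
$anon = "NT AUTHORITY\ANONYMOUS LOGON"

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    $why = @()
    # Explicit grant to the anonymous account (not a Deny entry).
    $grants = $rc | Get-ADPermission | Where-Object {
        $_.User.ToString() -eq $anon -and -not $_.Deny -and
        ([string]$_.ExtendedRights) -match $relayRight }
    if ($grants) { $why += "anonymous grant" }
    # Externally secured: relay rights go to everyone in RemoteIPRanges.
    if ("$($rc.AuthMechanism)" -match "ExternalAuthoritative") { $why += "externally secured" }

    if ($why.Count -gt 0) {
        $ranges = [string]::Join(", ", [string[]]($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }))
        # Heuristic: the all-addresses range displays as 0.0.0.0-255.255.255.255
        # (a /0 CIDR means the same). Anything else is at least scoped.
        $status = "restricted to listed ranges"
        if ($ranges -match '0\.0\.0\.0-255\.255\.255\.255|/0(\D|$)') { $status = "OPEN RELAY" }
        "{0}: relay via {1}; from {2} -> {3}" -f $rc.Identity, [string]::Join(" + ", [string[]]$why), $ranges, $status
    }
}
```

Run it after each change to a connector: a connector that only appears in the output with a narrow, application-specific range is the intended result of this article.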