Exchange 2013 how to set up anonymous SMTP relay from LAN IP addresses
Posted by rbTech Staff, Last modified by rbTech Staff on 19 January 2015 02:15 PM
Setting up anonymous relaying is fairly simple to do in Exchange 2013, but it's unbelievably poorly documented. After far too much Googling around, I found most of the information I needed, but there was one glaring omission from every page and post I could find: you have to make a 'hole' in your default receive connector for the IP address(es) of the unauthenticated devices (i.e. Receive Connectors can't shade or overlap one another).
To get your settings, run:
Get-ReceiveConnector | fl
By default the RemoteIpRanges is 0.0.0.0-255.255.255.255, which means every IP address anywhere.
If you're making an exception for a single LAN IP address (for example 192.168.0.200), you'll need to change the RemoteIpRanges to the following:
You'll notice that the exception IP is no longer included in the range.
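One way to work out the split ranges for one or more exception addresses, as an added PowerShell example that is not part of the original article. The function names are hypothetical helpers, and '<default receive connector>' is a placeholder for the identity of your own default connector.

```powershell
# Added example: build a RemoteIPRanges value covering all of IPv4 except the
# listed exception addresses. Function names here are hypothetical helpers.

function ConvertTo-IPv4Number ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Ip"
    }
    $o = $addr.GetAddressBytes()
    # Octets are in network order; fold them into one 64-bit number.
    ([long]$o[0] -shl 24) -bor ([long]$o[1] -shl 16) -bor ([long]$o[2] -shl 8) -bor [long]$o[3]
}

function ConvertFrom-IPv4Number ([long]$N) {
    '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255),
                         (($N -shr 8) -band 255), ($N -band 255)
}

function Format-IPv4Range ([long]$From, [long]$To) {
    if ($From -eq $To) { ConvertFrom-IPv4Number $From }
    else { '{0}-{1}' -f (ConvertFrom-IPv4Number $From), (ConvertFrom-IPv4Number $To) }
}

function Get-RemoteIpRangeHole {
    param([Parameter(Mandatory = $true)][string[]]$ExceptionIp)
    # Sort and de-duplicate so adjacent or repeated exceptions are handled once.
    $holes  = @($ExceptionIp | ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object -Unique)
    $next   = [long]0              # first address not yet covered
    $last   = [long]4294967295     # 255.255.255.255
    $ranges = @()
    foreach ($h in $holes) {
        if ($h -gt $next) { $ranges += Format-IPv4Range $next ($h - 1) }
        $next = $h + 1             # skip the exception address itself
    }
    if ($next -le $last) { $ranges += Format-IPv4Range $next $last }
    $ranges
}

# Review the output first, then apply it to the default connector
# ('<default receive connector>' is a placeholder, not a real connector name):
$ranges = Get-RemoteIpRangeHole -ExceptionIp '192.168.0.200'
$ranges
# Set-ReceiveConnector '<default receive connector>' -RemoteIPRanges $ranges
```

The Set-ReceiveConnector line is left commented out so the computed ranges can be checked against the Get-ReceiveConnector output before anything is changed.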
Then you have to create a new Receive Connector that allows unauthenticated relaying from a specific IP address. BE CAREFUL, because if this is improperly done you'll open your server up as an open relay to the Internet and you'll be in for some very, very, very bad days!
New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.0.200
Then you have to grant unauthenticated relay permission to the new connector:
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
Thanks to Microsoft for making an almost complete howto on the subject that I shamelessly cribbed the above cmdlets from: