Exchange 2013 how to set up anonymous SMTP relay from LAN IP addresses
Posted by rbTech Staff, Last modified by rbTech Staff on 19 January 2015 02:15 PM

Setting up anonymous relaying is fairly simple to do in Exchange 2013, but it's unbelievably poorly documented. After far too much Googling around, I found most of the information I needed, but there was one glaring omission from every page and post I could find: you have to make a 'hole' in your default Receive Connector's RemoteIPRanges for the IP address(es) of the unauthenticated devices, because two Receive Connectors on the same binding should not shade or overlap one another (see the note in the comments below about later builds picking the most specific connector).

To see your current settings, run:

Get-ReceiveConnector | Format-List Name, Bindings, RemoteIPRanges, PermissionGroups

By default RemoteIPRanges is 0.0.0.0-255.255.255.255, which means every IP address anywhere.

If you're making an exception for a single LAN IP address (for example 192.168.0.200), you'll need to change the RemoteIPRanges of the default connector bound to port 25 (in Exchange 2013 that is "Default Frontend <servername>") to the following, using Set-ReceiveConnector:

0.0.0.0-192.168.0.199, 192.168.0.201-255.255.255.255

You'll notice that the exception IP is no longer included in either range, so the default connector will no longer claim connections from it.

Then you have to create a new Receive Connector that accepts unauthenticated connections from that specific IP address only. BE CAREFUL: if this is done improperly (a RemoteIPRanges that includes anything beyond the devices you mean to whitelist) you'll open your server up as an open relay to the Internet and you'll be in for some very, very, very bad days! On Exchange 2013 the connector has to be created on the Frontend Transport role; without -TransportRole FrontendTransport the cmdlet defaults to HubTransport, which is not what listens on port 25.

New-ReceiveConnector -Name "Anonymous Relay" -TransportRole FrontendTransport -Usage Custom -PermissionGroups AnonymousUsers -Bindings 0.0.0.0:25 -RemoteIPRanges 192.168.0.200

Then you have to grant unauthenticated relay permission to the new connector:

Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
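The whole procedure above in one script, as an added example that is not from the original article. It computes the split range instead of hand-typing it, creates and grants the relay connector, then audits every Receive Connector on the server for an anonymous Accept-Any-Recipient grant with a world-spanning range (the open-relay mistake the warning above is about). Assumptions: it runs in the Exchange Management Shell on a multi-role Exchange 2013 server named EX01 with a single LAN relay client at 192.168.0.200; change the three variables at the top to match your environment.

```powershell
# Added example (not from the original article). Assumes the Exchange Management Shell on an
# Exchange 2013 multi-role server named EX01 and one LAN relay client at 192.168.0.200.
$Server    = "EX01"
$RelayIP   = "192.168.0.200"
$RelayName = "Anonymous Relay"

# IPv4 <-> 32-bit integer helpers, used to carve $RelayIP out of 0.0.0.0-255.255.255.255.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    [Array]::Reverse($b)
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

# 1. Punch the hole: the default frontend connector (bound to 0.0.0.0:25) must no longer
#    cover the relay client, otherwise it keeps claiming that client's connections.
$n = ConvertTo-UInt32 $RelayIP
$newRanges = @(
    "0.0.0.0-" + (ConvertFrom-UInt32 ([uint32]($n - 1))),
    (ConvertFrom-UInt32 ([uint32]($n + 1))) + "-255.255.255.255"
)
$defaultFE = Get-ReceiveConnector -Identity "$Server\Default Frontend $Server"
Set-ReceiveConnector -Identity $defaultFE.Identity -RemoteIPRanges $newRanges

# 2. Create the relay connector on the Frontend Transport role (Exchange 2013 defaults to
#    HubTransport, which listens on 2525), scoped to the single client address.
New-ReceiveConnector -Name $RelayName -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -PermissionGroups AnonymousUsers -Bindings "0.0.0.0:25" -RemoteIPRanges $RelayIP

# 3. Allow anonymous senders on that connector to relay to any recipient.
Get-ReceiveConnector -Identity "$Server\$RelayName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Audit: list every connector where ANONYMOUS LOGON holds Accept-Any-Recipient and flag
#    any whose RemoteIPRanges touches 0.0.0.0 or 255.255.255.255, i.e. an open relay.
function Get-AnonymousRelayConnector ([string]$Srv) {
    Get-ReceiveConnector -Server $Srv | ForEach-Object {
        $c = $_
        $grant = Get-ADPermission -Identity $c.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -like "*Accept-Any-Recipient*" }
        if ($grant) {
            $ranges = @($c.RemoteIPRanges | ForEach-Object { $_.ToString() })
            [pscustomobject]@{
                Connector = $c.Name
                Bindings  = ($c.Bindings -join ", ")
                Ranges    = ($ranges -join ", ")
                OpenRelay = [bool]($ranges | Where-Object { $_ -match '^0\.0\.0\.0|255\.255\.255\.255$' })
            }
        }
    }
}
Get-AnonymousRelayConnector $Server | Format-Table -AutoSize
```

The audit in step 4 is worth keeping as a standalone check: after any connector change, the only row it should print is the relay connector with your LAN address(es) and OpenRelay False. The Set-ReceiveConnector in step 1 assumes the default frontend connector still has the stock 0.0.0.0-255.255.255.255 range; if you have already narrowed it, adjust $newRanges by hand rather than running the split.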

Thanks to Microsoft for making an almost complete howto on the subject that I shamelessly cribbed the above cmdlets from (this is the Exchange 2010 version of the page; the Exchange 2013 edition of the same article adds the -TransportRole parameter):

http://technet.microsoft.com/en-us/library/bb232021%28v=exchg.141%29.aspx


Comments (3)
Kevin
10 March 2016 05:36 PM
Thanks, this works. However, when I use Telnet to test it out from a remote location, if I say I'm from the existing mail server, such as MAIL FROM: [email protected], and then say RCPT TO: [email protected], it allows me to send mail internally. It does drop me if I try to send mail externally (such as Hotmail), but it allows me to send email to anyone on the existing server. Is there a way to prevent that?
Rubin Bennett
31 March 2016 04:35 PM
Hi Kevin
You could prevent local delivery of messages received via SMTP. However, delivery of SMTP-received email to local recipients is what a mailserver does. If you limited it in the way you suggest, then users on the mailserver could only receive messages from internal recipients; the mailserver would refuse all SMTP-delivered mail from anywhere outside the organization. While there are potential use cases for just this (an airgapped mailserver, for example, that isn't allowed to correspond with the outside world), the scenario you describe would allow the server to *send* to outside recipients, but not to receive replies. Which I suspect is not what you're after :)

EDIT: I just reread your question, and if I understand, you're saying that if you spoof the From: address to be from a local recipient, the server cheerfully accepts the message and delivers it locally. This is a much larger discussion than the Receive Connector configuration.

Short answer: There are many very effective spam filtering appliances that do this (Untangle, http://untangle.com, is an excellent choice). There are anti-spam measures and modules you can enable and tweak inside of Exchange, but there are entire books written on that subject and I don't have a quick or succinct summary of how a mailserver would evaluate a message for its authenticity or how to stop the case you describe.

We've deployed hundreds of mailservers and have lots of advice and opinions on the subject if you'd like some professional guidance on the subject. :)
Rubin
Rubin Bennett
31 March 2016 04:38 PM
A comment on my comment: Apparently in later Cumulative Updates of Exchange 2013 (and 2016 now), Receive Connectors are evaluated in order of scope. So a Receive Connector for the single IP address would be evaluated *before* the main, default Receive Connector, and so the work I described in the original article may be unnecessary.
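Kevin's telnet test above is the right verification step for this article; here it is scripted, as an added example that is not part of the article or the comments. The function opens an SMTP session, sends EHLO, MAIL FROM and RCPT TO, and QUITs before DATA, so nothing is ever queued; the RCPT TO reply is what tells you whether the connecting address is allowed to relay to that recipient. The hostname mail.example.com and the two test addresses are assumptions.

```powershell
# Added example (not from the article or the comments): a scripted version of the telnet
# relay test. Assumed names: mail.example.com and the example.com / example.net addresses.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [string]$From = "relaytest@example.com",
        [string]$To   = "someone@example.net",
        [int]$Port = 25
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        # One SMTP reply may span several "NNN-" lines; the "NNN " line ends it.
        $readReply = {
            $lines = @()
            do { $l = $reader.ReadLine(); $lines += $l } while ($l -match '^\d{3}-')
            $lines -join "`n"
        }
        $send = { param([string]$Cmd) $writer.WriteLine($Cmd); & $readReply }

        $banner = & $readReply
        $ehlo   = & $send "EHLO relaytest.example"
        $mail   = & $send "MAIL FROM:<$From>"
        $rcpt   = & $send "RCPT TO:<$To>"
        & $send "QUIT" | Out-Null            # no DATA was sent, so nothing is queued

        [pscustomobject]@{
            Server    = $Server
            From      = $From
            To        = $To
            Banner    = $banner
            EhloReply = $ehlo
            MailReply = $mail
            RcptReply = $rcpt
            Accepted  = ($rcpt -match '^250')   # 250 = will relay; 5xx (e.g. 5.7.1) = refused
        }
    }
    finally {
        $client.Close()
    }
}

# From the whitelisted 192.168.0.200, an external recipient should come back Accepted = True.
# From any other host, an external recipient must come back Accepted = False; if it is True,
# you have an open relay and should re-check RemoteIPRanges on every connector.
Test-SmtpRelay -Server "mail.example.com" -To "someone@example.net"
```

Test with an external recipient, not an internal one: a RCPT TO for an address in one of your accepted domains is accepted from any source by design (that is ordinary inbound mail, and it is the behaviour Kevin saw), so only an external recipient distinguishes relay from normal delivery.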