
I'm a developer trying to get my .Net application to send emails out through our Exchange server. I'm not an Exchange expert so I'll qualify that up front!!

We've set up a receive Connector in Exchange that has the following properties:

  1. Network: allows all IP addresses via port 25.

  2. Authentication: Transport Layer Security and Externally Secured checkboxes are checked.

  3. Permission Groups: Anonymous Users and Exchange Servers checkboxes are checked.

But, when I run this PowerShell statement right on our Exchange server, it works when I send to a local domain address, but when I try to send to a remote domain it fails.

WORKS:

C:\Windows\system32>Send-Mailmessage -To MYLOCALADDRESS@OURDOMAIN.com -From MYLOCALADDRESS@OURDOMAIN.com -Subject testing -Body testing -SmtpServer OURSERVER

(BTW: my value for OURSERVER=boxname.domainname.local. This is the same fully-qualified name that shows up in our Exchange Management Shell when I launch it).

FAILS:

C:\Windows\system32>Send-Mailmessage -To MYPERSONALADDRESS@gmail.com -From MYLOCALADDRESS@OURDOMAIN.com -Subject testing -Body testing -SmtpServer OURSERVER

Send-MailMessage : Mailbox unavailable. The server response was: 5.7.1 Unable to relay
At line:1 char:17
+ Send-Mailmessage <<<<  -To MYPERSONALADDRESS@gmail.com -From MYLOCALADDRESS@OURDOMAIN.com -Subject testing -Body himom -SmtpServer FTI-EX
    + CategoryInfo          : InvalidOperation: (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpFailedRecipientException
    + FullyQualifiedErrorId : SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

EDIT: Following @TheCleaner's advice, I ran Add-ADPermission against the relay connector, and it didn't help:

[PS] C:\Windows\system32>Get-ReceiveConnector "Allowed Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Identity             User                 Deny  Inherited  
--------             ----                 ----  ---------  
FTI-EX\Allowed Relay NT AUTHORITY\ANON... False False  

Thanks for the help. Mark

Rex
sisdog
  • So you are not passing any credentials? This is anonymous authentication? – Tim Brigham Feb 08 '13 at 18:34
  • That's correct, I'm not sending credentials in my tiny Powershell script. I certainly could send my credentials but I assumed that if I was able to send mail internally without providing credentials that my lack of sending credentials was not a part of the problem. Incorrect assumption? – sisdog Feb 08 '13 at 18:42
  • 1
    Correct. I'll write up an answer on this momentarily. – Tim Brigham Feb 08 '13 at 18:50
  • Just noticed this in the error: -SmtpSe rver FTI-EX Maybe it was just due to a typo? Beyond that, it says you're stating FTI-EX as your server, not FTI-EX.localdomain.local or whatever your domain is. Try full name. – Insomnia Feb 08 '13 at 18:50
  • I've expanded the -SmtpServer to be the full name of the exchange server. It still only worked for internal domains and not external. – sisdog Feb 08 '13 at 18:55

4 Answers


You should set up a receive connector operating on a non-standard port (maybe 2525) and restrict it to only accept IP addresses of servers that you know are allowed to send out. Create the connector with nothing ticked in Authentication and Anonymous users ticked for permissions groups.

After that you'll need to run the following command in PS as Exchange by default blocks anonymous relaying on any receive connector.

Get-ReceiveConnector "Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

I just tested this on my own exchange server and managed to send to both gmail and my own domain, sending from the exchange domain as well as a fake domain.

Also add the -port 2525 argument onto your PS script.

atomicharri


I'll assume there is just an Exchange server, nothing fancy with a gateway/spam filter, etc.

On your Receive connector (call it "Relay"):

  1. Make sure the "Receive mail from remote servers that have these IP addresses" list has the IP address(es) of the server(s) you are going to be running this app on.

  2. On the Authentication tab, the only thing that should be checked is "Externally Secured".

  3. On the permission Groups the only thing that should be checked is "Exchange Servers"

NOTE: If you use "Anonymous", as it looks like you did in your original post, then you'll need to run this command in the Exchange shell to get that type of relay connector to work:

Get-ReceiveConnector "NAMEOFCONNECTOR" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Then, try the app again from one of the servers whose IP is in #1 above. Don't try it directly on the Exchange server itself.

TheCleaner
  • Hey @TheCleaner, thx for the ideas. I ran the add permission cmdlet and it reported this but still didn't help: [PS] C:\Windows\system32>Get-ReceiveConnector "Allowed Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" Identity User Deny Inherited -------- ---- ---- --------- FTI-EX\Allowed Relay NT AUTHORITY\ANON... False False – sisdog Feb 08 '13 at 19:48
  • I would suggest creating the connector again as I've stated above. – TheCleaner Feb 08 '13 at 19:52
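The two connector layouts proposed by atomicharri (anonymous relay on a non-standard port) and TheCleaner (externally secured, Exchange Servers permission group), written out as Exchange 2010 Management Shell commands. This is an added example, not code from either answer or from the asker. The server name EX01, the application host addresses 10.0.0.10 and 10.0.0.11, the ports 2525/2526, the connector names and the domain suffix domainname.local are all assumptions; substitute your own.

```powershell
# Added example (not from the thread). Assumed values: adjust to your environment.
$server   = 'EX01'                          # assumed Hub Transport server (short name)
$fqdn     = 'ex01.domainname.local'         # assumed FQDN used by the sending app
$appHosts = '10.0.0.10', '10.0.0.11'        # assumed: only the hosts that run the .NET app

# Variant 1 (atomicharri): anonymous relay on its own port. No authentication mechanism,
# Anonymous Users only. Using 2525 instead of 25 keeps it from competing with the
# Default connector, whose RemoteIPRanges is 0.0.0.0-255.255.255.255 on port 25.
New-ReceiveConnector -Name 'App Relay 2525' -Server $server -Usage Custom `
    -Bindings '0.0.0.0:2525' -RemoteIPRanges $appHosts `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Anonymous Users grants Submit and Accept-Any-Sender but NOT Accept-Any-Recipient,
# so without this ACE anything outside your accepted domains gets "5.7.1 Unable to relay".
Get-ReceiveConnector "$server\App Relay 2525" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# Variant 2 (TheCleaner): externally secured. ExternalAuthoritative requires the
# ExchangeServers permission group and treats every address in RemoteIPRanges as a fully
# authenticated internal sender (any sender, any recipient, anti-spam bypassed). No ACE
# is needed, but the range must be individual hosts, never a whole subnet.
New-ReceiveConnector -Name 'App Relay Secured' -Server $server -Usage Custom `
    -Bindings '0.0.0.0:2526' -RemoteIPRanges $appHosts `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Verify which connectors on this server actually carry the anonymous relay right.
Get-ReceiveConnector -Server $server |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Select-Object Identity, User, Deny

# Test from one of $appHosts, not from the Exchange server itself; -Port must match
# the connector binding or the message lands on the Default connector on 25.
Send-MailMessage -To 'someone@gmail.com' -From 'app@ourdomain.com' `
    -Subject 'relay test' -Body 'relay test' -SmtpServer $fqdn -Port 2525
```

Exchange picks the receive connector by the bound address and port first and then by the most specific RemoteIPRanges match, so a test run on the Exchange server from its own address (or 127.0.0.1) hits the Default connector rather than a relay connector scoped to the application hosts. That is why the ACE in the question appeared to have no effect and why TheCleaner says to test from one of the listed hosts.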

There are ways to relay to the outside world without authentication from your inside network (by creating a new SMTP connector on either your edge or hub).

In most circumstances you're better off setting up authentication if you can do so. This works well if you're only sending from a handful of dedicated processes / scripts etc.

If you want to have unauthenticated relaying create a new hub receive connector rule. To do this (assuming a single Exchange server filling all Exchange roles):

Server Configuration -> Hub Transport

Use all available IP addresses for your receive and enter any remote hosts which will relay into the 'receive mail from remote server' setting.

You probably won't want any of the authentication methods (possibly TLS) and the permission group should be set to anonymous.

Tim Brigham


This might be more of a workaround, but specifying credentials in your script should allow you to send externally without requiring any config changes on the Exchange side.

KERR