
We have a service that connects to our default receive connector in Exchange, which relays the message to external users. Currently I have configured the service to use my DA account, which is assigned all Exchange roles. I want to create a service account instead of using my DA credentials, but I'm stuck as to which admin roles I should select.

To reiterate, the only function that we need is for the service account to be able to authorise mail being relayed externally.

Thanks

Z Holt

2 Answers


Permission Group:

ms-Exch-SMTP-Accept-Any-Recipient

Via PowerShell: (includes anti-spam bypass)

Get-ReceiveConnector "<RelayName>" | Add-ADPermission -User "NAME" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-Bypass-Anti-Spam
  • Hi Sam, thanks for this. I've not tried yet as I want to clarify what I have been doing. In Exchange Admin Centre, under Permissions > admin roles, I can add the service account to predefined admin role groups. When I add the service account to Organization Management (all roles) the service account functions as intended (however I don't want to allow all roles, I'd rather it be only the needed roles). – Z Holt Jan 23 '15 at 12:57
  • It doesn't need any RBAC roles at all, that's silly. It simply needs to be given the required permission on the receive connector, as Samuel told you. – mfinni Jan 23 '15 at 14:08
  • The receive connector's security is set like http://imgur.com/F0pEjSh – Z Holt Jan 23 '15 at 14:42
  • I get the following error: – Z Holt Jan 26 '15 at 11:18
  • Cannot process argument transformation on parameter 'Identity'. Cannot convert the "System.Collections.ArrayList" value of type "System.Collections.ArrayList" to type "Microsoft.Exchange.Configuration.Tasks.ADRawEntryIdParameter". + CategoryInfo : InvalidData: (:) [Add-ADPermission], ParameterBindin...mationException + FullyQualifiedErrorId : ParameterArgumentTransformationError,Add-ADPermission + PSComputerName : canexchcasvr01.can****c.com – Z Holt Jan 26 '15 at 11:18
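The following script is an added example, not code from either answer or from the commenters. It applies Samuel's approach (connector-level extended rights, no RBAC role group) and also guards against the "Cannot convert System.Collections.ArrayList" error from the last comment, which occurs when Get-ReceiveConnector matches more than one connector. The connector identity CASSRV01\Relay and the account CONTOSO\svc-relay are placeholders.

```powershell
# Added example: grant a relay service account only the two extended rights it needs
# on one receive connector, then verify them. Names below are placeholders.
$ConnectorId = "CASSRV01\Relay"        # Server\Name form: matches exactly one connector
$ServiceUser = "CONTOSO\svc-relay"     # dedicated service account, not a domain admin
$Rights      = "ms-Exch-SMTP-Accept-Any-Recipient", "ms-Exch-Bypass-Anti-Spam"

# Resolve the connector and insist on exactly one result. Passing an array of
# connectors into Add-ADPermission is what produces the ArrayList conversion error.
$Connector = @(Get-ReceiveConnector -Identity $ConnectorId)
if ($Connector.Count -ne 1) {
    throw "Expected one receive connector for '$ConnectorId', found $($Connector.Count)."
}

# Grant the rights on the connector object itself; no admin role group membership is involved.
$Connector[0] | Add-ADPermission -User $ServiceUser -ExtendedRights $Rights | Out-Null

# Verify: collect the allow entries for this account on this connector and check both rights.
$Granted = Get-ADPermission -Identity $Connector[0].Identity -User $ServiceUser |
    Where-Object { -not $_.Deny } |
    ForEach-Object { $_.ExtendedRights } |
    ForEach-Object { $_.ToString() }

foreach ($Right in $Rights) {
    if ($Granted -contains $Right) {
        Write-Output "OK: $ServiceUser has $Right on $ConnectorId"
    } else {
        Write-Warning "MISSING: $ServiceUser does not have $Right on $ConnectorId"
    }
}

# Optional: once the rights are confirmed, drop the account from the all-roles group
# the question mentions, so it keeps only the connector permission (assumes it was added there).
# Remove-RoleGroupMember -Identity "Organization Management" -Member $ServiceUser -Confirm:$false
```

Run this from the Exchange Management Shell; if the same connector name exists on several servers, the throw tells you to qualify it with the server name rather than silently granting rights on all of them.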

I suggest you create a dedicated "Frontend Transport" receive connector for this, assign correct permissions as outlined here.

Vick Vega