MsExchange Blog Spot Telnet25

September 17, 2014

Configuring Internal Application Relay with Receive Connector Part#2

Filed under: General — telnet25 @ 4:14 am

Open your newly created internal Receive connector my making right click on it and selecting properties

clip_image001

In order to allow Anonymous Authentication follow the steps in this order. On the Authentication Tab TLS is selected by default.

  • Click Permissions and select “Exchange Servers” and click apply

clip_image002

  • Now go back to Authentication and select “Externally Secured” this is where the magic starts

clip_image003

  • I will explain in details why we selected this option and what happened in the background.
  • Go back to Permissions Tab and select this time “Anonymous”

clip_image004

  • If you don’t follow the order you will receive error, some controls aren’t valid.

You must set the value for the PermissionGroups to ExchangeServers when you set the AutMechanism parameter to a value of ExternalAuthoritative.

clip_image005

  • You got this because you did not follow the order listed above.
  • If you enable “Eternally Secured” you will be forced to use limited offer TLS with this connector,
  • You can go back and mess with Permissions groups if you do have any requirements.

clip_image006

Step-1 —————> Permission Groups, Select Exchange Servers

Step-2 —————> Authentication Settings, Select Externally Secured

Step-3 —————> Permission Groups, Select Anonymous

Externally Secured meaning is, This Receive connector will lift off most of the restrictions, you are pretty much trusting the internal Servers, the relaying servers are “Trusted: therefore you will be adding the IP address of the relaying servers into here.

clip_image007

Here is list of permissions gets assigned to this connector

Accept-Authoritative-Domain

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}

Bypass-Anti-Spam

MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}

Bypass-Message-Size-Limit

MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}

SMTP-Accept

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}

Accept-Headers-Routing

MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}

SMTP-Submit

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}

Accept-Any-Recipient

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}

Accept-Authentication-Flag

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}

Accept-Any-Sender}

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

See the  Receive connectors

Get-ReceiveConnectors

clip_image009

Add AD Permissions to this Receive Connector

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

clip_image011

Now let’s see the properties of this connector

Get-ReceiveConnector -Identity "E1\Internal_Relay-1" | fl

clip_image012

Now if you have applications will relay off this connector and they are defined with short names, you will need to add your SMTP domain name in this filed, otherwise the short name completion may fail with 501 5.1.3 Invalid address Short Name Rcpt SMTP address etc.

Basically the application server is passing valid from SMTP Address format on the relay submission and on the CC or BB it is passing short names such as casey.Dedeal

From: ApplicationRelay@smtp25.org

To: Casey.Dedeal

Bcc: Jon.Doe

clip_image013

To overcome with this issue allow applications to continue to use short names on the CC or BCC field use

$ReceiveConnector = "E1\Internal_Relay-1"

Set-Receiveconnector "$ReceiveConnector" -defaultdomain ZtekZone.com

clip_image014

Now this connector will append default specified SMTP domain to short names when application is performing relay submission.

clip_image015

One less to worry , especially for applications who are written poorly. ( none full SMTP compliant)

If you like to see the AD Permissions on this connector

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector” | Get-ADPermission | where {$_.extendedrights –like “*Any-Recipient”}

image

Lastly , use network sniffer and SMTP loggings options  to further troubleshoot any SMTP submission failures on this connector.

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
https://telnet25.wordpress.com/ (Blog)

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: