MsExchange Blog Spot Telnet25

September 17, 2014

Configuring Internal Application Relay with Receive Connector Part#2

Filed under: General — telnet25 @ 4:14 am

Open your newly created internal Receive connector by right-clicking on it and selecting Properties.


To allow Anonymous authentication, follow the steps in this order. On the Authentication tab, TLS is selected by default.

  • Click the Permissions tab, select “Exchange Servers” and click Apply.


  • Now go back to the Authentication tab and select “Externally Secured”; this is where the magic starts.


  • I will explain in detail why we selected this option and what happened in the background.
  • Go back to the Permissions tab and this time select “Anonymous”.


  • If you don’t follow this order you will receive an error: “some controls aren’t valid”.

You must set the value for the PermissionGroups to ExchangeServers when you set the AutMechanism parameter to a value of ExternalAuthoritative.


  • You got this because you did not follow the order listed above.
  • If you enable “Externally Secured” you will be limited to the TLS options offered on this connector.
  • You can go back and adjust the Permission Groups if you have any further requirements.


Step 1: Permission Groups, select Exchange Servers

Step 2: Authentication Settings, select Externally Secured

Step 3: Permission Groups, select Anonymous

Externally Secured means this Receive connector lifts most of the restrictions: you are effectively trusting the internal servers. The relaying servers are treated as “Trusted”, therefore you add only the IP addresses of the relaying servers to this connector’s remote IP ranges; anything you list there can relay without further checks.
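The same three steps can be done from the Exchange Management Shell, which also makes the ordering rule visible: AuthMechanism and PermissionGroups are set in one call so the “some controls aren’t valid” error cannot occur. The following is an added example, not code from the original post; it assumes the connector name “E1\Internal_Relay-1” used on this page, and the IP addresses of the relaying application servers are placeholders you must replace with your own.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell
# and the connector name used on this page. The relay host addresses are placeholders.
$ReceiveConnector = "E1\Internal_Relay-1"
$RelayHosts = @("10.0.1.25", "10.0.1.26")   # placeholder: only the app servers that must relay

# Steps 1 and 2 together: ExternalAuthoritative requires the ExchangeServers permission
# group, so setting both in a single call satisfies the same rule the GUI enforces.
# RemoteIPRanges is replaced (not appended) by this call; list every trusted host here,
# and never a whole-network range such as 0.0.0.0-255.255.255.255.
Set-ReceiveConnector -Identity $ReceiveConnector `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers `
    -RemoteIPRanges $RelayHosts

# Step 3: grant anonymous relay explicitly, the same way the post does further down.
Get-ReceiveConnector $ReceiveConnector |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
                     -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Verify the result: the remote ranges should contain only the hosts listed above.
Get-ReceiveConnector $ReceiveConnector |
    Format-List Identity, AuthMechanism, PermissionGroups, RemoteIPRanges
```

Because an Externally Secured connector bypasses anti-spam, size limits and sender checks for every address in RemoteIPRanges, the value of that parameter is the only thing standing between “internal relay” and “open relay”; keep it to individual hosts or the smallest subnet that contains them.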


Here is the list of permissions that get assigned to this connector:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

See the Receive connectors.



Add AD Permissions to this Receive Connector

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"


Now let’s see the properties of this connector

Get-ReceiveConnector -Identity "E1\Internal_Relay-1" | fl


Now, if you have applications that will relay off this connector and their recipients are defined with short names, you will need to add your SMTP domain name in this field; otherwise the short-name completion may fail with “501 5.1.3 Invalid address” for the short-name RCPT SMTP address.

Basically the application server is passing a valid From SMTP address on the relay submission, but in the CC or BCC field it is passing short names such as casey.Dedeal:


To: Casey.Dedeal

Bcc: Jon.Doe


To overcome this issue and allow applications to continue to use short names in the CC or BCC fields, use:

$ReceiveConnector = "E1\Internal_Relay-1"

Set-ReceiveConnector "$ReceiveConnector" -DefaultDomain "yourdomain.com"   # placeholder: replace with your SMTP domain


Now this connector will append the specified default SMTP domain to short names when an application performs a relay submission.


One less thing to worry about, especially for applications that are written poorly (not fully SMTP compliant).

If you would like to see the AD permissions on this connector:

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector" | Get-ADPermission | where {$_.ExtendedRights -like "*Any-Recipient"}


Lastly, use a network sniffer and the SMTP logging options to further troubleshoot any SMTP submission failures on this connector.
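Since an Externally Secured connector with anonymous Accept-Any-Recipient rights is an open relay for whatever is in its remote IP ranges, it is worth auditing all Receive connectors periodically rather than inspecting one at a time. The script below is an added example, not code from the original post; it assumes the Exchange Management Shell cmdlets used on this page (Get-ReceiveConnector, Get-ADPermission) and flags any Externally Secured connector whose remote range is the whole address space.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell.
# Reports every Externally Secured Receive connector, who may relay through it,
# and whether its remote IP range is dangerously broad.
function Get-ExternallySecuredRelayReport {
    foreach ($rc in Get-ReceiveConnector) {
        # AuthMechanism is a flags value; test for the ExternalAuthoritative flag by name.
        if ("$($rc.AuthMechanism)" -notmatch 'ExternalAuthoritative') { continue }

        # Does ANONYMOUS LOGON hold ms-Exch-SMTP-Accept-Any-Recipient on this connector?
        $anonRelay = $rc | Get-ADPermission | Where-Object {
            "$($_.User)" -like '*ANONYMOUS LOGON*' -and
            (($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
        }

        # A whole-address-space range (the default on a new connector) means any host on
        # the network can relay through it with anti-spam and size limits bypassed.
        $ranges = $rc.RemoteIPRanges | ForEach-Object { "$_" }
        $broad  = $ranges | Where-Object { $_ -eq '0.0.0.0-255.255.255.255' -or $_ -like '::-ffff:*' }

        [pscustomobject]@{
            Connector       = "$($rc.Identity)"
            RemoteIPRanges  = ($ranges -join ', ')
            AnonymousRelay  = [bool]$anonRelay
            BroadRangeFound = [bool]$broad
            DefaultDomain   = "$($rc.DefaultDomain)"
        }
    }
}

# Usage: list everything, then show only the connectors that need attention.
$report = Get-ExternallySecuredRelayReport
$report | Format-Table -AutoSize
$report | Where-Object { $_.AnonymousRelay -and $_.BroadRangeFound } |
    ForEach-Object { Write-Warning "Open internal relay: $($_.Connector) [$($_.RemoteIPRanges)]" }
```

Any row with both AnonymousRelay and BroadRangeFound set should have its RemoteIPRanges narrowed to the relaying application servers, as described above; the SMTP protocol logs on that connector will show which source addresses are actually using it.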

Oz Casey, Dedeal ( MVP north America)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server + (Blog)
