Create an SMTP relay connector in Exchange Server

MASEE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017 and 2020.
O365, Exchange Server, Windows Server, Active Directory, Virtualization, Teams and Email Migration Expert.
Published:
Edited by: Andrew Leniart
This article explains why a relay connector is needed in Exchange and how to create one on an Exchange server.
In most organizations, applications and devices use Exchange servers to send email. The configuration required on the Exchange server depends on how those applications and devices connect over SMTP.

The steps to configure Exchange Server 2016 SMTP relay are:

  1. Check whether you need an internal relay or an external relay.
  2. Check whether the apps/devices send authenticated or anonymous traffic.
  3. For an authenticated relay, you only have to configure a TLS certificate on the Client Frontend receive connector.
  4. For an anonymous relay, you have to create a new frontend receive connector that accepts anonymous email only from specific IP addresses.

Determine Internal and External Relay Scenarios
There are generally two types of SMTP relay scenarios that Exchange Server 2016 is used for:
 
  • Internal relay – Apps/devices that need to send emails only to internal recipients in the Exchange organization.
  • External relay – Apps/devices that need to send emails to internal and external recipients.

Let's compare both.

Internal SMTP Relay with Exchange Servers

When Exchange Server is installed, setup creates a receive connector (Default Frontend SERVERNAME) that is pre-configured to receive email from anonymous/external senders addressed to internal recipients. This allows inbound internet email to be received by the server and is also suitable for internal relay scenarios.

The receive connector is named “Default Frontend SERVERNAME”, for example, “Default Frontend EXCHSERVER”.

Get-ReceiveConnector
Identity                                Bindings                                Enabled
--------                                --------                                -------
EX2016\Default EX2016                   {0.0.0.0:2525, [::]:2525}               True
EX2016\Client Proxy EX2016              {[::]:465, 0.0.0.0:465}                 True
EX2016\Default Frontend EX2016          {[::]:25, 0.0.0.0:25}                   True
EX2016\Outbound Proxy Frontend EX2016   {[::]:717, 0.0.0.0:717}                 True
EX2016\Client Frontend EX2016           {[::]:587, 0.0.0.0:587}                 True
Now let’s do an SMTP test by telnetting to the SMTP port (port 25).

220 EX2016.DOMAIN.LOCAL Microsoft ESMTP MAIL Service ready at Sat, 3 Apr 2021 18:45:48 +0300
ehlo
250-EX2016.DOMAIN.LOCAL Hello [::1]
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
mail from:abbasiftt2@gmail.com
250 2.1.0 Sender OK
rcpt to:administrator@domain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject:Test Email Relay
.
250 2.6.0 <694f41b5-49b5-4bd9-8131-4360ab77459a@EX2016.DOMAIN.LOCAL> [InternalId=101588861452334, Hostname=EX2016.domain.local] Queued mail for delivery
No specific configuration is required on the server or the connectors to allow this scenario. However, it is recommended that you point devices and applications at a DNS name (A record), for example mail.domain.com, rather than at an IP address or the server’s FQDN. If all devices/applications are configured with that name, you can later upgrade or migrate to a newer version, or replace the server, without reconfiguring them.
 
External SMTP Relay with Exchange Server 2016

Now let us check what happens if we try the same to an external recipient.

220 EX2016.DOMAIN.LOCAL Microsoft ESMTP MAIL Service ready at Sat, 3 Apr 2021 18:59:35 +0300
ehlo
250-EX2016.GT.KW Hello [::1]
250-SIZE 36700160
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
mail from:administrator@domain.com
250 2.1.0 Sender OK
rcpt to:abbasiftt@gmail.com
550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain
The server returns SMTP error code 550 5.7.54, “Unable to relay recipient in non-accepted domain”. The receive connector does not allow an anonymous/unauthenticated sender to relay to external email addresses, which prevents our Exchange server from being abused as an open relay.
 
We have two options to resolve this and allow our devices/applications to send emails to an external recipient.

  1. Send email using authenticated SMTP traffic/connection.
  2. Configure an anonymous relay connector in Exchange server.

Option 1: Authenticated External Relay

The first option is to use authenticated email traffic/connection. Exchange Server has a receive connector designed to be used by clients that need to send via SMTP called “Client Frontend SERVERNAME”.

Get-ReceiveConnector
Identity                                Bindings                                Enabled
--------                                --------                                -------
EX2016\Default EX2016                   {0.0.0.0:2525, [::]:2525}               True
EX2016\Client Proxy EX2016              {[::]:465, 0.0.0.0:465}                 True
EX2016\Default Frontend EX2016          {[::]:25, 0.0.0.0:25}                   True
EX2016\Outbound Proxy Frontend EX2016   {[::]:717, 0.0.0.0:717}                 True
EX2016\Client Frontend EX2016           {[::]:587, 0.0.0.0:587}                 True
 
Only minimal configuration is needed to get this working, because we already have an SSL certificate configured on the Exchange server and a name (A record) for our devices/applications to use (e.g. mail.domain.com).

Now we need to set TlsCertificateName on the Client Frontend receive connector.
The following command lists the certificate thumbprints so we can identify the third-party SSL certificate we are going to use.

[PS] D:\>Get-ExchangeCertificate | ft thumbprint,notafter,issuer -AutoSize
 
Thumbprint                               NotAfter              Issuer
----------                               --------              ------
EF748982B467BE652624CEDB5569011D7AB7CECA 7/10/2021 2:59:59 AM  CN=Sectigo RSA Domain Validation Secure Server CA, O=...
D3512533EDC3ECED8CE40ECC34DE2CEB7296F3C1 6/17/2022 4:46:56 PM  CN=EX2016
29A2F0B52524469D77307DB0CB87CC728331DCB7 6/15/2027 3:55:05 PM  CN=WMSvc-EX2016
EE64D939BCD76050A01AC386D4E9255F6622DE6E 4/28/2022 5:53:01 PM  CN=Microsoft Exchange Server Auth Certificate

The TlsCertificateName string is made up of two attributes of the certificate (its issuer and its subject), so we use the following commands to build it and apply the configuration to the Client Frontend receive connector.

[PS]$cert = Get-ExchangeCertificate -Thumbprint EF748982B467BE652624CEDB5569011D7AB7CECA
[PS]$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
[PS]Set-ReceiveConnector "Client Frontend EX2016" -Fqdn mail.domain.com -TlsCertificateName $tlscertificatename

Let’s test the Client Frontend receive connector by sending an email message from PowerShell. First, collect the credentials to authenticate with using the following command.

$credential = Get-Credential
Now send an email by specifying the server name (A record), the To and From addresses, the subject line and the port number. The From address has to be the same mailbox you used to authenticate in the credential prompt.

Send-MailMessage -SmtpServer mail.domain.com -Credential $credential -From 'administrator@domain.com' -To 'exchangeserverpro@gmail.com' -Subject 'Test email' -Port 587 -UseSsl
The email we sent is successfully received by the external recipient. So any device/application on the network that can send authenticated SMTP traffic can be configured to use the Client Frontend connector listening on port 587 on the Exchange server.
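As an added example (not the article’s own commands), the following script pulls the steps of this option together: it looks up the certificate by thumbprint, checks that it is still valid and covers the name the clients will use, builds the TlsCertificateName value in the form Microsoft documents (<I>issuer<S>subject), applies it to the Client Frontend connector, reads the result back, and finally sends an authenticated test message on port 587. The thumbprint is the Sectigo one from the listing above; the server name EX2016, mail.domain.com, the From mailbox and the recipient address are assumed placeholders to replace.

```powershell
# Added example: configure and verify authenticated relay on the Client Frontend connector.
# Run in the Exchange Management Shell. The values below are placeholders taken from the
# article's example environment; replace them with your own.
$Thumbprint = 'EF748982B467BE652624CEDB5569011D7AB7CECA'   # third-party certificate from the list above
$Fqdn       = 'mail.domain.com'                             # A record the apps/devices will use
$Connector  = 'EX2016\Client Frontend EX2016'               # client submission connector (port 587)
$From       = 'administrator@domain.com'                    # mailbox of the account used to authenticate

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint -ErrorAction Stop

# 1. Sanity checks before touching the connector: expiry, name coverage, SMTP service enabled.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter); renew it before binding it to SMTP."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); plan the renewal."
}
# CertificateDomains lists the subject and SAN names; '-like' lets a wildcard entry such as
# *.domain.com match mail.domain.com.
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
if (-not ($names | Where-Object { $Fqdn -like $_ })) {
    throw "Certificate $Thumbprint does not cover $Fqdn (names: $($names -join ', '))."
}
if ("$($cert.Services)" -notmatch 'SMTP') {
    Write-Warning "Certificate $Thumbprint is not enabled for SMTP; run Enable-ExchangeCertificate -Services SMTP first."
}

# 2. Build TlsCertificateName from issuer and subject and apply it together with the FQDN
#    that clients see in the banner and check against the certificate when they use STARTTLS.
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-ReceiveConnector -Identity $Connector -Fqdn $Fqdn -TlsCertificateName $tlsName

# 3. Read the configuration back so the change is verified rather than assumed.
Get-ReceiveConnector -Identity $Connector |
    Format-List Identity, Bindings, Fqdn, TlsCertificateName, AuthMechanism, PermissionGroups

# 4. End-to-end test: authenticate as the mailbox owner and submit over STARTTLS on 587.
#    The From address must belong to the authenticated account (or one it has Send As rights on).
$credential = Get-Credential -Message "Credentials for $From"
Send-MailMessage -SmtpServer $Fqdn -Port 587 -UseSsl -Credential $credential `
    -From $From -To 'recipient@example.com' `
    -Subject 'Authenticated relay test' -Body "Sent via $Connector at $(Get-Date -Format o)"
```

The checks in step 1 are the ones that usually explain a connector that “works” in testing and then breaks later: an expired certificate, or a certificate whose names do not include the A record the clients were given, both of which surface as STARTTLS failures on the clients rather than as errors on the server.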

External Relay with Exchange Server Using Anonymous/Unauthenticated Connections

When an authenticated connection is not possible, you can create a new receive connector on the Exchange server that allows anonymous/unauthenticated relay only from the IP addresses we specify in the connector.

In the Exchange Admin Center, go to mail flow and then receive connectors. Select the server that you want to create the new receive connector on and click the “+” button.


Give the new connector a name. I gave it the name Allow-Relay. Set the Role to “Frontend Transport” and the Type to “Custom”. Click Next.
 

Keep the default settings (i.e. “All Available IPv4” and port 25) and click Next.
 
Click the edit (pencil) button under Remote network settings.


Type the IP address of the device/app that you want to allow to relay anonymous/unauthenticated traffic and click Save. In our case, we use 192.168.0.215.

Note: It is not recommended to add the entire IP subnet of the Exchange server, as it can cause issues for server-to-server communications.


Ensure the IP address is correct and click Finish to complete the wizard.

 
Now we have to run these two commands in the Exchange Management Shell to allow anonymous/unauthenticated traffic to relay through the new connector. The first command puts the connector in the anonymous permission group; the second grants anonymous connections the ms-Exch-SMTP-Accept-Any-Recipient right, which is what allows relay to non-accepted (external) domains.

Set-ReceiveConnector "Allow-Relay" -PermissionGroups AnonymousUsers
Get-ReceiveConnector "Allow-Relay" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient
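The wizard steps and the two shell commands above can be done entirely from the Exchange Management Shell, which also makes the allow list reviewable in version control. The script below is an added example, not the article’s own code: it creates the Allow-Relay connector with the same role, type, binding and remote IP range the wizard was given, applies the two permission settings, and then audits every receive connector in the organization to list which ones let ANONYMOUS LOGON relay to any recipient and from which source ranges. The server name EX2016, the connector name and the address 192.168.0.215 are the article’s example values and should be replaced.

```powershell
# Added example: create the restricted anonymous relay connector from the shell and audit
# every connector that can relay anonymously. Run in the Exchange Management Shell.
# EX2016, Allow-Relay and 192.168.0.215 are the article's example values; substitute your own.
$Server    = 'EX2016'
$Name      = 'Allow-Relay'
$AllowedIP = @('192.168.0.215')   # one entry per app/device; a whole subnet would let every host on it relay

# 1. Create the connector only if it is not already there, so the script can be re-run safely.
$identity = "$Server\$Name"
if (-not (Get-ReceiveConnector -Identity $identity -ErrorAction SilentlyContinue)) {
    New-ReceiveConnector -Server $Server -Name $Name -TransportRole FrontendTransport -Usage Custom `
        -Bindings '0.0.0.0:25' -RemoteIPRanges $AllowedIP | Out-Null
}

# 2. The same two settings the article applies: the anonymous permission group, plus the
#    extended right that allows relaying to non-accepted (external) domains.
Set-ReceiveConnector -Identity $identity -PermissionGroups AnonymousUsers
Get-ReceiveConnector -Identity $identity |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' |
    Out-Null

# 3. Audit: every receive connector where ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient,
#    with its source ranges. A connector holding that right while accepting from all addresses
#    is an open relay and is flagged in the OpenRelay column.
function Get-AnonymousRelayConnector {
    foreach ($conn in Get-ReceiveConnector) {
        $grant = $conn | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'Accept-Any-Recipient') }
        if (-not $grant) { continue }
        $ranges = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # Exchange renders "all addresses" as 0.0.0.0-255.255.255.255 (IPv4) and ::-ffff:... (IPv6).
        $unrestricted = $ranges | Where-Object { $_ -match '^0\.0\.0\.0-255\.' -or $_ -match '^::-' }
        [pscustomobject]@{
            Connector      = $conn.Identity
            Enabled        = $conn.Enabled
            RemoteIPRanges = ($ranges -join ', ')
            OpenRelay      = [bool]$unrestricted
        }
    }
}
Get-AnonymousRelayConnector | Format-Table -AutoSize
```

The audit deliberately keys on the extended right rather than on the AnonymousUsers permission group: the Default Frontend connector is also in that group but lacks ms-Exch-SMTP-Accept-Any-Recipient, which is exactly why it returned 550 5.7.54 earlier, so only connectors that hold the right are worth listing.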

Now let’s repeat the test we performed above, this time from the application server, i.e. running the same commands from IP 192.168.0.215.

220 EX2016.DOMAIN.LOCAL Microsoft ESMTP MAIL Service ready at Sat, 3 Apr 2021 22:49:10 +0300
ehlo
250-EX2016.DOMAIN.LOCAL Hello [192.168.0.215]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 8BITMIME
mail from:administrator@domain.com
250 2.1.0 Sender OK
rcpt to:myemail@gmail.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
subject:Test email relay
.
250 2.6.0 <94bd68aa-a6be-4499-9912-66f3a23465bc@EX2016.DOMAIN.LOCAL> [InternalId=135046656688193, Hostname=EX2016.DOMAIN.LOCAL] 1617 bytes in 0.141, 11.144 KB/sec Queued mail for delivery
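The two telnet sessions on this page (the 550 5.7.54 refusal from an unlisted host earlier, and the 250 acceptance from 192.168.0.215 just above) are the checks worth repeating after any connector change. As an added example that is not part of the article, the PowerShell function below runs the same SMTP conversation programmatically, stops after RCPT TO and resets the envelope so no message is ever queued, and reports whether the server would relay to an external recipient from this host and whether AUTH was offered. It needs no Exchange cmdlets, so it can run on the application server and on a host that is not in the connector’s remote IP ranges. The host name and addresses in the usage line are placeholders.

```powershell
# Added example: probe a receive connector's relay behaviour without sending a message.
# Plain Windows PowerShell; no Exchange cmdlets required.

function Read-SmtpReply {
    param([System.IO.StreamReader]$Reader)
    # A reply continues while the 4th character is '-' ("250-SIZE ...") and ends on a line with a
    # space there ("250 XRDST"). All lines are returned so callers can inspect EHLO capabilities.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }          # connection closed by the server
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return ,$lines
}

function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To,
        [string]$HeloName = 'relaycheck.local'   # placeholder client name sent in EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"                  # SMTP requires CRLF line endings
    $writer.AutoFlush = $true
    try {
        $banner = Read-SmtpReply $reader
        $writer.WriteLine("EHLO $HeloName");    $ehlo = Read-SmtpReply $reader
        $writer.WriteLine("MAIL FROM:<$From>"); $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$To>");     $rcpt = Read-SmtpReply $reader
        # Stop here: RSET discards the envelope, so nothing is queued even when RCPT was accepted.
        $writer.WriteLine('RSET'); [void](Read-SmtpReply $reader)
        $writer.WriteLine('QUIT'); [void](Read-SmtpReply $reader)
    }
    finally {
        $client.Close()
    }
    if (-not $rcpt) { throw "No reply to RCPT TO from ${Server}:$Port" }
    $last = $rcpt[-1]
    [pscustomobject]@{
        Server        = $Server
        Port          = $Port
        Banner        = $banner[-1]
        Sender        = $From
        Recipient     = $To
        MailReply     = $mail[-1]
        RcptReply     = $last
        RelayAccepted = $last.StartsWith('250')   # 250 = would relay; 550 5.7.54 = refused
        AuthOffered   = [bool]($ehlo -match '^250[- ]AUTH ')
    }
}

# Usage (placeholders): run the same probe from a listed host and from an unlisted one.
# On the Allow-Relay design above, RelayAccepted should be True only from 192.168.0.215;
# from any other address RcptReply should read "550 5.7.54 ... non-accepted domain".
Test-SmtpRelay -Server 'mail.domain.com' -From 'administrator@domain.com' -To 'someone@example.com' |
    Format-List
```

Running it from an address that is not in the connector’s remote IP ranges is the important half of the check: a 250 there means the connector (or another one bound to port 25) is relaying for hosts it should not, and the RemoteIPRanges of every anonymous-relay connector need to be reviewed.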

We have now tested authenticated relay through the Client Frontend connector and configured a restricted anonymous relay connector for the devices that cannot authenticate.
