Exchange 2010 Allow Relay

Posted on 2012-08-25
Last Modified: 2012-08-26
We have an Exchange 2010 server.  Users use GreatPlains software and have the ability to email from the applications directly.  It appears that GP does not use the MAPI profile on the workstation (Outlook 2010 and 2007) but sends the email directly.  You control the email server via a config file on the PC.

Therefore, I need to allow the entire subnet, my internal subnet, to relay off the server to send emails to outside email addresses.  If they send to an Exchange user, it works no problem.  The issue is sending to other domains.

Receive connector:

[PS] C:\>get-receiveconnector -identity "greatplains" |FL

RunspaceId                              : b45592cf-4c66-406d-a2a6-bea9eeda9e6f
AuthMechanism                           : Tls, ExternalAuthoritative
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : server.domain.local
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, ExchangeServers
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : DIFS02
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : GreatPlains
DistinguishedName                       : CN=GreatPlains,CN=SMTP Receive Connectors,CN=Protocols,CN=DIFS
                                          N=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administr
                                          =First Organization,CN=Microsoft Exchange,CN=Services,CN=Confi
Identity                                : DIFS02\GreatPlains
Guid                                    : 75bd38ce-6ce8-4465-ad35-3520b7afb005
ObjectCategory                          : domain.local/Configuration/Schema/ms-Exch-Smtp-Receive-Conn
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 8/23/2012 11:35:22 PM
WhenCreated                             : 8/23/2012 11:35:08 PM
WhenChangedUTC                          : 8/24/2012 3:35:22 AM
WhenCreatedUTC                          : 8/24/2012 3:35:08 AM
OrganizationId                          :
OriginatingServer                       : server.domain.local
IsValid                                 : True

Set permission with shell for connector:

Get-ReceiveConnector "greatplains" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

Error from PC and Application:

"Order email failure....  5.7.1 Unable to relay"

We did this in 2003 on the virtual smtp connector and it worked.

Please advise my mistakes?

Question by:RFloyd30
    LVL 17

    Accepted Solution

    Try this... I did this less than a week ago for several IPs and it worked great.  In your case, just define your whole LAN as the IPs allowed for relay.
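
An audit to run after opening a connector for relay as discussed above. This is an added example, not code from the thread: it lists every receive connector that grants anonymous senders the Ms-Exch-SMTP-Accept-Any-Recipient right or is marked Externally Secured, and checks each RemoteIPRanges entry against the subnet that is supposed to relay. The subnet value and the helper function names are assumptions.

```powershell
# Added example (Exchange Management Shell); not from the original thread.
# Assumption: the one internal subnet allowed to relay (constructed sample value).
$AllowedCidr = '192.168.10.0/24'

function ConvertTo-Int64 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> little endian
    [int64][BitConverter]::ToUInt32($b, 0)
}

function Get-Bounds ([string]$Range) {
    # IPv4 only: "a.b.c.d", "a.b.c.d-e.f.g.h" or "a.b.c.d/nn"; anything else returns nothing.
    $ip = '\d+\.\d+\.\d+\.\d+'
    if ($Range -match "^($ip)-($ip)$") {
        return (ConvertTo-Int64 $Matches[1]), (ConvertTo-Int64 $Matches[2])
    }
    if ($Range -match "^($ip)(?:/(\d+))?$") {
        $base = ConvertTo-Int64 $Matches[1]
        $bits = if ($Matches[2]) { [int]$Matches[2] } else { 32 }
        $size = [int64][math]::Pow(2, 32 - $bits)
        $lo   = $base - ($base % $size)        # first address of the CIDR block
        return $lo, ($lo + $size - 1)
    }
}

$allowLo, $allowHi = Get-Bounds $AllowedCidr

Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    # Anonymous relay: the ACE that the Add-ADPermission command in the question creates.
    $anon = $rc | Get-ADPermission | Where-Object {
        -not $_.Deny -and $_.User -like '*ANONYMOUS LOGON' -and
        ($_.ExtendedRights -like '*Accept-Any-Recipient*') }
    # Externally Secured connectors treat every connection as authenticated.
    $extSecured = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'
    if (-not $anon -and -not $extSecured) { return }   # not a relay connector, skip

    foreach ($r in $rc.RemoteIPRanges) {
        $lo, $hi = Get-Bounds "$r"
        $scope = if ($lo -eq $null) { 'REVIEW: not an IPv4 range' }
                 elseif ($lo -ge $allowLo -and $hi -le $allowHi) { 'inside allowed subnet' }
                 else { 'OUTSIDE allowed subnet' }
        New-Object PSObject -Property @{
            Connector = $rc.Identity; Range = "$r"; Scope = $scope
            AnonymousRelay = [bool]$anon; ExternallySecured = $extSecured }
    }
} | Format-Table Connector, Range, AnonymousRelay, ExternallySecured, Scope -AutoSize
```

A row showing `0.0.0.0-255.255.255.255` as OUTSIDE means that connector relays for any source address that can reach it.
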
    LVL 7

    Assisted Solution


    The settings look to be fine, but again do the below.

    1. Open the properties of the receive connector which you have created for relaying from the internal subnet.
    2. Navigate to the Authentication tab.
    3. Ensure that Externally Secured (for example, with IPsec) is checked.
    4. Try relaying the emails, and if it fails again, restart the transport service or the server itself.

    Also remove the TLS settings on the Authentication tab, though it has no effect.

    If it still fails, we need to ensure that the connections are landing on the correct receive connector. For that you can change the FQDN to a custom one, try telnetting from one of the application servers you are trying to relay from, and ensure that the custom FQDN is received in the response.

    Share the results.
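
The telnet check described above, scripted so it can be repeated from the application workstation. This is an added example, not code from the thread: it reads the SMTP banner and EHLO reply to see which connector FQDN answered, then issues MAIL FROM and RCPT TO for an outside address and reports whether the connector accepted the recipient. The function names, parameters and addresses are assumptions.

```powershell
# Added example; not from the original thread. No DATA is sent, so nothing is delivered.
function Read-SmtpReply ($Reader) {
    # One reply may span lines: continuations look like "250-...", the last like "250 ...".
    $lines = @()
    do {
        $line = $Reader.ReadLine(); $lines += $line
    } while ($line -ne $null -and $line -notmatch '^\d{3}( |$)')
    $lines -join "`n"
}

function Test-SmtpRelay {
    param([string]$Server, [string]$ExpectedFqdn, [string]$From, [string]$To, [int]$Port = 25)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 15000            # ms; allows for the connector's tarpit delay
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $result = @{ Banner = (Read-SmtpReply $reader) }
        foreach ($step in @(
                @('Ehlo',     "EHLO $env:COMPUTERNAME"),
                @('MailFrom', "MAIL FROM:<$From>"),
                @('RcptTo',   "RCPT TO:<$To>"))) {
            $writer.WriteLine($step[1])
            $result[$step[0]] = Read-SmtpReply $reader
        }
        $writer.WriteLine('RSET'); [void](Read-SmtpReply $reader)
        $writer.WriteLine('QUIT')
        # The connector's FQDN appears in the 220 banner and the first EHLO line.
        $result.FqdnSeen     = ($result.Banner + $result.Ehlo) -match [regex]::Escape($ExpectedFqdn)
        $result.RelayAllowed = $result.RcptTo -match '^250'   # 550 5.7.1 means relay refused
        New-Object PSObject -Property $result
    }
    finally { $client.Close() }
}

# Usage with constructed placeholder addresses; the FQDN is the custom one set on the connector:
# Test-SmtpRelay -Server 'server.domain.local' -ExpectedFqdn 'relay.domain.local' `
#     -From 'gp-test@domain.local' -To 'someone@example.com' | Format-List
```

FqdnSeen = False means the session landed on a different receive connector than the one configured for relay, which is the case the answer asks you to rule out.
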

    LVL 52

    Expert Comment

    by:Manpreet SIngh Khatra
    Allow Anonymous Relay on a Receive Connector

    This will briefly allow you to Relay ... you need to provide relay on the Receive connector for the IP's :)

    - Rancy

    Author Closing Comment

    Thanks for the replies.

    I think it was working the entire time.   It appears that the application has a method of sending a single item like an invoice or sending in "bulk", and I would assume many invoices.  When you send a single item, the email works.
    So back to the application...

    Solution: Follow the link given above - This is exactly the way I set up the receive connector in the beginning and also had the anonymous checked.  Not sure if it will work without that checked and may get a chance to test that - if so I will update the post.

    Thanks for the time.
