Building a Relay in Exchange 2010 that any IP can Authenticate to


I have a need to build an email relay in Exchange 2010 for phone systems that are installed at numerous locations with various IP addresses, to allow my voicemails to send emails to multiple email addresses. Obviously I want to require authentication. Can anyone offer me some guidance on this?
Helao Mwapangasha, Data Centre: Server Engineer, commented:
So you want to have your phones pass messages via the relay in Exchange, yet you want the relay to require authentication?
Will Szymkowski, Senior Solution Architect, commented:
This is quite easy to setup. You just need to create a new Receive Connector and set the parameters properly...
- Open EMC
- expand Server Config
- click Hub Transport
- Create New Receive connector
- Give it a Name
- Network Tab Port 25 and Add the IP Addresses for all of the phone systems to this Receive Connector
- Authentication Tab leave all options unchecked
- Permissions Tab check Anonymous Users

That should do it.
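The same Receive Connector procedure as Exchange Management Shell commands, followed by an audit function that flags the open-relay pattern (ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON on a connector open to every IP). This is an added example, not code from the thread; the server name and phone-system addresses are placeholders, and the audit assumes the default all-addresses range renders as "0.0.0.0-255.255.255.255".

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
$Server   = "HUB01"                              # placeholder Hub Transport server
$PhoneIPs = "203.0.113.10", "198.51.100.0/28"     # constructed example addresses

# Will's steps as a command: custom usage, port 25, only the listed remote
# hosts, no authentication mechanisms, Anonymous Users permission group.
New-ReceiveConnector -Name "Phone System Relay" -Server $Server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $PhoneIPs `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# AnonymousUsers alone cannot relay to external recipients; this extended right
# grants it. It is only acceptable because RemoteIPRanges above is restricted:
# the same right on a connector open to all IPs is an open relay.
Get-ReceiveConnector "$Server\Phone System Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

# Audit: list connectors where anonymous relay is combined with an
# unrestricted remote IP range (assumed to render as the full IPv4 range).
function Find-OpenRelayConnectors {
    foreach ($rc in Get-ReceiveConnector) {
        $anonRelay = $rc | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" }
        if (-not $anonRelay) { continue }
        $ranges = $rc.RemoteIPRanges | ForEach-Object { $_.ToString() }
        if ($ranges -contains "0.0.0.0-255.255.255.255") {
            [pscustomobject]@{
                Connector      = $rc.Identity
                RemoteIPRanges = ($ranges -join ", ")
            }
        }
    }
}

Find-OpenRelayConnectors
```

Any connector the audit prints should be re-scoped with Set-ReceiveConnector -RemoteIPRanges or have the anonymous right removed with Remove-ADPermission.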

Emulous, Author, commented:
Yes, Helao. That is what I want to do. And thank you, Will. However, I'd like to keep it open to all IP addresses because a portion of our customers have dynamic IP addresses. I don't want to have to keep track. So I want them to HAVE to authenticate. I DID have this set up and working, but somehow it wasn't quite right because spammers started relaying off of my server within hours. So the security wasn't quite right. However, if I telnet'd to the server it would not allow me to relay unless I used the account I specified with the following Exchange Shell command. Not quite sure how they were able to relay...

Get-ReceiveConnector "<RelayName>" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient,ms-exch-bypass-anti-spam
Will Szymkowski, Senior Solution Architect, commented:
I would highly NOT recommend doing something like this. If you are going to use a receive connector for this situation and you are allowing anonymous sending, then you need to lock it down via IP.

As you have stated, in the past you had spammers compromise your environment. You are just looking for trouble trying to configure something like this again.

Spam appliances are not 100%. Spam will always get through to some degree. If they know you have an open relay, they will find a way around it.


Emulous, Author, commented:
Why would I be able to make it work like that, though? In theory, it doesn't seem too hard. If I allow ONLY people who authenticate to my server to relay mail to anywhere for that one account, and be sure to have a hard password, why wouldn't that work in theory? Not trying to be a pain, just wondering how they may penetrate that...
Helao Mwapangasha, Data Centre: Server Engineer, commented:
An open relay for external dynamic IPs means that you will have a connector accepting emails from any IP that is not known to you: very risky and a big no-no. If these are trusted clients, why don't they assign a device a static IP that is known to you, and you allow only that IP or those IPs?

Otherwise you are looking at creating a situation where you have your domain blacklisted or identified as spam because of spammers that will relay via your Exchange environment.
Emulous, Author, commented:
Thank you.