Exchange 2010 Receivers - Permission Group question

In Exchange 2010 Hub Transport for Receive Connectors, what does the "Exchange servers" Permission Group mean?
Does that mean that the Receive Connector could be used as a relay from an internal device such as a backup device?
Or does "Anonymous Users" have to be checked?
The backup device is on the subnet that is allowed on the Network list, so does it even need any permission groups as long as it's sending to accepted domain addresses (

Stuart (Technical Architect - Cloud) Commented:
You should have two Receive connectors by default - Default and Client

Default is for SMTP traffic inbound and Client is for internal client traffic inbound (TLS 587)

The Exchange Servers group represents members of the Exchange Servers universal domain group

If you wish to enable routing from an internal device (your backup device) to use anonymous auth then you need to create a new Receive connector (enabled for Anonymous Auth). Use this article to create the receive connector - just lock it down to specific IP addresses which are allowed to route.

It is not a good idea to enable anon auth on the default connectors

garryshape (Author) Commented:
Well, on one of my Hub Transport Servers, the "Default Mail2" one is not present. It does have the "Client Mail2" though.

On the other Hub Transport server Mail1, I noticed on the "Default Mail2", the range is
It has "Anonymous users", "Exchange users" and "Exchange Servers" checked.
Authentication has TLS, Basic/Offer, Exchange server and Integrated Windows, authentications checked...
Stuart (Technical Architect - Cloud) Commented:
It sounds like someone has already renamed and edited the config on the default receive connectors. Allowing anonymous authentication to the Internet is a security risk.

I suggest you create a receive connector as I previously suggested for internal applications and then look at removing anon on your default2 receive connector. Be careful as you may have a whole bunch of applications already routing to this default2 connector. You could enable logging on this and pick out these but you will have a lot of lines to go through as your internet mail inbound also traverses through this.
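
The log triage suggested in the reply above, as an added example that is not part of the original thread: it reads an SMTP receive protocol log and lists the internal hosts using one connector, so the Internet-side lines can be ignored. The function name, the sample rows, the IP addresses and the domains are constructed; the connector ID reuses the names mentioned in the thread.

```python
import csv
import ipaddress
import re

# Constructed sample in the receive protocol log layout (CSV with a "#Fields:" header).
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-03-02T08:00:01.000Z,MAIL1\Default Mail2,08D1A,0,10.0.0.5:25,10.0.0.40:50123,+,,
2015-03-02T08:00:01.200Z,MAIL1\Default Mail2,08D1A,4,10.0.0.5:25,10.0.0.40:50123,<,RCPT TO:<admin@example.com>,
2015-03-02T08:05:00.000Z,MAIL1\Default Mail2,08D1B,0,10.0.0.5:25,10.0.0.77:40100,+,,
2015-03-02T08:05:00.300Z,MAIL1\Default Mail2,08D1B,4,10.0.0.5:25,10.0.0.77:40100,<,RCPT TO:<ops@partner.test>,
2015-03-02T08:06:00.000Z,MAIL1\Default Mail2,08D1C,0,10.0.0.5:25,10.0.0.77:40211,+,,
2015-03-02T08:07:00.000Z,MAIL1\Default Mail2,08D1D,0,10.0.0.5:25,203.0.113.9:33000,+,,
2015-03-02T08:07:00.200Z,MAIL1\Default Mail2,08D1D,4,10.0.0.5:25,203.0.113.9:33000,<,RCPT TO:<sales@example.com>,
2015-03-02T08:08:00.000Z,MAIL1\Client Mail2,08D1E,0,10.0.0.5:587,10.0.0.90:41000,+,,
"""

RCPT = re.compile(r"RCPT TO:\s*<[^>@]*@([^>]+)>", re.I)

def internal_senders(log_text, connector, accepted_domains,
                     internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Per internal client IP on `connector`: session count and non-accepted recipient domains."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    accepted = {d.lower() for d in accepted_domains}
    fields, seen = None, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("connector-id", "").lower() != connector.lower():
            continue
        host = row.get("remote-endpoint", "").rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # malformed or truncated row
        if not any(ip in n for n in nets):
            continue  # inbound Internet mail, not an internal application
        entry = seen.setdefault(str(ip), {"sessions": set(), "external_rcpt": set()})
        entry["sessions"].add(row["session-id"])
        m = RCPT.search(row.get("data", "")) if row.get("event") == "<" else None
        if m and m.group(1).lower() not in accepted:
            entry["external_rcpt"].add(m.group(1).lower())
    return {ip: {"sessions": len(e["sessions"]), "external_rcpt": sorted(e["external_rcpt"])}
            for ip, e in seen.items()}

if __name__ == "__main__":
    print(internal_senders(SAMPLE_LOG, r"MAIL1\Default Mail2", ["example.com"]))
```

The hosts it returns are the candidates to move to the dedicated internal relay connector before anonymous access is removed from the default one.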

garryshape (Author) Commented:
Wow you're right it looks like I was able to relay from the outside world. Who the #$%! thought it'd be good to turn that on...?
garryshape (Author) Commented:
So Anonymous Access just means that while the mail server is accessible without being authenticated, you can still only send to/from a recipient who's on an accepted domain.
So it doesn't mean you could relay and use from address at to send to anyone at another domain like
But you could make from address any e-mail on the internet, sending to an accepted user in the Exchange organization..?
Stuart (Technical Architect - Cloud) Commented:
Correct, not an open relay but still not recommended
garryshape (Author) Commented:
Yeah because to me that means somebody could send e-mail to/from people within the organization, as a prank or social engineering. Maybe even include a file attachment that's malicious and users will open it trusting the "sender".
garryshape (Author) Commented:
I have a smartsniff running on TCP port 25 to see what connects. That may help me figure out what servers use the specific relay.

If I create the same receive connector on another hub transport in the same organization, would that offer redundancy in case the other hub transport went down?
Would I just have to configure the same fqdn ip addresses and permission groups?
Stuart (Technical Architect - Cloud) Commented:
Yes you could duplicate the new "internal relay" receive connector on as many hub servers as you want and load balance through your load balancer (presuming you have one)
garryshape (Author) Commented:
Thanks a lot. Hopefully after this I can get separate OWA client access servers and load balance them.
However I'm on 2010 and I'd imagine it'd be best to just spin up 2013 and migrate mailboxes.
I hear the 2013 is better than 2010 in terms of high availability, performance and reliability.
Haven't seen any comparisons on HA specifically though.
Stuart (Technical Architect - Cloud) Commented:
A lot better! Also a change in architecture so do your homework before you install and migrate :)

Happy to help