• Status: Solved

How to tell which Receive Connector is set to allow open relay?

We have several receive connectors. And we did issue the following cmdlet in the past to allow open relay on that specific connector. But now we don't remember which one. How to tell?

Get-ReceiveConnector -Identity 'server\receive-connector' | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

3 Solutions
Jason Crawford, Transport Ninja, Commented:
I can think of two ways:

Method 1
Enable verbose logging on all Receive Connectors:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel verbose

Once you do that, relay an email through your Exchange servers and look for the connection in the SMTPReceive Protocol Logs.  The name of the connector will be included in the log.

Method 2
Look for the Ms-Exch-SMTP-Accept-Any-Recipient extended right:

Get-ReceiveConnector | Get-ADPermission | Format-List

Adam Brown, Sr Solutions Architect, Commented:
You can go into ADSIEdit, connect to the configuration partition, then navigate to Services > Microsoft Exchange > <Org Name> > Administrative Groups > Exchange Administrative Group > Servers > <Server name> > Protocols > SMTP > SMTP Receive Connectors. From there, you can see the permissions on the connectors by right-clicking them and going to Properties, then the Security tab. Any of them that show "Anonymous" will likely be your open relay.

For the future, though, an easy way to set an open relay if you need one is to set the connector to Externally Secured on the Authentication tab. You have to have Exchange servers selected on the Permission groups tab before doing so, though. Setting Externally Secured authentication will set the connector to allow anonymous relaying. It's also a lot easier to spot.

This should do it for you

Get-ReceiveConnector | Get-ADPermission | where {$_.ExtendedRights -like "*Ms-Exch-SMTP-Accept-Any-Recipient*" -and $_.User -eq "NT AUTHORITY\ANONYMOUS LOGON"}

Castlewood, Author, Commented:
"You have to have Exchange servers selected on the Permission groups tab"
Would it accept only Exchange Server to relay messages? I need a backup computer to send alerting email via this Exchange. If it only allows Exchange server to connect and relay, then it could be an issue. Please advise.

No, it will allow for any user, not only Exchange. It is just that the "Externally secured" option cannot be selected unless "Exchange servers" is selected, but since you have anonymous in the permission group, it will be allowed for anyone listed in the remote IP range.
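
An added example (not code from the thread or from Microsoft) that combines Method 2 with the Externally Secured setting Adam Brown describes: it lists every Receive Connector that carries either the anonymous Ms-Exch-SMTP-Accept-Any-Recipient grant or Externally Secured authentication, together with the bindings and remote IP ranges that scope it. The function name Get-RelayCapableConnector and the output column names are assumptions of this example, and it has to be run in the Exchange Management Shell.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Read-only: it lists connectors and changes nothing.
function Get-RelayCapableConnector {    # hypothetical helper name
    param(
        # Right and principal taken from the cmdlet in the question.
        [string]$Right = 'Ms-Exch-SMTP-Accept-Any-Recipient',
        [string]$Principal = 'NT AUTHORITY\ANONYMOUS LOGON'
    )
    foreach ($rc in Get-ReceiveConnector) {
        # Path 1: an Allow ACE that gives the anonymous principal the relay right.
        # Values are compared as strings so this also works over remote PowerShell.
        $aces = @($rc | Get-ADPermission |
            Where-Object {
                "$($_.User)" -eq $Principal -and
                "$($_.ExtendedRights)" -like "*$Right*" -and
                -not $_.Deny
            })

        # Path 2: "Externally Secured" in the console is stored as the
        # ExternalAuthoritative flag of AuthMechanism.
        $extSecured = "$($rc.AuthMechanism)" -match 'ExternalAuthoritative'

        if ($aces.Count -gt 0 -or $extSecured) {
            New-Object PSObject -Property @{
                Connector         = "$($rc.Identity)"
                Enabled           = $rc.Enabled
                AnonymousRelayAce = ($aces.Count -gt 0)
                ExternallySecured = $extSecured
                PermissionGroups  = "$($rc.PermissionGroups)"
                Bindings          = ($rc.Bindings -join ', ')
                RemoteIPRanges    = ($rc.RemoteIPRanges -join ', ')
            }
        }
    }
}

# Fix the column order, then show one block per connector.
Get-RelayCapableConnector |
    Select-Object Connector, Enabled, AnonymousRelayAce, ExternallySecured,
                  PermissionGroups, Bindings, RemoteIPRanges |
    Format-List
```

A connector that is flagged here and whose RemoteIPRanges covers more than the hosts that need to relay is the one to tighten first.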