Unfortunately, I've been instructed to set up a receive connector that will allow copiers to send to external domains. While I can do anonymous relaying by IP address, I'd much prefer to use SMTP Authentication. I have the RC created, as well as the "copier" account. The issue for me is identifying what permissions the authenticating account needs.
If I add the "copier" user to Domain Admins, the copier sends without issue. Obviously, I have no plans to have such an account have any more rights than necessary. However, if I have the "copier" account be a member of the Domain Users group, the copier no longer sends. I'd rather not have the "copier" account even be a member of Domain Users. I just want it to have the minimum rights required, reducing the risk to my environment if the "copier" account is compromised.
I've seen a few posts mentioning edits to the actual RC, using commands similar to:
Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender
However, I'm not sure if they apply, and when I tested these in my test environment (which doesn't have a copier), I couldn't confirm what had changed with anything. As such, I'm not keen on performing anything in production without more information.
So, I'm hoping you can help me out. What do I need to do to the "copier" user or to the "Copier Relay RC" to make SMTP authentication work with the absolute least rights for the "copier" user?
I appreciate any assistance that you can provide.