Copier SMTP Authentication through Exchange 2010


Unfortunately, I've been instructed to set up a receive connector that will allow copiers to send to external domains.  While I can do anonymous relaying by IP address, I'd much prefer to use SMTP authentication.  I have the RC created, as well as the "copier" account.  The issue for me is identifying what permissions the authenticating account needs.  If I add the "copier" user to Domain Admins, the copier sends without issue.  Obviously, I have no plans to have such an account have any more rights than necessary.  However, if I have the "copier" account be a member of the Domain Users group, the copier no longer sends.  I'd rather not have the "copier" account even be a member of Domain Users.  I just want it to have the minimum rights required, reducing the risk to my environment if the "copier" account is compromised.  I've seen a few posts mentioning edits to the actual RC, using commands similar to:

Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

Add-ADPermission "Copier Relay RC" -User "Copier User" -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

However, I'm not sure if they apply and when I tested these in my test environment (which doesn't have a copier), I couldn't confirm what had changed with anything.  As such, I'm not keen on performing anything in production without more information.

So, I'm hoping you can help me out.  What do I need to do to the "copier" user or to the "Copier Relay RC" to make SMTP authentication work with the absolute least rights for the "copier" user?

I appreciate any assistance that you can provide.



Hi Jeremy,

Here is what I normally do:

1) I prefer to have servers, printers / scanners, routers, etc. have a fixed IP.

2) I give the Exchange Server a secondary (fixed) IP for Scanners to use (perhaps not required, but I have always done this)

3) I set up a separate receive connector, have it answer on the secondary IP, and restrict it such that it will only allow incoming connections from the scanner(s) on the network (I have seen people set it up to allow any internal IP to connect, but I prefer not to do that in case a machine gets infected).

4) Permissions = Anonymous Users / Exchange Servers

It has always seemed to work for me, and I have never had any issues with spam getting out.

Hope that helps,
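The four steps above, written out as an added worked example in the Exchange 2010 Management Shell; this is not code from the original thread. The server name HUB01, the NIC name "Local Area Connection", the secondary address 10.0.0.26 and the copier addresses 10.0.1.50 and 10.0.1.51 are placeholders. The example also grants ms-Exch-SMTP-Accept-Any-Recipient to ANONYMOUS LOGON, which the post does not mention: the Anonymous Users permission group on its own only lets the connector accept mail for recipients in your accepted domains, and that extra extended right is what allows relay to external domains.

```powershell
# Added example, not from the original thread. Placeholders: HUB01 (Hub Transport
# server), "Local Area Connection" (NIC name), 10.0.0.26 (secondary IP for the
# copiers to talk to), 10.0.1.50 and 10.0.1.51 (the copiers themselves).

# Step 2: a secondary fixed IP on the Hub Transport server. Exchange 2010 runs on
# Windows Server 2008 / 2008 R2, so netsh; run once, locally, as an administrator.
netsh interface ipv4 add address name="Local Area Connection" address=10.0.0.26 mask=255.255.255.0

# Steps 3 and 4: a dedicated receive connector bound only to that IP and answering
# only the copiers. Listing each copier explicitly, rather than a whole internal
# subnet, is what stops an infected workstation from using the relay.
$server    = "HUB01"
$name      = "Copier Relay RC"
$copierIPs = "10.0.1.50", "10.0.1.51"

New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings "10.0.0.26:25" `
    -RemoteIPRanges $copierIPs `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers, ExchangeServers

# "Anonymous Users" by itself only accepts mail for local (accepted-domain)
# recipients. Relay to external domains needs one more extended right, granted
# on this connector only, so it never applies to the default connectors.
$rc = Get-ReceiveConnector "$server\$name"
$rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

# Check: the explicit (non-inherited) extended rights on this connector.
$rc | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights } |
    Format-Table User, ExtendedRights, Deny -AutoSize

# Check: every connector on the server, to confirm nothing else answers
# 10.0.0.26:25 for the same remote addresses (Exchange refuses to create a
# connector whose Bindings and RemoteIPRanges both overlap an existing one).
Get-ReceiveConnector -Server $server |
    Format-Table Name, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

Adding a copier later is a change to RemoteIPRanges on this one connector (Set-ReceiveConnector "$server\$name" -RemoteIPRanges ...), not a change to permissions, which keeps the review of who can relay limited to a short address list.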

Jer (Author) commented:

Thanks for the reply.  Anonymous relaying for select IPs is actually what I have been doing up to this point.  While it is easy and not the biggest risk in the world, I was hoping to get a bit more secure, if reasonable (using IP AND authentication).  It may just be me being overcautious, but I do have users that will click and trust everything.  The more I can do to reduce the risk of being an unintended spammer, the better.

Hi Jeremy,

Nothing wrong with being cautious :-)

How about the above config, but use this instead:

Permissions = Exchange Users / Exchange Servers

Use the account you already created (but move out of domain admins).

Note that this will only work if the scanner(s) all have the ability to authenticate, and I would only do that if I had exclusive (internal) control over the scanners (no external parties supporting them).  But that is just probably me being paranoid!
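The authenticated variant described above, as an added worked example that is not code from the original thread. It uses the same IP-restricted connector as the anonymous case but with the Exchange Users permission group, offers Basic authentication only inside TLS, and applies the first of the two Add-ADPermission grants from the question to the copier account on this one connector, followed by the check the question was missing (what Add-ADPermission actually changed) and a submission test from an allowed host. HUB01, 10.0.0.26, the copier addresses, the AD account CORP\copier and the mail addresses in the test are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: HUB01, 10.0.0.26,
# copiers 10.0.1.50 and 10.0.1.51, and the AD account CORP\copier, which is
# assumed to already exist as an ordinary user (not in Domain Admins, no group
# membership beyond its default primary group).
$server     = "HUB01"
$name       = "Copier Relay RC"
$copierIPs  = "10.0.1.50", "10.0.1.51"
$copierAcct = "CORP\copier"

# Same binding and IP restriction as the anonymous connector; the difference is
# that submissions must authenticate, and Basic auth is only offered after
# STARTTLS, so the copier's password never crosses the wire in the clear.
New-ReceiveConnector -Name $name -Server $server -Usage Custom `
    -Bindings "10.0.0.26:25" `
    -RemoteIPRanges $copierIPs `
    -AuthMechanism Tls, BasicAuth, BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers, ExchangeServers

$rc = Get-ReceiveConnector "$server\$name"

# The first grant from the question, scoped to this connector and this account.
# It changes nothing about the account's group membership. The second grant from
# the question (ms-Exch-SMTP-Accept-Any-Sender) relaxes sender-address checking
# and is left out here: a copier sending as an address in one of your accepted
# domains does not need it, and least privilege says not to add it on spec.
$rc | Add-ADPermission -User $copierAcct `
    -ExtendedRights ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

# Check: this is how to see what Add-ADPermission changed on the connector.
$rc | Get-ADPermission -User $copierAcct |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize

# Check from a copier's address (run this on a host whose IP is in RemoteIPRanges,
# not on the Exchange server): STARTTLS on port 25, then Basic auth as the copier
# account. The certificate HUB01 presents must be trusted by the testing host.
$cred = Get-Credential $copierAcct
$smtp = New-Object System.Net.Mail.SmtpClient("10.0.0.26", 25)
$smtp.EnableSsl   = $true
$smtp.Credentials = $cred.GetNetworkCredential()
$smtp.Send("copier@corp.example", "someone@external.example", "Relay test", "Authenticated relay test")
```

If the test is accepted from an allowed IP with the copier credentials but refused without them, the connector is doing what the post describes: both the source address and the account are checked. A copier that cannot do STARTTLS plus Basic auth will fail at the AuthMechanism step, which is the inconsistency across models the author reports later in the thread.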


Jer (Author) commented:

Depending on the models of the copiers, authentication proved to be inconsistent.  Ultimately, we abandoned the use of authentication and simply went with anonymous, with IP restrictions (as we had done previously).

Hi Jer,

Glad it's working.

As I noted above, that's what I usually do too.
