SMTP Relay to Smart host only accepting authoritative domains

I have local Exchange 2013 CU18 servers set up as an SMTP server. I have set up a send connector to go to a smart host. This works fine. But I need to make sure emails coming from other systems inside of the domain are using an authoritative domain to send email via my SMTP servers. I know I can set up another send connector using MX records, but I have to have all emails go out my smart host.

Neil Sands, Citrix CCA, Application Systems Administration, asked:
MAS, EE Solution Guide - Technical Dept Head, commented:
Hi Neil Sands,
Welcome to Experts Exchange.
-->But I need to make sure emails coming from other systems inside of the domain are using an authoritative domain to send email via my SMTP servers.
I am not clear on your query. Please elaborate.
Do you mean your Outlook clients, or do you have another (3rd-party) email program using the same SMTP server?
Receive Connectors are responsible for receiving incoming emails sent to a Transport server. This includes emails sent from Mailbox Servers, POP3 and IMAP clients, and other hosts or applications sending via SMTP.
Server will use "Send connector" to send emails to external users. In your case it goes to SMTP smart host.

So basically you wanted to use your email server as SMTP relay for your internal servers so that they can send emails out, correct?

In that case create one custom receive connector as mentioned in the blog below.
Ensure that you add all internal server IPs/subnets that need to send emails through your Exchange server (relay).
This would allow you to receive emails from your internal servers and then use your send connector to get them out.
MAS, EE Solution Guide - Technical Dept Head, commented:
Agree with Mahesh. If you want other devices (e.g. scanners, printers etc.) to use the Exchange server for sending emails out, you can follow the article posted by Mahesh. You don't need an additional send connector; Exchange will use the same send connector for sending emails out. An additional receive connector with the IPs required to relay would be enough.

Good write up Mahesh. :))
Neil Sands, Citrix CCA, Application Systems Administration, author, commented:
There are no Outlook clients that use the SMTP servers. I have the default frontend and hub transports scoped so only internal servers can send email to the SMTP servers. We use O365 as our primary email system. These SMTP servers are for internal IBM systems to email. I already have it all set up and working fine. This is to satisfy a Rapid7 scan. Rapid7 can send an email as  I need to lock the SMTP servers down so only an authorized domain can send a message out. I currently have send connectors set to go to specific smart hosts. Which SMTP server gets the email determines which smart host gets the message. I had to use port 25 on the default hub transport due to default mail routing. If an email is sent to a specific SMTP server it has to stay on that SMTP server to be delivered to the specific smart host. So the task is using the current setup to only allow authorized domains to send to the SMTP servers internally. No external email can get to or use the servers. Again, this is just to satisfy a Rapid7 scan, as crazy as this sounds. Here is the other twist. I can't require basic authentication or TLS because the systems don't support this. Some do, but the most important system does not. Great dilemma I have been tasked with.
If we talk about an on-premises Exchange server, first it will check which recipient address the mail is addressed to, and based on that it will choose the smart host.

Are you saying that internal servers are not sending emails out to the internet?

All you need to do is avoid creating an external relay as mentioned in the post above and stick to internal relay only.
This will ensure that no internal server can send any mail to external recipients.

When you say authorized domains to send to the SMTP servers, it means the "from" email address you use to represent the internal server must include one of the available accepted domains. This is something you cannot control, as far as I think, because once you add the internal server IP to the internal relay receive connector, it can send internal mails with any *from* address.
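An added example (my own PowerShell, not from the thread) of the custom receive connector described in Mahesh's two replies above: an internal-only relay scoped to the relaying hosts, plus a check that no connector on the server grants the external-relay right. The server name, connector name and IP ranges are placeholders.

```powershell
# Added example, not from the thread. Exchange 2013 internal-only relay connector.
# Placeholders: replace with your server, connector name and relaying host IPs.
$Server   = "EX2013-01"                  # placeholder Exchange 2013 server
$Name     = "Internal App Relay"         # placeholder connector name
$Relayers = "10.0.10.25", "10.0.20.0/24" # placeholder: app hosts allowed to relay

# Frontend Transport connector on port 25, scoped to the relaying hosts only.
# The AnonymousUsers permission group grants ms-Exch-SMTP-Submit and
# ms-Exch-SMTP-Accept-Any-Sender, so any *from* address is accepted (the
# limitation Mahesh describes), but recipients are limited to accepted
# domains: this is the "internal relay" case.
New-ReceiveConnector -Name $Name -Server $Server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $Relayers `
    -PermissionGroups AnonymousUsers

# An "external relay" would additionally need the right below. Leave it out
# for the setup in this thread: it lets the relaying hosts send to any recipient.
# Get-ReceiveConnector "$Server\$Name" |
#     Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
#         -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Check: which connectors on this server grant Accept-Any-Recipient to
# anonymous senders? For an internal-only relay the expected result is empty.
Get-ReceiveConnector -Server $Server | Get-ADPermission |
    Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                   $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" } |
    Select-Object Identity, User, ExtendedRights

# The accepted domains that recipients must belong to on an internal relay.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType
```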

Neil Sands, Citrix CCA, Application Systems Administration, author, commented:
Emails hit the smart host then out to internet.  The last paragraph hit the mark. That's what I thought. I was just making sure. I didn't want to persuade any answers. Thanks guys. Always appreciate the input.
Neil Sands, Citrix CCA, Application Systems Administration, author, commented:
Thanks for the quick responses.  I was just confirming what I knew.  I needed others to back me when I tell them the solution. I can make it do what they want, but it will break the current email processing.
--> Emails hit the smart host then out to internet.

You are right: once you configure a relay connector, no matter whether it's internal or external, the connector will accept any *from* address.