Problem with Open relay in Exchange Server

Hello people,

I have an Exchange 2016 server with the latest CU. I have created open relay in order that servers can send emails with the correct IP. Everything works perfectly..but we found out that users can send emails with the following:

Send-MailMessage -To -from -subject "test" -SmtpServer "name"

Problem: Everybody can send as everybody.

How can I restrict it?

Rowell Byrne asked:

timgreen7077 (Exchange Engineer) commented:
If you set up the internal relay to only allow servers with specific IP addresses to relay through that connector, then any emails coming from any other IP will not be successful. Also make sure that you don't have a subnet of IPs listed; this should only be single IPs. If the users are using the Send-MailMessage cmdlet from a server that has an allowed IP address, then it will be successful. Look to make sure that only single IPs are listed.
Ganesh Kumar A (Sr Infrastructure Specialist) commented:
Run the diagnostics using the

To remove the anonymous relay permission, especially if you have a mail gateway routing all your inbound and outbound SMTP traffic through it, you can use the following command to restrict anonymous access.

Get-ReceiveConnector "Default Frontend <server>" | Remove-ADPermission -User "NT Authority\Anonymous Logon" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Here is the MS article covering the various options that suit your need:
Sunil Chauhan (Lead Administrator) commented:
You have created an open relay; the best option for you is to restrict it based on the source IP (application host). You can run the following cmd.

For adding the first single IP address:

Set-ReceiveConnector -Identity "Relay Connector" -RemoteIPRanges "<application host IP>"


Note: it's a multivalued property, so to add further IPs you can use the following:

$RecvC = Get-ReceiveConnector "Relay Connector"
$RecvC.RemoteIPRanges += "<next application host IP>"
Set-ReceiveConnector "Relay Connector" -RemoteIPRanges $RecvC.RemoteIPRanges

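Building on the two answers above (single-host RemoteIPRanges only, and no ms-Exch-SMTP-Accept-Any-Recipient for Anonymous Logon unless you mean it), here is an added audit script that is not from this thread. It assumes it runs in the Exchange Management Shell; the function name and the "broad range" heuristic are my own.

```powershell
# Added audit helper (not from this thread). Assumes the Exchange Management Shell
# is loaded so Get-ReceiveConnector and Get-ADPermission are available.

function Get-RelayExposure {
    param([string]$Server = $env:COMPUTERNAME)

    foreach ($rc in Get-ReceiveConnector -Server $Server) {
        # A relay connector should list single host addresses only. Any entry with
        # a CIDR suffix or a dash range (including the default any-address range)
        # is treated as too broad. Heuristic based on the IPRange string form.
        $broad = foreach ($r in $rc.RemoteIPRanges) {
            $s = $r.ToString()
            if ($s -match '/' -or $s -match '-') { $s }
        }

        # Anonymous relay means ANONYMOUS LOGON holds an allow ACE for
        # ms-Exch-SMTP-Accept-Any-Recipient on the connector object.
        $anonRelay = Get-ADPermission -Identity $rc.Identity |
            Where-Object {
                $_.User -like '*Anonymous*' -and
                -not $_.Deny -and
                ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient')
            }

        [pscustomobject]@{
            Connector         = $rc.Name
            Bindings          = ($rc.Bindings -join ', ')
            PermissionGroups  = $rc.PermissionGroups.ToString()
            AnonymousRelay    = [bool]$anonRelay
            BroadRemoteRanges = ($broad -join ', ')
            # Open-relay risk: anonymous relay combined with a non-single-host list.
            OpenRelayRisk     = ([bool]$anonRelay -and $broad.Count -gt 0)
        }
    }
}

# Show the connectors that need attention first.
Get-RelayExposure | Where-Object { $_.OpenRelayRisk } | Format-Table -AutoSize
```

The default frontend connector will normally report broad ranges (it must accept inbound mail from anywhere) but AnonymousRelay should be false there; a relay connector with AnonymousRelay true and only single-host ranges is the intended end state.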

Todd Nelson (Systems Engineer) commented:
If you made changes to the default receive connectors, you should reset them to the original settings.  Once you complete that task, create a "relay" receive connector using this reference ...

Todd Nelson (Systems Engineer) commented:
Sufficient information provided for resolution.